President Donald Trump’s fiscal 2027 budget would slash the Cybersecurity and Infrastructure Security Agency’s total by $707 million, according to a summary released Friday, which would deeply chop down an agency that already took a big hit in Trump’s first year.

Another budget document suggests a smaller — but still substantial — hit of $361 million, with the discrepancy possibly due to the comparison points amid budget uncertainty for CISA’s parent agency, the Department of Homeland Security. DHS and CISA did not immediately respond to a request for clarification.

“At the time the Budget was prepared, the 2026 appropriations bill for the Department of Homeland Security was not enacted, and funding provided by the last continuing resolution it had been operating under (Continuing Appropriations Act, 2026, division A of Public Law 119-37, as amended by division H of Public Law 119-75) had lapsed,” the budget summary notes. “References to 2026 spending in the text and tables for programs and activities normally provided for in the full-year appropriations bill reflect the annualized level provided by the last continuing resolution.”

By either measurement, the proposed budget would cut deeply into an agency that started the Trump administration at roughly $3 billion, and would be substantially below that if Congress enacts the latest blueprint. The budget appendix says CISA would end up with slightly more than $2 billion in discretionary funding under Trump’s plan. For fiscal 2026, appropriators sought to mitigate some of Trump’s proposed CISA reductions.

The 2027 budget summary recycles identical language from the 2026 budget summary, and makes references to ending programs that CISA has already shuttered.

“The Budget refocuses CISA on its core mission — Federal network defense and enhancing the security and resilience of critical infrastructure — while eliminating weaponization and waste,” the summary states in both the 2026 and 2027 documents.

It makes references to getting rid of things that have already been cut, like “external engagement offices such as council management, stakeholder engagement, and international affairs.” It talks about ending programs focused on censorship, something CISA under the Biden administration said it never had, and on “so-called” misinformation, which CISA said it ended during the former president’s term.

Mississippi Rep. Bennie Thompson, the top Democrat on the House Homeland Security Committee, criticized the budget proposal for CISA.

“Like the President’s cyber strategy, the President’s CISA budget reflects his utter lack of understanding of the urgency of the cyber threats we face and how to mobilize the government to help confront them,” he said in a statement to CyberScoop. “As of 2023, CISA was spending $2 million on countering information operations, an effort initially launched at the behest of Congressional Republicans during the first Trump Administration.

“There is nothing that justifies a reckless $700 million cut to CISA, particularly at a time of heightened tensions with Iran and an increasingly aggressive China,” he continued. “I am committed to working with my colleagues to push back against these cuts and ensure we can protect government and critical infrastructure networks.”

The post Trump budget proposal would cut hundreds of millions more from CISA appeared first on CyberScoop.

A California county sheriff and Republican contender for the state’s gubernatorial race has seized 650,000 physical ballots from Riverside County, saying they were part of an investigation into election fraud tied to redistricting wars.

State officials and election security experts say that the underlying allegations are spurious and local law enforcement do not have the authority to unilaterally investigate or validate election results.

Riverside County Sheriff Chad Bianco said at a news conference Friday that he intended to conduct a hand count of the ballots, which were tied to elections last November, and “compare that result to the total votes recorded.”

In a March 6 letter, California Attorney General Rob Bonta directed Bianco to pause the investigation until the state could review “the factual and legal basis” for the probe and seizure.

Based on an initial review of the warrants and affidavits in the case, Bonta wrote that his “office has serious concerns as to whether probable cause existed to support the issuance of the warrants, and whether your office presented the magistrate with all available evidence as required by law.” 

While Bonta’s letter does not describe the underlying content of the search warrants, it points to a public presentation made by a resident at a Feb. 10 Riverside County Registrar of Voters meeting that “addresses the alleged vote discrepancy that appears to be the basis of your investigation.”

In that meeting, an individual identifying himself as “Errol” — wearing a “Trump 2028” hat — alleged the council had participated in local, state and federal election fraud.

At several points, the individual said he relied on Google for information on individuals and companies he was accusing of receiving improper payments. At another point, he claimed the Riverside County auditor would not disclose the purpose behind thousands of pages of county payments, before saying “you’re not getting the files, I got them put away.”

“We have a lot of problems, you guys. You’ve committed serious fraud here, forever,” the individual alleged, adding that he hoped the members of the council were imprisoned.

Bonta accused Bianco of “flagrantly violating my directives” under the California State Constitution, and threatened court action should he proceed with the investigation and hand recount.

The act by Bianco — who is running third in the state’s open primary for governor this month, per an Emerson College poll — is the second such seizure of ballots to take place this election cycle, following the FBI’s raid of Fulton County, Georgia’s election office.

Gowri Ramachandran, director of elections and security at the Brennan Center for Justice, told CyberScoop that the election allegedly being investigated wasn’t a close race. Further, like virtually every other election, candidates or parties have opportunities to contest irregularities or results, including automatic recounts or recounts paid by candidates or campaigns — along with state courts that regularly adjudicate questions of election outcomes.

“It’s important for people to know none of those processes involve someone coming in and haphazardly coming in and grabbing the ballots,” she said, adding: “I worry if it happens closer to an actual election what it could do to interfere with it.”

Ramachandran said that by seizing physical ballots, which she called “the gold standard” we use for determining ground-level truth about voter intent, Bianco was disrupting the chain of custody that is one of the key processes designed to give voters trust in their elections.

“It should just be a really high bar, not just, ‘I’m suspicious, I want to do a fishing expedition,’” she said. “That’s not enough to have someone who doesn’t have any experience in counting ballots or keeping them safe [to] just come in and grab all that stuff.”

Bonta’s suggestion that Bianco did not materially inform the courts echoes what Fulton County officials alleged in their own lawsuit, which accused the FBI of presenting the judge with a “flagrantly misleading narrative” that omitted key evidence, undermining the government’s basis for investigating the 2020 ballots. 

The post State officials, election experts question California sheriff’s seizure of ballots appeared first on CyberScoop.

A cyberattack that an Iranian hacking group said it carried out against medical device manufacturer Stryker might mark Tehran’s first significant cyber action since the start of the joint U.S.-Israel conflict.

But even that may have been a happy accident for Iranian hackers in what has been a low buzz of activity during that timeframe, with the attackers striking paydirt by happenstance rather than on purpose.

Cybersecurity firms, threat intelligence trackers and critical infrastructure owners have been fighting to separate the noise about proclaimed attacks out of Iran, and the warnings and threats related to the conflict, from what is actually happening and poses any significant danger.

“Everybody is scrambling right now,” said Alex Orleans, a long-time Iran threat analyst and head of threat intelligence at Sublime Security. Others said the nascent nature of the conflict is making assessments difficult.

“What we see is quite difficult to quantify or characterize about whether there’s been an increase or decrease,” said Saher Naumaan, senior threat researcher at Proofpoint. “I think since we’re only a couple weeks into the conflict, and the regular cadence of Iranian actors isn’t very consistent, necessarily, we don’t have enough data points or enough time to really judge.”

Signs of activity

In the early days of the conflict, there were indications that physical attacks on Iran might have hampered Iranian retaliatory efforts or other cyber activity, as those who would carry out cyberattacks were probably “hiding in bunkers,” Orleans said, and as Iran suffered internet outages.

In recent days, however, the Stryker attack and other indicators suggest that Iranian cyber activity could be heating up.

“For several days following the outbreak of the conflict, there was a noted decrease in cyber threat activity emanating from Iran,” a group of industry information and sharing analysis centers warned Wednesday. “However, there are signs of life in Iranian offensive cyber operations.”

The Stryker attack stands out for both the size and location of the target, a Michigan-based medical device manufacturer with more than $25 billion in revenue in 2025.

But both Orleans and Sergey Shykevich, threat intelligence group manager at Check Point Research, said the attack has the hallmarks of an opportunistic one rather than a deliberate, focused one. The group claiming credit for the attack, Handala — a Ministry of Intelligence-linked outfit — is known more for seizing advantage of weaknesses they happen upon rather than doggedly pursuing particular targets.

Notably, Stryker is also the class of a military vehicle used by U.S. forces. That military connection, even if confused with the medical device manufacturer, could possibly explain why the company was a target.

Still, “it was a much higher-profile attack than we expected from Handala,” Shykevich said. “Unfortunately, it’s possible to define it as a relatively big success for them.”

There have been reports of other cyber activity that might be connected to the conflict. Albania said the email system of its parliament had been targeted, with Iranian hackers taking credit. There was the targeting of cameras from Iran-linked infrastructure in countries that Iran then launched missiles into. Poland said it was looking into whether Iran was behind an attempted cyberattack on a nuclear research facility.

Some of the claims don’t match reality. “There are many hacktivist groups that are very active in Telegram, but actually they don’t have any significant successes,” Shykevich said.

There are other cyber-related developments in the conflict, too, like espionage, the proliferation of artificial intelligence-fueled misinformation and the possibility of Russia or China helping out in cyberspace on Iran’s behalf, even if some experts doubt the likelihood of the latter.

How effective any of it has been is still unclear. Stryker, for instance, said the attack mainly affected its internal networks, although there were signs it might be affecting communications at hospitals, too.

But the damage might be beside the point. Orleans said the attacks could be psychological in nature, aimed at producing fear abroad and affirming hackers’ standing with domestic leaders in Iran during the conflict.

Even low-level defacement or distributed denial-of-service attacks can play a role.

“Coming into work and finding an Iranian flag on your workstation would be a little bit  disconcerting, because they’re letting you know that, ‘I can reach out and touch you,’” said Sarah Cleveland, senior director of federal strategy at ExtraHop and a former cyber officer in the U.S. Air Force.

Possible follow-up impacts

While primarily known as a medical supply company, Stryker has received sizable contracts with the military for hospital equipment and surgical supplies, for example. It is unclear whether the hackers intended to use Stryker’s military connection to exploit government systems.

The Pentagon has long warned of increased, complex cyberattacks against the defense industrial base, a vast network of companies — with disparate levels of cybersecurity — that the military relies on for advanced weaponry to basic stretchers. The DIB is often seen by adversaries as a backdoor into military systems.

While he did not directly address the Stryker hack, the Army’s principal cyber adviser, Brandon Pugh, outlined some of the challenges to the DIB and the service’s part in trying to protect it during a webinar Thursday in response to a question on the topic.

He said adversaries “right or wrong” see companies “as an extension of the military” and that they believe an attack on private industry would have a secondary impact on the armed forces.

“Some are very large, sophisticated multinational companies,” he said, noting that security needs across the DIB aren’t universal. “Others are very small companies that are lucky to have a director of IT, let alone a sophisticated cyber team, and I think that’s where it’s really important to lean into.”

Pugh said that agencies across the federal government have been working with the DIB to boost its resilience to attacks, and that the Army’s cyber effort emphasizes entrenching cybersecurity from the beginning of the acquisition process.

“Cyber can’t be an afterthought — not saying it is,” Pugh added. “I’d say the Army does a great job here, but making sure it’s never forgotten and is always considered along that way.”

Matt Tait, the CEO and president of MANTECH, said in response to a question about the Stryker attack and DIB protections that defending against such incidents includes leveraging government agreements and access, such as with the NSA, and quickly sharing information following an attack.

“To me, it’s about real time information sharing,” he said. “You need real time information sharing when you’re getting attacked to be able to actually share that information with the rest of industry, as well as with government, because they can actually share that information across” federal cybersecurity entities.

“If you want to do mission focused technology work, this is the world you have to live in, and that you should be sharing this information on a real time basis,” he added. “24 hours later, 48 hours later, I call that ambulance chasing. That’s too far after the fact from a cyber perspective.”

The post Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict appeared first on CyberScoop.