Executive orders likely ahead in next steps for national cyber strategy

15 April 2026 at 14:51

National Cyber Director Sean Cairncross expects more executive orders coming from the White House as part of implementing the national cybersecurity strategy, he said Wednesday.

Staffers on Capitol Hill and others in the cyber world have been awaiting the implementation guidance the Trump administration had proclaimed would come to accompany the strategy published last month.

Asked at a Semafor event about whether that would include executive orders, Cairncross answered, “I think that that’s the case.”

The administration released an executive order on fraud the same day it released its cyber strategy on March 6. Some of that order touched on cybercrime.

“This is rolling forward actively, and you should expect that there will be more execution and action in line with our strategic goals,” he said.

Cairncross cited other administration activity that fit into the strategy, such as the first conviction last week under the Take It Down Act, a law First Lady Melania Trump advocated for that seeks to combat non-consensual AI-generated sexually explicit images, violent threats and cyberstalking.

He declined to preview any future implementation plans, and said he expected they would be coming “relatively soon.”

A centerpiece of the administration strategy is confronting adversaries to make sure they suffer consequences for their hacking of United States targets.

Cairncross wouldn’t say explicitly if Trump, in his visit to Beijing next month, would address Chinese hacking.

“When we start to see things like prepositioning on critical infrastructure, that is something that needs to be addressed,” he said. Pressed on whether that meant cyber would be on the agenda during the visit, Cairncross said, “I would expect that the safety and security of the American people will be first and foremost, as it always is for the president.”

Cairncross touted American ingenuity for producing an artificial intelligence model like Anthropic’s Claude Mythos, rather than it developing under U.S. cyber rivals like China or Russia. He acknowledged reports about the administration holding meetings about the cyber risks and benefits of something like Mythos — “the model right now that everyone’s talking about” — adding that the administration is looking to balance the dangers and positive capabilities of AI in cyberspace.

“I would say from the White House perspective, we are working very closely with industry,” Cairncross said. “We’ve been in close collaboration with the model companies across the interagency to make sure that we are evaluating and doing this.”

The post Executive orders likely ahead in next steps for national cyber strategy appeared first on CyberScoop.

House Dems decry confirmed ICE usage of Paragon spyware

2 April 2026 at 17:02

Immigration and Customs Enforcement has confirmed it is using Paragon spyware, prompting outrage Thursday from a trio of House Democrats.

In response to a letter from the lawmakers inquiring about Paragon’s use, acting ICE Director Todd Lyons wrote that he had authorized the use of “cutting-edge technological tools” to help the Homeland Security Investigations division fight fentanyl, particularly against organizations using encrypted communications. 

“Any use of the technology will comply with constitutional requirements and be coordinated with the ICE Office of the Principal Legal Advisor,” Lyons wrote Wednesday, without naming Paragon specifically. “Further, use of the technology will align with and support the Homeland Security Task Force’s strategic initiatives to identify, disrupt, and dismantle Foreign Terrorist Organizations, addressing the escalating fentanyl epidemic and safeguarding national security.”

But Democratic Reps. Summer Lee of Pennsylvania, Shontel Brown of Ohio and Yassamin Ansari of Arizona weren’t pleased with ICE’s answer.

“It’s outrageous that [the Department of Homeland Security] and ICE are using this spyware with no Congressional oversight and a complete lack of compliance standards,” they said in a joint statement shared with CyberScoop. “Given the track record of the Trump Administration, ICE’s feigned compliance with existing standards doesn’t mean much; we need to see proof and evidence of ironclad safeguards.

“That’s why we requested so much documentation, which they have completely failed to provide,” they continued. “House Democrats will continue to demand more information and hold ICE accountable for its abuses.”

Lyons wrote that he certified use of the technology, which he said complied with a 2023 executive order issued by then-President Joe Biden. That executive order requires certification that use of commercial spyware wouldn’t pose national security or counterintelligence risks, or create significant risks of improper use by a foreign government.

In 2024, the $2 million ICE contract with Paragon came under White House review. But last year, ICE lifted a stop-work order.

ICE didn’t immediately respond to a request for comment on the Democrats’ reaction. ICE’s use of surveillance technology has drawn concern from civil liberties groups.

Paragon’s Graphite technology has been found on the phones of journalists and there are suspected uses in a number of countries. WhatsApp last year said it had disrupted a campaign employing the spyware against its users.

The letter’s vague language on safeguards, combined with ICE’s stance on privacy, is concerning, said Cooper Quintin, a security researcher and senior public interest technologist with the Electronic Frontier Foundation’s Threat Lab.

“It leaves open the door for them to interpret that it is constitutional for them to use administrative subpoenas to use this malware in HSI investigations,” Quintin said.

Bloomberg first reported on Lyons’ letter.

This story was updated April 2, 2026, with comments from Quintin.

The post House Dems decry confirmed ICE usage of Paragon spyware appeared first on CyberScoop.

White House executive order purports to limit mail-in voting, mandate federal voter lists 

By: djohnson
31 March 2026 at 20:24

President Donald Trump signed an executive order Tuesday that purports to limit mail-in voting, though critics say the move will almost certainly be challenged in court on constitutional grounds.

The order instructs the Homeland Security secretary, the director of U.S. Citizenship and Immigration Services and the commissioner of the Social Security Administration to compile lists of American voters for each state, including their supposed citizenship status.

To build the lists, the agencies would rely on the controversial Systematic Alien Verification for Entitlements database that DHS has been building under the Trump administration, as well as Social Security and federal citizenship and naturalization records.

Those lists would then be transmitted to states, most of which have already rejected previous Trump administration efforts to collect voter data or dictate voter registration lists. The White House order instructs the Department of Justice to prioritize the investigation and prosecution of state and local officials or any others involved in the administration of federal elections who issue federal ballots to individuals not eligible to vote in a federal election.  

The order also directs the postmaster general to issue new proposed regulations that require mail-in ballots to be mailed in special envelopes that include barcodes for tracking. Crucially, it asks states ahead of time whether they intend to submit a list of voters eligible to vote by mail, and attempts to assert the authority to deny sending ballots to states that do not participate. It also claims the attorney general is entitled to withhold federal funding from noncompliant states.

The Trump administration’s previous efforts to aggressively assert executive branch authority over elections have been rebuffed by courts, with judges noting the U.S. Constitution explicitly empowers states and Congress to set the time, manner and place for elections. 

The order justifies White House involvement by claiming it has “an unavoidable duty” under Article II of the Constitution to maintain confidence in election outcomes by preventing violations of criminal law. But numerous post-election audits, investigations and recounts have consistently confirmed over decades that criminal non-citizen voting is infinitesimally rare in U.S. elections, and of the small number of cases that did occur, most turn out to be accidents or decades-old administrative errors.

Criticism from election officials, experts and Democrats in Congress was swift.

Minnesota Secretary of State Steve Simon, who has resisted demands by the DOJ to hand over state voter data, predicted the order “will meet the same fate” as previous executive orders in being struck down by courts. Other secretaries of state have issued similar statements rejecting the order’s constitutionality. 

“Our office has helped stop his actions before and we are now exploring our legal options to stop this new order from taking effect,” Simon said in a statement to CyberScoop.

He also stumped for mail-in voting, calling it a secure, trustworthy and convenient way for citizens to exercise their rights to vote. Local election officials “track every ballot” sent by mail and have a range of checks and safeguards to ensure they’re sent to only eligible voters and that voters can only cast one ballot.

“Absentee voters who choose to vote by mail must provide a matching ID number, sign their signature envelope, and have a witness sign their ballot envelope before returning their ballot,” Simon said. “All of that information is tracked digitally by election administrators. Voters are able to track the status of their ballot using our online ballot tracker tool. Any attempt to register or cast a ballot while ineligible is referred for investigation and potential prosecution.”

Sen. Alex Padilla, D-Calif., called the order a “blatant, unconstitutional abuse of power” and said he expected “immediate” lawsuits challenging its legality.

“The President and the Department of Homeland Security have no authority to commandeer federal elections or direct the independent Postal Service to undermine mail and absentee voting that nearly 50 million Americans relied on in 2024,” Padilla said in a statement. “A decade of lies about election fraud does not change the Constitution.”

David Becker, executive director for the Center for Election Innovation and Research, said the administration’s latest mandates are so far outside the constitutional limits of the executive branch they will almost certainly be halted through lawsuits. 

“Some may freak out about this, but honestly, this is hilarious,” Becker wrote on Bluesky. “It’s clearly unconstitutional, will be blocked immediately, and the only thing it will accomplish is to make liberal lawyers wealthier. He might as well sign an EO banning gravity.”

However, while lower courts have consistently struck down previous orders and lawsuits from the White House, election experts have expressed concerns that the Supreme Court’s conservative majority — which has clashed with lower courts over the Trump administration’s constitutional authority — appeared receptive to the administration’s position in a recent oral argument.

Alexandra Chandler, director of the Free and Fair Elections program at nonprofit Protect Democracy, said in a statement that the White House order “is more like an attempted executive override” of state authority over elections.

“Meant to solve for a problem that exists only in the false rhetoric of the Trump administration and its political fortunes, the [order] is a classic example of their playbook to deceive the American people and disrupt the election process in order to deny any future results that don’t suit them,” Chandler said.

The post White House executive order purports to limit mail-in voting, mandate federal voter lists appeared first on CyberScoop.

Washington is right: Cybercrime is organized crime. Now we need to shut down the business model

By: Greg Otto
16 March 2026 at 06:00

The recently released executive order targeting cybercrime, fraud, and predatory schemes uses language the federal government has often avoided. Now, for the first time, the Trump administration is echoing what the cybersecurity industry has been shouting for years: cyber-enabled fraud is a product of transnational organized crime.

That distinction matters because organized crime requires an organized response.

Cybercrime is now the world’s fastest-growing criminal economy, built on stealing from everyday people. It is no longer a loose collection of hoodie-wearing hackers in basements or misfits trading malware in online forums. It is a mature global industry operating at scale. In the entirety of human history, there has not been a transfer of wealth of this magnitude since the era of pillaging empires. We have just gotten so used to it that it feels like background noise.

Modern cybercrime groups look less like street gangs and more like corporations. They run structured operations, complete with HR departments, training pipelines, performance metrics, and technology stacks that rival most enterprise companies. Their attackers don’t rely on sophisticated exploits — they think like expert investigators, systematically probing for weaknesses, exploiting psychological pressure, manipulating insiders, and using deception to move through gaps that defenders left open. They operate around the clock, in every time zone, and increasingly use AI to automate attacks at a scale that once required highly skilled operators.

Worse yet is that many of these operations rely on forced labor. Scam compounds in Southeast Asia run like factory floors, with rows of trafficked workers carrying out romance scams, cryptocurrency fraud, and impersonation schemes under threat of violence.

Their goal is to make fraud faster and more profitable. The result is a global criminal ecosystem that extends far beyond online scams. It fuels human trafficking, weapons smuggling, political corruption, compromised organ systems, and even nuclear programs.

If the federal government is ready to recognize what the industry has known — that cybercrime truly operates like an organized global industry — then responding to it solely through traditional law enforcement is not enough. The question goes beyond how governments apply sanctions, coordinate investigations, or pressure jurisdictions that harbor these operations. The greater question is whether the private sector is willing to help dismantle the infrastructure that allows this industry to thrive.

One word changes everything

I want to be specific about why this executive order is different, because the language is not accidental.

The order doesn’t just call these groups “hackers” or “organized crime.” It calls them transnational criminal organizations (TCOs). That word carries legal and operational weight that most coverage has glossed over. Transnational is the jurisdictional framing that authorizes an entirely different class of response. It is the same threshold that moves a case from local law enforcement to federal jurisdiction and beyond.

Pair that with what follows – “law enforcement, diplomacy, and potential offensive actions” – and you are reading something that goes well beyond a policy memo. Notice the sequence: diplomacy before offensive action is proportionality doctrine. But the administration did not rule out offensive action. The document also calls for deploying the “full suite of U.S. government defensive and offensive cyber operations” and uses the word “shape” as its first pillar of action. In military doctrine, shaping an adversary’s behavior does not mean gentle persuasion. It means force is part of the calculus.

This is not the language of a consumer protection policy. Whoever wrote this has studied the opposition.

An organized threat demands an organized response

The executive order draws a line in the sand: cybercrime has outgrown its origins as a consumer protection issue. It’s now a fundamental threat to economic stability and national security. But tackling an industry operating at this scale requires more than government action alone. The order’s answer is to mobilize the private sector – giving companies the green light to identify and disrupt adversary networks.

That framing matters.

The private sector sees the machinery of cybercrime every day. Security vendors, major platforms, and infrastructure providers spot the command-and-control servers, malicious domains, and payment pipelines that keep these operations moving. Too often, that intelligence is used only to defend commercial interests, when in reality, it should also be used to disrupt the networks behind the attacks. When criminal groups lose core infrastructure, they have to rebuild. That costs time. That costs money. That creates pressure.

At the same time, the order puts a question squarely before the private sector: How far is it willing to go, and under what terms? I spent my career believing “minimal force” matters. Precise, proportionate action prevents escalation and avoids creating cascading problems. As we move beyond a defense-only approach, those principles matter more than ever.

There is another question that sits underneath all of this: How far does “potential offensive actions” actually go? Does it stop at cyberspace? Financial sanctions? Asked bluntly, “Will leaders and shareholders know whether providing threat intelligence ends with a measured network take-down or an all-out drone strike on the fraudulent call center?”

Organizations need to fix the security weaknesses criminals are exploiting for profit. Most attacks in 2026 do not succeed because criminals are brilliant. They succeed because the basics are missing. No multifactor authentication. Weak identity controls. Unpatched vulnerabilities sit open for months. Criminals don’t care about your industry or company size. They go where it’s easiest.

When organizations ignore basic security controls, they are doing more than accepting risk. They’re subsidizing the criminal infrastructure that exploits those gaps.

Governments must keep pressure on nations that harbor these operations. Large-scale cybercrime thrives where enforcement is weak or non-existent. The order specifically calls out “nations that tolerate predatory activity”—a signal that safe havens won’t be ignored. Stronger coordination across governments, law enforcement, and private industry can make it much harder for criminals to operate at scale.

The order also targets “foreign TCOs and associated networks,” with “associated networks” being a deliberately broad phrase. Defining who qualifies will be critical. Draw the lines too narrowly and the policy won’t work. Too broadly and you risk dangerous escalation.

Simply put, cybercriminal groups are disciplined because discipline pays. Disrupting them will require the same. It will demand pressure on countries that act as safe havens. It will take dismantling the infrastructure behind these schemes. It will require better basic security across every organization that criminals target.

The executive order is right: cybercrime is organized. It is industrial. It is ruthless. For the first time in a long time, the response looks like it might be, too. Whether the government, private sector, and public can align around what this actually demands, and what it risks, are still unanswered questions.

After years of watching policy documents gather dust while victim numbers grow, I will take action over perfection every time.

Kyle Hanslovan is a former NSA cyberwarfare operator and CEO of Huntress Labs.

The post Washington is right: Cybercrime is organized crime. Now we need to shut down the business model appeared first on CyberScoop.

If consequences matter, they should apply to vendors, too

By: Greg Otto
11 March 2026 at 06:00

Washington has rediscovered consequences. Just not consistently.

The March 6 executive order rests on a simple, correct idea: cyber-enabled fraud persists because it is profitable, scalable, and too often tolerated. So the government’s answer is to raise the cost. More coordination. More disruption. More prosecutions. More diplomatic pressure on the states that shelter these operations.

Good.

But weeks ago, an OMB memo rescinded earlier federal software supply chain memos issued during the Biden administration. In practice, that pulled back from the prior attestation-centered model and made tools like the Secure Software Development Attestation Form and SBOM requests optional rather than durable expectations.

Put plainly, we are getting tougher on the people exploiting digital systems while getting softer on the conditions that make those systems so easy to exploit.

The executive order gets something important right. Cyber-enabled fraud is not a collection of random online annoyances. It is an industrialized form of predation: ransomware, phishing, impersonation, sextortion, and financial fraud that’s run as repeatable business models, often transnational and sometimes protected by permissive states. The order responds with a more centralized federal posture built around disruption, coordination, intelligence sharing, prosecution, resilience, and international pressure.

That is directionally correct. Criminal ecosystems do not retreat because we publish better guidance. They retreat when the cost of doing business rises.

But then we arrive at software.

The critique of the old federal assurance regime is not entirely wrong. Compliance can become theater. Bureaucracies are very good at turning legitimate security goals into rituals of form collection and checkbox management. Some skepticism was warranted. OMB says as much explicitly, arguing the prior model became burdensome and prioritized compliance over genuine security investment.

Still, the failure of bad compliance is not proof that accountability itself was the problem.

That is where the logic breaks. The administration is clearly willing to believe that criminal actors respond to deterrence. It is willing to use prosecutions, sanctions, visa restrictions, and coordinated pressure downstream. But upstream, where insecure technology shapes the terrain those criminals exploit, the theory suddenly changes. There, we are told to trust discretion. Local judgment. Flexible, risk-based decisions.

Sometimes that is wisdom. Often it is just a more elegant way of saying no one wants a hard requirement.

This is also why my own position has not changed. In a post I wrote in 2024, I argued that the industry did not need softer expectations or another round of polite encouragement. It needed more concrete action and consequences strong enough to change incentives. The problem was never that we were demanding too much accountability. The problem was that insecure software remained too cheap to ship.

That is the deeper issue. Cybercrime at scale does not thrive only because criminals exist. It thrives because the environment rewards them. Weak identity systems, brittle software, sprawling dependency chains, poor visibility, and diffuse accountability all make predation cheaper. The people who ship avoidable risk rarely absorb the full cost of it. Everyone else does.

So these two policy moves, taken together, reveal something uncomfortable. The government seems to believe in consequences for cybercriminals, but not quite in consequences for insecure production. It wants deterrence for the scammer, but discretion for the supplier.

A coherent cyber strategy would do both. It would aggressively disrupt criminal networks and also create meaningful pressure for secure-by-design production and procurement. It would recognize that punishing attackers matters, but so does changing the terrain that keeps making attack profitable.

The administration is right about one thing: cybercrime will not shrink until the costs of predation rise.

The unanswered question is why that logic should stop at the edge of the scam center.

Brian Fox is the co-founder and CTO of Sonatype.

The post If consequences matter, they should apply to vendors, too appeared first on CyberScoop.

Senate Intel chair urges national cyber director to safeguard against open-source software threats

18 December 2025 at 11:46

Senate Intelligence Committee Chairman Tom Cotton is raising the spectre of foreign adversaries playing too heavy a role in open-source software, and asking the national cyber director to counter the risks.

The Arkansas Republican wrote to National Cyber Director Sean Cairncross Thursday, saying he was concerned about reports that “state-sponsored software developers and cyber espionage groups have started to exploit this communal environment, which assumes that contributors are benevolent, to insert malicious code into widely used open source codebases.”

Cotton cited last year’s alarms about a shadowy suspected nation-state hacker, Jia Tan, inserting a backdoor into a beta version of the compression utility XZ Utils. He also noted a Russia-based developer being the sole maintainer of a piece of open-source software (OSS) that’s in Defense Department software packages, and citations about Chinese tech companies Alibaba and Huawei being top OSS contributors.

“As the Office of the National Cyber Director holds responsibility for coordinating implementation of national cyber policy and government-wide cybersecurity, you are well-positioned to lead the U.S. government in addressing this cross-cutting vulnerability,” Cotton wrote. “I respectfully request that you take steps to build up the federal government’s capability to maintain awareness of provenance and foreign influence on OSS and track contributions from developers in adversary nations.”

Cotton’s letter adds to warnings from the Hill this year about the risks that Chinese involvement in open-source tech poses, following a letter from the House select committee on China on the subject to Biden-era Commerce Secretary Gina Raimondo. Legislation designed to improve open-source cybersecurity didn’t advance in the Senate after leading lawmakers introduced it in 2023.

The senator noted that open-source software is part of critical government and defense systems. Defense Secretary Pete Hegseth in July ordered the Pentagon’s chief information officer to take steps to guard against foreign influence in department technology.

“The DoD will not procure any hardware or software susceptible to adversarial foreign influence that presents risk to mission accomplishment and must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the Department,” he wrote.

At the same time, a Trump administration executive order this year puzzled experts by deleting language from a previous Biden administration executive order emphasizing the importance of open-source software.

The post Senate Intel chair urges national cyber director to safeguard against open-source software threats appeared first on CyberScoop.
