Senate Intel chair urges national cyber director to safeguard against open-source software threats

18 December 2025 at 11:46

Senate Intelligence Committee Chairman Tom Cotton is raising the spectre of foreign adversaries playing too heavy a role in open-source software, and asking the national cyber director to counter the risks.

The Arkansas Republican wrote to National Cyber Director Sean Cairncross Thursday, saying he was concerned about reports that “state-sponsored software developers and cyber espionage groups have started to exploit this communal environment, which assumes that contributors are benevolent, to insert malicious code into widely used open source codebases.”

Cotton cited last year’s alarms about a shadowy suspected nation-state hacker, Jia Tan, inserting a backdoor into a beta version of the compression utility XZ Utils. He also noted a Russia-based developer being the sole maintainer of a piece of open-source software (OSS) that’s in Defense Department software packages, and reports about Chinese tech companies Alibaba and Huawei being top OSS contributors.

“As the Office of the National Cyber Director holds responsibility for coordinating implementation of national cyber policy and government-wide cybersecurity, you are well-positioned to lead the U.S. government in addressing this cross-cutting vulnerability,” Cotton wrote. “I respectfully request that you take steps to build up the federal government’s capability to maintain awareness of provenance and foreign influence on OSS and track contributions from developers in adversary nations.”

Cotton’s letter adds to warnings from the Hill this year about the risks that Chinese involvement in open-source tech poses, following a letter from the House select committee on China on the subject to Biden-era Commerce Secretary Gina Raimondo. Legislation designed to improve open-source cybersecurity didn’t advance in the Senate after leading lawmakers introduced it in 2023.

The senator noted that open-source software is part of critical government and defense systems. Defense Secretary Pete Hegseth in July ordered the Pentagon’s chief information officer to take steps to guard against foreign influence in department technology.

“The DoD will not procure any hardware or software susceptible to adversarial foreign influence that presents risk to mission accomplishment and must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the Department,” he wrote.

At the same time, a Trump administration executive order this year puzzled experts by deleting language from a previous Biden administration executive order emphasizing the importance of open-source software.

The post Senate Intel chair urges national cyber director to safeguard against open-source software threats appeared first on CyberScoop.

Defense bill addresses secure phones, AI training, cyber troop mental health

8 December 2025 at 10:56

The Defense Department would require that senior leaders have secure mobile phones, that personnel would get cybersecurity training that includes a focus on artificial intelligence and that cyber troops would have access to mental health services under a compromise annual defense policy bill released over the weekend.

The deal between House and Senate negotiators on the fiscal 2026 National Defense Authorization Act (NDAA) is a massive piece of legislation that runs the gamut of the Pentagon, including a record-breaking $901 billion topline figure. It also has a grab bag of cybersecurity policy provisions. The House could take it up as soon as this week.

The legislation states that the secretary of defense “shall ensure” that wireless mobile phones the department provides to its senior leaders and others working on sensitive national security missions meet a list of cybersecurity requirements, such as data encryption. A Pentagon watchdog last week published long-awaited examinations of the Signalgate incident that enveloped Defense Secretary Pete Hegseth.

The bill directs the department to make sure that behavioral health specialists with proper security clearances are dispatched to United States Cyber Command and the Cyber Mission Force. It follows in the tradition of past provisions of defense policy bills to address the mental health needs of personnel there.

The department is told to revise mandatory training on cybersecurity for members of the Armed Forces and civilian employees “to include content related to the unique cybersecurity challenges posed by the use of artificial intelligence.”

There are plenty of other cybersecurity provisions contained in the bill.

It would set up barriers to splitting the leadership of Cyber Command and the National Security Agency by prohibiting any department funding from being used to “reduce or diminish the responsibilities, authorities or organizational oversight of the Commander of the United States Cyber Command.”

On behalf of defense contractors, the bill orders the department to “harmonize the cybersecurity requirements” across the department and reduce the number of cybersecurity requirements “that are unique to specific contracts.” That’s a focus of the forthcoming Trump administration cybersecurity strategy.

It also includes a statement of policy on the use of commercial spyware. It says the policy is to oppose the misuse of commercial spyware against groups such as journalists and human rights activists, to coordinate with allies to prevent the export of commercial spyware to those who are likely to misuse it, to “establish robust guardrails,” and to work with the private sector to counter abuse.

Such statements of policy don’t carry legal force but give a sense of lawmaker consensus and intentions.

The post Defense bill addresses secure phones, AI training, cyber troop mental health appeared first on CyberScoop.
