Accenture announced Thursday it would acquire a majority stake in industrial cybersecurity firm Dragos for $3.25 billion and purchase two smaller security companies outright, essentially making a $4.18 billion bet that defending the IT networks of power grids, pipelines, factories and critical infrastructure sectors will become one of the defining challenges of the AI era.

The deals — which also include two Austin, Texas-based companies, runZero and NetRise —  represent a significant strategic pivot for Accenture toward operational technology (OT) security,  a segment of the cybersecurity market that has long been underfunded relative to traditional IT defenses. The announcement comes as the consulting giant faces pressure on its core business from the same AI tools reshaping the threat environment it is now moving to address.

Dragos, founded in 2016 by former intelligence specialists and based in Hanover, Maryland, has built what the industry regards as a leader detecting threats in OT environments. Its proprietary dataset of industrial threat intelligence has made it a trusted partner to critical infrastructure operators globally.

RunZero specializes in asset discovery and attack-surface intelligence — essentially mapping what is connected to a network and identifying where it is exposed. NetRise focuses on firmware-level visibility and software supply chain security, areas that have drawn increased scrutiny since high-profile incidents revealed how deeply embedded vulnerabilities can propagate through industrial device ecosystems.

Dragos co-founder and CEO Robert M. Lee will continue leading the combined entity, which will operate as an independent business under Accenture’s ownership. The CEOs of runZero and NetRise, HD Moore and Tom Pace, respectively, along with NetRise’s chief technology officer Michael Scott, will join Dragos as senior executives.

The acquisitions are not Accenture’s first move in OT security. The company acquired Cimation in 2015 and Revolutionary Security in 2020, along with several other OT-focused firms. 

Thursday’s deal, however, is of a different scale and ambition. Where previous acquisitions built out Accenture’s services capabilities, the addition of Dragos, runZero and NetRise moves the company firmly into OT cybersecurity software, a market it had not previously entered at scale.

Accenture and Dragos describe this expanding environment — which also encompasses Internet of Things devices, cloud-connected sensors and related IT infrastructure — as “xOT.” The concern is that as AI is integrated into industrial decision-making, the attack surface grows. At the same time, adversaries are using AI to shorten the window between compromising an IT network and pivoting to OT systems underneath it.

Despite that convergence, most cybersecurity budgets remain concentrated on traditional IT, leaving critical infrastructure comparatively exposed. The OT cybersecurity services market is estimated at roughly $7 billion in 2026. The broader OT cybersecurity market, which includes software, is estimated at $27 billion this year and projected to reach nearly $59 billion by 2031, growing at approximately 16% annually.

“Our energy and water systems, manufacturing plants, data centers and other operational environments need cybersecurity built from the ground up for xOT and designed to keep pace as threats evolve. The consequences of getting it wrong become societal threats,” Lee said in a release. “Organizations need solutions, not a patchwork of software and services. The addition of runZero and NetRise will allow the Dragos Platform to be a unique end-to-end platform for global defense, and Accenture will bring its decades of trusted relationships and deep expertise to help us scale and secure more critical infrastructure and physical operations globally.”

The transactions are expected to close in August or September, pending customary regulatory approvals.

The post Accenture shells out $4.18B on three companies in big industrial cybersecurity push appeared first on CyberScoop.

The Cybersecurity and Infrastructure Agency wants to fundamentally reevaluate how it prioritizes risks and vulnerabilities, both for privately-owned critical infrastructure and within the federal government, acting director Nick Andersen said Tuesday.

The plans include a binding operational directive for federal agencies set to be published Wednesday and getting more specific with critical infrastructure owners and operators about which assets they need to protect most and how, Andersen said while speaking at an event hosted by Axonius in Washington, D.C. and talking with reporters afterwards.

The binding operational directive looks to revise how federal agencies do vulnerability management, he said. “Overall, our approach to date has been ‘A patch is released, apply this patch as quickly as you can,’” he said.

“We’re really asking people to take more of a focus on risk associated with each vulnerability. Is it with an asset that is internet-exposed? Does it align to a KEV entry?” he said, referring to CISA’s list of known exploited vulnerabilities. “Is it automatable in its exploitation? Really, we need to be able to highlight that some patches just aren’t as important as others, and plugging the holes for some vulnerabilities is simply not as important as others.”

Andersen said he has made setting the right priorities the focus of his tenure.

“We have to be okay with saying there are some systems that are less important than others, there are some elements of critical infrastructure that are less important than others,” he said. “Those things are very easy for us to rationalize [for] physical crises, but we need to start wrapping our minds around how we’re going to do that during cyber crises.”

Andersen said artificial intelligence-enhanced threats have fueled the directive in part, based on “a recognition that we’re a different dynamic environment with the shorter timeline to weaponization and exploitation,” but the discussions on the directive have been going on for months, before the splashy announcements about frontier AI models and the risks they might deepen. Wednesday’s directive is unrelated to the AI-focused executive order released by the Trump administration last week.

The idea of prioritizing certain potential hacking targets over others isn’t a new one in critical infrastructure, with concepts like “Section 9” designations under a 2013 executive order for entities whom an attack upon could have catastrophic effects; “systemically important critical infrastructure” designations, as recommended by the Cyberspace Solarium Commission; or the creation of the National Risk Management Center established during President Donald Trump’s first term but now the subject of proposed budget cuts.

Andersen said past concepts haven’t worked well, citing Section 9 designations as an example.

“We would sit here and say, ‘Congratulations, you’re with this company, and you’re a Section 9 entity, isn’t that fantastic?’” he said. “That’s really not the level of fidelity that we have to be able to get to to have a real measurable conversation about risk. I need to be able to go to a company and say, ‘Here’s the specific function you’re supporting that makes you more critical. Let’s have a conversation about the specific assets that support that function, and how do we get to a measurable level of resilience for those assets?’”

Those discussions need to get down to a “fine grain,” Andersen said.

“If I’ve got a major bank that I’m talking to, is it as important to me that the bank’s process that supports the bulk payment system is resilient, or is it just as important to me that the branch location two blocks away is continuing to operate?” he said. “Those things just are apples and oranges, even though it’s the same entity that might be affected.”

CISA’s capabilities under the Trump administration have drawn considerable scrutiny, given deep budget cuts at the agency, with more planned. The administration is now making moves to hire back personnel.

Andersen said the agency is working to hire 329 people, and will have job offers out to 182 of them by the end of June. He said the emphasis of the first tranche of hires under the hiring sprint is operational capabilities, meaning areas like emergency communications, infrastructure security and regional personnel.

The agency also has had some of its work hampered by the government shutdowns, such as the delay in plans for town-hall meetings about implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require key owners and operators to report major incidents within 72 hours.

Andersen said he couldn’t set a date for finalization of regulations related to the law — which had already been delayed prior to any funding lapses — with those town halls now scheduled to begin next week.

“We could have a lot of comments that come to us and really radically change our way of thinking about what the need is here,” he said. “But our focus is just on what’s the original congressional intent behind CIRCIA. what is the greatest need that we’re going to be able to serve, and how it’s going to be able to further the mission that we have for the nation.”

The post CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector appeared first on CyberScoop.

Anthropic is broadening access to its Project Glasswing program, adding approximately 150 organizations in 15 countries, the company announced Tuesday, as its restricted Claude Mythos Preview model has already surfaced more than 10,000 high- or critical-severity software vulnerabilities since the program launched in early April.

The expansion follows an initial cohort of roughly 50 partners that were announced when Anthropic first unveiled the initiative. Those members included technology companies such as Amazon Web Services, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, among others.  

According to the announcement, the new group covers sectors that were underrepresented in the first wave, including power, water, healthcare, communications, and hardware. Many of the new partners are vendors whose codebases underpin critical infrastructure systems.

The company did not give any further details on what companies or organizations were part of the new cohort.  Sources tell CyberScoop that NetSkope and Rubrik, which specialize in cloud security and data management, is part of the group given access in this latest round.

The scale of what Mythos Preview has already found is drawing attention across the security industry. Cloudflare identified 2,000 bugs across its critical-path systems, including 400 rated high or critical, with a false-positive rate the company described as better than that of human testers. Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing the model, more than 10 times the number found in a previous Firefox version using an earlier Anthropic model. Several other partners reported that their rates of bug discovery increased more than tenfold after deploying the model. 

Anthropic also used Mythos to scan more than 1,000 open-source projects, flagging 23,019 potential vulnerabilities, 6,202 of them estimated as high or critical. Of 1,752 high- or critical-rated findings independently reviewed, over 90% were confirmed as valid. 

The findings have shifted what Anthropic describes as the central issue in cybersecurity. Despite the enhanced ability to discover flaws, the company admits there are challenges with verifying, disclosing, and patching them before attackers can take advantage.

“The bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them,” the company said in its blog post. 

That bottleneck has broader implications. A joint report from the Cloud Security Alliance, the SANS Institute, and OWASP concluded that organizations are “likely to be overwhelmed” in the near term by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them.

Anthropic has said it will not release Mythos-class models to the general public, citing the absence of safeguards sufficient to prevent serious misuse. In the interim, it has released Claude Security, a product using its publicly available Claude Opus 4.8 model that has been used to patch more than 2,100 vulnerabilities in three weeks. 

The program’s expansion comes as the Trump administration signed a scaled-back executive order on AI security. The order, which was signed hours after Anthropic’s announcement, sets up a voluntary framework requiring AI developers to submit advanced models to a government review up 30 days before public release.

The post Anthropic expanding access to Project Glasswing appeared first on CyberScoop.

Two cybersecurity-focused members of Congress agreed Thursday that reductions to the Cybersecurity and Infrastructure Security Agency have done too much damage to an agency essential to defending civilian networks against foreign adversaries.

Rep. Don Bacon, R-Neb., and Rep. James Walkinshaw, D-Va., spoke during a panel at the National Cyber Innovation Forum. Despite representing different parties, and serving on different congressional committees, the two lawmakers offered closely aligned assessments of CISA’s role and the consequences of recent cuts.

Bacon, who is the chairman of the House Armed Services Subcommittee on Cyber, Information Technologies, and Innovation, framed the agency as central to protecting domestic networks. 

“What we really need is a strong CISA that helps protect our domestic networks, our energy grids and things like that,” he said, before adding that “unfortunately” the administration had moved in the opposite direction over the past year. 

He said officials had not appreciated the agency’s defensive value, telling the audience he did not think they recognized the “one-for-one output” CISA provides.

Walkinshaw, who is a member of the House Homeland Security Committee, echoed that view and tied it directly to the threat picture. 

Referring to Chinese-linked intrusion campaigns like Salt Typhoon, he said the United States is contending with adversaries “getting into critical infrastructure overseas and coming after big parts of our critical infrastructure industry here at home.” He said CISA’s information-sharing function and its relationships with utilities and local governments are part of what makes a centralized civilian defense workable.

Both lawmakers placed their concern in the context of a threat environment they described as escalating. Bacon ranked China as the leading cyber adversary to the United States, surpassing Russia, and said intrusions lay groundwork for further actions. “They’re in our energy grid,” he said. “On Day 1 of the war, they want to turn off our energy.” 

The case for a well-resourced CISA, the two lawmakers said, rests on the fact that most of the entities targeted by foreign actors cannot defend themselves on their own. Walkinshaw drew on his work during his time as a county supervisor in Fairfax County, Va., where he worked with Fairfax Water. He said that even as that utility was “one of the most sophisticated, well-funded water authorities in the country,” it struggled to keep pace with the volume and sophistication of attacks. Smaller utilities, towns and businesses, he said, have no realistic path to defending themselves against a nation-state.

Bacon agreed. He said small companies are “the heart of American innovation” but cannot be expected to stand up to adversaries operating with the resources of China, Russia, Iran or North Korea without federal support.

President Donald Trump’s fiscal 2027 budget would cut CISA by $707 million, according to a summary released last month, though a separate budget document points to a smaller reduction of $361 million. Either figure would leave the agency with slightly more than $2 billion in discretionary funding, down from the roughly $3 billion it had at the start of the administration.

It has been a turbulent time for CISA during the second Trump administration, in which the agency lost roughly a third of its personnel, shuttered entire divisions and operated without a Senate-confirmed director. Former officials, industry partners and lawmakers from both parties have described diminished coordination with state and local governments, weakened relationships with the private sector and growing concern about whether the agency retains the capacity to manage a major cyber crisis. 

In the model both lawmakers endorsed, they pushed for CISA to play more of a role after an intrusion, helping affected entities restore their networks while the FBI works to identify the source. Walkinshaw said advanced artificial intelligence expands the attack surface and makes that kind of centralized support more important.

 “The advanced AI technology means that more and smaller, maybe not as well-funded organizations across the globe, can launch sophisticated attacks,” he said, adding that the result is that “the defense” becomes “more complex.”

Looking ahead, Walkinshaw said restoring CISA’s capacity should be within reach of a divided Congress. 

“In terms of bipartisan areas of agreement here in Congress, restoring and expanding those capabilities and those partnerships right now should be a top priority,” he said.

The post Lawmakers from both parties say CISA cuts have gone too far appeared first on CyberScoop.

Agency issued guidance and calls on operators to build resilient OT environments capable of surviving extended isolation and cyber compromise.

The post CISA Launches ‘CI Fortify’ to Prepare Critical Infrastructure for Geopolitical Cyber Conflict appeared first on SecurityWeek.

The Cybersecurity and Infrastructure Security Agency is urging critical infrastructure owners and operators to plan for delivering essential services under emergency conditions – potentially for months at a time.

The federal government’s top cybersecurity agency warned that state-sponsored hackers, particularly two Chinese groups known as Salt Typhoon and Volt Typhoon, continue to threaten critical sectors like electricity, water, and internet. 

The agency is now working with the private sector to protect operational technology – the systems that control the heavy machinery and equipment that powers most critical infrastructure – from attacks that enter through business IT systems or third-party vendor products.

The initiative  — known as CI Fortify – will include CISA conducting targeted technical assessments of critical infrastructure entities and aims to create plans that “allow for safe operations for weeks to months while isolated” from IT networks and third-party tools, according to the agency’s website.

Nick Andersen, CISA’s acting director, told reporters that the goal is “service delivery [that] can still reach critical infrastructure after the asset owner has disconnected with IT and OT, disconnected from third party vendors and service provider connections and disconnected from third party telecommunications equipment.”

Over the past two years, wars in Ukraine, Gaza, Iran and elsewhere have seen water plants, power substations, data centers and other critical infrastructure targeted by kinetic or cyberattacks.

Andersen said the agency has already begun engaging with some companies to pilot the assessments and expects that work to ramp up considerably as CISA hires additional staff in the coming months.

He declined to name the entities involved in the pilot program, but said they will focus on organizations that support national security, defense, public health and safety and economic continuity. He added that CISA’s assessments will vary from sector to sector depending on their unique needs.

“Water isn’t necessarily designed to prioritize specific customer needs outside of recovery periods, while energy and transportation have more immediate tradeoffs for selecting one load or one set of cargo over another,” Andersen said as an example.

One pillar of CISA’s strategy is isolation: essentially turning off all third-party and business network connections to an OT network when facing an emergency or unknown vulnerability.

Organizations also need to develop an internal plan for what acceptable service levels look like under those conditions and reach understandings with their critical customers, like U.S. military installations and lifeline services.

The second pillar, recovery, involves best practices for organizations: backing up files, documenting systems and having manual backups for operations when normal computer systems are down.

In conversations with cybersecurity specialists who focus on critical infrastructure and operational technology, it is widely assumed that China is not the only nation to have broadly compromised Americans critical infrastructure. That hacking groups tied to other nations have almost surely noticed and exploited the same basic vulnerabilities and hygiene issues found by the Typhoons.

Agencies like the FBI and Federal Communications Commission have touted efforts to purge Chinese hackers and work voluntarily with telecoms to harden their network security. But U.S. national security officials and cybersecurity defenders have consistently said both Salt Typhoon and Volt Typhoon remain active threats to U.S. critical infrastructure.

The post CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict appeared first on CyberScoop.

Missile and drone attacks that took out cloud data centers in the Middle East underscored a critical vulnerability in the modern economy: reliance on digital infrastructure that sustains competitive advantage and operational continuity for corporations, nations, and militaries. 

The outages and downstream disruption were a preview of a new form of strategic and operational risk. Data centers have long been the backbone of the digital economy. What is changing is the scale of dependence as AI workloads dramatically increase the compute power required to run businesses, supply chains, and national security systems. 

Artificial intelligence has moved beyond business applications and into the core of warfare and national security. Last month, The New York Times reported that AI is “totally integrated” into the collection of intelligence and its use in strategic decision-making and military operations. Even if AI models are not directly firing weapons, AI-enabled analysis now plays a central role in how modern militaries gain visibility, find insights, and drive action.

That matters because it changes what should be considered critical infrastructure. If AI is a competitive advantage for companies and a battlefield advantage for warfighters, then the infrastructure that trains, hosts and runs AI becomes a high-value target. Attacks on the digital infrastructure organizations rely on can do more than inflict financial damage. They can slow decision-making, degrade logistics and reduce military effectiveness without ever engaging a conventional force.

Historically, nation-state campaigns targeting data centers and service providers focused on cyber intrusions for espionage or pre-positioning. What is different now is the emergence of physical attacks on digital infrastructure during active conflict. Russian military intelligence has been linked to campaigns aimed at digital infrastructure and managed services, often as part of a supply chain attack to compromise organizations at scale. Iran-aligned groups have repeatedly demonstrated willingness to target private sector entities to advance geopolitical goals. In many cases, the objective was access: steal data, implant persistence, map networks, and maintain a foothold that could be used later for espionage or disruption. 

What’s clearer now than ever before is that data centers and the AI workloads they support have become so vital to modern society, our adversaries will seek to degrade or destroy their efficacy as a tactic of both kinetic and cyber warfare.

We have already seen how quickly a digital incident can become real-world disruption. On March 11, reports surfaced of thousands of servers and endpoints wiped inside Stryker, a U.S.-based medical device manufacturer. A hacktivist group sympathetic to Iran, known as Handala, claimed responsibility. The incident reportedly halted Stryker’s global production after attackers accessed its Microsoft environment and issued a wipe command via Intune. Even without a single missile, the outcome looked like a strategic disruption: operations stopped and downstream customers felt it.

For business leaders, the imperative is clear: treat operational resilience as a board-level priority in the AI era.

In the world of corporate IT, cybersecurity prioritizes confidentiality: preventing theft of sensitive information. Resilience is a different discipline. It is the ability to sustain operations when systems are degraded, disrupted or actively under attack. For data centers and the businesses that depend on them, resilience comes down to preventing cascading failures and reducing the consequence when something inevitably goes wrong.

These developments carry an important implication for the private sector. Digital infrastructure is increasingly a strategic target, making resilience a core business priority rather than a narrow IT issue. For business leaders, the impact of data center disruption extends into multiple, often overlooked areas of cybersecurity risk.

For example, AI’s growth is colliding with a power wall in many regions where grid capacity cannot scale fast enough. That is driving facilities toward new power dependencies, including on-site generation through distributed energy and renewables, yielding more complex power management environments. This power infrastructure becomes a pressure point as interruptions to power supply or management systems can quickly force a data center offline. Russia has on several occasions demonstrated the ability to target and disrupt power generation and distribution in Ukraine in both 2015 and 2016.

Building management and automation systems, including HVAC and physical access controls, are another. These systems are essential to creating safe and supporting operational environments, but they typically have long capital depreciation cycles and inconsistent security safeguards. Frequently exposed to the Internet, and commonly misconfigured and not properly secured, they can become a pathway to outages by an attacker.

With an increasing density of computing infrastructure, thermal management has become a core environment control in data centers. As the industry adopts liquid cooling for dense AI loads, interference with cooling is no longer a niche technical issue. It is a risk vector that can cause downtime and potential equipment damage if breached by attackers.

Remote access creates another major exposure. Data centers rely on vendors, contractors, and systems integrators for maintenance, monitoring, and support, and each remote connection can become an entry point if it isn’t tightly controlled, centrally managed, and well secured. Adversaries often target these trusted access routes because they can be easier to compromise than a well-defended perimeter, allowing attackers to bypass standard controls and safeguards.

All of this has broader economic implications because data center disruption does not stay inside the technology sector. It cascades into the industries that keep society functioning and supply chains moving: hospitals, electric utilities, chemical production, food and beverage, oil and gas, and transportation. An extended outage becomes missed shipments, halted production, delayed care, safety concerns and lost trust.

What should leaders do now?

Start by defining resilience targets that match business reality: what must stay running, what can degrade, what cannot fail. Then invest in the controls that limit the impact of an incident. Segmentation between IT and OT assets should be non-negotiable. Remote access should be treated as a critical risk pathway with least privilege, strong authentication and continuous monitoring.

Manage facilities systems such as building management systems, power, and cooling controls as critical operational technology, with asset inventories, vulnerability management, logging, and incident response plans that anticipate disruption.

Finally, train to operate under degraded conditions. Tabletop exercises should include scenarios like loss of a cloud region, partial failure of a facility, or compromise of a management plane. Use these exercises to validate that the organization can maintain essential operations and recover quickly when disruptions occur. 

Policy is moving in this direction as well. Governments are increasingly treating data centers as critical infrastructure. Policies and frameworks such as the National Cybersecurity Strategy, CISA’s Secure by Design principles, and international standards like IEC 62443 all reflect a growing recognition that digital infrastructure is a national security issue. Companies that get ahead of this shift will not only reduce risk, they will build competitive advantage in a world where downtime can become a strategic weapon.

In the AI era, data centers are essential infrastructure for modern economies and national security. Their rising importance also makes them attractive targets in cyber and physical conflict. Protecting them is no longer just about safeguarding company operations, it is about protecting the systems society depends on every day. 

Grant Geyer is the chief strategy officer at Claroty.

The post Why data centers now belong on the critical infrastructure list appeared first on CyberScoop.

The growth of data centers — and adversaries’ targeting of them — left lawmakers at a hearing Wednesday contemplating whether the federal government has the right setup for defending them.

Some industry witnesses and experts at the hearing of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection testified that the answer might be to give data centers their own standalone designation as a critical infrastructure sector.

The question of how to secure data centers against cyber and physical attacks coincides with artificial intelligence fuelling a boom in the building of such facilities across the United States. Last month, Iranian drones targeted two Amazon data centers in response to the U.S.-Israel bombing campaign on Iran, and a third data center in Bahrain was struck as well.

“If a major data center is attacked, disrupted, or taken offline, the consequences can reach far beyond one company or one sector,” Rep. Andy Ogles, R-Tenn., said in prepared opening remarks. “Yet our current framework does not provide a clear, unified approach to data center security. It does not clearly answer which federal agency is responsible for understanding the risk, coordinating with industry, or leading the response when this infrastructure is targeted.”

Three providers account for 63 percent of the market share of data centers: Amazon Web Services, Microsoft Azure and Google Cloud Platform. 

The United Kingdom already has deemed data centers as a standalone critical infrastructure sector. Reps. Vince Fong, R-Calif., and LaMonica McIver, D-N.J., asked panel witnesses Wednesday about federal protection of them.

“Given the scrutiny that is required to make sure that those data centers are secure, there would be a benefit in having them work together as a unique coordinating council,” said Robert Mayer, senior vice president for cybersecurity and innovation at USTelecom, an industry group.

The Foundation for Defense of Democracies’ Mark Montgomery suggested a sector that combines data centers and cloud providers, given the overlap in ownership. The 2024 rewrite of a White House national security memo left some experts disappointed that it didn’t designate cloud computing as a critical infrastructure sector. 

Samuel Visner, chair of the board of directors of the Space Information Sharing and Analysis Center, said he agreed, given the role data centers are playing in the U.S. economy, military and other dependencies. “Finding a way to regard them as part of our critical infrastructure and protect them accordingly is sine qua non, absolutely necessary,” he said.

A fourth witness didn’t weigh in on the need for a separate critical infrastructure designation. But Scott Algeier, executive director of Information Technology Information Sharing and Analysis Center, said his organization had created a “special interest group” for data center providers.

“The data centers are integrated already into the critical infrastructure discussions,” he told the panel.

The post Congress, industry ponder government posture for protecting data centers appeared first on CyberScoop.

One day AI may be capable of creating malware that threatens critical infrastructure.

But that day was not earlier this month, when reports surfaced of a new piece of malware seemingly configured to search for and sabotage Israeli water infrastructure, according to industrial cybersecurity firm Dragos. 

The malware, called ZionSiphon, was first identified by AI cybersecurity firm Darktrace, which said it was designed to target operational technology and industrial control system environments. The code scans the internet for IP addresses tied to water treatment and desalination plants owned or operated in Israel, with the goal of compromising them to sabotage the levels of chlorine and poison water supplies.

Strings in the malware’s binary code included the names of different components of the Israeli water sector, as well as politically-themed messaging, such as “In support of our brothers in Iran, Palestine, and Yemen against Zionist aggression.”

But a technical lead malware analyst at Dragos, Jimmy Wyles, called the malware nothing more than “hype,” claiming it poses no threat to water plants in Israel or anywhere else. 

For instance, whoever wrote the malware appears to have little knowledge of how operational technology works at Israeli water plants.

“The code is broken and shows little to no knowledge of dam desalination or ICS protocols,” wrote Wylie.

The developers also appeared to use AI to generate significant portions of the code, leading to hallucinations and errors. All the Windows-based process names and directory paths designed to confirm that a target was related to water desalination were filled with “fictional and likely LLM generated guesses.” The configuration files purportedly designed to manipulate chlorine levels were also fake and likely created using AI. 

Darktrace’s analysis notes that the malware sample they tested appears to be dysfunctional, citing an incorrect configuration in the code’s country targeting functions.

But Wylie wrote that the malware still would have been harmless to water treatment plants even when correctly configured, because the rest of the code was so riddled with “logic errors and invalid assumptions” that it would have been inoperable.

Similar maturity and logic issues were found in the malware’s USB infection and self-destruction capabilities. Wylie said Dragos was withholding additional technical analysis of the flaws plaguing ZionSiphon because they’re “not in the business of fixing malware for adversaries.”

The episode highlights an ongoing dispute around how much attention defenders – particularly those who work with operational technology – should give to more novel threats like AI-enabled hacking, versus more established tactics, techniques and procedures that have been successfully wielded by foreign hacking groups.

Operational technology – the systems that control or manipulate the machinery used in water facilities, electrical power plants and other industrial sectors – differs substantially from information technology environments. That presents challenges for both cybersecurity defenders and malicious hackers who often lack the industry-specific knowledge or skillset to design effective exploits.

To wit, Dragos claims there are publicly less than 10 malware samples capable of threatening industrial control systems. ZionSiphon is not one of them.

Wylie was critical of the way threat intelligence companies and media outlets initially framed the danger posed by the malware, saying it was overblown and likely diverted water sector cybersecurity resources away from more tangible threats, like Volt Typhoon, the Chinese-backed hacking group that U.S. intelligence officials say has burrowed deep into American critical infrastructure.

“Those responsible for protecting water treatment facilities and other critical infrastructure have finite time and attention,” Wylie wrote. “Spending either on ZionSiphon means spending less on threat groups like [Volt Typhoon], which have a demonstrated history of intrusions into those environments and are a far more pressing concern.”

The post Dragos: Despite AI use, new malware targeting water plants is ‘hype’ appeared first on CyberScoop.

Our nation has entered a new fraud arms race fueled by AI.

With billions of dollars in fraud losses mounting in both the private and public sectors, it’s clear the old ways of deterring fraud aren’t working. That’s why we need a new playbook that starts with understanding how fraudsters operate, evolving our defenses, and shifting to a proactive posture that doesn’t just fight fraud but actively hunts it down. 

In the AI era, treating fraud as just a front-door problem won’t work. This moment requires industry, government, and consumers to work together, reduce silos, and share real-time intelligence. The goal is to move beyond reactive detection by understanding the lifecycle of a threat—from its formation to its spread—so we can intervene before it establishes a foothold.

For decades, fraud has been treated like a series of isolated incidents. This false assumption has underpinned nearly every past effort to crack down on it. Those efforts, while well-intentioned, have missed the mark. 

Now, in light of the Trump Administration’s Cyber Strategy for America and accompanying executive order, it’s critical to understand the modern fraud landscape and the central role that digital identity exploitation plays within it.

New research from Socure reveals just how dramatically the landscape is evolving. 

Fraud has become industrialized, with organized crime syndicates running operations that are global, systemic, automated, and powered by AI. No organization, service, or program is safe. Fraudsters target government programs, banks, fintech platforms, telecom companies, and more, blurring the lines between public sector fraud, financial crime, and cybercrime.

It used to be that fraud could be detected through the reuse of identity elements across multiple applications: the same email, device, phone number, or IP address used over and over. 

But the data is clear: these links are declining fast. Today’s sophisticated fraudsters are now engineering their attacks to avoid traditional fraud detection patterns. Our research demonstrates that emails will be completely unique within fraud populations as soon as 2027, so we won’t be able to rely on email to identify patterns.

Speed is another defining feature of modern identity fraud. Fraudsters use AI to create clean, durable, synthetic and stolen identities at scale. In one observed campaign, 24,148 synthetic identities were built and launched in under a month, with many attacks occurring within 48 hours. What once took weeks or even months can now be completed in days. 

The rapid rise of identity farms is another indicator of the industrialization of fraud. Identity farms are operated by crime rings to systematically create synthetic or stolen identities over time in order to closely resemble legitimate identities. Matured identities are used to open bank, credit, and money-movement accounts, siphon government benefits, launder funds, and more. These identity farms focus on durable identities that can bypass traditional verification controls.

So what should we do? Simply put, we must go on offense. 

This means treating identity as critical infrastructure and implementing strategies that track how identities were created before the moment of application; expanding signals monitoring to include elements like residential proxies, ISP behavior, and domain registration activity; evaluating velocity and orchestration in real-time; and treating continuous measurement, rapid model iteration, and cross-industry intelligence as core capabilities.

Additionally, given the rapid scaling of fraud, we need more analysis of the complete ecosystem, including dynamic factors like device information, digital footprints, and behavioral biometrics so organizations can effectively distinguish genuine humans from machines. Ultimately, this layered and interconnected approach makes it significantly harder for malicious actors to recreate or steal identities at scale.

Fraud is no longer a series of isolated acts. It is a coordinated, global enterprise built on the exploitation of identity. Until our efforts reflect this new reality, we will continue to fight an imminent and ongoing threat with outdated tools and fall further behind. 

Now is the time to make this strategic shift and finally put fraudsters on their heels. 

Mike Cook serves as head of fraud insights at Socure, the identity and risk platform for the AI age.

The post Don’t just fight fraud, hunt it appeared first on CyberScoop.

Cybercrime remains a booming business. 

Annual cybercrime losses amounted to almost $20.9 billion last year, reflecting a 26% increase from 2024, the FBI’s Internet Crime Complaint Center (IC3) said in its annual report Tuesday.

The comprehensive study exposes a worsening digital crime environment that is driving financial losses, with momentum moving in the wrong direction and compounding at an alarming rate. Annual cybercrime losses have jumped almost 400% from $4.2 billion in 2020, and cumulative losses in that five-year period surpassed $71.3 billion.

The FBI’s IC3, which formed as the country’s central hub for cybercrime reporting in 2000, is busier than ever. “We now average almost 3,000 complaints per day,” Jose Perez, the FBI’s operations director for its criminal and cyber branch, wrote in the report. 

The annual internet crime report highlights growing and sustaining trends. Yet, the scope of the study is limited and relies entirely on cybercrime incidents submitted to the FBI. 

The full impact of cybercrime remains murky, as an unknown number of victims suffer in the shadows and never report the crimes they endure.

The FBI received more than 1 million complaints last year, with victims aged over 60 reporting the largest amount of crimes that also resulted in the greatest amount of total losses by age group. Victims at least 60 years old filed 201,000 complaints with losses totaling nearly $7.75 billion, or about 37% of all cybercrime-related losses last year.

Investment-related fraud remained the largest component of cybercrime losses in 2025, reaching almost $8.65 billion. Business email compromise took the No. 2 spot with almost $3.05 billion in losses, followed by tech support scams at more than $2.1 billion. 

Cryptocurrency was the primary conduit for fraud linked to investment and tech support scams last year, while wire transfers composed the bulk of fraud resulting from business email compromise, according to the report.

Phishing was the most commonly reported type of cybercrime last year, followed by extortion, investment scams and personal data breaches. The FBI tallied losses amounting to $122.5 million from extortion and $32.3 million from ransomware last year.

The FBI also received more than 75,000 reports of sextortion last year, including more than 5,700 submissions that were referred to the National Center for Missing and Exploited Children.

The top five cyber threats reported to IC3 in 2025 included data breaches at 39%, ransomware at 36%, SIM swapping at 10%, malware at 9% and botnets at 7%. 

The FBI received more than 3,600 complaints reporting ransomware last year. The five most reported variants included Akira, Qilin, INC, BianLian and Play.

Each of the 16 critical infrastructure sectors reported ransomware attacks last year, and the most heavily targeted included health care, manufacturing, financial services, government and IT.

The IC3 primarily receives complaints from U.S. residents and businesses, but it also received complaints from more than 200 countries last year, which accounted for nearly $1.6 billion in total losses. 

While losses and the sheer amount of cybercrime continued to climb last year, “the FBI continues to disrupt and deter malicious cyber actors — and shift the cost from victims to our adversaries,” Perez wrote in the report.

“It has never been more important to be diligent with your cybersecurity, social media footprint, and electronic interactions,” he added. “Cyber threats and cyber-enabled crime will continue to evolve as the world embraces emerging technologies such as artificial intelligence.”

The post Cybercrime losses jumped 26% to $20.9 billion in 2025 appeared first on CyberScoop.

The Trump administration is plotting an interagency body to confront malign hackers, pilot programs to secure critical infrastructure across states and other steps tied to its freshly-released cyber strategy, National Cyber Director Sean Cairncross said Monday.

The “interagency cell” will bring together agencies like the Justice Department, the Department of State, the FBI and the Pentagon, which will make it clear that going on cyber offense isn’t just about attacking enemies in cyberspace, Cairncross said.

“Sure, that’s part of it, but that’s not all of it,” he said at an event hosted by USTelecom. It will include diplomatic efforts, arrests and more, he said. “As President Trump has made clear, he expects results, and he’s empowered the team under him to go get them.”

A series of pilot programs will be catered to specific critical infrastructure industries in specific states, such as water in Texas and beef in South Dakota, Cairncross said. Different sectors operate at more or less mature levels, he said.

“One of the things that we are working to do is to align those sectors and prioritize those sectors in a way that makes sense,” he said.

Cairncross said the administration wants to share information with industry better, and will be looking as well at revising regulations in some instances. One of those instances is the Securities and Exchange Commission’s 2023 incident disclosure rule, which drew some of the most vehement industry opposition under the Biden administration’s’ pursuit of cyber regulations. The idea is to make sure they “make sense for industry,” Cairncross said.

But the administration also will have things it seeks from the private sector. That will include bringing together CEOs and sending the message to them that “you need to dedicate some real resources,” he said.

Cairncross has spoken before about wanting to establish an academy to address education and training in a nation with persistent cybersecurity job openings, but there’s more attached to it, he said.

The effort, which Cairncross said the administration would release details on soon, will also include a foundry (which “will be able to scale with private capital new innovation, and deploy it more quickly”) and an accelerator (“so when there’s preceded financing on on projects to really ramp that up and be able to scale as well and overcome some of the procurement hurdles that are often based in in this space”).

Cairncross said at a second event Monday that another forthcoming step was a law enforcement pilot program to better share information with state and local governments.

“We’re looking for ways to streamline information sharing from the USG side,” Cairncross said at a Billington Cybersecurity event, using the acronym for “U.S. government.” “Often, ‘how’ we know things is extremely sensitive, ‘what’ we know is less so,” he said. The goal is “to figure out how to communicate that in a helpful, actionable way.”

Updated, 3/9/26: to include comments about law enforcement pilot program.

The post Sean Cairncross lays out what’s coming next for Trump’s cyber strategy appeared first on CyberScoop.

Flights canceled. Emergency rooms shut down. Centuries-old companies shuttered.

Ransomware and other similar cyberattacks have become so routine that even those serious human and economic consequences are often overlooked or easily forgotten.

This lack of focus is dangerous.

As former leaders of FBI and CISA cyber units, we’ve seen cybercrime ripple through communities – disrupting critical services, destroying jobs, and sometimes costing lives. Today’s ransomware numbers tell a stark story. The Department of Homeland Security reported more than 5,600 publicly-disclosed ransomware attacks worldwide in 2024, nearly half of them in the United States. The FBI found that ransomware incidents increased nearly nine percent year over year, with almost half targeting critical infrastructure. Attacks on these organizations pose the greatest threat to national security and public safety.

Despite this trend, we’re cautiously optimistic about the administration’s new National Cyber Strategy. It focuses on protecting critical infrastructure and stopping ransomware and cybercrime—threats it correctly elevates to top-tier national security threats.

But success requires sustained action across government and industry. Adversaries are evolving faster than defenses: ransomware attacks now average $2.73 million per incident, driving annual losses into the billions. Attackers have compressed their operations from weeks to hours, disabling Endpoint Detection and Response (EDR) tools and leaving defenders almost no time to stop an attack.

Basic cyber hygiene still matters. But it’s no longer sufficient. Attackers steal valid credentials, exploit known vulnerabilities, disable tools, and move laterally at machine speed, now accelerated by AI. They need a stunningly low level of technical expertise to do so, and AI tools are increasing the speed and scale of their actions.

Our defenses must keep pace with evolving threats. Protecting national security requires immediate action. Automating cyber threat information sharing offers clear benefits, but government agencies need significant structural and technological upgrades before they can effectively share data. This requires sustained investment and oversight.

The government does not have to do this alone. Industry and academia possess tools that could mean the difference between progress and revisiting this same conversation four, eight, or twelve years from now. Forums like CISA’s Joint Cyber Defense Collaborative (JCDC), the National Cyber Investigative Joint Task Force (NCIJTF), and NSA’s Cyber Collaboration Center (CCC) have demonstrated that information fusion and joint operational planning can work. But overlapping missions and unclear playbooks leave companies guessing what to share, when to share it, and with whom. These forums and underlying collaboration mechanisms must be resourced, deconflicted, and made predictable.

Despite the noble efforts of government agencies to share behind-the-scenes and interact with industry with one voice, the current structure remains fragile and dependent on personal relationships. We simply cannot afford this fragility or inefficiency, particularly in an era of constrained government cyber resources and escalating threats.

Effective protection of critical infrastructure requires focused collaboration. The administration’s strategy rightly emphasizes this, but narrowing this focus will not be easy. For years, the government has tried to cover sixteen sectors and hundreds of thousands of entities equally—an impossible task. Equal attention for all is unrealistic. Looking back, we wish we had prioritized more strategically during our time in government.

Prioritization is politically difficult, but operationally necessary. When everything is critical, nothing truly is. For the most important critical infrastructure, we must focus on resilience—ensuring systems can withstand attacks and recover quickly—rather than assuming we can prevent every breach.

The government can take concrete steps now to disrupt the ransomware ecosystem. Ransomware has cost American lives; designating certain ransomware actors and their enablers as Foreign Terrorist Organizations could unlock more powerful sanctions, diplomatic action, and intelligence operations. Sensible regulation holding cryptocurrency exchanges accountable for knowingly laundering ransomware proceeds could weaken criminal business models while strengthening legitimate digital asset markets in the U.S. and allied nations.

The technology and cybersecurity industry has responsibilities, as well. Industry must share actionable intelligence where legally permitted, pressure-test government programs with candid feedback, and support reauthorization of the Cybersecurity Information Sharing Act of 2015.

We all must do our part. Every day that passes without us confronting these critical questions is a gift to our adversaries. This will only be exacerbated by advancements in AI. We are hopeful that the release of this administration’s National Cyber Strategy will spark much-needed debate and decisions about the role of the government and industry in advancing our nation’s cybersecurity and resilience.

Cynthia Kaiser is senior vice president of Halcyon’s Ransomware Research Center. She was formerly Deputy Director of the FBI’s cyber division.

Matt Hartman serves as chief strategy officer at Merlin Group, where he is focused on identifying, accelerating, and scaling the delivery of transformative cyber technologies to the public sector and critical industries. Prior to this role, Matt spent the last five years serving as the senior career cybersecurity official at the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security.

The post We’ve seen ransomware cost American lives. Here’s what it will actually take to stop it. appeared first on CyberScoop.

President Donald Trump released his administration’s cyber strategy Friday, promoting offense operations in cyberspace, securing federal networks and critical infrastructure, streamlining regulations, leveraging emerging technologies and strengthening the cybersecurity workforce.

Trump also signed an executive order Friday directing agencies to take action to combat cybercrime and fraud.

A little more than half of the five pages of strategy text of the long-anticipated document is preamble, and two of its seven pages are title and ending pages. Administration officials have said the strategy is deliberately high-level, and the White House promised more detailed guidance in the future.

The strategy “calls for unprecedented coordination across government and the private sector to invest in the best technologies and continue world-class innovation, and to make the most of America’s cyber capabilities for both offensive and defensive missions,” the White House said in a statement accompanying its release.

Each of the six “pillars” of the strategy offer some prescriptions.

“Shaping adversary behavior” calls for using U.S. government offensive and defensive capabilities in cyberspace, as well as incentivizing the private sector to disrupt adversary networks.

It also says Trump will “counter the spread of the surveillance state and authoritarian technologies that monitor and repress citizens,” even as administration critics argue that his administration has fostered surveillance and repression against U.S. citizens.

The shortest pillar, “promote common sense regulation,” decries rules that are only “costly checklists.” The Biden administration expanded cyber regulations, spurring some industry resistance. But the Trump pillar does talk about addressing liability, a point of emphasis for the prior administration as well.

“Modernize and secure federal networks” talks about using concepts and technologies like post-quantum cryptography, artificial intelligence, zero-trust and lowering barriers for vendors to sell tech to the government to meet those goals.

To “secure critical infrastructure,” the strategy calls for fortifying not just owners and operators but also the supply chain, in part by focusing on U.S.-made rather than adversary-made products.

“We will deny our adversaries initial access, and in the event of an incident, we must be able to recover quickly,” the strategy reads. “We will galvanize the role of state, local, Tribal, and territorial authorities as a complement to— not a substitute for — our national cybersecurity efforts.” Some critics of the administration’s cybersecurity actions have contended that it has shifted the burden to state and local governments too much.

AI usage makes up the bulk of the pillar entitled “sustain superiority in critical and emerging technologies,” in addition to reflecting earlier parts of the strategy on the topics of quantum cryptography and privacy protection. That includes the protection of data centers, the subject of localized fights across the country over their location and resource costs.

The final pillar says the United States must “build talent and capability,” after a year of the administration cutting a significant number of cyber positions in the federal government. “We will eliminate roadblocks that prevent industry, academia, government, and the military from aligning incentives and building a highly skilled cyber workforce,” it states.

Some positive reviews rolled in about the strategy despite the late-Friday afternoon release, traditionally the time of week when an administration looks to publish news it hopes will garner little attention.

“As new and more sophisticated threats emerge, America needed a new national cyber strategy that captures the urgency of this moment,” USTelecom President and CEO Jonathan Spalter said in a news release. “The President’s strategy rightly recognizes that harnessing America’s unique mix of private-sector innovation with public-sector capacity is the best deterrence.”

Frank Cilluffo, Director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University, was struck by the focus on deterrence: “This unified strategy determining a direction on offensive and defensive cyber operations and collaboration couldn’t be more timely.”

The Business Software Alliance cheered the call for streamlining cyber regulations, in particular.

A number of cyber vendors took note of the passages on AI. “Redirecting resources from paperwork to AI-powered security capabilities is the only way to keep pace with modern threats and adversaries who operate at great speed,” said Bill Wright, global head of government affairs at Elastic. “This strategy appears to recognize that fundamental truth.”

Not all the reviews were flattering, however, including from the top Democrat on the House Homeland Security Committee, Bennie Thompson, who said the strategy’s “underachieving” was the only thing impressive about it.

“What little ‘substance’ does exist in this pamphlet is a mishmash of vague platitudes, a long catalogue of ‘we will’ statements that may or may not match the Administration’s current behavior, and, mercifully, an apparent extension of some Biden-era policies,” he said. “Completely lacking is even the most basic blueprint for how the Administration will go about achieving any of its cybersecurity goals — an objective possibly hamstrung by the hemorrhage in cyber talent across all Federal agencies since Trump took office.”

The executive order Trump signed Friday coincides with the release of the strategy but there’s little overlap between the subject matter; the strategy makes one mention of cybercrime.

The order directs the attorney general to prioritize prosecution of cybercrime and fraud, orders agencies to review tools that they could use to counter international criminal organizations and  gives the Department of Homeland Security marching orders to improve training, in addition to other steps, according to a fact sheet.

“President Trump is unleashing every available tool to stop foreign-backed criminal networks that exploit vulnerable Americans through cyber-enabled fraud and extortion,” the fact sheet states.

The post The long-awaited Trump cyber strategy has arrived appeared first on CyberScoop.