Cyber Briefing – May 20, 2026
TODAY’S TOP 5
TELECOMS UNITE IN NEW ISAC: Major U.S. telecommunications companies launched a new information sharing group on Tuesday in a bid to redouble their collective efforts to combat AI-powered cyberattacks, state-sponsored espionage and other increasing threats to communications networks. The Communications Cybersecurity Information Sharing and Analysis Center, or C2 ISAC, will give telecoms a private venue for exchanging sensitive information such as newly discovered vulnerabilities and tips about threat actor behavior. The eight founding members are AT&T, Charter, Comcast, Cox, Lumen, T-Mobile, Verizon and Zayo. Their chief information security officers will sit on the C2 ISAC’s board, while Valerie Moon, a former top official at the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI’s Cyber Division, will serve as the group’s executive director. “The main driver for us is our recognition that the threat environment has evolved, and we as a sector and private entities need to evolve and really keep up with the pace and velocity [at which] that’s happening,” Mark Clancy, T-Mobile’s chief security officer and a C2 ISAC board member, told Cybersecurity Dive in an interview.
- An attack exploiting a previously unknown vulnerability in Huawei enterprise router software caused a nationwide telecoms outage in Luxembourg last year, according to multiple sources briefed on the matter, disrupting mobile, landline and emergency communications for more than three hours, The Record reports. The vulnerability has never been publicly disclosed. No CVE identifier — used by cybersecurity professionals worldwide to track software flaws and protect their systems — has been filed in any public database in the 10 months since the incident, and no public warning has been issued to other operators running the same equipment.
- What if the next decisive intelligence advantage isn’t a recruited insider but a nation’s ability to model entire societies from its digital exhaust? Salt Typhoon’s multi-year cyber campaigns against U.S. telecommunications networks and critical infrastructure demonstrate China’s unparalleled focus on data-centric espionage: collect widely, analyze fast and operationalize at scale — alongside continued investments in traditional intelligence disciplines. This approach reshapes how the United States has conventionally thought about intelligence advantage, Ashley Ruiz writes at War on the Rocks. It’s machine overmatch: intelligence advantage derived less from singular access and more from the ability to fuse data into actionable models faster than an adversary can respond.
GAO ASSESSES AGENCIES FOR CHINA EQUIPMENT RISK: A 2018 law generally prohibits executive agencies from procuring telecommunications and video surveillance equipment produced by certain companies, or their subsidiaries and affiliates, linked to the People’s Republic of China (referred to as “covered equipment”). Agencies are not prohibited from using covered equipment procured prior to this prohibition. Officials from four of six selected agencies — the Departments of Homeland Security, Justice, State and Treasury — told GAO they did not identify any covered equipment connected to their IT networks. The Departments of Defense (DoD) and Energy reported finding little covered equipment in recent searches and having efforts underway to address potential risks. For example, DoD officials identified three instances of covered equipment connected to its network and confirmed the devices have been blocked from external access while DoD acts to remove them. All six selected agencies have used a combination of methods to search for covered equipment since 2019. Each method has benefits and limitations. For example, IT network scans may not scan agencies’ entire IT networks, including classified networks.
- Officials at some of the selected agencies cited limited visibility into product supply chains as a challenge in identifying covered equipment, GAO reported. For example, one agency official noted that manufacturers were reluctant to share proprietary information about their supply chains, thereby limiting the agency’s ability to determine whether devices in its inventory contained components produced by covered entities. Some officials said the lack of comprehensive, authoritative information on companies’ subsidiaries and affiliates also posed a challenge. However, officials noted that such information would be accurate only at the time it was developed, because companies may change their names or acquire or divest subsidiaries and affiliates.
- Senators of both parties unveiled a bill aimed at countering Chinese sales of artificial intelligence tools overseas, according to a copy seen by Reuters. The legislation, sponsored by Democrat Jeanne Shaheen of New Hampshire and Republican Pete Ricketts of Nebraska, would create an office within the State Department to subsidize purchases by allied governments of American technology and streamline the procurement process. If passed, a fund worth $500 million would be created to help finance the program.
ALARM BELLS IN CONGRESS AFTER CISA EXPOSURE REPORT: Congressional Democrats want answers from the Cybersecurity and Infrastructure Security Agency about the reported public exposure of sensitive agency credential data on GitHub in an incident that the security researcher who discovered it called one of the worst leaks he’s ever seen, CyberScoop reports. Other security professionals also voiced concern Tuesday about the leak and the potential for abuse by any malicious parties who got a hold of the information. “My main fear … is that a state actor will get the data and might be able to do bad stuff,” GitGuardian security researcher Guillaume Valadon told CyberScoop that he thought to himself upon discovering the leak, after concluding it was real; he initially thought it looked fake.
- Sen. Maggie Hassan (D-N.H.) is requesting an “urgent” classified briefing from the acting director of the country’s top cyber agency after the leak of internal agency credentials was exposed, according to a letter first shared with Axios.
SUMMER GRID OUTLOOK: As electricity demand continues to rise and the resource mix changes, the North American grid is being called on to adapt in real time. NERC’s 2026 Summer Reliability Assessment finds that record resource additions have strengthened readiness for the summer season, even as elevated risks remain in some areas. All areas are projected to have adequate resources for normal summer conditions due in part to the large expansion of bulk power system resource additions, including a substantial influx of solar and battery and some new natural gas-fired generators over the past year. Despite the improved outlook, the assessment identifies ongoing challenges that could strain the grid this summer, NERC said. Accelerated demand, rapid growth of large loads, periods of low wind output and the overlap of early summer heat with maintenance outages may challenge reliability.
- The PJM Interconnection can curtail data centers and other large loads that have backup generation under an emergency order issued Monday by the U.S. Department of Energy, Utility Dive reports. PJM on Sunday asked to be able to direct transmission owners and electric utilities in its Mid-Atlantic and Midwest footprint for permission to curtail those facilities if needed for three days starting May 18 because of hot weather combined with planned power plant maintenance outages. PJM said it expected to have less than 5,800 MW of reserves during its May 18 peak, and that Maryland and Virginia could be especially stressed by the unseasonably hot weather.
- The Nordics, long seen as a magnet for data center investment thanks to their stable climate and abundance of renewable energy, are now weighing limits on the growth of the power-hungry facilities as surging energy demand forces a rethink, CNBC reports. At the center of the debate is Denmark, the first of the Nordics to confront the question head-on, as the formation of a new government and a spike in grid access requests have meant a pause on new projects.
- Data centers have traditionally depended on uninterruptible power supply systems and backup generators to keep them online during a power cut, grid event, or natural disaster. But the critical nature of modern AI workloads is such that there is no tolerance of downtime. Further measures must be in place to ensure energy continuity. For some, that may even mean setting up an adjacent power plant that can either entirely power the data center or can come online when needed, POWER reports.
A ROBOT HELD OFF THE RUSSIANS FOR SIX WEEKS: A single remote-controlled Ukrainian ground combat vehicle defended a “key intersection under constant adversary attack” for 45 days last summer, according to a 3rd Army Corps spokesperson who called it “Ukraine’s first fully robotic defensive operation of a position.” It likely won’t be the last, Defense One reports. The robot — a Droid TW 12.7 armed with a machine gun — and its operator, some 10 kilometers away, “disrupted every attempted breakthrough and prevented enemy infiltration,” with no loss of Ukrainian life, the spokesperson said in a recent interview. As the United States and other militaries work to catch up, Ukraine is putting remote-controlled air and ground systems to uses the world has never seen.utting remote-controlled air and ground systems to uses the world has never seen.
| OSINT YOU NEED TO START YOUR DAY: The Cyber Briefing is brought to you by the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University. SUBSCRIBE |
| WE WANT TO HEAR FROM YOU: What would you like to see in your morning briefing? Reach out to Executive Editor Bridget Johnson with your comments and suggestions |
CYBER FOCUS PODCAST
(Watch on YouTube or click the player above)
NEW: In the latest episode of Cyber Focus, Frank Cilluffo speaks with Walter Haydock, founder of StackAware, about the accountability, governance and national security challenges emerging as organizations rush to deploy artificial intelligence. Haydock argues that AI does not erase familiar cybersecurity and risk-management problems but accelerates them. From non-human identities and AI agents to third-party risk, federal regulation and the environmental demands of AI infrastructure, the conversation centers on a core question: Who is accountable when AI systems act, fail or cause harm? Rather than treating AI governance as a compliance checklist, Haydock makes the case for assigning clear ownership, focusing policy on outcomes and giving business leaders — not risk advisors alone — responsibility for the risks their organizations accept.
SUBSCRIBE TO CYBER FOCUS: YouTube | Spotify | Apple Podcasts
CYBER AND CI UPDATES
ATTACKS AND INCIDENTS
Biothreats
As Ebola spreads in Congo, Islamic State and rebels slow rescue efforts
In the two days since the World Health Organization declared the outbreak in the Democratic Republic of the Congo to be a global emergency, confirmed cases have passed 500, with at least 131 deaths, one of the largest recorded Ebola epidemics in the region, according to Congo’s health ministry. One hot spot for the virus—an Ebola strain called Bundibugyo that is fatal in up to 50% of cases, according to the U.S. Centers for Disease Control and Prevention — is also a battleground between Ugandan troops and Islamic State militants. The other focal point is a rebel-held city largely cut off from government resources. (WSJ.COM)
Breaches
GitHub confirms breach of 3,800 repos via malicious VSCode extension
GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension. The company has since removed the unnamed trojanized extension from the VS Code marketplace and has secured the compromised device. “Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” the company said. (BLEEPINGCOMPUTER.COM)
Aurora, Ill., investigating cyberattack that led to fraudulent payments from city accounts
The city of Aurora is actively investigating a cyber attack that resulted in fraudulent payments being made from city accounts, according to authorities. The incident has been confirmed by the Aurora city government, the Aurora Police Department and the FBI, the latter of which said it was aware of the situation but declined to say whether it is investigating due to U.S. Department of Justice policy. The city discovered the fraudulent activity on April 30, the day after it happened, according to Aurora Mayor John Laesch. (CHICAGO TRIBUNE VIA YAHOO.COM)
Dark web
B1ack’s Stash releases 4.6 million stolen credit cards for free
Through a forum post targeting the criminal underground, B1ack Stash recently declared the suspension of approximately 8 million stolen CVV2 records from its active inventory. The stated reason: sellers on the platform had been reselling cards purchased from B1ack’s Stash in competing shops, violating the marketplace’s internal rules. Rather than simply removing the affected cards, the operator/s behind the marketplace chose to release approximately 4.6 million of them as a free download, directing users to the marketplace’s Freebies section. The post also extended an olive branch to sellers deemed trustworthy, offering them a “second chance” through a support ticket system, and teased the upcoming launch of a new card database. (SOCRADAR.IO)
Financial
Banana RAT malware in fake invoices hits customers at 16 Brazilian banks
A new threat called Banana RAT malware is targeting banking customers in Brazil, using fake documents and tools to compromise devices and steal funds. Cybersecurity experts from TrendAI (formerly Trend Micro) found the operation and shared its details with Hackread.com. The scam was still active when TrendAI experts began investigating. They collected data directly from the hackers’ live servers between 17 and 22 April 2026 to fully understand how the scam works. (HACKREAD.COM)
Maritime
A ship’s crew risked the Strait of Hormuz. They met with a hail of bullets
Before chancing the treacherous waters of the Strait of Hormuz, the all-Filipino crew of 23 had been stranded at anchor for more than a month in the Persian Gulf as the U.S. and Israel waged war against Iran. The crew members had huddled on the cargo ship’s bridge to cast a final vote: Should they risk the perilous six-hour journey, made treacherous by mines and Iranian attacks? Although the path was closed to most international traffic, there was no way out but through. Their worst fears came to pass: As the vessel navigated the Strait of Hormuz, it met with a hail of bullets that shattered windows and pockmarked it with dents. The crew scattered for cover, caught up in the ripple effects of a conflict in which they had no part. The gunfire appeared to come from small Iranian boats. (WASHINGTONPOST.COM)
Ransomware
ShinyHunters goes after cybersecurity firm warning victims not to pay ransoms
A cybersecurity company says the hacking gang ShinyHunters has tried to censor and cut off its communications after it urged the public to refuse to pay the group’s ransom demands. “They want you to forget past behavior that caused victims to stop taking them seriously,” warned Allison Nixon, chief research officer for cybersecurity vendor Unit 221B. “They are also flooding our email to make it more difficult for journalists to reach us.” Nixon posted the message on LinkedIn after ShinyHunters reached a new level of infamy earlier this month for hacking Canvas, an online educational system used by thousands of universities and schools in the U.S. (PCMAG.COM)
Trends
Verizon DBIR 2026: Vulnerability exploitation overtakes credential theft as top breach vector
Vulnerability exploitation was the most common access vector for data breaches in 2025, the latest installment of Verizon’s annual Data Breach Investigations Report (DBIR) shows. The number of analyzed security incidents has increased to 31,000. Of these, more than 22,000 were confirmed breaches, nearly double compared to last year’s 12,195 confirmed breaches. Approximately 31% of the breaches were the result of unpatched vulnerabilities being exploited. Credential abuse, which was the top entry point in last year’s DBIR, accounted for 13% of the breaches. (SECURITYWEEK.COM)
WATCH: White House National Cyber Director Sean Cairncross, CISA Acting Director Nick Andersen and more top leaders at the recent McCrary Cyber Summit
THREATS
Artificial intelligence
Agentic AI accelerates software builds and mobile app attacks
The frequency of cyber-attacks on customer-facing mobile apps has increased rapidly over the past few years, as AI reduces skill, time and cost barriers for threat actors, according to Digital.ai. The DevOps specialist collected telemetry from billions of application instances across clients in financial services, healthcare, automotive, telecommunications and other sectors to compile its 2026 Application Security Threat Report, published on May 19. It claimed that 87% of monitored apps faced attacks in 2026 – up from 55% in 2022. The increase over that time has mirrored the growth in AI model use since ChatGPT launched in November 2022, the firm said. (INFOSECURITY-MAGAZINE.COM)
Botnets
Void botnet leverages Ethereum for resilient C2
A newly identified botnet, named Void, is leveraging Ethereum smart contracts to build a resilient, hard-to-disrupt command-and-control (C2) infrastructure, marking a continued evolution in blockchain-enabled cybercrime. Discovered in March 2026 and advertised on a Russian-language cybercrime forum, Void Botnet follows closely behind the earlier Aeternum C2 campaign documented by Qrator Labs, but introduces notable differences in implementation and design. Unlike Aeternum, which used Polygon and was written in C++, Void Botnet is developed in Rust and relies on Ethereum blockchain smart contracts to deliver commands to infected systems. (GBHACKERS.COM)
Malware
Exposing Fox Tempest: A malware-signing service operation
Fox Tempest is a financially motivated threat actor that operates a malware-signing-as-a-service (MSaaS) used by other cybercriminals to more effectively distribute malicious code, including ransomware. The threat actor abuses Microsoft Artifact Signing to generate short-lived, fraudulent code-signing certificates to appear legitimately signed, allowing malware to evade security controls. Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. (MICROSOFT.COM)
DevilNFC malware traps Android users in NFC relay attacks
A newly identified Android malware family named DevilNFC is raising concern among cybersecurity researchers for its advanced use of kiosk mode to trap victims during NFC relay attacks. These malware families mark a significant evolution in NFC relay threats. Unlike earlier campaigns dominated by Chinese-speaking Malware-as-a-Service ecosystems, DevilNFC and NFCMultiPay are developed by independent regional threat actors. Analysis shows DevilNFC is linked to Spanish-speaking operators, while NFCMultiPay carries strong indicators of Brazilian Portuguese origin. This shift highlights how local cybercriminal groups are increasingly building their own tooling rather than relying on external platforms. (GBHACKERS.COM)
Resilience
Critical infrastructure: Rethinking facility hardening
Mission-critical facilities operate under a different standard. Utilities, data centers, transportation hubs, and water treatment facilities cannot afford blind spots or tolerate downtime. As security postures evolve, these sites should no longer rely on reactive security models built around passive recording and human monitoring alone. Facility hardening today means designing layered protection that detects earlier, responds faster, and automates intelligently, while operating within strict cybersecurity and network constraints. (CAMPUSSECURITYTODAY.COM)
Scams
Trapdoor Android ad fraud scheme hit 659 million daily bid requests using 455 apps
Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users. The activity, per HUMAN’s Satori Threat Intelligence and Research Team, encompassed 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, turning the infrastructure into a pipeline for multi-stage fraud. “Users unwittingly download a threat actor-owned app, often a utility-style app like a PDF viewer or device cleanup tool,” researchers Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell detailed in a report. (THEHACKERNEWS.COM)
Vulnerabilities
Patch bypass allows hackers to exploit prior flaw in SonicWall SSL-VPN
A threat group has successfully been exploiting a two-year-old vulnerability in SonicWall SSL-VPN appliances since February, despite the flaw being patched, according to a report released Tuesday by cybersecurity firm Reliaquest. The authentication bypass vulnerability, tracked as CVE-2024-12802, allows an attacker to bypass multifactor authentication (MFA) in SonicWall SSL-VPN appliances. Starting in February 2026, attackers were able to engage in brute force attacks using automated tools, which bypassed MFA without setting off any red flags or login alerts, according to Reliaquest researchers. (CYBERSECURITYDIVE.COM)
Windows zero-day barrage continues after Patch Tuesday
A security researcher with an apparent grudge against Microsoft has in recent days disclosed two more Windows zero-days and released a proof-of-concept exploit against a third vulnerability that Microsoft supposedly patched in 2020. That makes six flaws researcher “Nightmare Eclipse” has disclosed over the past six weeks, some of which attackers are already actively exploiting, and one that the Cybersecurity and Infrastructure Security Agency (CISA) has included in its catalog of known exploited vulnerabilities (KEV). (DARKREADING.COM)
Drupal to release urgent core security updates today, sites told to prepare
Drupal has issued an alert stating that it intends to release a “core security release” for all supported branches on May 20, 2026, from 5-9 p.m. UTC. “The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” the maintainers of the PHP-based content management system (CMS) said. “Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.” (THEHACKERNEWS.COM)
FreePBX security flaw lets attackers access user portals
A critical security vulnerability has been discovered in FreePBX, a widely used open-source PBX platform, allowing unauthenticated attackers to access user portals under certain conditions. The flaw, tracked as CVE-2026-46376, carries a CVSS v4 base score of 9.1 and affects the User Control Panel (UCP) via the “userman” module. According to an official advisory published on GitHub (GHSA-m55x-h47x-v3gx), the vulnerability stems from the use of hard-coded credentials during the UCP template setup process. (GBHACKERS.COM)
Max-severity flaw in ChromaDB for AI apps allows server hijacking
A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers. The flaw is tracked as CVE-2026-45829 and was reported to ChromaDB on February 17. It received the maximum severity score from HiddenLayer, the company that discovered it. ChromaDB is an open-source vector database and AI retrieval backend used in agentic AI and related applications. It enables retrieving semantically relevant documents during large-language model (LLM) inference. (BLEEPINGCOMPUTER.COM)
SEPPMail Secure E-Mail Gateway vulnerabilities enable RCE and mail traffic access
Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance. “These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network,” InfoGuard Labs researchers Dario Weiss, Manuel Feifel, and Olivier Becker said in a Monday report. (THEHACKERNEWS.COM)

ADVERSARIES
Collaboration
Xi and Putin hail partnership while signing pacts to deepen ties
Chinese President Xi Jinping and his Russian counterpart Vladimir Putin praised the strength of their relationship during talks in Beijing as both countries seek to reinforce bilateral ties in the shadow of wars in Ukraine and Iran. The two leaders signed a pact on deepening strategic cooperation on Wednesday before looking on as officials from both nations inked a series of other documents on topics ranging from trade and technology to railway construction. Putin said approximately 40 agreements had been reached during the visit, even as they didn’t mention a key gas pipeline project. (BLOOMBERG.COM)
Moscow and Beijing’s shadow war: How Russia and China are keeping Iran lethal
The ceasefire between the United States and Iran is barely holding. Pakistani mediators are still shuttling between capitals, fighting has flared in recent days, and President Trump is now sitting across from Xi Jinping in Beijing for a high-stakes summit covering trade, Iran, and Taiwan. Yet American intelligence has reached a different conclusion about what Beijing is actually doing: China is preparing to move man-portable air-defense systems, MANPADs, to Iran through third-country cutouts, according to CNN, which cited three sources familiar with recent intelligence assessments. The shipments would reach Tehran while Beijing holds itself out as the party that helped stop the war. (THECIPHERBRIEF.COM)
Iran
Early war goal was to install hard line former president as Iran’s leader
Days after Israeli strikes killed Iran’s supreme leader and other top officials in the opening salvos of the war, President Trump mused publicly that it would be best if “someone from within” Iran took over the country. It turns out that the United States and Israel went into the conflict with a particular and very surprising someone in mind: Mahmoud Ahmadinejad, the former Iranian president known for his hard-line, anti-Israel and anti-American views. But the audacious plan, developed by the Israelis and which Mr. Ahmadinejad had been consulted about, quickly went awry, according to the U.S. officials who were briefed on it. (NYTIMES.COM)
Russia
Russia launches unannounced nuclear exercise, including Belarusian launch sites
Russia launched its largest nuclear exercises in years on Tuesday, mobilizing nearly 65,000 troops, over 200 missile launchers, 140 aircraft, 73 surface vessels and 13 submarines, including eight strategic nuclear submarines, in a three-day drill that runs through Thursday. The Russian Defense Ministry announced the maneuvers without prior public notice on May 19, framing them as a rehearsal for “the preparation and use of nuclear forces in the event of a threat of aggression.” The exercises involve the Strategic Missile Forces, the Northern and Pacific Fleets, Long-Range Aviation Command, and units from the Leningrad and Central Military Districts, according to the ministry statement. Live launches of ballistic and cruise missiles at ranges inside Russia are planned as part of the drills. (DEFENSENEWS.COM)
Threat actors
Belarus-aligned FrostyNeighbor attacks Ukrainian government, again
ESET Research uncovered new activities from Belarus-aligned threat group FrostyNeighbor, targeting governmental organizations in Ukraine. FrostyNeighbor has been running continual cyberoperations, changing and updating its toolset regularly and updating its compromise chain and methods to evade detection — targeting victims located in Eastern Europe, according to ESET telemetry. The ultimate aim of the attacks is espionage. Since March 2026, ESET has detected new activities attributed to FrostyNeighbor that use links in malicious PDFs sent via spearphishing attachments. The compromise chain is the newest iteration observed to date, using a JavaScript version of PicassoLoader to deliver a Cobalt Strike payload. (ESET.COM)

GOVERNMENT AND INDUSTRY
Artificial intelligence
Appeals court skeptical Anthropic can block U.S. supply-risk label
A federal appeals court appeared skeptical of Anthropic’s bid to block the Pentagon from declaring that the company poses a supply-chain risk to US national security, a move that led to a ban on government use of its artificial intelligence technology. At a hearing Tuesday in Washington, two of the three judges on the panel peppered Anthropic’s attorney with questions about his claim that Defense Secretary Pete Hegseth made the declaration illegally in March, following a dispute over how the company’s Claude AI chatbot would be used by the military. (BLOOMBERG.COM)
USDA is using AI — but doesn’t have required controls to manage risks, watchdog finds
The Agriculture Department is using artificial intelligence to identify risks in the supply chain, estimate yearly corn and soybean yields and make recommendations during the permitting process. But the department doesn’t have all of the required cybersecurity and governance controls to keep that technology in check, according to an inspector general report released last week, which found that Agriculture doesn’t even have a generative AI policy at all. The department hasn’t fully implemented cyber and risk controls in its AI systems, as required by federal standards, because it has prioritized using AI over setting up controls for the technology. (NEXTGOV.COM)
Europe prepares to hunker down against bug finding AI models
The European Commission is defending its response to the advent of artificial intelligence models with strong cybersecurity bug dissecting capabilities while promising measures to protect the European Union from what many expect to be an imminent onslaught of AI-powered attacks. Two weeks after dozens of lawmakers demanded urgent action – including obtaining access to Anthropic’s hacking-capable Mythos model – commission Vice President Henna Virkkunen told the European Parliament the EU already has tools to handle the situation. (GOVINFOSECURITY.COM)
AI raises the bar on vulnerability awareness and secure-by-design software
With the advent of AI-powered vulnerability scanning tools, there is arguably no reason for technology firms to be unaware of bugs in their products, according to the European Union Agency for Cybersecurity’s (ENISA) chief cybersecurity officer. “Now, there is no reason anymore for any company to say, ‘I didn’t know about our glitch or our vulnerability in our application’ because you can actually, right now, see it and fix it,” said Hans de Vries, chief cybersecurity and operational officer at ENISA, speaking during the ESET World conference on 19 May. AI-powered vulnerability scanning technology has advanced rapidly in 2026, highlighted by the launch of new frontier models like Claude Mythos and OpenAI’s GPT5.5-Cyber and that can identify and fix software bugs at unprecedented speed and scale. (INFOSECURITY-MAGAZINE.COM)
Frustrated franchisee sues Pizza Hut over crappy kitchen AI
The back-of-house AI system that Pizza Hut has mandated its restaurants to adopt has been so poorly received by some franchisees, that one is suing the company for $100 million in losses tied to the technology. Put that in your crust and stuff it! Chaac Pizza Northeast, a franchisee with around 111 Pizza Hut locations in New York, New Jersey, Maryland, Washington DC, and Pennsylvania, filed a complaint in the Business Court of Texas earlier this month accusing the Hut of breaching its franchise agreement by mandating Chaac adopt restaurant management AI from Dragontail, a provider of AI-powered food delivery software. (THEREGISTER.COM)
The AI race isn’t real
OPINION: Start with the descriptive problems. The race metaphor implies a finish line, but AI competition has none. Military AI development is an ongoing accumulation of dangerous capabilities, with no fixed endpoint. The metaphor also gets the competitive dynamics backward. AI knowledge is leaky. It is rapidly copied, distilled, and reverse-engineered, and as a consequence, racing ahead often accelerates competitors rather than leaving them behind. And in the economic domain, the case for racing is weaker still. AI products show few of the network effects that would let a first mover maintain market dominance. (LAWFAREMEDIA.ORG)
Data
FBI seeks U.S.-wide access to license plate cameras, wants ‘data in near real time’
The Federal Bureau of Investigation announced plans to buy nationwide access to a network of license plate readers, saying it will award contracts to one or more vendors that can offer “near real time” information from cameras across the US. The proposed contract is for the FBI Directorate of Intelligence. “To evaluate and manage threats to personal safety, property, and law enforcement, the FBI requires professional service firms that can provide License Plate Readers (LPRs) for tracking subjects on roads and highways over the US and its territories,” the FBI said in a Request for Proposals (RFP) published on May 14. The FBI said the winning bidder or bidders “must provide law enforcement and/or commercial license plate reader data provided through the Contractor’s existing platform.” The system must cover 75 percent of locations, the FBI said. (ARSTECHNICA.COM)
Defense
‘Everybody is going underground’: CENTCOM head calls for new tech to hit buried targets
More money to counter drones and attack underground targets is necessary for future fights, the head of U.S. Central Command said on Thursday, as lawmakers praised and grilled the four-star admiral about the war in Iran. In his first House Armed Services Committee appearance since the Iran war began, Adm. Brad Cooper said the U.S. military has changed even in the past eight weeks, leaning on LUCAS drones as well as land-attack missiles and finding cheaper ways to fight off Iranian drones and other weapons. But when asked by Rep. John McGuire (R-Va.) what additional support was needed, the four-star admiral had a wish list ready. (DEFENSEONE.COM)
Army probes Apache transmission problem as service rushes to ditch older helicopters
A newly discovered problem with the Apache helicopter’s transmission is plaguing the Army’s fleet, just as funding woes have pushed the service to drastically cut flight hours and rapidly retire older variants of the combat helicopter, Defense One has learned. An Army investigation has indicated that “some AH-64E [improved drive system] main transmissions can experience an internal failure resulting in loss of accessory gearbox drive, which can result in loss of tail rotor thrust, electrical power, and hydraulics,” according to an April internal safety document reviewed by Defense One. “The root cause is still under investigation.” (DEFENSEONE.COM)
Elections
House members press Big AI CEOs on election protection steps
A bipartisan pair of House lawmakers is pressing the chief executives of seven leading artificial intelligence (AI) companies to explain how they plan to prevent political bias, misinformation, and inaccurate election-related information from influencing voters during the 2026 midterm elections. In a May 13 letter, Reps. Mike Lawler (R-N.Y.) and Josh Gottheimer (D-N.J.) said they want to work collaboratively with the companies to address the risks posed by AI systems that are increasingly being used by tens of millions of Americans to research candidates, ballot measures, and voting procedures. (MERITALK.COM)
Energy
How big can solar go? These 3 projects show us the gigascale future
Until recently, pacesetting solar projects were measured in the hundreds of megawatts. But panels keep getting cheaper, and developers keep getting better at installing them. As a result, power companies are undertaking projects that are bigger than anyone could have conceived five years ago. China has led the way on this with a series of installations that push past the gigawatt scale. Other countries aren’t far behind, including the U.S., though it hasn’t reached the gigawatt threshold yet. Giga-scale construction requires a whole new level of land access, workforce mobilization, and transmission planning. (CANARYMEDIA.COM)
Health care
HHS revamps HIPAA enforcement agency
The U.S. Department of Health and Human Services’ agency charged with health data breach investigations announced Monday that it will stand up a new office dedicated to pursuing cases of religious discrimination alleged by healthcare workers and patients, as well as a new unit focused on matters such as anti-Christian bias and anti-Semitism. The department will continue to enforce HIPAA privacy and security regulations, but the reality is that data breach-related work already has been a diminished priority under the Trump administration, some experts said. (HEALTHCAREINFOSECURITY.COM)
Leadership
Sandhoo named Space Development Agency director, PAE for missile warning and tracking
Gurpartap “GP” Sandhoo has officially been named as director of the Space Development Agency and the new portfolio acquisition executive for Space Force’s missile warning and tracking programs, the agency announced Tuesday. Previously SDA’s deputy director, Sandhoo has been leading the agency as acting director since September 2025, when Derek Tournear stepped down from the role. In the last few months, Sandhoo has overseen SDA begin the highly anticipated launch campaign of its foundational program — the Proliferated Warfighter Space Architecture (PWSA). (DEFENSESCOOP.COM)
Space
From space photography to mission readiness, NASA turns to AI to alleviate data influx
During a keynote address last week, Troy LeBlanc, chief information officer of the Johnson Space Center in Houston, illustrated how technology advancements have multiplied the agency’s data flow by focusing on some of NASA’s most recognizable outputs: photos. From pictures of the first moon landing to training photos to the latest captures of the four Artemis II astronauts landing safely back on earth, LeBlanc’s team at NASA stewards millions of images-of-record documenting humanity’s journey into space. As technology has advanced, so too have the number of photos and data associated with each image. (FEDSCOOP.COM)
LEGISLATIVE UPDATES
Senate advances resolution to end Iran war as GOP Sen. Bill Cassidy flips to support it
The Senate voted 50-47 on Tuesday to move forward with a resolution to force President Donald Trump to end the war in Iran, a breakthrough for the Democratic-led effort. Sen. Bill Cassidy, R-La., who just lost his primary for renomination over the weekend after he faced opposition from Trump, voted “yes” to advance the measure, the first time he has done so after having repeatedly voted “no.” “While I support the administration’s efforts to dismantle Iran’s nuclear program, the White House and Pentagon have left Congress in the dark on Operation Epic Fury,” Cassidy said in a statement. (NBCNEWS.COM)
Kids digital safety concerns collide with prediction market debate
The growing popularity of prediction markets has caught the attention of kids online safety advocates in Congress and gambling researchers, putting pressure on the industry to explain what they are doing to prevent minors and those younger than 21 from using their platforms. The scrutiny from Congress largely comes from a contingent of lawmakers who have long focused on kids’ digital safety, for which efforts have largely targeted the addictive nature of social media platforms and artificial intelligence chatbots. (THEHILL.COM)
Senate lawmakers renew military right to repair push
A bipartisan group of lawmakers is renewing their efforts to give service members the ability to fix their own equipment after popular “right to repair” provisions were stripped from the 2026 defense policy bill following strong industry pushback. In a letter to the leaders of the Senate and House Armed Services committees, Sens. Elizabeth Warren (D-Mass.) and Tim Sheehy (R-Mont.) urged lawmakers to pass the Warrior Right to Repair Act through the 2027 National Defense Authorization Act, a measure that would require contractors to provide the technical data and materials the military needs to maintain its own equipment. (FEDERALNEWSNETWORK.COM)
COMMITTEE ACTIVITY
TSA MODERNIZATION: The House Homeland Security Committee will hold a May 20 hearing on to hear industry perspectives on key security and travel reforms 25 years after 9/11.
SLTT CYBER: The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection will hold a May 21 hearing on state and local cybersecurity in the context of escalating threats, federal partnership and the resilience of America’s communities.
WATER: The House Science, Space and Technology Environment Subcommittee will hold a May 21 hearing on applying science to secure U.S. water systems from cyber threats.
ALERTS AND ADVISORIES
ShinyHunters: Cyber criminal group attacks learning management system
The Federal Bureau of Investigation (FBI) is providing this Public Service Announcement (PSA) to warn of potential future impacts related to a cyber-attack that affected an online Learning Management System (LMS), resulting in an interruption of service to educational institutions and students across the country. The LMS platform is now fully operational. ShinyHunters (SH) — which claimed the cyber-attack that caused the disruption—is a cyber criminal group specializing in large — scale data breaches and extortion. They target major companies across tech, finance, and retail, often stealing millions of customer records at once. (IC3.GOV)
CISA adds one known exploited vulnerability to catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation: CVE-2026-42897 Microsoft Exchange Server Cross-Site Scripting Vulnerability. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. (CISA.GOV)
Critical vulnerability affecting Cisco Catalyst SD-WAN
The Canadian Centre for Cyber Security (Cyber Centre) is aware of active exploitation of Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) devices. In response to the Cisco security advisory released on May 14, 2026, the Cyber Centre issued AV26-471 on May 14, 2026. Tracked as CVE-2026-20182, this vulnerability is a critical Improper authentication vulnerability (CWE-287) affecting the peering authentication process of Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). (CYBER.GC.CA)
Events
TO BE INCLUDED IN THIS CALENDAR, SUBMIT YOUR SECURITY-FOCUSED EVENT FOR CONSIDERATION
SECURITY POLICY: Congressman Michael McCaul has been at the center of Congress’s foreign policy debates over the past two decades, first as chairman of the House Homeland Security Committee and later as the chairman of the House Foreign Affairs Committee. As Chairman Emeritus McCaul prepares to leave Congress and begin a new chapter of his service to the nation, please join Mariano-Florentino (Tino) Cuéllar, president of the Carnegie Endowment for International Peace, for a May 20 conversation with the congressman reflecting on his legacy on Capitol Hill, his views on the future of American global leadership, and the lessons that his career offers to the next generation of policymakers.
AI AND HEALTHCARE: As AI rapidly transforms healthcare, the ability to responsibly access, share, and scale health data has become a defining factor in U.S. competitiveness and national security. How can the U.S. unlock the value of health data while protecting privacy? On May 21, the Atlantic Council’s Cyber Statecraft Initiative will host a panel discussion at the Capitol Visitors’ Center on the future of health data and artificial intelligence (AI).
SPACE: Join the Center for Strategic and International Studies (CSIS) Aerospace Security Project and Secure World Foundation (SWF) on May 22 for a discussion on the evolving space threat environment and the latest trends in global counterspace capabilities.
AI AND MENTAL HEALTH: AI is becoming a go-to source of mental health support for young people. But is it safe? In this May 27 Policy Lab, RAND’s Ryan McBain examines both the promise and the risks of this growing trend — and what it might take to ensure chatbots are safe for adolescents.
RUSSIA: For nearly two decades, U.S. strategy produced meaningful cooperation as Russia and the United States cooperated in outer space, counterterrorism and nuclear energy. While today is starkly different from the 1990s, what lessons can be learned from this period of cooperation? Once there is a fair peace in Ukraine and Russia atones for the damage it has done, will it be worth resuming cooperation? Join Rose Gottemoeller, a nonresident fellow in Carnegie’s Nuclear Policy Program and former deputy secretary general of NATO, for a May 27 conversation with Andrew S. Weiss, the James Family Chair and vice president for studies at the Carnegie Endowment, to explore how Gottemoeller tackles these questions in her new book “Security Through Cooperation.”
ELECTROTECH STACK: The most pressing danger may not be Chinese hardware but rather American policy paralysis: overcorrection that delays the technologies this buildout demands, or indecision that continues ceding strategic ground to Beijing. FDD and CMIST will host a May 28 discussion moderated by Harry Krejsa, director of studies at CMIST, featuring Phoebe Benich, non-resident fellow at CMIST; and Dr. Emma Stewart, non-resident fellow at CMIST and lead for Idaho National Laboratory’s Center for Securing Digital Energy Technology. RADM (Ret.) Mark Montgomery, senior director of FDD’s Center on Cyber and Technology Innovation (CCTI), will provide introductory remarks.
AI AND ENTERPRISE: Join AEI on June 3 to examine how businesses are shaping AI and transforming American enterprise. Experts from academia and business will examine these questions: What industries are changing most rapidly? Which are changing the future for others? And how are we preparing business leaders for future challenges?
CYBER FORCE: Join CSIS on June 3 for a discussion on the forthcoming report from the Commission on U.S. Cyber Force Generation, which examines how the United States can better build, organize, and sustain the cyber workforce needed to meet evolving national security demands. As cyber threats grow in scale and sophistication, the report assesses key challenges across the current ecosystem, including persistent talent shortages, fragmented institutional structures, and barriers to effective coordination between government and the private sector.
BIOTHREATS: On June 4, the Bipartisan Commission on Biodefense at the Atlantic Council will host its latest meeting, which will discuss how non-federal governments approach biodefense. State, local, tribal, and territorial governments serve on the front lines of biodefense. As the biological threat continues to grow, those officials who tackle this topic on a daily basis require reinforcement. This meeting of the commission will discuss the impacts of changes in federal support for state, local, tribal, and territorial biodefense activities, as well as the biodefense roles, responsibilities, and investments of non-federal governments. The discussion will also touch upon the personnel, policies, and programs needed to bolster preparedness for future biological threats.
FOLLOW THE McCRARY INSTITUTE ON LINKEDIN | X | BLUESKY
SUBSCRIBE TO THE CYBER FOCUS PODCAST: YOUTUBE | SPOTIFY | APPLE PODCASTS