Cyber Briefing – May 22, 2026
TODAY’S TOP 5
DIRECTOR’S NOTE: Read here
HOW THE AI EXECUTIVE ORDER DIDN’T HAPPEN: Eleventh-hour phone calls with industry leaders and former AI and crypto czar David Sacks helped persuade President Donald Trump not to sign a highly anticipated executive order on artificial intelligence on Thursday, The Washington Post reports. The tech leaders who spoke with Trump, who included SpaceX CEO Elon Musk and Meta founder Mark Zuckerberg, warned that the administration’s new vetting system could inhibit development of a technology at the heart of the U.S. economy, according to three people familiar with the matter, who spoke on the condition of anonymity to describe the private conversations. Trump decided not to sign the order after the White House had already sent out invitations to the leaders of top tech companies to attend a signing ceremony scheduled for Thursday afternoon.
- Treasury Secretary Scott Bessent has privately expressed alarm about the slow pace of progress on AI policy, even before the White House again delayed an executive order on the subject, POLITICO reports. The drafting of the executive order has exposed tensions between Bessent, who has taken on an outsize role in the policy’s creation, and National Cyber Director Sean Cairncross, according to a senior White House official, another senior U.S. official and two other people familiar with the dynamics.
- The potential for artificial intelligence to spur economic growth, enhance social well-being, and improve national security has led to a global AI race. How can the U.S. find out if its AI abilities stack up? And what can the U.S. do to improve its standing in the AI competition? The Government Accountability Office created a framework that analysts can use to assess U.S. AI competitiveness, which could include comparing to other nations or analyzing the nation’s AI progress over time. The framework helps analysts identify policy options that policymakers could use to improve U.S. competitiveness in AI.
- Research and consultancy group Wood Mackenzie has warned that the power requirements of AI data centers are growing too fast for national grids to keep up, IT Pro reports. With grid transmission build-outs 5 to 10 years away, the firm said, projects, markets, and consumers are all at risk. While data center operators are pursuing colocated generation and flexible interconnection models, these projects face far greater technical, regulatory and economic hurdles than the industry understands.
- In 2023, U.S. data centers consumed an estimated 228 billion gallons of water: about 17 billion gallons drawn on-site, the figure that appears on a withdrawal permit, and 211 billion gallons (12 times the direct figure) consumed at the power plants generating their electricity. By 2030, the off-site share reaches 72% of total consumption. The water-energy interdependence is not new; what is new is the scale at which the system approving new facilities cannot see most of it, Zainab Ashkanani writes at Smart Water Magazine.
CISA CHIEF ON OPEN-SOURCE VULNERABILITIES, DELAYED SECURITY IMPROVEMENTS: Securing some of the open-source technology that serves as the backbone for all modern digital infrastructure is going to require some “hard decisions” amid a wave of malware attacks, the leader of the Cybersecurity and Infrastructure Security Agency said Thursday, CyberScoop reports. “The open-source community is one that I’m particularly worried about when we start to think about rapid escalation of vulnerability discovery,” acting director Nick Andersen said, referencing a cartoon about how key technologies that underpin the internet are often maintained by a single person. In one recent attack, a hacker hijacked an account of a single open-source project maintainer to publish malicious updates for axios, popular with software developers, raising the potential for attacks that could spread more widely. TeamPCP, a suspected North Korean hacking group, has been on a sweeping spree of open-source attacks.
- As AI accelerates the sophistication and scale of cyberattacks, Reps. Don Bacon (R-Neb.) and James Walkinshaw (D-Va.) said that Congress should prioritize restoring and expanding CISA’s capabilities to defend the nation’s critical infrastructure from foreign adversaries, MeriTalk reports. Speaking at the National Cyber Innovation Forum in Washington, the lawmakers argued that the federal government must move faster to strengthen domestic cyber defenses as AI lowers the barriers for increasingly sophisticated attacks.
- CISA is now letting security experts nominate vulnerabilities to the agency’s Known Exploited Vulnerabilities catalog, Cybersecurity Dive reports. CISA on Thursday published a form that technology vendors, independent researchers and anyone else can use to warn CISA that hackers are exploiting a vulnerability and it should be added to the KEV. “This new reporting capability enhances CISA’s ability to identify, validate, and quickly share critical threat information,” Chris Butera, CISA’s acting executive assistant director for cybersecurity, said in a statement. “Early detection and coordinated vulnerability disclosure are among the most powerful tools we have to reduce risk at scale.”
WATCH: House Science, Space and Technology Environment Subcommittee hearing on applying science to secure U.S. water systems from cyber threats
SLCGP PLEA TO LAWMAKERS: Several state technology officials on Thursday brought before a House Homeland Security subcommittee a request that Congress reauthorize funding for the expired State and Local Cybersecurity Grant Program and renew cybersecurity programs inside the Cybersecurity and Infrastructure Security Agency that have been decommissioned under the Trump administration, StateScoop reports. Led by Rep. Andy Ogles, a Republican from Tennessee who chairs the Subcommittee on Cybersecurity and Infrastructure Protection, and who introduced legislation approved by the House last year to reauthorize SLCGP grant funding, state officials said their organizations, and the local governments they assist, are facing cybersecurity challenges can be met far more readily with aid from the federal government. Colin Ahern, New York State’s director of security and intelligence, summarized the problem in his opening statement when he said that “our states are on the front lines of multiple cyber conflicts, yet we are being asked to manage nation-state risks while our federal partners step back.”
WHEN WAR HITS NUCLEAR INFRASTRUCTURE: An attack on a nuclear power plant in the United Arab Emirates has raised fears about the scope of Iran’s retaliation to a potential U.S. resumption of strikes, with experts highlighting the greater role Tehran-backed militias in Iraq are playing in the war, Bloomberg reports. The UAE said this week that a drone targeting its Barakah plant on Sunday was launched from Iraq, condemning it as a “terrorist” act. Anwar Gargash, a senior adviser to President Sheikh Mohamed Bin Zayed, blamed “Iranian militias in Iraq” for the incident, in a social media post. It’s “a grave indicator of the scale of the threat facing the region,” Gargash said. The incident forced the plant to activate backup power, one of the last lines of defense to maintain nuclear safety.
- Iran has discussed partnering with the Gulf state of Oman — an American ally — in a system charging fees for vessels passing through the Strait of Hormuz, ignoring the Trump administration’s warnings against demands for payment to pass through the critical international waterway, The New York Times reports. It is unclear whether anything concrete will come out of the discussions. But the talks appear to signal that the United States and Iran are no closer to ending a war that has badly damaged the global economy despite repeated claims to the contrary by President Trump. At least publicly, neither side has shown a willingness to compromise.
- As Iran braced for conflict with the U.S., a key regime financier built a secret payment network to keep money flowing to its military forces. At its core was Binance, The Wall Street Journal reports. Until as recently as December, the network, run by Babak Zanjani, an Iranian who is a self-described “antisanction” operator, made $850 million in transactions over two years on the world’s largest cryptocurrency exchange, mostly on a single trading account, internal Binance compliance reports show.
THE SPACE RACE DISPARITY WITH CHINA: The Mitchell Institute for Aerospace Studies released a new entry in its Policy Paper series authored by Col. Kyle Pumroy, USSF (Ret.), senior resident fellow for space studies at the Mitchell Institute Spacepower Advantage Center of Excellence. The United States and China are engaged in an enduring competition for leadership in space. China’s military-led space habitation and lunar ambitions have maintained a consistency of purpose with goals that execute on schedule. Their plans for manned lunar stations and control of lunar territory must be viewed as credible. In contrast, the U.S. human spaceflight and Moon programs have been marred by inconsistency in vision, policy and funding, allowing China to gain steady ground over time. This disparity, paired with China’s consistent use of belligerent force to assert territorial dominance, is concerning.
| OSINT YOU NEED TO START YOUR DAY: The Cyber Briefing is brought to you by the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University. SUBSCRIBE |
| WE WANT TO HEAR FROM YOU: What would you like to see in your morning briefing? Reach out to Executive Editor Bridget Johnson with your comments and suggestions |
CYBER FOCUS PODCAST
(Watch on YouTube or click the player above)
In the latest episode of Cyber Focus, Frank Cilluffo speaks with Walter Haydock, founder of StackAware, about the accountability, governance and national security challenges emerging as organizations rush to deploy artificial intelligence. Haydock argues that AI does not erase familiar cybersecurity and risk-management problems but accelerates them. From non-human identities and AI agents to third-party risk, federal regulation and the environmental demands of AI infrastructure, the conversation centers on a core question: Who is accountable when AI systems act, fail or cause harm? Rather than treating AI governance as a compliance checklist, Haydock makes the case for assigning clear ownership, focusing policy on outcomes and giving business leaders — not risk advisors alone — responsibility for the risks their organizations accept.
SUBSCRIBE TO CYBER FOCUS: YouTube | Spotify | Apple Podcasts
CYBER AND CI UPDATES
ATTACKS AND INCIDENTS
Biothreats
I survived Ebola. This is what scares me most about this outbreak
OPINION: As soon as I heard about the Ebola outbreak in the Democratic Republic of Congo, I knew it was going to be catastrophic. On Friday, the D.R.C. reported 246 suspected cases. Most Ebola outbreaks end before they get that big. The same day, reports emerged that someone had died of Ebola hundreds of miles away in Kampala, Uganda’s most populous city. Less than a week after it was first declared, this is already the third-largest Ebola outbreak in history. (NYTIMES.COM)
Cybercrime
U.S. and Canada arrest and charge suspected Kimwolf botnet admin
U.S. and Canadian authorities arrested and charged a Canadian man with operating the KimWolf distributed denial-of-service (DDoS) botnet, which infected nearly two million devices worldwide. 23-year-old Jacob Butler (also known online as “Dort”) was arrested by Canadian authorities in Ottawa on Wednesday pursuant to an extradition warrant. According to a criminal complaint unsealed on Thursday in the District of Alaska, Butler was taken into custody based on IP address and online account information, transaction records, and online messaging records that exposed his links to the KimWolf botnet. (BLEEPINGCOMPUTER.COM)
‘First VPN’ cybercrime service disrupted, administrator arrested
Authorities in North America and Europe have participated in a law enforcement operation to disrupt First VPN, a popular cybercrime service used for ransomware and other attacks. According to the FBI, First VPN has been active since 2014, providing 32 exit nodes across 27 countries at the time of its disruption. The service, advertised on Russian-language dark web cybercrime forums, has been used by at least 25 ransomware groups for network reconnaissance and intrusions. IP addresses associated with First VPN have been involved in scanning, botnets, DoS attacks, and hacking. (SECURITYWEEK.COM)
Health care
Hackers steal patient and billing data from German hospitals via third-party provider
German university hospitals are grappling with a large-scale patient data breach after unknown hackers targeted an external billing service provider used by medical centers across the country, according to statements from several affected medical institutions. The attack reportedly hit Unimed, a company that handles billing services for privately insured and self-paying patients on behalf of numerous German hospitals. Hospitals said the breach did not compromise their own clinical infrastructure or disrupt patient treatment. (THERECORD.MEDIA)
Transportation
Waymo expands pause to four cities as robotaxis keep driving into floods
Waymo has now paused service in four cities because its robotaxis are struggling to deal with heavy rain and flooded roads, a problem that already prompted the company to issue a recall last week. One of Waymo’s robotaxis was spotted driving through a flooded street in Atlanta, Georgia, on Wednesday before it ultimately got stuck for about an hour, according to local news reports. The vehicle was recovered and removed from the scene, Waymo told TechCrunch. Waymo says it paused service in the city, just like it has in San Antonio, Texas, while it figures out a solution. (TECHCRUNCH.COM)
MORE: Waymo halts freeway rides after robotaxis struggle in construction zones (TECHCRUNCH.COM)
WATCH: White House National Cyber Director Sean Cairncross, CISA Acting Director Nick Andersen and more top leaders at the recent McCrary Cyber Summit
THREATS
Artificial intelligence
Rapid7 warns AI-driven attacks are accelerating vulnerability exploitation
Rapid7 has released its Q1 2026 Threat Landscape Report, warning that AI-driven cyber attacks are dramatically accelerating vulnerability exploitation and shrinking the window organizations have to defend exposed systems. According to the report, vulnerability exploitation accounted for 38 per cent of managed detection and response incident response cases during the first quarter of 2026, overtaking social engineering at 24 per cent and compromised accounts at 14 per cent as the leading initial access vector. (CYBERDAILY.AU)
Authentication
Deleted Google API keys remain active up to 23 minutes, study finds
A new study conducted by the cybersecurity firm Aikido Security reveals that deleted Google API keys stay active and can continue authenticating successfully for up to 23 minutes after they are removed. The results were obtained after running 10 controlled trials over two days to measure the delay. During this timeframe, threat actors holding a leaked key retain full access to any enabled APIs on the project. This allows them to exfiltrate cached conversations and dump files uploaded to Gemini. They can also access BigQuery data and Maps APIs. (HACKREAD.COM)
Financial
Over 50% of API banking attacks happen in Asia-Pacific, report finds
According to the AI-Empowered Botnets and API Visibility: Attack Trends in Financial Services report, 52 per cent of all global distributed denial-of-service (DDoS) attacks occurred in the Asia-Pacific region, including Australia. DDoS attacks involve a malicious actor disrupting and overwhelming a service network, making tracking and detection efforts extremely difficult to manage. Targeting banks specifically, the report, led by Akamai, found that the banking sector in the region accounted for 92 per cent of “lower-level network attacks.” (CYBERDAILY.AU)
Supply chain
UK firms concerned about AI in the supply chain
UK insurer QBE out this week which revealed that 75% of UK businesses are worried about vendors and suppliers using AI. They’re already on high alert for possible supply chain incidents. QBE claimed that the share of respondents experiencing a “cyber event in the past 12 months” rose from 53% in 2025 to 59% in 2026. This year, over a fifth (22%) claimed that “all or most” of the attacks they suffered involved a supplier. However, despite their concerns, only 28% of AI-using businesses have taken steps to assess or audit their third-party suppliers’ AI systems, while just 35% have a formal AI usage or governance policy, QBE claimed. (INFOSECURITY-MAGAZINE.COM)
Vulnerabilities
Google accidentally exposed details of unfixed Chromium flaw
Google has accidentally leaked details about an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device. The flaw was reported by security researcher Lyra Rebane and acknowledged as valid in December 2022, as per the thread on Chromium Issue Tracker. An attacker could exploit the problem to create a malicious webpage with a Service Worker, such as a download task, that never terminates. Rebane says that this could allow an attacker to execute JavaScript code on the visitors’ devices. (BLEEPINGCOMPUTER.COM)
Max severity Cisco Secure Workload flaw gives Site Admin privileges
Cisco has released security updates to address a maximum-severity Secure Workload vulnerability that allows attackers to gain Site Admin privileges. Formerly known as Cisco Tetration, Cisco Secure Workload helps admins reduce their network’s attack surface through zero trust microsegmentation and stop lateral movement to keep business applications safe. Tracked as CVE-2026-20223, the security flaw was found in Secure Workload’s internal REST APIs, and it enables unauthenticated attackers to access resources with the privileges of the Site Admin role. (BLEEPINGCOMPUTER.COM)
Splunk patches multiple vulnerabilities enabling DoS attacks and data exposure
Splunk has released security updates to fix three newly disclosed vulnerabilities that could allow low-privileged users to access sensitive data or disrupt Splunk Enterprise deployments through denial-of-service (DoS) conditions. The patches address issues in both Splunk Enterprise and the Splunk Cloud Platform, as well as the Splunk AI Toolkit app. The flaws include improper access control, sensitive data exposure in logs, and unsafe handling of file paths that can be abused to break an instance. (GBHACKERS.COM)
TrendAI patches Apex One zero-day exploited in the wild
TrendAI, Trend Micro’s enterprise business, has informed customers that it has patched another Apex One vulnerability that has been exploited in the wild. The zero-day, tracked as CVE-2026-34926, is a medium-severity directory traversal issue that can be exploited by an unauthenticated local attacker to “modify a key table on the server to inject malicious code to deploy to agents on affected installations”. TrendAI noted that the attacker requires admin credentials to the server, and the attack only works against the on-premises version of Apex One. (SECURITYWEEK.COM)
Three-quarters of firms knowingly ship vulnerable code
Three-quarters of organizations have admitted to shipping vulnerable code, as AI risk proliferates in supply chains, according to two new studies out this week. Checkmarx published new data on May 21 showing that 75% of organizations often or sometimes deploy code they know is vulnerable. That’s down from a figure of 81% last year, but remains too high at a time when increasingly powerful AI models are enabling threat actors to find and exploit vulnerabilities with ever-greater efficiency. (INFOSECURITY-MAGAZINE.COM)

ADVERSARIES
China
Chinese APTs share Linux backdoor in Central Asia telco attacks
For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework. The malware is called “Showboat,” or “kworker.” Black Lotus Labs observed different clusters of Showboat activity against totally dissimilar targets — from an Internet service provider (ISP) in Afghanistan to an unknown IP in the disputed Donbas region of eastern Ukraine — suggesting that Chinese advanced persistent threats (APTs) are trading it around. At least one of those APTs is Calypso, according to PricewaterhouseCoopers (PwC). (DARKREADING.COM)
Russia
For Russia, AI and ‘traditional values’ are part of the same security logic
OPINION: Drawing on primary source material from Voennaya Misl’ (ENG: Military Thought), the Russian Defense Ministry’s flagship military journal, and tracing the doctrine’s origins to the Kremlin’s response to the 2011-2012 Bolotnaya protests, this piece argues that Russia’s “traditional values” campaign, sovereign internet architecture, AI restrictions, and external information operations are not separate policy domains. Rather, they are a coherent two-directional architecture: hardening domestic cognitive space against external penetration while eroding the common identity substrate of adversary societies. Western FIMI analysis correctly identifies the visible effects of Russian information operations but systematically underweights the deeper target, which is the shared values framework that enables collective action. This piece reframes the analytical problem and identifies implications for practitioners assessing Russian behavior in the information domain. (SMALLWARSJOURNAL.COM)
Sanctions toward Russia are not a strategy: Toward a more coherent statecraft
OPINION: Today, sanctions occupy a central place in U.S. foreign policy. They are both executive-driven and congressionally mandated. They are bipartisan. And they are durable, even sticky. In Washington, the use of sanctions has become a reflex: a default instrument deployed in response to aggression, corruption, cyber-attacks, human rights absuses, and broader geopolitical destabilization. Yet the case of Russia illustrates how sanctions do not constitute strategy. (JUSTSECURITY.ORG)

GOVERNMENT AND INDUSTRY
Artificial intelligence
After AI layoffs, Newsom orders state government to find ways to ease the pain
Amid tech layoffs, anxiety around artificial intelligence and a forthcoming run for president, Gov. Gavin Newsom signed an executive order that calls for state agencies to explore ways to mitigate job losses stemming from AI. The order, among other things, tells state agencies to explore severance policies, subsidized employment and other ways to help displaced workers. It also calls for a report on the impact of AI on the California labor market. In addition, it calls for the study of increased job training , stock compensation, cooperative business ownership for workers and how unions are negotiating over AI. (CALMATTERS.ORG)
Defense
Pentagon doubts over rare earths deal provoke White House clash
The Pentagon is weighing whether to scrap an $80 million conditional loan offer to rare-earths refiner ReElement Technologies Corp., touching off a clash with the White House over an agreement that was meant to help break China’s chokehold on critical minerals. The Pentagon’s Office of Strategic Capital announced the agreement with ReElement in November. Since then, officials vetting the company have raised doubts about its ability to scale its technology, as well as its long-term revenue forecasts, according to people familiar with the process. (BLOOMBERG.COM)
The Pentagon still cannot Manage cyber talent at scale. Here’s the fix
OPINION: The Department of Defense does not primarily have a cyber recruiting problem — it has a cyber talent management problem. The military already possesses serious qualification frameworks, scholarship programs, credentialing systems, and selection tools. What it still lacks is a system tying assessment, training, assignment, performance, and retention together across an entire cyber career. In March 2026, the department announced at its Cyber Workforce Summit 2.0 an effort to reinvent the cyber workforce. Called Cyber Command 2.0, this effort’s principal goal is improvement in talent management by focusing on identifying, recruiting, hiring, and retaining the right people. (WARONTHEROCKS.COM)
Inside Ukraine’s battlefield innovation loop
OPINION: In Ukraine, the end user’s requirements drive innovation, and any technology that reaches the battlefield is evaluated immediately under harsh conditions. In the Western world, on the other hand, the private market often dictates the direction of innovation. This means that a lot of Western technology can be far from emergent battlefield needs. It also means that certain technologies can’t keep up with the pace of change. Because of this, many technologies coming from abroad are not suited for use in Ukraine. It’s possible that some companies understand this and are hesitant to test in Ukraine because failure on the battlefield is very visible, especially while those companies continue selling in Western markets. “Tested in Ukraine” can mean a million different things, and there’s a risk that it has become a vague marketing label that encompasses a wide range of behaviors. (WARONTHEROCKS.COM)
Drones
Poland joins Pentagon’s counter-drone marketplace amid unexpected U.S. deployment cancellation
Even as the Army abruptly canceled a planned deployment to Poland earlier this year, the service is continuing to expand military cooperation with the country through the Pentagon’s counter-drone initiative, the Army announced on Wednesday. The service touts the program as a way to help Washington and its allies purchase defense technology faster, as the U.S.-managed marketplace connects partner nations with emerging technology in an attempt to speed up slow procurement systems that have often lagged behind ever-changing threats. (DEFENSENEWS.COM)
U.S. military’s Shahed-136 kamikaze drone clone is getting hivemind swarming capability
The U.S. military’s Low-Cost Uncrewed Combat Attack System, or LUCAS, the recently combat-proven long-range one-way attack drone designed for massed operations, will be equipped with Hivemind autonomy software from Shield AI. The company was selected for the integration effort by the Office of the Under Secretary of War for Research and Engineering (OUSW R&E) as part of an effort to bring AI-enabled swarming and autonomous teaming to LUCAS. The aim of incorporating swarming capabilities onto LUCAS, which is built by SpektreWorks, is something that officials told us about soon after the program broke cover. (TWZ.COM)
Energy
76% of Americans want stronger utility oversight
More than three-quarters – 76% – of Americans want elected officials to exercise stronger utility oversight, even though they appear to have little faith in those officials’ ability to prevent rising power bills, according to a new poll and report from consumer advocacy group PowerLines. PowerLines said only 29% of respondents said they trusted their state governments to protect their interests in dealings with utilities, down from 38% in a similar poll last year. Public sentiment is souring as U.S. utilities filed $9.4 billion in rate increase requests impacting 81 million people just in the first quarter of this year, according to PowerLines. (UTILITYDIVE.COM)
Quantum
Commerce announces $2 billion in quantum computing incentives for nine companies
The Department of Commerce signed letters of intent to distribute roughly $2 billion in federal funds to nine companies in an effort to accelerate their work related to quantum computing. The deals will also give the department a non-controlling stake in each company. The financial incentives come as part of the CHIPS and Science Act, a 2022 law focused on U.S. semiconductor production, and directly invest in manufacturing, research and innovation in microelectronics, per a Thursday release. The equity is a condition of the agreement meant to “enhance the return for the U.S. taxpayer.” (FEDSCOOP.COM)
Inside New Mexico’s push to build a quantum startup hub
New Mexico’s state government is rethinking its role in emerging technology by building a quantum startup hub aimed at driving innovation, creating jobs and positioning the state as a leader in the burgeoning industry. Last year, New Mexico lawmakers appropriated $25 million to establish a quantum startup hub as part of the state’s broader investment of more than $300 million in quantum technology and infrastructure. That larger effort, which combines state funding, federal partnerships, venture capital investment and startup support, is aimed at attracting research and development, creating an ecosystem of support for the tech. But most importantly, the initiative is helping state leaders imagine a broader vision for state government’s role in technology development — not just as a regulator, but as an active participant in innovation. (STATESCOOP.COM)
Regulations
UK plans for cybercrime law reform would protect almost no one, experts warn
The British government’s plans to overhaul the country’s main cybercrime law would offer such narrow legal protections that most security researchers would be left in the same position as today, multiple sources briefed on the proposals have told Recorded Future News. Plans to amend the Computer Misuse Act 1990 were announced in the King’s Speech last week following years of campaigning by industry to modernize a law they criticized for prohibiting ordinary cybersecurity activities. Last December, Security Minister Dan Jarvis pledged the government would introduce a statutory defense — a formal legal protection written into law — protecting researchers from conviction in court, “as long as they meet certain safeguards.” But sources briefed on the plans, which have not previously been reported, say those safeguards are extremely limited. (THERECORD.MEDIA)
Resilience
Sovereignty can’t be vibecoded: Why Europe must physically build to ensure resilience
OPINION: Across European Union policy circles, a decisive shift is underway. The language of globalization — efficiency, interconnected supply chains, frictionless markets — has given way to a new vocabulary: resilience, sovereignty, strategic autonomy. Budgets are being redirected, industrial strategies rewritten, and political consensus is emerging around the need for Europe not just to compete, but to withstand disruption and operate independently in times of crisis. This is not about reversing globalization or retreating from international cooperation; Europe’s strength lies in open markets and global partnerships. But resilience requires ensuring that critical capabilities can be sustained when those systems come under strain. (BREAKINGDEFENSE.COM)
Social media
Meta becomes latest to settle social media addiction case ahead of June bellwether trial
Meta has settled a federal lawsuit over social media addiction just weeks before the bellwether trial was slated to start in June, joining three other technology firms that settled earlier this month. Meta and attorneys for the Breathitt County, Ky., Board of Education, confirmed the settlement to The Hill on Thursday, resolving claims that the Facebook and Instagram parent company intentionally designed its platforms to keep kids engaged, prompting mental health issues. (THEHILL.COM)
Tech giants promise British regulator they will tweak platforms to protect kids online
Several major tech firms promised a British regulator they will make significant changes to their platforms to better protect children. The regulator, Ofcom, had required Roblox, Snapchat, Instagram, Facebook, YouTube and TikTok to answer questions about their efforts to remove harmful algorithms, check kids’ ages and protect them from sexual predators by the end of April. All of the companies, except for YouTube and TikTok, said they would commit to certain changes. (THERECORD.MEDIA)
Transportation
DOT considers taking humans out of the AI loop
The Department of Transportation is considering whether workers always need to be in the loop for AI workflows, according to one of the agency’s top technology leaders. Having a human in the loop — which means having a team member control whether an AI tool starts or stops an action — is a risk management strategy present across the federal government. But as AI agents creep closer to agencies’ tech stacks, the prevalence of the practice may lessen. The Federal Motor Carrier Safety Administration, for example, handles about 500,000 inspections a year, according to Ankur Saini, chief product and technology officer for several DOT units, including FMCSA. (FEDSCOOP.COM)
LEGISLATIVE UPDATES
Republicans call off vote on Iran war resolution that was on the verge of passing
Republicans struggled Thursday to find the votes to dismiss legislation that would compel President Donald Trump to withdraw from the war with Iran, delaying planned votes on the matter into June. The House had scheduled a vote on a war powers resolution, brought by Democrats, that would rein in Trump’s military campaign. But as it became clear that Republicans would not have the numbers to defeat the bill, GOP leaders declined to hold a vote on it. It was the latest sign of the slipping support in Congress for a war that Trump launched more than two months ago without congressional approval. (APNEWS.COM)
Key Army efforts pinned to lawmakers’ taste for a new reconciliation bill
The White House decision to seek about one-quarter of its gargantuan $1.5 trillion defense-spending request as reconciliation funding leaves some of the military’s top priorities—munitions, industrial-base upgrades—up to lawmakers’ appetite for another precedent-breaking budget maneuver. The Army, for example, is asking for $24.5 billion to fund purchases through DOD’s Munitions Acceleration Council, according to budget documents. The service is also asking for $206 million to expand and upgrade its own weapons factories—ten times the amount requested in last year’s reconciliation bill. “We have all of these incredible things that we’re trying to do and move forward, but acceleration is only as good as our counterparts on the Hill are able to push it forward as well, right?” Maj. Gen. Rebecca McElwain, the Army’s budget director, said Thursday during an Association of the United States Army event. (DEFENSEONE.COM)
House committee discusses modernizing the TSA as Trump seeks to privatize airport screening
A House committee on Wednesday expressed bipartisan support for ensuring Transportation Security Administration officers get paid during future government shutdowns and are equipped with the latest technology, discussing the agency’s future as the Trump administration lobbies to make airport screening a job for private contractors. Members of the House Committee on Homeland Security held a hearing on ways to modernize the TSA nearly 25 years after it was created in the wake of the Sept. 11 attacks. But the morale of TSA officers who went without pay during three funding lapses since Oct. 1, and whom the administration wants to replace at small U.S. airports, overshadowed the talk about better machines and reliable funding. (APNEWS.COM)
A mid-life crisis for Senate Intelligence?
OPINION: This week marks the 50th anniversary of the Senate’s adoption of Senate Resolution 400 of 1976 (S.Res. 400), creating the Senate Select Committee on Intelligence (SSCI). The SSCI has worked better than most committees in terms of passing legislation and retaining bipartisanship much of the time, but a 50th anniversary is an apt time to look at lessons learned and possible new directions. (JUSTSECURITY.ORG)
ALERTS AND ADVISORIES
‘First VPN Service’ used by ransomware actors to compromise systems
The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) and identified tactics, techniques, and procedures (TTPs) associated with the First VPN Service. The service has been active since approximately 2014 and currently provides 32 exit node servers in 27 countries. At least 25 ransomware groups, such as Avaddon Ransomware, have used First VPN Service infrastructure to perform network reconnaissance and intrusions. First VPN Service IP addresses have been used for scanning activity, botnets, denial of service attacks, scams, and hacking. First VPN Service was almost exclusively advertised in known criminal dark web forums such as Exploit[.]in and XSS[.]is, two of the most prominent Russian-language online forums which provide marketplaces for cyber criminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband. (IC3.GOV)
Kali365 phishing-as-a-service kit hijacks Microsoft 365 access tokens
The Federal Bureau of Investigation (FBI) is issuing this Public Service Announcement (PSA) to warn the public about an emerging Phishing1-as-a-Service2 (PhaaS) platform called Kali365, first seen in April 2026. Kali365 has primarily been distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication3 (MFA) protocols without intercepting the user’s credentials. Through the Kali365 platform subscription, cyber threat actors can capture “OAuth” tokens and gain persistent access to targeted individuals/entities’ Microsoft 365 environments. Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities. (IC3.GOV)
CISA adds two known exploited vulnerabilities to catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation: CVE-2025-34291 Langflow Origin Validation Error Vulnerability and CVE-2026-34926 Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. (CISA.GOV)
Events
TO BE INCLUDED IN THIS CALENDAR, SUBMIT YOUR SECURITY-FOCUSED EVENT FOR CONSIDERATION
SPACE: Join the Center for Strategic and International Studies (CSIS) Aerospace Security Project and Secure World Foundation (SWF) on May 22 for a discussion on the evolving space threat environment and the latest trends in global counterspace capabilities.
AI AND MENTAL HEALTH: AI is becoming a go-to source of mental health support for young people. But is it safe? In this May 27 Policy Lab, RAND’s Ryan McBain examines both the promise and the risks of this growing trend — and what it might take to ensure chatbots are safe for adolescents.
RUSSIA: For nearly two decades, U.S. strategy produced meaningful cooperation as Russia and the United States cooperated in outer space, counterterrorism and nuclear energy. While today is starkly different from the 1990s, what lessons can be learned from this period of cooperation? Once there is a fair peace in Ukraine and Russia atones for the damage it has done, will it be worth resuming cooperation? Join Rose Gottemoeller, a nonresident fellow in Carnegie’s Nuclear Policy Program and former deputy secretary general of NATO, for a May 27 conversation with Andrew S. Weiss, the James Family Chair and vice president for studies at the Carnegie Endowment, to explore how Gottemoeller tackles these questions in her new book “Security Through Cooperation.”
ELECTROTECH STACK: The most pressing danger may not be Chinese hardware but rather American policy paralysis: overcorrection that delays the technologies this buildout demands, or indecision that continues ceding strategic ground to Beijing. FDD and CMIST will host a May 28 discussion moderated by Harry Krejsa, director of studies at CMIST, featuring Phoebe Benich, non-resident fellow at CMIST; and Dr. Emma Stewart, non-resident fellow at CMIST and lead for Idaho National Laboratory’s Center for Securing Digital Energy Technology. RADM (Ret.) Mark Montgomery, senior director of FDD’s Center on Cyber and Technology Innovation (CCTI), will provide introductory remarks.
AI AND ENTERPRISE: Join AEI on June 3 to examine how businesses are shaping AI and transforming American enterprise. Experts from academia and business will examine these questions: What industries are changing most rapidly? Which are changing the future for others? And how are we preparing business leaders for future challenges?
CYBER FORCE: Join CSIS on June 3 for a discussion on the forthcoming report from the Commission on U.S. Cyber Force Generation, which examines how the United States can better build, organize, and sustain the cyber workforce needed to meet evolving national security demands. As cyber threats grow in scale and sophistication, the report assesses key challenges across the current ecosystem, including persistent talent shortages, fragmented institutional structures, and barriers to effective coordination between government and the private sector.
BIOTHREATS: On June 4, the Bipartisan Commission on Biodefense at the Atlantic Council will host its latest meeting, which will discuss how non-federal governments approach biodefense. State, local, tribal, and territorial governments serve on the front lines of biodefense. As the biological threat continues to grow, those officials who tackle this topic on a daily basis require reinforcement. This meeting of the commission will discuss the impacts of changes in federal support for state, local, tribal, and territorial biodefense activities, as well as the biodefense roles, responsibilities, and investments of non-federal governments. The discussion will also touch upon the personnel, policies, and programs needed to bolster preparedness for future biological threats.
FOLLOW THE McCRARY INSTITUTE ON LINKEDIN | X | BLUESKY
SUBSCRIBE TO THE CYBER FOCUS PODCAST: YOUTUBE | SPOTIFY | APPLE PODCASTS