Cyber Briefing – May 7, 2026
TODAY’S TOP 5
AI GUARDRAILS BETWEEN THE U.S. AND CHINA?: Washington and Beijing are weighing the launch of official discussions about artificial intelligence, said people familiar with the matter, as their AI competition threatens to become the arms race of the digital era, The Wall Street Journal reports. The deliberation comes as the White House and the Chinese government are considering putting AI on the agenda for a summit next week in Beijing between President Trump and Chinese leader Xi Jinping. Establishing official discussions on AI would mark the start of U.S.-China engagement about the issue under the current Trump administration, reflecting a recognition that the rush to produce more powerful AI models could trigger a crisis neither government has the means to manage. The Biden administration started a dialogue with China, but it yielded limited results, and since then the risks have grown.
- National Economic Council Director Kevin Hassett said Wednesday the White House is considering an executive order that would require AI models to go through an evaluation process similar to that used by the Food and Drug Administration, The Hill reports. The potential order comes as the Trump administration is grappling with Mythos, a new advanced AI model from Anthropic that has raised widespread security concerns. “We’re studying possibly an executive order to give a clear roadmap to everybody about how this is going to go and how future AIs that also potentially create vulnerabilities should go through a process so that, you know, they’re released in the wild after they’ve been proven safe, just like an FDA drug,” Hassett said on Fox Business’ “Mornings with Maria.”
- The White House and the Pentagon are taking significantly different approaches to how — and whether — the federal government uses Anthropic’s artificial intelligence systems. As the White House warms up to the frontier AI company and the Pentagon digs its heels in against the firm, government employees and contractors are left in a bind. “For providers dependent on a specific model, this creates confusion,” an industry source operating inside federal agencies told The Hill. “Most are taking a dual-track approach to wait for clarity while preparing internally to transition from Anthropic to alternative models if needed.”
OFFENSIVE CYBER OPS AS COUNTERTERRORISM STRATEGY: Offensive cyber operations would be a part of a suite of counterterrorism responses aimed at groups deemed threats to U.S. interests, according to the Trump administration’s counterterrorism strategy that was released Wednesday, Nextgov/FCW reports. Counter-terror activities against state actors “include offensive cyber operations against those planning to kill Americans or who support those plotting to do so,” the strategy reads. The framework, more broadly, specifically lists narcoterrorists and transnational gangs, legacy Islamic terrorist groups and “violent left-wing extremists, including anarchists and anti-fascists” as the main entities threatening the nation.
- President Donald Trump’s new U.S. counterterrorism strategy sets eliminating drug cartels in the Western Hemisphere as the administration’s highest priority, the Associated Press reports. The document was released months after his administration published an updated national security strategy that called for the hemisphere to be the top U.S. focus. “We will not let cartels, Jihadists, or the governments who support them plot against our citizens with impunity. Terrorists of any kind will not be allowed to find safe harbor here at home or attack us from abroad,” Trump wrote in the 16-page document.
DRONE THREATS ARE EVOLVING, DATA RETENTION RULES ARE NOT: Congress has granted the Department of Defense counter-UAS authorities, most notably in 10 U.S.C. § 130i. That provision authorizes the Defense Department, notwithstanding any other applicable criminal statutes, to detect, identify, monitor, track and mitigate threats posed by UAS to covered facilities and assets located domestically. From the outset, these authorities were deliberately narrow and designed to operate alongside long-standing domestic surveillance and privacy protections. Over time, the practical operation of these authorities came to rely on limited retention of UAS-related data to support, among others, countermeasure evaluation and pattern recognition. However, subsequent amendments to § 130i, most recently in the National Defense Authorization Act (NDAA) for Fiscal Year 2026, have narrowed both the purposes and the duration for which the Department of Defense can retain certain lawfully acquired records of communications intercepted from UAS and data derived from them, including command-and-control links, telemetry and associated signal characteristics. Congress should revisit the statute to restore coherence between retention authority and operational reality without weakening the privacy protections that are especially important in the domestic context, Navy Commander Philip W. Rohlfing writes at Lawfare.
PENTAGON CYBER TRAINING AND CONTRACTOR SECURITY: The Pentagon plans to require service members to complete cybersecurity training once every three years, DefenseScoop has learned, a move that will scrap an annual mandate and is set to upend the Army’s recent shift to a five-year requirement. In a Sep. 30 memo, Defense Secretary Pete Hegseth directed the military to “restore mission focus” by reducing, consolidating or eliminating a slew of mandatory courses, such as cybersecurity training, that he said were distracting from the military’s core job of fighting wars. Hegseth did not specify by how much the services should “relax the mandatory frequency” of cybersecurity training, and by February, the Army issued its own directive that required soldiers to take the course once every five years instead of annually, DefenseScoop reported.
- A defense technology company with Department of Defense contracts exposed user records and military training materials through API endpoints that lacked meaningful authorization checks, according to an account published by Strix, an open-source autonomous security testing project. The issue affected Schemata, an AI-powered virtual training platform used in military and defense settings, CyberScoop reports. According to Strix, an ordinary low-privilege account was able to access data across multiple tenants, including user listings, organization records, course information, training metadata and direct links to documents hosted on the Schemata’s Amazon Web Services instances.
- Pentagon leaders say workers are using new agentic AI tools to compress weeks of work into hours. But the same tools are opening new frontiers of digital crime and changing the very nature of cybersecurity. The rollout of agentic tools on the department’s GenAI.mil platform since December has been a “tremendous success,” Emil Michael, defense undersecretary for research and engineering, told reporters at the Pentagon on Tuesday, Defense One reports. Michael said people were using the tools to do “the mundane part of their job” and take a “two-week task and compress it down to three hours.” The platform recently added Google’s Gemini and is looking for more such.
- The Islamic Republic of Iran has quietly become one of the world’s most aggressive adopters of artificial intelligence for warfare, deception, and repression. Tehran’s strategy is coherent and five-pronged, and the United States isn’t ready for it. Policymakers must contend with the hard truth that AI is now in the arsenal of every U.S. adversary — not unique to Iran but perfected there, Leah Siskind writes at FDD, detailing five ways Iran is exploiting AI in warfare.
AI-ASSISTED COMPROMISE OF A WATER UTILITY: Dragos is reporting an early real-world observation of an adversary using commercial AI tools to identify and prioritize operational technology (OT) infrastructure during an IT intrusion. In late February 2026, researchers at Gambit Security recovered a vast collection of materials related to a large-scale compromise of multiple Mexican government organizations that occurred between December 2025 and February 2026. Gambit brought Dragos into their investigation to specifically assess adversarial activity that took place during an intrusion into a municipal water and drainage utility in Monterrey, Mexico. During this analysis, Dragos identified a significant compromise of the utility’s enterprise IT environment, which showed an attempt to escalate the intrusion into an OT environment. Artifacts recovered from the adversary’s infrastructure associated with this intrusion showed that an unknown adversary extensively leveraged commercial AI tools to accelerate core intrusion activities, including reconnaissance, environment mapping, tool development, and intrusion planning.
| OSINT YOU NEED TO START YOUR DAY: The Cyber Briefing is brought to you by the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University. SUBSCRIBE |
| WE WANT TO HEAR FROM YOU: What would you like to see in your morning briefing? Reach out to Executive Editor Bridget Johnson with your comments and suggestions |
CYBER FOCUS PODCAST
(Watch on YouTube or click the player above)
Most people think secure messaging begins and ends with encryption. Signal CTO Ehren Kret says that is only part of the picture. On the latest episode of Cyber Focus, host Frank Cilluffo sits down with Kret to discuss what private communication really requires, from protecting message content to limiting what platforms can learn from metadata, identity, group membership and social graphs. Kret explains how Signal’s nonprofit model shapes its privacy-first design choices, why endpoint security remains a major challenge and how AI built into operating systems could create new risks for private communication. The conversation also explores post-quantum encryption, lawful access debates, phishing threats against messaging accounts and why the future of secure communication depends not only on better technology but on helping users understand what is and is not truly private.
SUBSCRIBE TO CYBER FOCUS: YouTube | Spotify | Apple Podcasts
CYBER AND CI UPDATES
ATTACKS AND INCIDENTS
Biothreats
Inside the global effort to figure out where Hantavirus will strike next
Ruhi Çenet, a YouTuber and travel blogger, was on the MV Hondius cruise ship when the captain announced that someone on board had died. “We’re not infectious,” a ship official said in a video Çenet posted on social media. “The ship is safe.” In the days afterward, people on board ate at buffets, mingled, stargazed and attended lectures. Passengers offered comfort and condolences to the widow of the person who had died. Nearly two weeks after the first passenger’s death, Çenet said, he and 20 to 30 other people disembarked in St. Helena, a tiny British territory in the Atlantic Ocean. The widow boarded a flight from the island in a wheelchair, he said. (WSJ.COM)
MORE: About 40 passengers previously left ship hit by Hantavirus outbreak at island of St. Helena (APNEWS.COM)
Critical infrastructure
Five years later: Lessons learned from Colonial Pipeline ransomware attack
OPINION: In May 2021, the largest refined petroleum pipeline in the US was brought down using a method that is still leveraged today: a single compromised credential on an old, unused VPN that lacked multifactor authentication. No sophisticated exploit. No nation-state tradecraft. One password, one unlocked door and than 5,500 miles of pipeline went dark. The incident, coming on the heels of the global pandemic, marked a turning point in public awareness of cyber attacks on the private sector. Five years later, the Colonial Pipeline ransomware attack remains the clearest blueprint for what a ransomware strike on critical infrastructure looks like. Colonial faced a business continuity crisis, a reputational crisis, a supply chain crisis, and a public safety event all at once. (INFOSECURITY-MAGAZINE.COM)
Cybercrime
Romanian man extradited to U.S. for role in hacking scheme 17 years ago
A Romanian national was recently extradited to the United States for his role in a cybercrime scheme carried out 17 years ago, the Justice Department announced this week. The suspect, 53-year-old Gavril Sandu, was arrested in Romania in January 2026 and was extradited to the US in late April. According to the DOJ, Sandu was indicted by a federal grand jury in 2017 on conspiracy to commit bank fraud and bank fraud. However, his alleged crimes took place even earlier, between May 2009 and October 2010. (SECURITYWEEK.COM)
Education
Instructure breach exposes schools’ vendor dependence
The breach of a leading educational technology provider has raised fears and concerns regarding possible downstream implications for schools, their staff, and their students. Instructure, which provides learning management system (LMS) software Canvas for K-12 and higher education clients, disclosed a data breach on May 1 in which a threat actor stole “certain identifying information of users at affected institutions,” the company said on its status page. This identifying information includes names, emails, student ID numbers, and messages shared among users. There is no evidence passwords, dates of birth, government identifiers, or financial information were stolen, according to the disclosure. (DARKREADING.COM)
Health care
Data breaches announced by four healthcare providers
Western Orthopaedics, an Englewood, Colorado-based healthcare provider with locations throughout Colorado, has disclosed a security incident that was first identified on October 2, 2025. Assisted by third-party cybersecurity experts, Western Orthopaedics confirmed unauthorized access to its network between September 17, 2025, and September 25, 2025, during which time files containing personal and protected health information may have been viewed or acquired. (HIPAAJOURNAL.COM)
Scams
Hawaii AG claims someone is impersonating the state’s CTO, a role that doesn’t exist
The Hawaii Department of the Attorney General last week warned the public about a man falsely claiming to be the state’s chief technology officer, both at national conferences and on online platforms. Toni Schwartz, a spokesperson for the Hawaii AG’s office, wrote in an email that someone attending the 2026 Bitcoin conference, a gathering of more than 30,000 attendees in Las Vegas last week, alerted the department that a man named Iqbal Khowaja was presenting himself as the “CTO of the State of Hawai’i.” (Scwartz declined to provide further details about the person who contacted the office, to “protect the integrity of the on-going review.”) (STATESCOOP.COM)
WATCH: White House National Cyber Director Sean Cairncross, CISA Acting Director Nick Andersen and more top leaders at the recent McCrary Cyber Summit
THREATS
Artificial intelligence
Poisoned truth: The quiet security threat inside enterprise AI
As enterprises rush to deploy internal LLMs, AI copilots, and autonomous agents, most security conversations focus on familiar threats: prompt injection, jailbreaks, model abuse, and data exfiltration. But some security leaders argue a quieter risk deserves far more attention: what happens when the model’s understanding of reality itself becomes corrupted. This problem is broadly described as AI data poisoning, though experts use different language depending on where the manipulation occurs. Sometimes it refers to maliciously altering training data so a model learns false information. Sometimes it means poisoning retrieval-augmented generation (RAG) pipelines or other contextual layers that enhance LLM outputs, internal knowledge bases, or agent memory. And sometimes the issue isn’t malicious at all, but the result of stale, conflicting, or low-quality enterprise data. (CSOONLINE.COM)
One command turns any open-source repo into an AI agent backdoor. OpenClaw proved no supply-chain scanner has a detection category for it
Just two months ago, researchers at the Data Intelligence Lab at the University of Hong Kong introduced CLI-Anything, a new state-of-the-art tool that analyzes any repo’s source code and generates a structured command line interface (CLI) that AI coding agents can operate with a single command. Claude Code, Codex, OpenClaw, Cursor, and GitHub Copilot CLI are all supported, and since its launch in March, CLI‑Anything has climbed to more than 30,000 GitHub stars. But the same mechanism that makes software agent-native opens the door to agent-level poisoning. The attack community is already discussing the implications on X and security forums, translating CLI-Anything’s architecture into offensive playbooks. (VENTUREBEAT.COM)
Dark web
Darkhub hacking-for-hire portal promotes crypto fraud and spyware services
A newly identified dark web platform, Darkhub, is advertising a wide range of hacking-for-hire services, including account compromise, surveillance, and financial manipulation. The service, accessible via the Tor network, presents itself as a centralized hub for offensive cyber capabilities targeting both individuals and organizations. Many similar services historically function as advance-fee scams rather than delivering real cyber intrusion services. (GBHACKERS.COM)
Identity
Most security pros say managing identity has become a major challenge
The vast majority of 3,200 cybersecurity and senior IT leaders surveyed by Keeper Security — 89% — are finding managing the growing identity footprint a major challenge. Based on responses from security pros across the United States, Europe, Asia-Pacific, and the Middle East, the survey released May 6 also found that 96% said that disconnected and poorly integrated security tools have created exploitable gaps for organizations. Another telling stat: 72% of organizations said they don’t detect credential misuse in real-time, with most taking hours and in some cases, days or weeks, to identify unauthorized privileged access. (SCWORLD.COM)
IoT
Mirai-based xlabs_v1 botnet exploits ADB to hijack IoT devices for DDoS attacks
Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks. Hunt.io, which detailed the malware, said it made the discovery after identifying an exposed directory on a Netherlands-hosted server at the IP address “176.65.139[.]44” without requiring any authentication. The malware supports “21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP, capable of bypassing consumer-grade DDoS protection,” Hunt.io said. (THEHACKERNEWS.COM)
Malware
Malicious NuGet packages steal browser credentials, SSH keys and crypto wallets
Malicious NuGet packages are quietly stealing browser credentials, SSH keys, and cryptocurrency wallet data from developer machines and CI/CD infrastructure, with a particular focus on Chinese .NET ecosystems. The campaign blends legitimate-looking UI and infrastructure libraries with a heavily protected infostealer payload, making it hard for developers and traditional security tools to spot. Packages IR.DantUI, IR.OscarUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, and IR.iplus32 wrap real functional code but embed a .NET Reactor–protected infostealer. (GBHACKERS.COM)
Phishing
Researchers spot uptick in use of Vercel for phishing campaigns
Low-skilled threat actors are abusing legitimate generative AI (Gen AI) platforms in growing numbers to create highly convincing phishing campaigns, Cofense has warned. The security vendor said that it has observed a number of campaigns based around v0[.]dev, a powerful GenAI tool provided by web application development specialist Vercel. “This AI tool is the driving force behind the malicious sign-in pages created by attackers. With just a few text prompts v0[.]dev can create a fully functioning malicious site that completely resembles real-life brands,” it explained in an article published on 6 May. (INFOSECURITY-MAGAZINE.COM)
Hackers abuse Google ads for GoDaddy ManageWP login phishing
A phishing campaign delivered through Google sponsored search results is targeting credentials for ManageWP, GoDaddy’s platform for managing fleets of WordPress websites. The threat actor is using an adversary-in-the-middle (AitM) approach where the fake login page acts as a real-time proxy between the victim and the legitimate ManageWP service. ManageWP is a centralized remote administration platform for WordPress websites, enabling users to manage multiple sites from a single panel instead of logging into separate dashboards. Common users include web developers, web agencies managing client sites, and enterprises. (BLEEPINGCOMPUTER.COM)
Ransomware
When ransomware hits, governors are calling the National Guard
OPINION: Minnesota called in its National Guard last month. Not because there was a flood, a fire, or even civil unrest. This time, Winona County needed support after a cyberattack. It was the second such attack the county had experienced in just three months. Gov. Tim Walz authorized the Minnesota National Guard’s cyber protection team to join the incident response efforts to “ensure continuity of municipal operations.” As cyberattacks continue to grow in frequency and scope, the need for cyber response capabilities grows, too. The National Guard’s cyber units, when trained and equipped effectively, are a necessary piece of U.S. cyber defenses. But not every state has one. (FDD.ORG)
Tactics
Scammers exploit disposable VoIP numbers to bypass reputation blocking
New tactics used by threat actors who embed phone numbers in scam emails as a key indicator of compromise (IOC), revealing how attackers exploit VoIP infrastructure to evade detection and scale fraud operations. Telephone-oriented attack delivery (TOAD) remains a dominant phishing technique, in which victims are lured to call attacker-controlled numbers rather than clicking malicious links. This shift allows scammers to manipulate targets in real time, often leading to credential theft or malware installation. (GBHACKERS.COM)
Vulnerabilities
vm2 Node.js library vulnerabilities enable sandbox escape and arbitrary code execution
A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems. vm2 is an open-source library used to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment. (THEHACKERNEWS.COM)
Redis security flaws expose servers to remote code execution risks
Redis has disclosed and patched five security vulnerabilities, including four rated High severity, that could allow authenticated attackers to achieve remote code execution (RCE) on affected Redis servers. The advisory, published May 5, 2026, by Redis Chief Information Security Officer Riaz Lakhani, covers CVE-2026-23479, CVE-2026-25243, CVE-2026-25588, CVE-2026-25589, and CVE-2026-23631. CVE-2026-23479 carries a CVSS score of 7.7 (High) and involves a use-after-free flaw in Redis’s unblock client flow. (GBHACKERS.COM)

ADVERSARIES
China
War and energy shortages boost China’s influence in Asia
As the war in Iran drags on, China has deepened its influence with fuel-starved neighbors, offering to ease shortages while pushing its renewable energy technology. In the days after the United States and Israel attacked Iran and the Strait of Hormuz was closed, China banned oil-product exports, squeezing Asian countries that rely on its refineries for jet fuel, gasoline and diesel. Across Asia, governments are petitioning Beijing to blunt the war’s impact. Unlike the rest of the region, China is dealing from a position of strength. It is the world’s largest importer of crude oil, but it has amassed huge reserves, spent decades reducing its dependence on foreign oil and poured hundreds of billions of dollars into clean energy technology. (NYTIMES.COM)
Iran
Muddying the tracks: The state-sponsored shadow behind Chaos ransomware
In early 2026, a sophisticated intrusion initially appearing to be a standard Chaos ransomware attack was assessed to be consistent with a targeted state-sponsored operation. While the threat actor operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, forensic analysis revealed the incident was a “false flag” masquerade. Technical artifacts, including a specific code-signing certificate and Command-and-Control (C2) infrastructure, suggest with moderate confidence that this activity is linked to MuddyWater (Seedworm), an Iranian Advanced Persistent Threat (APT) affiliated with the Ministry of Intelligence and Security (MOIS). The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers utilized interactive screen-sharing to harvest credentials and manipulate Multi-Factor Authentication (MFA). Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favor of data exfiltration and long-term persistence via remote management tools like DWAgent. (RAPID7.COM)
Iran has hit far more U.S. military assets than reported, satellite images show
Iranian airstrikes have damaged or destroyed at least 228 structures or pieces of equipment atU.S. military sites across the Middle East since the war began, hitting hangars, barracks,fuel depots, aircraft and key radar, communications and air defense equipment, according to a Washington Post analysis of satellite imagery. The amount of destruction is far larger than what has been publicly acknowledged by the U.S. government or previously reported. The threat of air attacks rendered some of the U.S. bases in the region too dangerous to staff at normal levels, and commanders moved most of the personnel from these sites out of the range of Iranian fire at the start of the war, officials have said. (WASHINGTONPOST.COM)
Taking a toll: How allowing Iran to charge for transit in the Strait of Hormuz could undermine U.S. strategy
OPINION: In April, Iran began charging ships transiting the Strait of Hormuz a “toll” for safe passage. By itself, this represents a dangerous new dynamic in the Middle East that may have begun with the Houthis in Yemen as early as 2024, wherein parties extort international commerce by imposing fees in exchange for safe transit as part of their war effort. Although some countries have agreed to pay Iran’s fees, many countries such as the United Kingdom as well as organizations, including one representing the majority of tanker firms, have condemned it. Iran’s latest proposal to control and charge ships for safe passage in the Strait of Hormuz as part of its ceasefire negotiations with the United States is far more dangerous, with global implications. (JUSTSECURITY.ORG)
Russia
Revealed: Russia’s top secret spy school teaching hacking and election meddling
Last April, Vladimir Putin visited the campus of Bauman Moscow state technical university, set on the banks of the Yauza River in the east of the city and home to some of the country’s brightest scientific minds. He toured the campus, met undergraduates and boasted about Moscow’s ambitious plans for space missions to the moon and Mars. “You have everything it takes to be competitive,” Putin told the students. What the Kremlin readout of Putin’s visit did not mention was a secret faculty inside the university, known simply as Department 4, or “Special Training.” Here, a select group of students are quietly prepared for careers in the GRU – Russia’s military intelligence directorate, whose operatives have hacked western parliaments, poisoned dissidents on foreign soil and interfered in elections across Europe and the U.S. (THEGUARDIAN.COM)

GOVERNMENT AND INDUSTRY
Artificial intelligence
What if AI didn’t need to touch government data at all?
When government works with AI, one of the fundamental concerns has been loss of data control — if AI uses inputs to learn, then how can an agency put sensitive or even confidential information into it? Toward that end, many government agencies have been explicitly buying enterprise versions of AI platforms that don’t feed inputs back into the larger public model for training. In California, one agency’s guidelines to staff pointed out that nothing that could be subject to a public records request should be run through generative AI. But what if there was a way to use AI without it even seeing the data? That could, essentially, eliminate those concerns about privacy and loss of control. (GOVTECH.COM)
Defense
A first look at CDAO’s new ‘Wingman’ work to enable custom, AI digital assistants across DOD
The Pentagon’s Chief Digital and AI Office is eager to expand its deployment of a new task automation platform — the “CDAO Wingman” — that’s designed to help defense and military users develop and scale their own digital assistants to offload document-heavy workflows and repetitive, compliance-driven functions. “Many military departments have already been using this capability, but obviously technology is changing every day and evolving, and we want to make sure that everyone knows how to access it and have the ability to build out their own workflows on their own,” War Data Platform Program Director Elizabeth “Liz” Chirico said on a panel Tuesday at the UiPath Fusion conference, presented by FedScoop. (DEFENSESCOOP.COM)
Air Force wants AI in its air-ops command-and-control system
The Next-Generation Air Operations Center Weapon System effort aims to upgrade the Air Operations Center (AOC) Weapon System to bring AI-powered tools to planners and operators at combatant commands. Since February, the Air Force has released a request for information and two sets of Q&As. The contract is managed by the Air Operations Center Program Office of Kessel Run, the Air Force software factory now housed under the service’s Portfolio Acquisition Executive for command, control, communications and battle management. Postings on Sam.gov indicate that the service wants a fast, flexible acquisition plan, perhaps through the use of other transaction agreements. (DEFENSEONE.COM)
‘Expose your interfaces’: Army pushes industry to open up software for ‘hackathon’
The Army, along with nine major defense companies, will embark on a series of “hackathons” later this month in an attempt to create a common operating system across the service’s disparate platforms. The Army called the effort “Right to Integrate,” according to a Tuesday press release, which will include a “sprint” to shed conflicting information silos that have historically been a fixture of “exquisite warfighting systems” the service has purchased from industry. The integration of these platforms “frequently failed,” the service said. From weapons to networks, military platforms have struggled to communicate with each other. Officials, citing modern conflicts, have said that the ability to quickly inventory and move data between domains so troops can make faster decisions on the battlefield is key to success. (DEFENSESCOOP.COM)
Coast Guard creates its own special operations command
With new threats emerging at home and abroad, the U.S. Coast Guard has created a new Special Missions Command (SMC) to oversee its “deployable specialized forces.” The move, officially unveiled today, comes as the Trump administration is increasing the use of these units for ship and drug interdictions around the globe. The Coast Guard is a uniformed military service, but has specific law enforcement authorities. Under Title 14 of the U.S. Code, its personnel can board vessels, carry out seizures, and make arrests. (TWZ.COM)
The Pentagon needs a playbook for munitions surge production
OPINION: The Tomahawk Land Attack Missiles the U.S. military fired during Operation Epic Fury take months to put on contract and years to produce. Whether driven by U.S. military operations or support to partners, the challenge of quickly replenishing U.S. munitions is not new. Exquisite munitions often take an exquisite amount of time to manufacture and deliver. Defense officials, in turn, frequently want to compress that time as much as possible, seeking to restock fast and mitigate future risks. The Russo-Ukrainian War has illuminated the challenge of accomplishing this feat. It also offers lessons for how the U.S can accelerate munitions production timelines in a crisis. (WARONTHEROCKS.COM)
Education
From cheating to AI literacy, public school systems are still answering big questions about AI
Chatbots are changing the way we access information and what we gain from it. It’s happening online, in workplaces, and, over the last few years, in schools themselves. In the wake of early mass adoption of ChatGPT — years before its parent company OpenAI added age-specific tools and restrictions — schools, including in Los Angeles and New York City, banned chatbots in the classroom outright. Many school officials feared generative AI tools would be used primarily to cheat, and there are still concerns that AI can hamper learning or exacerbate mental health concerns, including child exploitation. (MASHABLE.COM)
Energy
Nuclear reaches 41% of TVA’s power supply
The Tennessee Valley Authority’s nuclear fleet supplied 41% of its power supply in the first half of its fiscal year 2026, compared to 31% in the year-ago period, and the federal utility’s interim president and CEO Mike Skaggs said in a Tuesday earnings call that nuclear is a major priority for him. Skaggs particularly wants to “[establish] clarity on our position around new nuclear technologies,” and “work with the federal administration and our board of directors to clarify TVA’s path going forward and the U.S. nuclear development and regional deployment,” he said. (UTILITYDIVE.COM)
Health care
HHS proposes to restructure biomedical research with AI
Research breakthroughs tackling complex diseases and chronic illnesses can take years. The U.S. Department of Health and Human Services is hoping to speed that up ten-fold with artificial intelligence-enabled ecosystem of shared research and experimental procedures. The Advanced Research Projects Agency for Health, a unit of HHS, is spearheading a five-year Intelligent Generator of Research grant program with the stated intent of disrupting a centuries-old status quo of research spearheaded by individual labs. The proposition for Igor, APRA-H says, isn’t to put a biomedical research wrapper around a frontier large language system. (HEALTHCAREINFOSECURITY.COM)
Maritime
The strategic importance of critical maritime infrastructure
OPINION: Critical maritime infrastructure has become a core pillar of national security for the United States, Japan, and South Korea. For many years, maritime security was understood mainly through traditional concepts: naval power, sea-lane protection, piracy, territorial disputes, and freedom of navigation. These issues remain important. However, they no longer fully capture the security challenges facing advanced maritime states today. Modern societies now depend on systems located at sea, under the sea, and at the land-sea interface. Undersea cables, ports, energy terminals, offshore platforms, pipelines, shipyards, repair facilities, and logistics hubs form the hidden architecture of economic life and military power. For the United States, Japan, and South Korea, these systems are not simply commercial assets. They are essential to economic resilience, military readiness, alliance operations, and crisis stability. (REALCLEARDEFENSE.COM)
Resilience
Kansas bolsters cybersecurity with new shared services model
Kansas is now offering shared IT and cybersecurity services to its local governments, public schools, hospitals and nonprofits, potentially creating an economy of scale that will lower costs for the state as well, said Kansas Chief IT Officer Jeff Maxon. This comes after the passage and signing in April of two key pieces of legislation that expand state tech support and oversight in different ways. The first is Senate Bill 51, which formally lets the state’s Office of Information Technology Services (OITS) provide IT and cybersecurity services to cities, counties, schools, hospitals and nonprofits. The state will use a chargeback model, which means recipients pay for services rendered, rather than for tech support in perpetuity. (GOVTECH.COM)
Social media
Meta asks California judge to throw out landmark social media addiction verdict
Meta Platforms has asked a Los Angeles judge to throw out a jury’s verdict finding the company liable for a woman’s depression in a landmark trial over whether the company has harmed young users by designing its platforms to be addictive. In the filing, submitted on Monday but made public on Wednesday, Meta asked the judge who oversaw the trial to overturn the verdict and rule in its favor or order a new trial. The jury in March found that Meta and YouTube parent Google had been negligent in the design of their platforms and had failed to warn users of their dangers. The jury found Meta liable for $4.2 million in damages and Google for $1.8 million. (REUTERS.COM)
Space
Space Force boosts contract ceiling for Andromeda space monitoring sats to $6.2B
The service on Monday announced the plan to bolster its new Andromeda space-based space domain awareness program, explaining that the fiscal 2027 Pentagon budget request was “significantly increased” shortly before the original award in April in order to meet “the escalating threat environment projected for CY [calendar year] 2030+. The original Andromeda award tapping 14 companies to compete for future task orders focused on plans for a new constellation, called RG-XX, to replace the current Geosynchronous Space Situational Awareness Program (GSSAP) neighborhood watch satellites. (BREAKINGDEFENSE.COM)
Workforce
How AI could open up cybersecurity to a wider workforce
OPINION: For decades, cybersecurity has been defined by its complexity. To work in the field meant mastering a dense cluster of proprietary tools, obscure query languages and vendor-specific workflows. Expertise meant not only a grasp of security principles but knowing which menu hid which setting across dozens of platforms. Cybersecurity practice thus became a kind of priesthood: a highly specialized discipline accessible only to those who spent years learning its rituals. Artificial intelligence (AI) is poised to dismantle this model by making cybersecurity far less arcane. The technology is emerging as a powerful abstraction layer that lets people express their security intent in natural language, while the system translates that intent into technical action. (WEFORUM.ORG)
LEGISLATIVE UPDATES
Senator warns CISA election security pullback could leave midterms vulnerable
Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., is demanding answers from the Department of Homeland Security over what he says is a sharp decline in federal election security support ahead of the 2026 midterms, warning that cuts to the Cybersecurity and Infrastructure Security Agency could leave states more exposed to cyber threats and foreign interference. In a letter sent Wednesday to DHS Secretary Markwayne Mullin, Warner said state and local officials have reported that CISA is no longer providing the same level of election security training, intelligence sharing and cybersecurity assistance it offered in prior election cycles. (NEXTGOV.COM)
ALERTS AND ADVISORIES
CISA adds one known exploited vulnerability to catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation: CVE-2026-0300 Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. (CISA.GOV)
Events
TO BE INCLUDED IN THIS CALENDAR, SUBMIT YOUR SECURITY-FOCUSED EVENT FOR CONSIDERATION
NUCLEAR: To explore Chernobyl’s enduring legacy, the Carnegie Endowment for International Peace invites you for a May 7 panel discussion with Adam Higginbotham, journalist and author of the New York Times bestseller Midnight in Chernobyl; Mariana Budjeryn, senior researcher at MIT’s Center for Nuclear Security Policy and author of Inheriting the Bomb; and Corey Hinderstein, vice president for studies at Carnegie and former principal deputy administrator for the National Nuclear Security Administration. Ukraine’s ambassador to the United States, Olga Stefanishyna, will deliver opening remarks.
RUSSIA: On May 8, the Atlantic Council’s Eurasia Center and the New Eurasian Strategies Centre will co-host an expert discussion on Russia’s economic, military, and domestic pressures and their implications for Moscow’s war against Ukraine.
CHINA: In Defending Taiwan, Eyck Freymann offers a comprehensive strategy to deter war and sustain peace. With Jason Hsu, Freymann will discuss in a May 11 Hudson event how the United States and its partners can adapt to China’s evolving strategy and develop a coherent plan to prevent conflict while safeguarding Taiwan’s future.
EMERGING TECH: In an evolving geopolitical landscape, how can the US build on its experience in developing frontier technologies and globally competitive industries through investments in priority technologies for the 21st century? Join AEI’s Michael R. Strain for a May 13 conversation with experts from the Massachusetts Institute of Technology for a conversation on their new book “Priority Technologies: Ensuring US Security and Shared Prosperity (2026).”
BIOTHREATS: On June 4, the Bipartisan Commission on Biodefense at the Atlantic Council will host its latest meeting, which will discuss how non-federal governments approach biodefense. State, local, tribal, and territorial governments serve on the front lines of biodefense. As the biological threat continues to grow, those officials who tackle this topic on a daily basis require reinforcement. This meeting of the commission will discuss the impacts of changes in federal support for state, local, tribal, and territorial biodefense activities, as well as the biodefense roles, responsibilities, and investments of non-federal governments. The discussion will also touch upon the personnel, policies, and programs needed to bolster preparedness for future biological threats.
FOLLOW THE McCRARY INSTITUTE ON LINKEDIN | X | BLUESKY
SUBSCRIBE TO THE CYBER FOCUS PODCAST: YOUTUBE | SPOTIFY | APPLE PODCASTS