State of American cyber, plus the grandfather of cyber weapons


Five Cyber Stories - April 26, 2026 - Issue 006

Hello there! Thanks, as always, for checking out this week's Five Cyber Stories. Each week, I'm sharing five stories showcasing how cybersecurity and digital privacy affect our non-digital lives. This week we'll catch up on the state of American defensive cybersecurity, the precursor to Stuxnet (if this word doesn't mean anything to you, don't worry, we'll explain), and even more fascinating cyber tales.

But first...

A reader recently asked me about the "($)" after some links in each issue. While I had previously written about the symbol's meaning, I had made it difficult to find. My bad. So, to explain: Links followed by "($)" indicate that the referenced article may throw up a paywall. I'll do my best to utilize gift links and free sources, but sometimes, it's unavoidable. Plus, I think it's worth supporting good journalism.

Ok, with my housekeeping out of the way, let's dive in!

1. A view of American cybersecurity

Leaderless at the helm: The Trump administration's pick to run the United States' Cybersecurity & Infrastructure Security Agency (C.I.S.A.), Sean Plankey, asked the White House to withdraw his nomination. Politico was first to report the development, and TechCrunch's Zack Whittaker has a good write-up linking to various coverage.

The wide lens: While I am hardly qualified to give the definitive view on the status of American cybersecurity (which is why I link to lots of journalists and commentators with lots of points of view), I'm worried our government is not taking cybersecurity, particularly defensive cybersecurity, as seriously as it should.

Politico reports the nomination of Sean Plankey to lead C.I.S.A. has been held up for political reasons in the Senate, which according to TechCrunch were "unrelated to cybersecurity." A year into this administration, C.I.S.A., which labels itself as "America's Cyber Defense Agency," remains without Senate-confirmed leadership. Meanwhile, the White House is also proposing $700 million in cuts to the agency's FY2027 budget. A third of C.I.S.A. staffers have left since the beginning of the Trump administration. The agency was also left off the access list for Anthropic's powerful AI model, Mythos. Ironically, the N.S.A. does have access to Mythos in spite of open legal disputes between Anthropic and the N.S.A.'s parent agency, the Pentagon.

It's no secret that the White House holds a grudge against C.I.S.A., accusing the agency of censorship. Bad feelings appeared to play a role in the administration largely skipping this year's RSAC conference, which executive branch officials usually attend. According to Axios, this administration has preferred "...to give more policy influence to the White House's national cyber director."

But I would argue this goes beyond the breaking of norms. The White House's national cyber strategy prompted the National Cyber Director, Sean Cairncross, to say, "I'm not talking about the private sector, industry or companies engaging in a cyber offensive campaign." Regardless, businesses such as Google seemed to take notice, saying shortly after the strategy was released, "...disrupting threat actors must become the status quo in our industry."

The F.C.C.'s ban of foreign-made routers could be seen as defensive, but as I've written once before (actually twice before), the ban and the subsequent "Conditional Approvals" given to some routers seem to make little sense. The vague announcement from eero this week that their routers also received Conditional Approval only leaves me (to put it mildly) more confused. It's hard to see a strategy behind these seemingly incongruous decisions and announcements.

This affects you, dear reader: I assure you that all these government acronyms and bureaucracies matter. I've recently written about Iran's threat to our critical infrastructure such as water and energy. Just this week, an unnamed "U.S. federal civilian agency" discovered sophisticated malware, named Firestarter, on devices on their network. U.S. federal civilian agencies can include N.A.S.A., the Department of Homeland Security (D.H.S.), the F.B.I., the Department of Justice (D.O.J.), the I.R.S. and more. This list made me question why the government is not disclosing which agency was compromised. (Also of note, C.I.S.A. was involved in responding to both the Iran threat and Firestarter.)

All of this is taking place amid international recognition of China's offensive cyber capabilities and activities. The Dutch Defence Intelligence and Security Service (MIVD) has reportedly said that "China now probably stands on an equal footing with the United States in the area of offensive cyber capabilities." The same reporting from The Record's Alexander Martin noted that Five Eyes intelligence agencies think China is embedding in "Western critical infrastructure" in preparation for a possible conflict related to Taiwan.

Additionally, ransomware attacks have become so prevalent that former F.B.I. Cyber Division official Cynthia Kaiser called on Congress to start labeling such attacks as acts of terrorism. She advocated pursuing homicide charges against perpetrators of ransomware attacks on hospitals that result in deaths. But the alarm goes beyond the expert level. I've previously written about polling showing that residents of NATO countries view these types of attacks as acts of war.

To add one more data point to the importance of proper cyber security prioritization, Europe has begun to take steps on multiple fronts to detach itself from U.S. tech, potentially diminishing American soft power.

All of this looms while C.I.S.A. remains without Senate-confirmed leadership. Since Plankey, the White House's nominee, asked to withdraw, the administration has yet to put forward another nominee, while simultaneously proposing to slash the agency's budget. Given all of this context, I think it's fair to ask: is our government properly prioritizing defensive cybersecurity?

2. Before Stuxnet ($)

Reporting by Wired's Andy Greenberg

The grandfather of state malware: Security researchers at the firm SentinelOne discovered a new piece of malware referred to as Fast16. According to Wired's reporting ($), Fast16 "...may have been used in Iran, even before Stuxnet." Iran's nuclear program was targeted via malware known as Stuxnet in 2009 ($). Fast16 is thought to predate it. Until now, Stuxnet was anecdotally seen as the first known example of state-level cyber warfare.

This newly discovered malware is thought to have targeted software used by the Iranian nuclear program at that time. It operated at a very deep level (the kernel level) of the computer's operating system, and it would give false results for calculations being run by said software. Thomas Rid of Johns Hopkins University's Alperovitch Institute says in the article ($):

"'If you're a very high-value intelligence target like a nuclear program in a country with potent adversaries, then maybe you can't trust your computers,' Rid says. 'And even worse: you could never trust them.'"

Adding to the paranoia: This is a fascinating read. Stories about Stuxnet were part of what first drew me to cybersecurity. I'm fairly familiar with the program and expected a well-reported retelling of something similar. Actually, this was more frightening. Vitaly Kamluk, one of the researchers who discovered Fast16, tells Wired ($):

"...[It] represents a deeply disturbing, even paranoia-inducing discovery—one that makes him question his trust in the computers that have assured the safety of everything from trains to airplanes.

'For any kind of disaster or catastrophe where people died in an accident,' Kamluk says, 'you don't want to nurture these fears, but it naturally comes up: Was there a cyber angle?'"

Yikes. For those who want to read about Fast16 but skip the paywall (for now), The Register's Simon Sharwood has also written about the discovery.

3. Weapons of mass hacking?

Reporting from The New York Times' Paul Mozur and Adam Satariano

Unilateral anxiety: Last week and the week before, I wrote a lot about the potential of Anthropic's latest AI model, Mythos, to disrupt cybersecurity. Most of the stories I shared were written from an American or British perspective. But this week The New York Times briefly reported on a somewhat more international point of view. The notable quote included in the NYT piece was from a Russian outlet calling Mythos "worse than a nuclear bomb."

New power dynamics: Though I hesitate to again belabor the worry (or lack of concern) about Mythos, this article notes a mindset shift worth watching. The reporters note that AI models are beginning to take on the character of "weapons tests."

"The scramble over Mythos comes at a moment of minimal international cooperation on A.I. Governments are viewing one another with suspicion as corporations race to outpace rivals. There is no equivalent of the Nuclear Nonproliferation Treaty, no shared inspections and no agreed-upon rules for how to handle something like Mythos."

If this viewpoint holds in the global zeitgeist, it further affirms this newsletter's thesis that cybersecurity affects everyone's non-digital, and now geopolitical, lives. It's important to dwell on this idea for a moment, especially considering that Mythos reportedly leaked to "unauthorized users."

4. Ice, ice, no privacy

Reporting from Ken Klippenstein

New looks: Exclusive reporting from Ken Klippenstein this week revealed that the Department of Homeland Security's (DHS) Immigration & Customs Enforcement (ICE) is developing its own smart glasses to "...collect intelligence on Americans." That is, to scan everyone's faces.

Eye exam: Last week, I wrote about privacy concerns surrounding Meta's smart glasses. This week, I'm sharing privacy concerns about government smart glasses. Still, there's likely a portion of Americans who are in favor of ICE's use of facial recognition despite the agency's polarizing status ($). I recommend considering the dual nature of this technology's application while reading Klippenstein's reporting. If this tool can be used against your enemies, it can also be used against your friends or even yourself. I personally found it alarming how many facial recognition databases the U.S. government operates. To give a less theoretical example, watch this Texas man's story about his encounter with government surveillance.

5. Full spoilers

Reporting from The Verge's Charles Pulliam-Moore

Bit bending: Nickelodeon's feature-length animated film Avatar Aang: The Last Airbender has fully leaked. According to reporting from The Verge, "Paramount determined that the leaks did not come from anyone working in the company..." The Singaporean police arrested someone accused of "...accessing a server where the project was being held...". Wired reported that the film was previously available ($) to (illegally) watch in its entirety via online platforms.

Out of balance: Though aspects of this story are at least a week old, it hits close to home in a couple of ways. The original Nickelodeon show, Avatar: The Last Airbender, was a show I very much enjoyed while growing up. (I re-watched it as an adult with my then-girlfriend, now wife.) But also, I work in the entertainment industry. When I'm not bringing you cybersecurity headlines, I work on feature documentaries in post-production. It is no small task, often a labor of love, to finish any movie.

Some have said they "do not care" about the leak given the circumstances surrounding Paramount. Others watched the leaked film online, calling it "beautiful." While it's easier to see this act as a victimless crime than, say, stealing something from your neighbor, those who worked on this film certainly feel harmed. It comes as creatives are grappling with the consolidation of their industry, the threat of AI and an uncertain economy. In comments to Wired ($), Jason Scheier, who worked on the movie, says, "Revenue determines if sequels get greenlit and how a film covers its production and marketing costs. This is devastating to the team and to the studios producing the movie."

Until next week

Some other notable stories I read this week included Cyberscoop's report on the cyberattack on Vercel, Cybersecurity Dive's article on the impacts of the attack on Hasbro (see issue 003), Ars Technica's story on the crypto scams possibly luring ships into the Strait of Hormuz, and Wired's reporting on Mythos helping Mozilla find and fix 271 flaws ($) in Firefox.

Did I miss anything, have feedback, or want to shoot the breeze? Just reply to this email. As always, thanks for reading.

Signing off!
Danny