CISA says it will rebuild with more staff in 2026 to redress cuts in 2025

Microsoft’s Azure cloud computing service was hit with 15.7 Tbps DDoS attack, Russian telecom Protei was hacked and site defaced, Companies warn of inflexibility if UK bans ransom payments, A crew of companies reject efforts to weaken encryption, 460k FTSE compromised credentials found, much more


Don't miss my latest CSO piece, which examines how identity systems were never designed for the coming wave of autonomous AI agents, a situation that will force CISOs to overhaul how they deal with identity verifications.




The Cybersecurity and Infrastructure Security Agency will increase its hiring efforts in 2026 as it seeks to rebuild from the Trump administration’s deep cuts and prepare for a potential US conflict with China.

“The recent reduction in personnel has limited CISA’s ability to fully support national security imperatives and administration priorities,” acting CISA director Madhu Gottumukkala said in a Nov. 5 memo to staff obtained by Cybersecurity Dive. The agency has “reached a pivotal moment,” he added, but it remains “hampered by an approximately 40% vacancy rate across key mission areas.”

With China continuing to target US and allied critical infrastructure, and experts predicting a crisis in 2027, Gottumukkala wrote, “CISA must hire highly qualified professionals by the end of fiscal year 2026 to strengthen the agency’s defensive posture.”

As part of a new workforce and talent strategy, CISA will prioritize the hiring of state cybersecurity coordinators and regional cybersecurity advisers, particularly in regions with what Gottumukkala called “persistent vacancies.” Many of those vacancies are the result of the Trump administration’s policies. These personnel, who serve as vital liaisons between CISA and critical infrastructure organizations across the country, have been among the hardest hit by the layoffs and voluntary departures that have rocked CISA over the past 10 months.

In addition, CISA will expand its use of the Department of Homeland Security’s Cyber Talent Management System, a special hiring program, “to recruit critical cyber talent at market rates,” Gottumukkala said, “focusing on junior practitioners and experienced industry experts.” The agency will work with DHS’s human-resources office to make the hiring process faster. (Eric Geller / Cybersecurity Dive)

Microsoft reports that the powerful Aisuru botnet launched a massive 15.7 Tbps DDoS attack against a customer on Microsoft’s Azure cloud computing service. 

The incident occurred on Oct. 24, with Microsoft indicating it involved over 500,000 devices generating internet traffic in an attempt to knock a target offline. 

The company traced the DDoS to the Aisuru botnet, which was responsible for the largest DDoS on record back in September. That attack peaked at 22.2 Tbps, while also pushing 10.6 billion packets per second from over 300,000 devices. It targeted a customer on Cloudflare, an internet infrastructure company that also provides DDoS protection. 

The Oct. 24 attack targeted a single endpoint based in Australia. Microsoft didn’t elaborate, but it looks like the company automatically mitigated the impact, preventing it from overwhelming its services. “Malicious traffic was effectively filtered and redirected, maintaining uninterrupted service availability for customer workloads,” Microsoft said. (Michael Kan / PCMag)

Related: Microsoft, The Register, HackRead, Fudzilla, WebProNews, CSO Online, r/cybersecurity, Bleeping Computer, Security Affairs, Microsoft Tech Community, PCMag, CyberInsider, Hacker News (ycombinator)

Protei, a Russian telecom company that develops technology to allow phone and internet companies to conduct web surveillance and censorship, was hacked, had its website defaced, and had data stolen from its servers.

Founded in Russia, Protei makes telecommunications systems for phone and internet providers across dozens of countries, including Bahrain, Italy, Kazakhstan, Mexico, Pakistan, and much of central Africa. The company, now headquartered in Jordan, sells video conferencing technology and internet connectivity solutions, as well as surveillance equipment and web-filtering products, such as deep packet inspection systems.

It’s not clear exactly when or how Protei was hacked, but a copy of the company’s website saved on the Internet Archive’s Wayback Machine shows it was defaced on November 8. The website was restored soon after.

During the breach, the hacker obtained the contents of Protei’s web server — around 182 gigabytes of files — including emails dating back years.

A copy of Protei’s data was provided to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets in the public interest, including data from law enforcement, government agencies, and companies involved in the surveillance industry.

The identity of the hacker is not known, nor their motivations, but the defaced website read: “another DPI/SORM provider bites the dust.” The message likely references the company’s sales of deep packet inspection systems and other internet filtering technology for the Russian-developed lawful intercept system known as SORM, the main lawful intercept system used across Russia, as well as several other countries that use Russian technology. (Zack Whittaker / TechCrunch)

Related: Mezha

Protei website screenshot. Source: TechCrunch.

Companies and cyber groups have told UK government officials that making paying ransoms illegal would remove a valuable tool in negotiations where highly sensitive data or essential services could be compromised, according to two people familiar with the matter.

“An outright ban on payments sounds tough on crime, but in reality it could turn a solvable crisis into a catastrophic one,” said Greg Palmer, a partner at law firm Linklaters.

The proposal, announced by the Home Office in July, is designed to deter cyber criminals by making it clear that any attempt to blackmail regulated companies such as hospitals, airports, and telecoms groups will not succeed. If enacted, the UK would be the first country to implement such a ban. (Kieran Smith / Financial Times)

Related: Slashdot

In a statement, more than 60 digital commerce and trade groups called on governments around the globe to reject efforts or requests to weaken or bypass encryption, saying strong encrypted communications provide critical protections for user privacy, secure data protection, and trust that underpin some of society’s most important interactions.

“Encryption is a vital tool for ensuring that consumers, businesses, and governments can confidentially engage online, fostering a secure environment that supports economic growth and cross-border collaboration,” the groups wrote.

The statement, signed by The App Association, the Business Software Alliance, the Information Technology Industry Council, the Surveillance Technology Oversight Project and others, argues that the tradeoffs in privacy and security to all users would outweigh the benefits to law enforcement, stating “any effort to undermine encryption, whether through backdoors, key escrow systems, or technical mandates, undermines that trust.” (Derek B. Johnson / CyberScoop)

Related: ACT, The App Association

Managed detection and response company Socura and threat exposure management company Flare warned the UK’s largest companies that they’re at risk of being breached, after finding hundreds of thousands of corporate credentials on cybercrime sites.

The companies teamed up to monitor “cybercrime communities” across the clear and dark web for FTSE 100 company domains. Their resulting report, FTSE 100 for Sale, revealed 460,000 compromised credentials belonging to employees at these firms.

Some firms had as many as 45,000 leaked credentials, while 15 companies had more than 10,000 each. Although this is a problem across multiple sectors, financial services (70,000+) were particularly affected.

Much of the problem stems from the proliferation of infostealer malware. Socura and Flare found 28,000 corporate credentials in stealer logs, which on average equate to 280 per FTSE 100 company.

Their research also revealed that poor password hygiene is still a significant security challenge for even the country’s biggest and best-resourced organizations.

Over half (59%) of FTSE 100 companies have at least one employee using “password” as a password, it found. Password reuse was also commonplace. One employee had three variations of the same password (the TV actor “Ross Kemp”) in six known leaks. (Phil Muncaster / Infosecurity Magazine)

Related: Socura, Forbes, PR Newswire




The US Department of Defense is not fully confronting security risks posed by the growing amount of publicly accessible digital information for its personnel and operations, according to a new Government Accountability Office (GAO) report.

Digital activity from personal and government devices, online communications, and defense platforms can generate volumes of traceable data, also referred to as digital footprints, GAO warned in the report.

“When aggregated, these digital footprints can threaten military personnel and their families, operations, and ultimately national security,” the report reads.

GAO acknowledged that three of five offices under the Office of the Secretary of Defense have issued policies and guidance on the risks associated with the public accessibility of DOD’s digital information. However, it found that the guidance does not cover all stakeholders or security areas.

GAO made 12 recommendations, including assessing policies, improving collaboration to reduce risks, providing training on the digital environment and its associated dangers across security areas, and completing required security assessments.

DOD agreed with 11 recommendations and partially agreed with one. GAO maintained that “all recommendations are warranted.” (Lisbeth Perez / Meritalk)

Related: GAO, Stars and Stripes, The Register, Bleeping Computer

A ransomware attack on the Pennsylvania Office of the Attorney General exposed the Social Security numbers and medical information of an undisclosed number of people.

The office confirmed that data was stolen during the attack, which caused chaos this summer for the state’s legal system, taking down the website, phone lines, and email systems used by most employees.

“Based on the OAG's review of the data involved, for some individuals the information involved may have included name, Social Security number, and/or medical information,” Attorney General Dave Sunday said.

“On November 14, 2025, we provided notice, via email, of this incident to individuals for whom we had been provided a valid email address. We have also notified the Federal Bureau of Investigation of the incident and are assisting their investigation.”

The statement confirms that the ransomware attack was discovered on August 9 and that a subsequent investigation confirmed that files were stolen from the office’s systems during the incident.

A toll-free number was created for victims with questions about the incident. (Jonathan Greig / The Record)

Related: Pennsylvania Attorney General, CBS News, Penn Live, Bleeping Computer, ABC27, WHP Harrisburg, Beaver County Radio, PennWatch

The French telecommunications company Eurofiber acknowledged a breach of its cloud customer platform and digital ticket system after a hacker accessed the network through software used by the company.

Eurofiber France SAS is the French unit of the Eurofiber Group N.V., a Dutch telecommunications service provider that operates a fiber network of 76,000 km across the Netherlands, Belgium, France, and Germany.

The cybersecurity incident impacts only the French division of the group, the company says in the announcement, including its cloud division (ATE portal) and its regional Eurafibre, FullSave, Netiwan, and Avelia sub-brands.

In a press release, the company states that the impact is minimal for indirect sales and wholesale partners in France, as most of them rely on separate systems.

A threat actor calling themselves ‘ByteToBreach’ claimed the attack on a data leak forum, alleging that they stole data belonging to 10,000 businesses and even government entities, all clients of Eurofiber.

The threat actor claims to be holding data that the clients uploaded to the ticketing system, including screenshots, VPN configuration files, credentials, source code, certificates, archives, email accounts as files, and SQL backup files. (Bill Toulas / Bleeping Computer)

Related: Digwatch, Tornews, Techzine

Threat actor claiming the attack. Source: BleepingComputer

Cybersecurity startup Mate emerged from stealth with a $15.5 million venture funding seed round.

Team8 and Insight Partners led the round. (Chris Metinko / Axios)

Related: Insight Partners, Calcalist, FinSMEs, StartupRise

Best Thing of the Day: Well, If You Can't Have Privacy, Facebook Will At Least Protect Your Reels IP

Meta introduced Facebook content protection, a mobile tool designed to detect when a creator’s original reels posted to Facebook are being used without their permission.

Bonus Best Thing of the Day: No Truer Words

Alphabet CEO Sundar Pichai said people should not "blindly trust" everything AI tools tell them.

Worst Thing of the Day: A Cautionary Tale About Out-of-Date Software

Australia's TPG Telecom said a customer died after their Samsung mobile phone running out-of-date software failed to connect with the Triple Zero emergency services, and there was no network outage at the time.

Bonus Worst Thing of the Day: ICE Knows Where You Are All the Time

Immigration and Customs Enforcement (ICE) recently invited staff to demos of an app that lets officers instantly scan a license plate, adding it to a database of billions of records that shows where else that vehicle has been spotted around the country.

Closing Thought
