Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments and happenings occurring worldwide when discussing cybersecurity, privacy, digital surveillance, and technology policy.
At 1,550 words, this briefing is about a 6-minute read.
At a glance.
- CBO was hacked by a foreign entity.
- UK proposes new cybersecurity laws.
Congressional Budget Office was potentially hacked by foreign actors.
The news.
Last week, the Congressional Budget Office (CBO), Congress’s nonpartisan bookkeeper, was breached by what may have been a foreign actor. A spokeswoman for the agency stated that key financial research data was potentially exposed during the breach. For context, this data is often used by members of Congress when drafting legislation.
The breach was discovered earlier last week, and there are concerns that communications between lawmakers’ offices and researchers may have been compromised. Officials in the Senate Sergeant at Arms office expressed concerns that these communications could be used to create highly targeted phishing scams.
CBO spokeswoman Caitlin Emma stated:
“The CBO has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward.”
Emma also stated that the agency is currently investigating the incident and will continue to work for Congress.
For context, the CBO is an organization that assists lawmakers with calculating economic projections for bills. Every bill discussed in either the House or the Senate receives a “score” from the CBO that determines how much it would either add to or subtract from the national debt.
The knowledge.
While the full scope of this attack is unclear, it does reignite concerns regarding foreign entities targeting critical infrastructure and government partners. In 2024, a Chinese state-sponsored group known as Salt Typhoon successfully targeted and exploited the United States (US) telecommunications industry. The attack was so large that it impacted over eighty nations and was dubbed the “worst telecom hack in [the US’s] history” by Senator Mark Warner.
During this attack, the hackers infiltrated major telecommunication networks operated by AT&T, Verizon, and Lumen, among others, by compromising networking equipment. By exploiting technical vulnerabilities, Salt Typhoon obtained large volumes of records that showed where, when, and with whom people were communicating, including the contents of phone calls and text messages. Alongside collecting this sensitive information, the attackers also deployed tools to expand their control over the networks and staged malware for future use. Notably, this was not an isolated incident; rather, it was part of a years-long campaign, beginning in 2021, aimed at compromising a large majority of the US’s telecommunications infrastructure.
These major attacks are part of a larger, worrying trend in which cyberspace is becoming an increasingly vulnerable and exploited place. The World Economic Forum (WEF)’s Global Cybersecurity Outlook report from January 2025 found that geopolitical tensions are significantly shaping current cybersecurity strategies: nearly 60% of surveyed organizations stated that geopolitical tensions are affecting their strategies. Further, the report found the following:
- 45% of CISOs are worried that these tensions will disrupt operations.
- 33% of CEOs are worried that these tensions will result in the loss of IP or sensitive information.
- 11% of CEOs and CISOs are concerned that these tensions will result in financial losses from cyberattacks.
These concerns reflect the larger challenges that persist within cybersecurity, and those challenges are likely only to grow.
The impact.
This latest attack, and those that came before it, feed a growing concern that cyberspace is becoming increasingly hostile with no indication of improving. While businesses will not be able to perfectly mitigate and prevent every cyber incident, understanding and preparing for this reality is critical.
By understanding these challenges, businesses can find vulnerabilities faster and implement mitigation strategies. These strategies may not fully prevent a breach, but they can help leaders limit the damage and recover faster from incidents.
UK brings forward new cybersecurity bills.
The news.
On Wednesday, the United Kingdom (UK) introduced a series of new cybersecurity laws. With these laws, the UK aims to strengthen its cybersecurity defenses by requiring organizations to meet stricter security standards. More specifically, medium and large companies that provide services such as IT management or cybersecurity would be brought under regulation.
If these laws are passed, regulated companies would need to report any potentially significant incident to both the UK government and their customers, and to have plans in place to help manage and recover from incidents. Additionally, regulators would be able to designate suppliers as essential, which would increase the penalties companies would face for breaches.
The Department for Science, Innovation, and Technology (DSIT) commented on these policies, stating:
“Because they hold trusted access across government, critical national infrastructure, and business networks, they will need to meet clear security duties.”
Alongside these efforts, the UK government also plans to ban public sector entities in critical infrastructure from paying ransom demands to cybercriminals.
The knowledge.
These new cyberlaws come in the wake of some of the largest cyber attacks the UK has faced in years. These attacks targeted Marks & Spencer, the Co-op, and Jaguar Land Rover (JLR). In addition to these high-profile attacks on major UK brands, the nation also experienced an attack on its Ministry of Defence’s payroll system and on its National Health Service (NHS).
These attacks each had a substantial impact on the nation: the JLR attack affected the nation’s gross domestic product, and the NHS hack disrupted thousands of appointments and procedures and contributed to a patient’s death.
Within these new laws, the UK is aiming to implement multiple significant changes. First, the bill implements turnover-based penalties, calculated from a company’s annual revenue, for violating compliance regulations. Second, the UK government is increasing its scrutiny of managed service providers (MSPs) by expanding incident reporting requirements and implementing a new framework. According to Shivraj Morade, a senior analyst at Everest Group, this increased scrutiny aims to prompt MSPs to “invest in SOC maturity, rapid triage, and legal alignment.” Lastly, this effort would empower the technology secretary to direct regulators and organizations to take “specific, proportionate steps” to better manage cyberattacks that could threaten national security. With this new authority, the technology secretary would be permitted to require enhanced monitoring and impose temporary network isolation.
The impact.
While these laws have not yet been passed, they signal the UK’s continuing effort to better manage and recover from severe cyber incidents. If passed, these measures would significantly expand the UK government’s regulatory powers, allowing regulators to better oversee critical infrastructure organizations and to hold MSPs more accountable.
For organizations tied to the UK’s critical infrastructure or national security, leaders should understand these proposed measures and the impact they would have on their regulatory requirements. By properly accounting for these potential new requirements, organizations can avoid the substantial penalties associated with these new regulations.
Highlighting key conversations.
In this week’s Caveat Podcast, our team met with Max Shier, Optiv’s CISO, to discuss the newly released CMMC 2.0. For context, the CMMC, or the Cybersecurity Maturity Model Certification, is a Department of Defense program aimed at helping ensure compliance and maintain a standardization of cybersecurity requirements. With CMMC’s updated version, our team discussed how the revised version improves upon the original model and how people can maintain compliance as the program kicks off in 2025.
Like what you read, and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Other noteworthy stories.
Thailand approved $3.1 billion of data center investments.
What: Thailand approves new data center investments.
Why: On Monday, Thailand’s Board of Investment approved four data center projects worth $3.1 billion, alongside approving new measures to jumpstart other already approved projects.
The investments include building an 84-megawatt (MW) data center and an additional hyperscale data center project that will have an IT load of 200 MW. Lastly, the board also approved measures to speed up stalled investments valued at $9.2 billion.
Commenting on this effort, Board of Investment chief Narit Therdsteerasukdi stated:
“This will strengthen investor confidence in Thailand’s investment framework and contribute to increased employment and broader economic development.”
Meta planning to invest $600 billion into US infrastructure.
What: Meta plans to invest substantially in US AI infrastructure.
Why: On Friday, Meta announced it will invest $600 billion into US infrastructure and jobs over the next three years in an effort to fuel its artificial intelligence (AI) plans. Within this pledge, the company has committed several hundred billion dollars to building AI data centers.
CEO Mark Zuckerberg stated that the company aims to expand its computing capabilities as “it’s the right strategy to aggressively front-load capacity so we’re prepared for the most optimistic cases.”
Alongside this investment, Anthropic also announced that it aims to invest $50 billion within the US to build additional data centers to support its AI infrastructure.