The CBO Got Hacked

The Congressional Budget Office — the nonpartisan number-crunching arm of Congress — was breached by a foreign nation-state actor. The Washington Post reported this on Thursday.

The CBO handles sensitive economic projections, budget analysis, and legislative scoring. Foreign adversaries knowing that data before Congress acts on it is a serious problem.

No attribution has been made public yet. No timeline for the breach has been released. The silence raises questions.

The Scorecard Is Ugly

A bipartisan commission just graded U.S. cyber readiness — and America is going backward.

The Cyberspace Solarium Commission, now housed within the Foundation for Defense of Democracies, released its annual review measuring progress against 82 specific national cybersecurity goals. The verdict: the U.S. is slipping.

Retired Admiral Mark Montgomery, executive director of Cybersolarium.org, told CNBC: "We were surprised and disappointed."

The Cybersolarium Commission was bipartisan by design — created under the first Trump administration, continued under Biden, and still operating today. When a commission of that pedigree says things are getting worse, the warning carries weight.

What's Getting Cut

Montgomery named specific agencies where cuts are doing damage: the Cybersecurity and Infrastructure Security Agency (CISA), the State Department, the National Science Foundation, the National Institute of Standards and Technology, and the U.S. Department of Commerce.

DOGE-driven cuts ripped through all of them.

The goals the commission tracks aren't abstract either. They include things like reducing regulatory burdens on critical infrastructure, building cyber capacity inside the FBI and intelligence agencies, and improving K-12 cybersecurity education pipeline. Bread-and-butter national security work.

Every one of those areas is now stalled or regressing, according to the commission's assessment.

One Law Quietly Died. Nobody Noticed.

A federal law that allowed private companies to share cybersecurity threat information with each other — without triggering antitrust liability or legal exposure — lapsed on September 30.

Gone. Expired. Not renewed.

That law was a rare piece of smart legislating. It let companies say "hey, we just got hit with this attack vector" to their competitors without a lawyer shutting them down. The kind of real-time threat intelligence sharing that actually stops cascading breaches.

Congress let it die quietly. The Trump administration didn't push to renew it. And now it's gone at exactly the moment AI-enabled hacking tools are making attacks faster and harder to detect.

The White House Response

CISA issued a statement through a spokeswoman: "Under the leadership of President Trump and Secretary Noem, CISA is steadfastly fulfilling its core mission by demonstrating daily operational collaboration, accelerating intelligence sharing, and strengthening our defense of cybersecurity and critical infrastructure across the nation."

The statement doesn't address the commission's scorecard. It doesn't address the CBO breach. It doesn't address the lapsed information-sharing law. It doesn't name a single metric showing improvement.

When the administration has real numbers to counter Montgomery's data, they should produce them. Until then, the gap between the White House's talking points and the commission's documented findings is substantial.

What Mainstream Coverage Is Getting Wrong

Left-leaning outlets like Axios and CNBC are correctly reporting the budget cuts and the commission's findings. Credit where it's due.

But they're framing this entirely as a Trump problem. That's incomplete.

The information-sharing law that lapsed? Congress — controlled by Republicans — let it die without a fight. That's a legislative failure, not just an executive one. Name the committee chairmen who let it expire. Name the members who didn't prioritize renewal. That accountability is missing from every story.

The CBO breach also raises questions about Congressional IT security practices that predate this administration. Nobody's asking those questions.

Right-leaning media, meanwhile, is mostly ignoring this story entirely. That's worse. A foreign nation-state just hacked a core congressional institution and conservative media is quiet. The CBO isn't a political enemy — it's an American institution, and its breach is an American problem.

What This Means for Regular People

Critical infrastructure cybersecurity isn't abstract. It's the power grid. It's water systems. It's hospital networks. It's the financial system.

When CISA gets gutted, the federal agency responsible for warning private companies about incoming attacks gets slower and quieter. Companies find out they're under attack the hard way — when systems go down.

Montgomery put it plainly: "I think we can recover from this. But you can't continue to cut."

There's a recoverable situation here — but only if the cuts stop and the lapsed laws get renewed. Every week of inaction is a week that adversaries — China, Russia, Iran, North Korea — use to close the gap.

The CBO hack isn't a one-off. It's a data point in a trend. And the trend is pointing in the wrong direction.