What happened
Army Gen. Joshua Rudd, head of both US Cyber Command and the National Security Agency, testified before the Senate Armed Services Committee on Tuesday that foreign adversaries will likely attempt to interfere in the 2026 midterm elections, calling such attempts reasonable to expect based on historical patterns.
Rudd told senators that Cyber Command and NSA are postured and ready to support election security efforts, but acknowledged uncertainty about whether an Election Security Group has been formally reconvened for the 2026 cycle. The ESG is a joint task force that has coordinated election security efforts across Cyber Command, NSA, CISA, the FBI, and other agencies since 2018. Rudd said he would follow up on whether one was being established, calling it important to set up.
The testimony comes amid broader concern about the federal government’s election security posture. Critics including former national security officials have argued that the current administration has weakened election defenses by reducing CISA’s capacity and scaling back federal efforts to counter disinformation. Those concerns are compounded by the FBI’s attribution of a breach of the 2024 Trump campaign to Iranian hackers, who also attempted to target the Biden-Harris campaign in the same cycle.
During the hearing, Sen. Dan Sullivan suggested Rudd consider using offensive cyber capabilities to expose foreign leaders who attempt to undermine voter confidence, framing it as a deterrent against election interference.
Who is affected
Federal and state election infrastructure operators face the most direct exposure, along with political campaigns, voter registration systems, and the broader information environment surrounding the 2026 midterms. Organizations that support election administration, including technology vendors and communications platforms, are also within the relevant threat perimeter.
Why CISOs should care
The combination of confirmed foreign interference attempts in recent cycles, uncertainty about whether a coordinating task force has been stood up, and reported reductions in CISA’s capacity creates a more ambiguous federal election security posture than in previous midterm cycles. For security leaders in sectors that intersect with election infrastructure, including technology vendors, media organizations, and state and local government contractors, the reduced federal coordination footprint means less early warning and fewer shared resources than organizations may have relied on in 2018, 2020, and 2022.
The Iranian breach of a presidential campaign in 2024 also demonstrated that election-adjacent organizations, not just official election infrastructure, are in scope for state-sponsored targeting.
3 practical actions
Assess your organization’s exposure to election-cycle threat actors if you operate in adjacent sectors: Technology vendors, media organizations, polling firms, and political campaign contractors are documented targets during election cycles. Review whether your current threat model accounts for state-sponsored actors with election interference objectives and update detection priorities accordingly.
Do not assume federal coordination resources will be available at the same level as prior cycles: Organizations that relied on CISA threat briefings, the ESG’s coordinated warnings, or joint agency information sharing in previous cycles should assess their independent threat intelligence capabilities and establish direct relationships with sector-specific ISACs that can provide early warning if federal capacity is reduced.
Harden communications and authentication infrastructure against spear-phishing and account compromise: The Iranian breach of the Trump campaign and the attempted breach of the Biden-Harris campaign both involved targeted intrusions against campaign staff. Organizations with any proximity to political campaigns, advocacy groups, or election administration should treat this period as an elevated threat window and reinforce phishing-resistant MFA, email security controls, and access management accordingly.
