The Congressional Budget Office Breach: Why An Active Cyber Threat Against Congress Isn't Making Headlines
The nation's legislative scorekeeper remains compromised while America sleeps on the story
When the Congressional Budget Office confirmed it had been hacked on November 7, 2025, the response was muted at best. A few headlines, some perfunctory warnings to congressional staff, and then... silence. Yet this wasn't just another data breach. This was—and remains—an active cyber threat against one of the most strategically valuable targets in the entire U.S. government.
The Breach That Won't Go Away
Here's what should be keeping people up at night: The Congressional Budget Office breach is still considered an "ongoing" threat. According to internal emails obtained by multiple news outlets, congressional staffers were explicitly warned not to click on any links from CBO email addresses and to restrict all communications with the agency. The implication is stark—the hackers aren't confirmed as contained.
Foreign hackers, suspected to be Chinese state-backed actors, potentially accessed internal CBO emails, chat logs, and communications between lawmakers' offices and CBO researchers. But the full scope remains unknown, the threat actors haven't been fully evicted, and the agency that provides economic analysis for every major piece of legislation moving through Congress is effectively radioactive.
"Do NOT click on any links in emails from CBO. Do NOT share sensitive information with CBO colleagues over email, Microsoft Teams, or Zoom at this time," read the warning to Library of Congress employees, obtained by POLITICO. "Maintain a high level of vigilance and verify the legitimacy of CBO communications by confirming with the sender via telephone that they sent the message."
Think about what that means. Congressional staff—the people crafting legislation that affects 330 million Americans—are being told their primary research and analysis partner cannot be trusted. Every email could be compromised. Every communication channel is suspect.
Why This Matters More Than You Think
The Congressional Budget Office isn't just another federal agency. The CBO is a nonpartisan agency that provides economic analysis and cost estimates to lawmakers during the federal budget process, including after legislative bills get approved at the committee level in the House and Senate.
Every major policy decision—from taxation to defense spending to entitlement programs—runs through CBO analysis before it becomes law. If adversaries have access to CBO's network, they can:
- Gain strategic foresight into how the U.S. government will make economic or national security decisions before the public or even Congress knows
- Predict sanctions and military funding levels before they're announced
- Anticipate economic policy shifts and adjust their own markets and investments accordingly
- Craft highly convincing phishing attacks using legitimate email threads between CBO researchers and congressional staff
James Faxon, managing director and CISO at NukuDo and former head of cybersecurity for Boeing, explained the strategic implications: accessing the CBO's internal models and drafts allows a hostile nation to predict how the U.S. plans to spend money and adjust its playbook in advance, giving it a major advantage.
A Perfect Storm of Cybersecurity Failure
The breach appears to stem from a textbook case of patch management failure. Security researcher Kevin Beaumont identified that the CBO was running a Cisco ASA firewall that had not been patched since 2024, leaving it vulnerable to security flaws that suspected Chinese government hackers were actively exploiting.
The timeline reveals criminal negligence:
- 2024: CBO's Cisco ASA firewall receives its last patch
- October 2024: New critical vulnerabilities in Cisco firewalls are discovered and actively exploited by Chinese APT groups
- October 1, 2025: Federal government shutdown begins, further limiting cybersecurity operations
- Early November 2025: CBO discovers the breach
- November 7, 2025: Breach becomes public; firewall finally taken offline
The vulnerable firewall remained unpatched even as the federal government shutdown took effect on October 1, 2025, which furloughed two-thirds of CISA staff and suspended routine patching and system maintenance across federal agencies.
The Government Shutdown Factor
This breach didn't happen in a vacuum. It occurred during what has become the longest government shutdown in U.S. history—a shutdown that gutted America's cybersecurity defenses at precisely the moment they were needed most.
The Cybersecurity and Infrastructure Security Agency furloughed approximately two-thirds of its 2,540 personnel during the shutdown, leaving only about 900 workers to defend the nation's digital infrastructure. This came on top of nearly 1,000 CISA employees who had already departed through voluntary buyouts and layoffs earlier in 2025.
The shutdown also coincided with the expiration of the Cybersecurity Information Sharing Act of 2015, which provided legal protections for companies to share cyber threat intelligence with government agencies. Without these protections, private sector companies became hesitant to share information about emerging cyber threats.
The message to America's adversaries couldn't have been clearer: the door is open, the guards are gone, and the alarm system is offline.
This Isn't An Isolated Incident
The CBO breach is part of a disturbing pattern of attacks targeting legislative support agencies:
In September 2024, foreign adversaries successfully accessed email communications between congressional legislative staffers and the Library of Congress's Congressional Research Service. The breach lasted from January through September 2024, compromising months of sensitive correspondence between Capitol Hill's legislative staffers and the research agency responsible for supplying committees with policy and legal analysis.
The breach specifically targeted communications that may have contained detailed economic projections, budget analyses, and policy impact assessments—exactly the kind of information that adversaries can exploit for strategic, political, or financial advantage.
These aren't random targets. They're strategic chess moves by sophisticated nation-state actors building a comprehensive intelligence picture of U.S. legislative priorities and economic planning.
The Secondary Threat: Weaponized Trust
Perhaps the most insidious aspect of this breach is what comes next. The Senate Sergeant at Arms office warned congressional offices that emails between CBO and congressional offices could have been compromised and used to craft and send phishing attacks.
Imagine receiving an email that appears to come from a CBO researcher you've been working with for months on a sensitive piece of legislation. The email references your previous conversations, uses the correct terminology, and asks you to review an attached document. You've exchanged dozens of legitimate emails with this person. Why would this one be different?
That's the nightmare scenario playing out right now on Capitol Hill. The attackers don't just have data—they have context, relationships, and the ability to weaponize trust.
Why Isn't This Bigger News?
So why isn't this story dominating headlines? Why aren't there congressional hearings? Why isn't there public outcry?
Several factors contribute to the muted response:
Cybersecurity Fatigue: After years of high-profile breaches, the public has become somewhat numb to cyber threats. Unless money is stolen or personal data is leaked, it doesn't generate sustained outrage.
Complexity: The strategic implications of a CBO breach require understanding how federal budgeting works, the role of cost estimates in legislation, and how nation-states conduct espionage. That's a heavy lift for a news cycle dominated by simpler narratives.
Shutdown Distraction: The record-breaking government shutdown has consumed media attention, ironically overshadowing one of its most serious consequences.
Political Fatigue: In a hyper-partisan environment, cyber threats against government institutions can become politicized, causing both sides to downplay or ignore the issue rather than address it.
Lack of Immediate Victims: There are no sympathetic victims with ruined credit scores or emptied bank accounts. The damage here is strategic and long-term, which doesn't drive clicks or outrage.
The Real Cost We Can't Yet Calculate
The true damage from this breach may not be known for years. Every budget negotiation, every cost estimate, every economic projection that moves through Congress over the next several months is potentially compromised. Foreign adversaries may have advance knowledge of:
- U.S. defense spending priorities and vulnerabilities
- Economic policy shifts that could affect global markets
- Trade negotiation strategies and red lines
- Infrastructure investment plans and timelines
- Tax policy discussions and revenue projections
CBO manages massive data sources related to policy issues ranging from mass deportation plans to tariff implementation to tax and spending cuts. Access to this information gives adversaries unprecedented insight into U.S. government priorities and decision-making processes.
What Should Happen (But Probably Won't)
In a rational world, this breach would trigger:
- Immediate Congressional Hearings: How did a critical agency go over a year without patching known vulnerabilities?
- Comprehensive Security Audit: Every legislative support agency should undergo immediate security review
- Shutdown-Proofing CISA: Ensure the nation's cybersecurity agency can operate during future funding lapses
- Mandatory Patching Standards: Federal agencies should face consequences for failing to maintain basic security hygiene
- Information Sharing Review: Assess how much damage has been done and what adversaries now know
But in our current political environment, with a record-breaking shutdown dragging on and cybersecurity treated as a partisan football, a comprehensive response seems unlikely.
The Bottom Line
The Congressional Budget Office remains compromised by what appears to be Chinese state-backed hackers. Congressional staff are being told to treat all CBO communications as potentially hostile. One of the most strategically valuable targets in the U.S. government is effectively announcing that it's radioactive.
And yet, this story has largely disappeared from public consciousness.
Whether through cybersecurity fatigue, political paralysis, or sheer complexity, we're collectively choosing to look away from an active, ongoing threat to the heart of our legislative process. The hackers are still there. The vulnerabilities remain. And America's adversaries are learning lessons about just how vulnerable we really are.
The question isn't whether this should be bigger news—it's why we've decided it shouldn't be.
The Congressional Budget Office has stated it has "taken immediate action to contain" the breach and implemented "additional monitoring and new security controls." However, warnings to congressional staff about ongoing threats suggest containment remains incomplete. Neither the CBO nor Cisco has publicly commented on the specific vulnerabilities exploited or the current status of the threat actors' access.
What you can do:
- Contact your congressional representatives and demand answers about this breach
- Support legislation to "shutdown-proof" CISA and other critical cybersecurity agencies
- Stay informed about the ongoing investigation and push for transparency
- If you work in government or contracting, remain vigilant for sophisticated phishing attempts leveraging this breach
The hackers are counting on us to forget about this story. Let's prove them wrong.