The federal government ignored a cybersecurity warning for 13 years. Now hackers are exploiting the gap.
In 2012, a Defense Department inspector general report raised concerns about the limits of signature-based antivirus tools. The Senate Armed Services Committee echoed those concerns, acknowledging that the military's cybersecurity system could only detect threats it already knew about. Worse, the system consumed so much communications capacity that commanders in low-bandwidth environments faced an impossible choice between operational security and mission execution.
More than a decade later, federal agencies are paying the price for ignoring that warning. The signature-based defenses that Congress questioned in 2012 are still protecting critical systems in 2025, and at the same time, adversaries have leapfrogged ahead with automation, AI, and constantly shifting tactics designed specifically to evade detection. The government's failure to heed that warning established a dangerous pattern: Reactive defenses are always one step behind evolving threats. Today, that same approach leaves federal agencies vulnerable across multiple fronts, and email, the most universal communication channel, has become the easiest entry point for nation-state actors to exploit.
Chinese hackers impersonated a U.S. congressman β and federal defenses failed
In July, the Chinese state-sponsored cyber threat group APT41 impersonated the congressman Moolenaar as part of a spear-phishing campaign targeting trade groups and law firms ahead of critical U.S.-China trade discussions. Posing as Moolenaar, attackers asked recipients to share their feedback as part of a ploy to gather information, and included malware disguised as a draft proposal.
It should give government security leaders pause that this email evaded detection and successfully reached its targets. With malicious AI tools at their fingertips, adversaries (and their tactics) are becoming increasingly sophisticated, and more challenging to detect.
For decades, email has remained the leading gateway that cybercriminals leverage to infiltrate federal agencies. Email is a universal communication mechanism, and for federal agencies that frequently engage with the public, it must remain open and available. But recent attacks have exposed a sobering reality: Our federal infrastructure isn't adapting quickly enough to keep up with threats, and vulnerabilities are growing.
Despite ongoing security awareness efforts and phishing security tests, many people still fail to recognize the risk that can come from a simple email. After all, when you're using official systems, it's easy to assume that once a message lands in your inbox, it's already passed all the necessary checks. And as AI has made traditional phishing red flags, like a suspicious attachment or poor grammar, mostly obsolete, it's not surprising that phishing is now reported as the starting point for 77% of advanced attacks.
Why government can't keep up
Government bureaucracy moves methodically but slowly. It's often the result of complex coordination across layers of hierarchy and competing priorities from multiple stakeholders. But when it comes to cybersecurity, this deliberative pace can create critical security gaps that deepen technical debt.
The challenge isn't a lack of effort, as the DoD and other agencies have made real investments in modernization. But the security landscape has changed faster than policy can adapt. Defenses must move from reactive to adaptive. Future-proofing federal cybersecurity means embracing tools and strategies that don't just chase yesterday's threats using the same methods, but anticipate tomorrow's with adaptive and modern techniques.
Here are ways government agencies can start to enact this approach:
- Revise BOD 18-01. While the 2017 directive includes several still-relevant protections, it doesn't fully defend against newer, more advanced threats, particularly those that leverage AI to bypass legacy detection methods. This policy should now be treated as baseline hygiene, not the ceiling for email security. Updated guidance must reflect the role of AI and behavioral analysis in identifying novel threats with no known signatures.
- Employ purpose-built, AI-native solutions. This administration has loudly declared the intention to move forward on AI, and in the new fiscal year, agencies have a timely opportunity to invest in tools that deliver impact without added complexity. Purpose-built, AI-native solutions offer a practical path forward, helping teams solve a specific problem, like detecting and stopping advanced email threats, without raising additional governance or risk concerns.
- Adopt a multi-layered security approach. Foundational measures like security awareness training and multi-factor authentication are still an essential part of any modern security program. By combining them with advanced, AI-native technologies that can more precisely detect anomalies, provide more tailored, sophisticated training, and better identify malicious activity, these measures will help ensure long-term protection against novel threats.
In this fiscal year, agencies will be expected to more widely embrace AI, a daunting but necessary shift. The focus should be on operationalizing AI to solve specific, labor-intensive tasks that drive mission impact. Email may seem routine, but it's a vital link in mission execution and public trust. The Pentagon warned us 13 years ago that reactive defenses would fail. They were right. The question now is whether federal agencies will learn from that mistake, or whether we'll be writing the same warnings in 2038 about the AI-powered threats we're ignoring today.
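The point made at the top of the piece (signature-based tools only catch what they have already seen) and the call above for behavioral analysis of email threats with no known signature can be shown concretely. The following Python example is added here for illustration; it is not code from the article, from Abnormal AI, or from any federal system. All sample messages, the "known bad" attachment bytes, the trusted-domain list and the domain names are constructed for the demo. It contrasts an exact-hash signature check, which a one-byte change to the payload defeats, with two content-independent behavioral checks (an official-sounding display name sent from an untrusted domain, and an attachment whose bytes do not match its claimed file type) that still flag the modified message.

```python
"""Signature matching versus behavioral checks on constructed sample emails."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class Email:
    display_name: str      # name shown in the From header
    sender: str            # actual From address
    subject: str
    attachment_name: str   # file name as presented to the recipient
    attachment: bytes      # raw attachment bytes


# Constructed "known bad" attachment: starts with the MZ marker of a Windows
# executable, followed by placeholder bytes. The signature database holds its hash.
KNOWN_BAD_ATTACHMENT = b"MZ\x90\x00FAKE-SAMPLE-0001"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD_ATTACHMENT).hexdigest()}

# Constructed allow-list standing in for the domains an official would really send from.
TRUSTED_DOMAINS = {"house.example"}

OFFICIAL_WORDS = ("congressman", "congresswoman", "rep.", "representative",
                  "senator", "committee")


def signature_hit(msg: Email) -> bool:
    """Classic signature check: the attachment must hash exactly to a known sample."""
    return hashlib.sha256(msg.attachment).hexdigest() in SIGNATURE_DB


def behavioral_findings(msg: Email) -> list[str]:
    """Checks that do not depend on having seen this exact payload before."""
    findings: list[str] = []
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()

    # 1. Persona mismatch: the display name claims an official role, but the
    #    address behind it is not from a domain such a person would use.
    if any(w in msg.display_name.lower() for w in OFFICIAL_WORDS) \
            and sender_domain not in TRUSTED_DOMAINS:
        findings.append("official-sounding display name from untrusted domain")

    # 2. Type mismatch: a file presented as a PDF whose bytes do not start with
    #    the PDF magic marker (%PDF) is not what it claims to be.
    if msg.attachment_name.lower().endswith(".pdf") \
            and not msg.attachment.startswith(b"%PDF"):
        findings.append("attachment named .pdf but contents are not a PDF")

    return findings


def triage(msg: Email) -> dict:
    """Combine both layers so a message evading one can still be caught by the other."""
    findings = behavioral_findings(msg)
    return {"signature": signature_hit(msg), "behavioral": findings,
            "suspicious": signature_hit(msg) or bool(findings)}


# Constructed sample messages.
KNOWN_MSG = Email("Congressman J. Example", "j.example@freemail.example",
                  "Feedback requested on draft proposal",
                  "Draft_Proposal.pdf", KNOWN_BAD_ATTACHMENT)
# Same lure, payload altered by one byte: the hash no longer matches.
VARIANT_MSG = Email("Congressman J. Example", "j.example@freemail.example",
                    "Feedback requested on draft proposal",
                    "Draft_Proposal.pdf", KNOWN_BAD_ATTACHMENT[:-1] + b"2")
BENIGN_MSG = Email("Jane Doe", "jane@partner.example", "Agenda for Thursday",
                   "agenda.pdf", b"%PDF-1.7\n% constructed benign document\n")

if __name__ == "__main__":
    for label, m in (("known", KNOWN_MSG), ("variant", VARIANT_MSG), ("benign", BENIGN_MSG)):
        print(label, triage(m))
```

Running it shows the known sample caught by both layers, the one-byte variant missed by the signature check but flagged twice by the behavioral checks, and the benign message passing clean. The behavioral rules here are deliberately simple; production systems replace them with models over many more features, but the structural lesson is the same: a detector keyed on exact past payloads has nothing to say about a payload it has never seen.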
Yejin Jang is head of government affairs at Abnormal AI.
The post The federal government ignored a cybersecurity warning for 13 years. Now hackers are exploiting the gap. first appeared on Federal News Network.