The Finding

December 23, 2025, Washington - The White House is preparing a classified presidential finding that would authorize U.S. Cyber Command to conduct offensive cyber operations against foreign ransomware networks operating outside the United States, according to two U.S. officials familiar with the matter. The directive, which could be signed as soon as December 25, would mark the first time a presidential finding has explicitly targeted criminal ransomware infrastructure rather than nation-state actors, the officials said. A presidential finding is the formal mechanism used to authorize covert action and notify Congress under the National Security Act.

The finding would permit Cyber Command, in coordination with the National Security Agency and the Federal Bureau of Investigation, to take disruptive action against servers, command-and-control nodes, and cryptocurrency wallets used by ransomware groups that have repeatedly targeted U.S. critical infrastructure. The operations would be conducted under authorities established by Title 10 and would not require a separate declaration of war, according to a senior official, speaking on condition of anonymity because the directive remains classified. The official said the operations would be subject to the same legal review process that governs other offensive cyber activities.

The draft document allocates roughly $440 million in reprogrammed Defense Department funds for the operations, which would be managed through a new task force based at Fort Meade, Maryland, the officials said. The task force would draw personnel from Cyber Command, the NSA, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. The funding would cover contractor support, specialized malware analysis tools, and secure communications infrastructure through the end of fiscal year 2026.

One official said the finding has been under review at the National Security Council since early November, with input from the CIA, the Defense Department, the Justice Department, and the Treasury Department. The official said the final draft was circulated to principals on December 18, with minor edits requested by the White House counsel's office. The official said Treasury raised concerns about the legality of disrupting cryptocurrency wallets held by foreign nationals not accused of terrorism, but those concerns were addressed with additional targeting criteria.

Scope and Targets

The finding focuses on ransomware groups that have attacked U.S. hospitals, municipal governments, and energy facilities during 2024 and 2025, according to the two officials. While the document does not name specific organizations in its unclassified summary, officials familiar with the targeting list said it includes networks linked to operators based in Eastern Europe and Central Asia that have demanded ransom payments in Bitcoin and Monero.

One official said the operations would prioritize groups that have targeted health care systems, including a coordinated string of attacks in October and November 2025 that disrupted billing and patient-record systems at more than a dozen U.S. hospitals across the Midwest and Southeast. The official said the finding would allow Cyber Command to act even when the ransomware operators are not directly affiliated with a foreign government, a departure from previous practice that required evidence of state sponsorship.

A former Senate Intelligence Committee staffer who was briefed on the broad outlines of the plan said the proposal represents a significant expansion of military cyber authorities. 'This moves the Defense Department into a space that has traditionally been handled by law enforcement,' the former staffer said. 'The argument inside the administration is that the FBI and Justice Department have been unable to keep pace with the speed and scale of these networks, and that the military has the technical capacity to disrupt infrastructure overseas more quickly.'

The former staffer said the plan has drawn internal skepticism from officials at the Justice Department, who are concerned that offensive cyber operations could complicate ongoing criminal investigations and international extradition efforts. Those concerns were raised during a Deputies Committee meeting on December 12, the staffer said, but did not block approval of the finding. The staffer said State Department lawyers also questioned whether the operations could be interpreted as violations of bilateral extradition treaties with countries where some servers are located.

Timing and Notification

The finding is scheduled to be signed at the White House on December 25, following a final interagency review completed on December 23, the officials said. Congressional leadership and the intelligence committees would be notified under the standard procedures for covert action findings on December 25, one official said. The so-called Gang of Eight, which includes the chairs and ranking members of the House and Senate intelligence committees, would receive a classified briefing before the signing.

The $440 million would be drawn from existing Cyber Command and NSA budgets through a reprogramming action approved by the Office of Management and Budget, according to a budget document reviewed by The Alamo Post. The funds would cover 180 additional personnel, contractor support, and specialized software tools through September 30, 2026. The document identifies $210 million from Cyber Command's operations and maintenance account, $165 million from the NSA's cyber operations budget, and $65 million in transferred funds from the Defense Information Systems Agency.

The reprogramming action was approved by the Pentagon comptroller on December 19 and is scheduled to be transmitted to the four congressional defense committees on December 24, the budget document showed. Congressional aides said the notification would arrive while both chambers are in recess for the Christmas holiday. One aide said the notification may not receive full scrutiny until lawmakers return on January 5, 2026.

What to Watch

If signed as drafted, the finding would take effect on January 2, 2026, the first federal workday of the new year, the officials said. Cyber Command would then have 45 days to submit an operational plan to the Pentagon and the National Security Council, with the first operations potentially beginning in late February. The task force would begin standing up at Fort Meade on January 5, with initial staffing completed by February 1. Officials said the task force would operate under the internal designation 'Ransomware Defense Cell.'

Congressional Democrats and some Republicans are expected to question whether the operations blur the line between military and law enforcement authority, the former Senate Intelligence Committee staffer said. The Senate Select Committee on Intelligence has scheduled a closed briefing on cyber authorities for January 15, 2026, according to a committee aide. House Armed Services Committee staff have also requested a separate briefing on the reprogramming action for the week of January 12.

Major news organizations, including the Associated Press and Reuters, are expected to confirm elements of the finding by December 25 or December 26, once congressional notifications begin, one official predicted. The White House and the National Security Council declined to comment.