CISA’s Reset Delays Action as Mobile Spyware Surges

The recent shakeups at CISA, while aimed at modernizing federal cybersecurity, are having the opposite effect in the short term. Leadership turnover and structural overhauls are freezing progress at a moment when adversaries are accelerating.
Specifically, the commercial spyware market isn’t slowing down. Fueled by new rounds of venture funding and increasingly sophisticated capabilities, these tools are evolving faster than regulation can keep up. The gap between policy timelines and adversary tactics is only widening, and we may see the consequences of that gap sooner than we think.
Meanwhile, attackers aren’t waiting for frameworks to catch up. They’re already targeting mobile endpoints using zero-click exploits and surveillance tools that leave little trace. Without better visibility into mobile compromise, both enterprises and their employees remain exposed in ways traditional security stacks aren’t prepared to address.
Rising Spyware Risks Call for Broader Concerns
For years, our understanding of mobile threats was limited to a narrow set of high-profile targets, such as journalists, political activists, and government officials. These investigations were critical for surfacing the capabilities of tools like Pegasus, but they also left a gap in visibility that persists today. That gap is now being filled by a growing body of evidence: commercial-grade spyware is no longer reserved for the geopolitical elite; it is hitting the enterprise. Executives in finance, logistics and real estate are now being targeted for the sensitive data and strategic access they carry in their pockets. It’s time for mobile devices to be treated with the same endpoint security controls as corporate-issued laptops.
Meanwhile, groups like Scattered Spider have shown that mobile compromise isn’t just about surveillance. It’s a launchpad for enterprise-scale attacks. With the right exploit, everything from credential theft to point-of-sale compromise can be done at scale through a single compromised phone. If these groups gain access to nation-grade spyware, the business fallout could be swift and severe.
Lawmakers Play a Critical Role
While I’m cautiously optimistic lawmakers will take this security gap seriously, the extent to which such initiatives remain a priority is contingent upon understanding the true threat we face. Mobile devices are endpoints, and it is time policymakers recognized them as such. Malware on a mobile device opens much broader entry points to sensitive data than what could be compromised via telecom networks alone, spotlighting the critical need for mobile to be treated as a serious threat in national security regulations.
We’ve already seen the reuse of mobile malware amongst United States government adversaries exploiting commercial spyware, and we have to assume mobile exploitation will be an intelligence goldmine for America’s adversaries, especially to discern things like plans and intentions, order of battle, and more.
We need to call for better compliance requirements that extend to the mobile device.
Lawmakers must fully acknowledge the rise of mobile spyware; we have no choice but to pay attention to it as part of our national security strategy and policies.
Bridging the Gap: Why Public-Private Collaboration Matters
Mobile devices have become one of the most valuable and vulnerable endpoints in the enterprise. And yet, they remain the least protected. Defending against mobile spyware and exploitation can’t fall on individual companies alone. It requires active, agile collaboration between public agencies and private sector defenders to close the gaps in threat intelligence, detection, and response.
Security teams in the private sector often detect threats first, sometimes weeks or months before they’re recognized more broadly. But without fast, open channels for sharing that intelligence and research, we lose valuable time. On the flip side, federal agencies may have unique visibility into attacker tactics and tooling that never reach commercial defenders. Bridging this disconnect is critical, especially as we face a rising tide of commercial spyware and zero-click exploits that can be reused, resold, and repurposed across industries.
The future of mobile security depends on building shared standards for mobile threat detection and enabling a faster, more unified response across sectors. Today’s threat landscape is moving too fast for siloed defenses. It will take a united front to stay ahead of the next wave.