CyberWire Daily - Blizzard warning: Russia’s GRU unleashes new cyber saboteurs.
Episode Date: September 6, 2024
Cadet Blizzard is part of Russia's elite GRU unit. Apache releases a security update for its open-source ERP system. SonicWall has issued an urgent advisory for a critical vulnerability. Researchers uncover a novel technique exploiting Linux's Pluggable Authentication Modules. Google's kCTF team has disclosed a critical security vulnerability affecting the Linux kernel's netfilter component. Predator spyware has resurfaced. US health care firm Confidant Health exposes 5.3 terabytes of sensitive health information. Dealing with the National Public Data breach. On our Solution Spotlight: Mary Haigh, Global CISO of BAE Systems, speaks with N2K's Simone Petrella about moving beyond the technical to build an effective cybersecurity team. An AI music streaming scheme strikes a sour note.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
On our Solution Spotlight segment, Mary Haigh, Global CISO of BAE Systems, speaks with N2K President Simone Petrella about moving beyond the technical to build a cybersecurity team.
Selected Reading
Russia's Most Notorious Special Forces Unit Now Has Its Own Cyber Warfare Team (WIRED)
Apache Makes Another Attempt at Patching Exploited RCE in OFBiz (SecurityWeek)
SonicWall Access Control Vulnerability Exploited in the Wild (GB Hackers)
Linux Pluggable Authentication Modules Abused to Create Backdoors (Cyber Security News)
PoC Exploit Released for Linux Kernel Vulnerability that Allows Root Access (Cyber Security News)
Predator spyware resurfaces with signs of activity, Recorded Future says (CyberScoop)
Therapy Sessions Exposed by Mental Health Care Firm's Unsecured Database (WIRED)
Frustration Trying to Opt-Out After the National Public Data Breach (Security Boulevard)
Musician charged with $10M streaming royalties fraud using AI and bots (Bleeping Computer)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Cadet Blizzard is part of Russia's elite GRU unit.
Apache releases a security update for its open-source ERP system.
SonicWall has issued an urgent advisory for a critical vulnerability.
Researchers uncover a novel technique exploiting Linux's pluggable authentication modules.
Google's kCTF team has disclosed a critical security vulnerability
affecting the Linux kernel's netfilter component.
Predator spyware has resurfaced.
A U.S. healthcare firm, Confidant Health, exposes 5.3 terabytes of sensitive health information.
Dealing with the National Public Data breach. On our Solution Spotlight, Mary Haigh, Global CISO of BAE Systems,
speaks with N2K's Simone Petrella about moving beyond the technical to build an effective cybersecurity team.
And an AI music streaming scheme strikes a sour note.
It's Friday, September 6th, 2024.
I'm Dave Bittner. Thanks for joining us. It is great to have you here with us.
A group of Western government agencies, including the U.S., U.K., Ukraine, and others, revealed that a hacker group known as Cadet Blizzard
is part of Russia's GRU Unit 29155.
This unit is infamous for acts of sabotage and assassination,
including the attempted poisoning of Sergei Skripal
and a failed coup in Montenegro.
Recently, it seems to have developed its own cyber warfare team,
separate from other GRU units like Fancy Bear and Sandworm. Since 2022, this new team has led
cyber operations, including the Whispergate malware attack on Ukraine ahead of Russia's
invasion. The U.S. Cybersecurity and Infrastructure Security Agency also issued a detailed advisory
on Cadet Blizzard's hacking methods. The U.S. Department of Justice indicted five members,
and the State Department offered a $10 million reward for information on the group.
This underscores the increasing overlap between physical sabotage and cyber warfare in Russia's tactics.
Apache released a security update for its open-source ERP system OFBiz, addressing two
critical vulnerabilities, including a patch bypass for previously exploited flaws. The bypass allows
unauthenticated attackers to execute code on affected Linux and Windows systems.
The vulnerability is linked to three recently patched remote code execution flaws,
which share the same root cause, controller view map state fragmentation.
Rapid7 reported the patch bypass, warning that the underlying issue persists despite earlier fixes.
The update implements additional authorization checks to prevent exploitation and also resolves
a server-side request forgery flaw.
Users are urged to update to the latest version as attackers are actively targeting vulnerable
systems.
SonicWall has issued an urgent advisory for a critical vulnerability
affecting SonicOS management access and SSL VPN. This flaw, actively exploited in the wild,
could allow unauthorized access or cause firewall crashes. It impacts Gen 5, 6, and 7 SonicWall devices running older SonicOS versions.
Users are urged to apply the latest patches immediately.
For those unable to patch, SonicWall recommends restricting firewall management and disabling SSL VPN access from the Internet.
The vulnerability has a CVSS score of 9.3.
Group-IB's DFIR team uncovered a novel technique exploiting Linux's pluggable authentication modules to create persistent backdoors on compromised systems.
This method, not yet in the MITRE ATT&CK framework,
involves abusing the pam_exec module to execute malicious scripts
during SSH authentication. By modifying PAM configurations, attackers can exfiltrate sensitive
data, like usernames and authentication details, without leaving traces in system logs, making
detection challenging. This technique allows unauthorized access and persistent control over affected systems.
To defend against this threat,
organizations should implement proactive measures
like privilege management for Unix and Linux
and file integrity monitoring to detect suspicious changes.
The discovery highlights the risks of PAM's flexibility and modularity.
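As an added example (not code from the podcast, from Group-IB, or from any vendor): a Python audit that parses PAM service files the way pam.d does, lists every pam_exec.so entry with the program it would run and the PAM stack it fires on, and flags the hallmarks of the technique just described, in particular expose_authtok, the pam_exec option that passes the entered password to the program on stdin. The sshd configuration it checks is constructed for the example and every path in it is hypothetical; point scan_pam_dir at a real /etc/pam.d (or a copy taken during an investigation) to run it for real, and treat its output as a complement to file integrity monitoring of /etc/pam.d, not a replacement.

```python
"""Audit PAM configuration text for pam_exec.so entries (added example).

pam_exec.so runs an arbitrary program from inside a PAM stack; with the
expose_authtok option the program also receives the entered password on
stdin. This audit parses PAM's "type control module args" line format,
lists every pam_exec.so entry, and flags the ones that look like the
persistence technique described above. The sample sshd configuration and
every path in it are constructed for this example.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass
from pathlib import Path

PAM_TYPES = {"auth", "account", "password", "session"}
# pam_exec's own options; the first argument that is not one of these
# (or log=/type=) is the program to run.
PAM_EXEC_FLAGS = {"debug", "expose_authtok", "seteuid", "quiet", "quiet_log", "stdout"}
# Directories where a login hook for a packaged service is not expected.
UNUSUAL_DIRS = ("/tmp", "/dev/shm", "/var/tmp", "/usr/local", "/home", "/root")

# "type control module-path module-arguments"; the control field may be a
# bracketed "[success=1 default=ignore]" token, which contains spaces.
_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamExecEntry:
    service: str           # PAM service file the line came from, e.g. "sshd"
    stack: str             # auth / account / password / session
    control: str           # e.g. "optional" or "[success=1 default=ignore]"
    program: str           # program pam_exec would execute
    exposes_authtok: bool  # expose_authtok: typed password goes to program's stdin
    raw: str               # original line, for the report


def _join_continuations(text: str) -> list[str]:
    """PAM lets a trailing backslash continue a logical line; join those."""
    lines, pending = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            pending += line.rstrip()[:-1] + " "
        else:
            lines.append(pending + line)
            pending = ""
    if pending:
        lines.append(pending)
    return lines


def _is_pam_exec_option(token: str) -> bool:
    return token in PAM_EXEC_FLAGS or token.startswith(("log=", "type="))


def find_pam_exec(config_text: str, service: str = "?") -> list[PamExecEntry]:
    """Return every pam_exec.so entry in one PAM service file's text."""
    found: list[PamExecEntry] = []
    for raw in _join_continuations(config_text):
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment in pam.d
        m = _LINE.match(line) if line else None
        if not m or m.group(1).lower() not in PAM_TYPES:
            continue                            # blank, @include, or malformed
        ptype, control, module, args = m.groups()
        if Path(module).name != "pam_exec.so":  # bare name or absolute path
            continue
        tokens = shlex.split(args)
        program = next((t for t in tokens if not _is_pam_exec_option(t)), "")
        found.append(PamExecEntry(service, ptype.lower(), control, program,
                                  "expose_authtok" in tokens, raw.strip()))
    return found


def suspicion(entry: PamExecEntry) -> list[str]:
    """Reasons an entry resembles the credential-stealing hook, if any."""
    reasons = []
    if entry.exposes_authtok:
        reasons.append("expose_authtok hands the entered password to the program")
    if Path(entry.program).name.startswith("."):
        reasons.append("program is a hidden file")
    if entry.program.startswith(UNUSUAL_DIRS):
        reasons.append("program lives outside the packaged system paths")
    return reasons


def scan_pam_dir(pam_d: str = "/etc/pam.d") -> list[tuple[PamExecEntry, list[str]]]:
    """Run the audit over a real (or copied) pam.d directory."""
    results = []
    for f in sorted(Path(pam_d).iterdir()):
        if f.is_file():
            for e in find_pam_exec(f.read_text(errors="replace"), f.name):
                results.append((e, suspicion(e)))
    return results


# Constructed sample: a Debian-style /etc/pam.d/sshd with one injected line.
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service (constructed sample)
@include common-auth
# injected hook: runs on every SSH auth and receives the password on stdin
auth    optional  pam_exec.so quiet expose_authtok /usr/local/bin/.sshd_helper
account required  pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] \\
        pam_selinux.so close
# legitimate-looking login notifier for comparison (also constructed)
session optional  pam_exec.so seteuid log=/var/log/sshd-notify.log /usr/bin/notify-login
@include common-session
"""

if __name__ == "__main__":
    for e in find_pam_exec(SAMPLE_SSHD, "sshd"):
        flags = suspicion(e)
        verdict = "SUSPICIOUS: " + "; ".join(flags) if flags else "ok"
        print(f"{e.service}: {e.stack:8} {e.program}  {verdict}")
```

The check deliberately keys on what the technique needs rather than on any one indicator: an auth-stack pam_exec entry with expose_authtok is the combination that lets a script capture passwords at SSH login, and because nothing is logged by PAM itself, the configuration file is often the only artifact left on the host.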
Google's kCTF team has disclosed a critical security vulnerability affecting the Linux kernel's netfilter component,
specifically the nft_set_rbtree module.
Rated with a CVSS score of 7.8, this high-severity flaw arises from improper handling of end-interval elements during garbage collection in the rbtree data structure.
This issue can lead to unauthorized access or execution of malicious code.
The vulnerability impacts multiple Linux kernel versions, but patches have been released for distributions like Ubuntu and Debian. Google has also released a proof of concept on GitHub to raise awareness and aid
security professionals in mitigating the risk. System administrators are urged to apply the
latest patches to protect against potential exploitation. The discovery highlights the
need for proactive security measures
and timely updates to maintain the integrity of Linux systems globally.
After a period of low visibility, the Predator spyware has resurfaced,
according to research from Recorded Future's Insikt Group.
The spyware, developed by Intellexa, has previously targeted high-profile
individuals, such as U.S. Congress members and United Nations officials. New infrastructure
linked to Predator was discovered, with likely customers in Angola, Saudi Arabia, and the
Democratic Republic of the Congo. Intellexa's operations were affected by U.S. sanctions and public exposure,
forcing them to adapt their tactics, but they continue with minimal changes. Recorded Future
identified Predator activity in the DRC, possibly linked to government use,
particularly in conflict-affected regions like the eastern provinces.
Security researcher Jeremiah Fowler uncovered a major data breach involving the U.S. healthcare firm Confidant Health,
exposing 5.3 terabytes of sensitive health information.
The unprotected database contained over 120,000 files and 1.7 million activity logs, including audio and video of
therapy sessions, psychiatric reports, and personal medical histories. Patients' deeply
private details, such as addiction struggles and family traumas, were accessible, along with
administrative records like ID and insurance cards. Confidant Health, operating in states like Connecticut, Florida, and Texas,
offers addiction recovery and mental health services.
Fowler alerted the company, which secured the database within an hour.
However, some files had password protection, while others did not.
Confidant Health's co-founder emphasized the company's commitment
to security and expressed concern over what he labeled sensational portrayal of the breach.
Author Matthew Rosenquist penned a piece for Security Boulevard describing his significant
challenges in dealing with the National Public Data breach, which exposed sensitive personal information, including his own. As a California resident, he has the legal right
to demand data deletion, but his experience with their opt-out process has been frustrating.
After confirming his data was compromised, Rosenquist followed instructions to opt out,
only to encounter an unresponsive automated system and vague reassurances through voicemail.
Adding to his frustration, privacy requests are directed to a sales email, raising doubts about whether his request will be properly handled.
Rosenquist suspects the complex, unhelpful process may be a deliberate attempt to discourage data deletion requests,
which could pose a legal liability for the company.
He expresses concern about privacy rights and wonders if others have had success navigating the process,
or if a class-action lawsuit might be underway.
Coming up after the break,
Mary Haigh, Global CISO of BAE Systems,
speaks about moving beyond the technical to build an effective cybersecurity team.
Stay with us.
Mary Haigh is Global CISO of BAE Systems. And in today's Solution Spotlight,
N2K's own Simone Petrella sat down with Mary Haigh
to talk about moving beyond the technical
to build an effective cybersecurity team.
So I started life as a semiconductor physicist,
working on military thermal cameras, of all things,
and then went into spinning out intellectual property into
businesses. So that gave me the kind of business experience of what's the market, who are the
competition, how do you set up a successful business model, how are you going to get investment
and grow it. And from that I dived into cybersecurity, because they asked me to
go and work with a cybersecurity business on how they should develop their product.
So that took me into the cyber world about 15 years ago,
and I've never left because it was such an interesting space to be in
in terms of, well, fascinating market, fascinating development,
a real sense of purpose and doing good.
And so I kind of stayed in cyber, and in there I've done
everything from managing sort of business groups that were focused on cross-domain solutions,
so how do you connect the internet to top secret, and the controls you have in place, and
security monitoring. Quite a lot on the technologies and security
monitoring. So really broadening out and learning about lots of different
aspects of cybersecurity, and there are so many different aspects of cybersecurity, so
sort of learning about more and more of those and managing those as product lines and services. And
then about three and a half years ago I got a phone call to say, are you interested in doing a CISO role at BAE Systems? Which was
one of those wonderful phone calls where you go immediately, oh yes, because for me that
was the other side of the fence. So I'd been doing all of this work on developing products to take
to market and understanding all of the customer problems and the market needs. And now suddenly I had the chance to go on to, if you like,
that customer side. So do cybersecurity for yourself across a company like BAE Systems.
And that was pretty exciting. Yeah. Can you help describe, because as I understand it,
your role in BAE Systems is internal focused on the company's own security.
But obviously, BAE Systems also does cybersecurity work for its customers and clients.
So what's the dynamic like in an organization that both delivers security and security services and products, but also has to be mindful of its own security controls and programs?
Yeah, I mean, it's actually quite a useful dynamic, because there's a good understanding across all levels of the organization that cybersecurity matters,
and you know, you can easily see when you're producing a product or a service to take into
a battle space environment, you know, a defence environment,
that stakes are high and cyber is a domain of warfare.
So our products in and of themselves
must be resilient against that environment.
And of course, that plays back right back through
to when you're building them in the environment within BAE Systems.
So it's not some separate thing,
the cybersecurity products, to the security of our internal infrastructure. The two are
inextricably linked. If you develop our products in a really poor security environment, they're not
going to perform well in a... you know, the secrets will already have been leaked, if you like, of
how they work. So although from a strict, if you like,
governance model point of view,
engineering does the management of that product side
from a what is good cybersecurity,
what culture do we want across the whole organization,
how do you do good, thinking about risk,
thinking about threat,
thinking about the controls you put in place.
We try to do that consistently across the organization.
So I work very closely with engineering and with manufacturing
to drive that consistency wherever we can.
And in fact, we updated our concept of operations recently,
our operating model, so that it's one operating model
describing the whole of cybersecurity right across IT, OT products and internal infrastructure,
because they're so linked. Yeah, no, that's fascinating. And I think it's such a unique
feature of so many companies like BAE that are doing kind of that customer facing work,
but worrying about their own. I want to flip on you because I know that
in your role as a leader, in your background, I know you have been a big advocate for
diversity in the field and women in particular. And I want to start with a quote that you gave
earlier this summer. And you said, I hire for attitude. And often it's the technical skills
that we can't teach. Is there a moment in time, like what was the aha moment where you came to that philosophy?
It was actually in this role.
And so many people were saying to me, oh, one of our biggest risks is skill shortages.
It's a really small pool of talent.
It's really hard to hire. And I listened to all
of that and thought, okay, well, we'll grow our own. We've got to play a part as good cyber
citizens in growing that talent pool. Because if a massive company like BAE can't do it, then who
can? Right? So we've got to be part of building that pool of people.
And I looked at my team and who was in it
and thought they're not all,
they've not all got cybersecurity degrees.
They're not all computer scientists.
They're from a massive range of background.
I'm a physicist.
We've got a biologist, a geographer, a dancer.
It's so many different backgrounds, and yet they were all really strong together.
And actually they were strong partly because of that diversity of background.
And so then when I was actually having some mentoring with a coach and really getting into kind of how do I build teams and how do I think about the behaviors that I want.
And I realized that when I drew that kind of hierarchy of needs, when you're thinking about building a team, it wasn't technical skill that was at the top.
It was those attitudes, that moral code.
Because if the team really gels together in a common moral code,
we've got each other's backs, we absolutely trust each other,
we've got the same kind of outlook on those fundamental things,
then you have an incredibly strong foundation to your team
and you can build the rest of it after that.
So it was something
that I think I've done for a little bit, but perhaps not as consciously. And then when it
became a really conscious thing, it allows you to build it out a little bit more, doesn't it? Right.
Well, and I love it, and I'm very biased in saying I love this, because Rick Howard and I have given many a talk.
And we have this kind of metaphor that we use, that building a cybersecurity team is similar to the book Moneyball by Michael Lewis here in the U.S.
It is a team-based approach, and we often don't take a team-based approach to
building out our cybersecurity teams. And you know, so it's like, how do you kind of look at the entire
playing field and identify the positions and where people go? And just because you bring on that
superstar... like, even if you have a team, right, we see this in the Olympics, like you
have a team of all superstars, that doesn't mean that they all are going to work well together as a team.
So being able to understand that dynamic just as much as the raw skill sets is so important.
So I love that.
And if you take your sporting metaphor a step further, the team of superstars are the visible ones.
But behind the team of superstars are the dietitians and the trainers and the psychologists, and you know, actually there's a massive range of people that have led to those visible ones being
superstars. And it's the same in the cyber teams, that you know, people like the cybersecurity
architects or the head of the SOC or the pen testers, they're very visible. But actually it's a whole
massive load more that happens behind the scenes to deliver a good cybersecurity effect.
Right.
You know, one thing I know that you also have talked about is the importance of data.
And how that drives so much of the decision making and prioritization that happens within your team at BAE.
And obviously, we're talking a lot about people, but I would love to understand more.
What are some of the things that you and your team are doing? What does BAE do to sort of embody that
data-driven approach to making decisions when it comes to building teams, but also identifying what
are your priorities in your security controls and program?
Yeah, so there were kind of two key bits
when I came in as a CISO that felt really important, because there was a lot of, I call it, emotion-based decisions that were then revisited and re-challenged lots of times.
So it took a long time to reach a consensus and a decision.
And that, in a world where, in cybersecurity, agility is unbelievably important because the threat's changing and the technologies are changing.
So if you take a long time to work out how to respond to that, you're behind the curve already.
So there was the data underpinning understanding where your risk is,
and the governance model, such that you can show that data to the right group of people at the right cadence at the right time, such that they make the right decisions.
You've got the right expertise in the room to make the decisions and that decision then
sticks.
Those two things together are really important.
So we spent quite a bit of time looking at how do other people do it
is the best practice out there around the dashboards.
And you can sketch up what you'd like to see to drive decisions.
So we sort of did it from a point of view of,
I'm going to need to make these type of decisions,
so what data would help me do that, as opposed to,
here's a load of data, did that help you make the decision? Because sometimes you can be overwhelmed. The difficult bit then, of course, is the plumbing behind that. So it's easy to sketch
a dashboard, but you need the data to be plumbed in and to be consistent across the organization,
such that it does hang together in a dashboard that gives you a good picture across the organization at scale.
So we did a lot of work on getting that plumbing in place,
which is never the most attractive, exciting thing,
but actually is absolutely fundamental to having those dashboards.
But to your point, I mean, it's so critical to know what business objective you're trying to accomplish at the get-go
because there's so much minutiae and tedium to kind of get all that data going.
And it can also be very confusing because there's so much data that we have at our disposal.
So how do you really separate that signal from the noise of what we have?
What's the question you're trying to answer?
Start with the question and then go to the data.
But we were willing to build a few dashboards,
which we threw away.
So we did have some which we built and then went,
yeah, no, that's not actually useful.
So there is a bit of a kind of fail fast approach to it.
It is really important to start on the question
rather than the data.
Now, I know BAE is a global company and so has to sort of
perform across regulatory schema in many countries. But in the U.S., the Office of the National Cyber
Director and the White House has been making a big push around skills-based hiring, specifically
in the government, in the U.S. government, and even to the point of reclassifying job codes.
And I'm curious where that, if you have seen, again, I know this is on the more of the customer
client facing side than internally, but has that started to change the way BAE is thinking about
its workforce, how it supports those U.S. federal government clients, and what are they doing in
order to sort of evolve to kind of meet those new requirements?
Yeah, we're seeing that push from across Five Eyes, so across US, UK, Australia in particular.
And I'd sort of characterize it as cybersecurity in the grand scheme of things is quite a new space, really.
And we're trying to professionalize. So, you know, you see my generation coming through
with a whole load of crazy and fantastic backgrounds.
That's brilliant.
But we do need to both professionalize it,
so you, particularly for smaller companies,
I think it's quite hard if you're starting from scratch
building a cybersecurity capability,
knowing what you're looking for, because there are increasingly qualifications where you can go, yes, if you've got that, that and that, then they're good.
But it's a little bit mixed.
So professionalizing it more is an important part of the maturing cybersecurity as a profession, whilst not losing some of those useful backgrounds.
So we do need to make sure that the professionalization still brings career changes in because they're a valuable part of it.
So we're tracking that.
The UK Cyber Security Council has done some work on that, and in the US as you've called out, and we're
trying to mirror that. So simple things like our way of describing the roles of cybersecurity, we
have taken, as it happens, the UK way of describing it, because what I don't want is to
hire for a job role
and use a totally different term for it than anyone else in the market,
because it's really unhelpful.
So standardizing the way that we talk about roles
and the development framework.
So if you're in this role, these are the types of the way
that you would develop your career in that role
and taking that deliberately from government developed things because it's only when industry gets behind government that you get the momentum
to standardize and to professionalize it. Right. And, you know, as someone who has spent a lot of
my time in that space, it just is a it takes a lot of strategy and thought that often I think as a security profession,
we don't want to take that step back and do that lift because we're like, well, no, you
have to defend the network now.
And that takes a lot of that kind of strategic step back work.
So we often get stuck in this in between purgatory.
Yeah.
And I think it is something that's better to do at a national
level, because if I did it and then the other defense prime did it, not only would it take up a
lot of our time, but we'd all come out with something a tiny bit different. Right. And actually
those differences don't add value. So pull together a really good team at a national level
and then everyone else takes it. That's sort of, I think the most efficient approach.
My last question is, I do want to touch
on the diversity in the field. One, because I always love to have a chance to talk to other
really amazing industry executives and women in the field who have really made it to the top of
their games. And, you know, one thing that always frustrates me when we talk about the cybersecurity
profession and the people strategy associated with it is that, you know, I think everyone kind of lines up and says,
we have this need for diversity and we're committed to doing these things. And I think
there's a lot of consensus around that point. But I also think there are still some really major
roadblocks that seem to be preventing us from making any real, like, fast or demonstrative progress. I mean, it's
happening, but it's happening, I think, more slowly than many of us would like. What do you
think is standing in the way of kind of us as leaders in addressing those diversity and gap
and kind of talent issues we've kind of discussed? And what are some of the things maybe that we can
look to implement in the future to be, you know, I don't want to end on a negative note.
I want to be optimistic here that there's a way to kind of make that forward momentum and progress.
Yeah.
Well, obviously, recognizing it is an important first step.
And as you say, I think mostly people have done that.
There is sometimes a tendency to go admire the problem and go, oh, it's so big that others, you know, that if I do this little thing, is it really going to make a difference?
There is no silver bullet.
It's lots of little things.
And the more we just get on and do those. When we look at our talent management, we look at our performers, I always ask the question on the
diversity of those high performers. When we're promoting people to fellows, so the
technical excellence, have we got the diversity in there? And in some cases we find we haven't,
and all it needs is a tap on the shoulder. So in our fellows, for example, we had
one female application. So we halted the process. I went out to a load of brilliant women and said,
you know, there's this fellow thing, and I think you'd be really good for it.
And pretty much all of them went, I didn't think I was good enough. And all it took was a tap on
the shoulder to say, you're so good enough. And then they applied.
And now the diversity of our fellows is quite a lot better than it was.
And as soon as you get that momentum in, it grows from there.
Mentoring is another area that's really close to my heart.
It's not that hard to set up a mentoring scheme.
We set up a Women in Cyber Mentoring Scheme.
We didn't want it to be just BAE, because the value of mentoring is broad
perspectives. So I used my industry contacts, and we've got so many different companies involved,
from governments, the trans research labs in the UK, to Microsoft, to some of the big five
consultancies, PwC. They're all involved in it, because they can, you know, if you set up a
good scheme, they'll all get involved. So we've got this cross-industry mentoring scheme for women
in cyber and the mentors can be men or women. And mentoring can be such an important moment
in people's career, that moment when they just don't feel like they belong, they don't quite
know where they're going, they've had a really bad day and they didn't feel like they were listened to in a meeting or they were interrupted
so many times. Just having that mentor that you can ring up and go, how do I handle this
situation? It's really, you know, someone really trusting that you can talk to can make the
difference between someone saying, do you know what, I just haven't got the energy anymore, versus, okay, I know how
to handle this. I can bring in some more tools. I can challenge what's happening and stay in the
industry. So never underestimate those small things that you do to really drive the change.
Yeah, well, and one of the things that has struck me,
and I apologize for using a stat that's very US-centric.
I'd have to relook it for where we are in kind of the global phenomenon.
But, you know, as we track supply and demand in the US,
and it's all publicly available,
of like what jobs are open and available
and then what's the availability of applicants, where is the talent pool? We've kind of for the first time seen that
we have a surplus of entry-level candidates for roles. There are more candidates available than
roles, which is a great news story in that we have gotten, we're getting more people interested
in entering the field. But now to your point, we still have this major gap in the middle.
And, you know, when you talk about mentorship and bringing someone along, like we're not going to
be able to fill that gap in the middle or the gap of people who are starting to retire out or, you
know, exit the field at their senior levels until we have some mechanism, not only to mentor, but
bring them through. And it really resonates with me when you talk about like a lot of women, they
won't apply if they don't feel they need all the qualifications.
But the reality is we're not going to be able to grow that talent unless we're part of the solution as industry to get them there.
So it's, you know, it's twofold. It's like, how are we supporting those development pathways to bring people into those positions?
And, you know, that middle ground of people, those are the people that that's why retention matters so much that they do stay in and that you do have a way of really leaning in and coaching them and developing them.
And I'll hook it back. That's why the behaviors piece in your team and the culture matters so much, because if you've got that good moral code and culture in the team, do you know what? It's an inclusive environment. And it being an inclusive environment
is massively important to the retention
that everyone's voice is heard and respected.
That makes a huge difference to feeling like you belong,
which is just essential.
That's Mary Haigh, Global CISO of BAE Systems,
speaking with N2K's Simone Petrella.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. ThreatLocker gives you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
And finally, our streaming media desk tells us the story of Michael Smith, a North Carolina musician who hit the jackpot, but not in the way you'd expect.
Between 2017 and 2024, Smith allegedly raked in over $10 million in royalties from Spotify, Apple Music, Amazon Music, and YouTube by streaming AI-generated songs with the help of thousands of bots.
That's right, he created a digital audience of automated listeners.
With the assistance of an AI music company CEO and a music promoter,
Smith uploaded hundreds of thousands of AI-created tracks to these platforms.
Using VPNs to avoid detection, his bots streamed the songs billions of times.
He even emailed his team about needing a ton of songs to outsmart anti-fraud policies.
Smith's clever math saw him earning over $3,000 a day in royalties, totaling $12 million from 4 billion fake streams. Now, though,
the melody has soured. He faces charges of wire fraud and money laundering,
with up to 20 years in prison awaiting him.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday with our guest Kevin
Lentz, team leader of the Cyber Pacific Project at the
Global Disinformation Lab, discussing the recent threat casting report, Cyber Competition in the
Indo-Pacific Gray Zone 2035. That's Research Saturday. Check it out. We'd love to know what
you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly
changing world of cybersecurity. If you like our show, please share a rating and review in your
favorite podcast app. Please also fill out the survey in the show notes or send an email to
cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the
most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence
and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment,
your people. We make you smarter about your teams while making your team smarter. Learn how at
n2k.com. This episode was produced by Liz Stokes.
Our mixer is Trey Hester,
with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karff.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.