CyberWire Daily - Cyber and AI take center stage.

Episode Date: September 11, 2025

The House passes a defense policy bill that includes new provisions on cybersecurity and artificial intelligence. Senator Wyden accuses Microsoft of “gross cybersecurity negligence” after a 2024 ransomware attack crippled healthcare giant Ascension. The White House shelves plans to split U.S. Cyber Command and the NSA. The Pentagon finalizes its long-awaited Cybersecurity Maturity Model Certification (CMMC 2.0) rule. Akira ransomware group targets SonicWall devices. Officials warn solar-powered highway infrastructure should be checked for hidden radios. The Atlantic Council maps the global spyware market. Researchers uncover serious flaws in Apple’s AirPlay. A European DDoS mitigation provider thwarts a record-breaking attack. My Caveat cohosts Ethan Cook and Ben Yelin unpack the cyber elements of the Big Beautiful Bill. Who fixes the vibe code?

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we have Ethan Cook joining Caveat hosts Dave Bittner and Ben Yelin for this month’s Policy Deep Dive. Together, they unpack HR1, the “Big Beautiful Bill”, and how its investments in technology, supply chain security, and defensive resiliency reflect the Trump administration’s push for long-term technological dominance. If you want to hear the full conversation, head over to Caveat.
Selected Reading
House moves ahead with defense bill that includes AI, cyber provisions (The Record)
FTC should investigate Microsoft after Ascension ransomware attack, senator says (The Record)
Cyber Command, NSA to remain under single leader as officials shelve plan to end 'dual hat' (The Record)
Pentagon Releases Long-Awaited Contractor Cybersecurity Rule (GovInfo Security)
Akira Ransomware Group Utilizing SonicWall Devices for Initial Access (Rapid7)
Exclusive: US warns hidden radios may be embedded in solar-powered highway infrastructure (Reuters)
Mythical Beasts: Diving into the depths of the global spyware market (Atlantic Council)
Remote CarPlay Hack Puts Drivers at Risk of Distraction and Surveillance (SecurityWeek)
DDoS defender targeted in 1.5 Bpps denial-of-service attack (Bleeping Computer)
The Software Engineers Paid to Fix Vibe Coded Messes (404 Media)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. At Thales, they know cybersecurity can be tough, and you can't protect everything.
Starting point is 00:01:00 But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most. Applications, data, and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber. The House passes a defense policy bill that includes new provisions on cybersecurity and AI. Senator Wyden accuses Microsoft of gross cybersecurity negligence after a 2024 ransomware
Starting point is 00:02:00 attack crippled health care giant Ascension. The White House shelves plans to split U.S. Cyber Command and the NSA. The Pentagon finalizes its long-awaited Cybersecurity Maturity Model Certification rule. Akira ransomware group targets SonicWall devices. Officials warn solar-powered highway infrastructure should be checked for hidden radios. The Atlantic Council maps the global spyware market. Researchers uncover serious flaws in Apple's AirPlay. A European DDoS mitigation provider thwarts a record-breaking attack. My Caveat co-hosts, Ethan Cook and Ben Yelin, unpack the cyber elements of the Big Beautiful Bill. And who fixes the vibe code? It's Thursday, September 11th, 2025. I'm Dave Bittner, and this is your CyberWire
Starting point is 00:03:00 Intel Briefing. Thanks for joining us here today. It's great to have you with us. The U.S. House of Representatives has passed an $848 billion defense policy bill that includes new provisions on cybersecurity and artificial intelligence. The National Defense Authorization Act was approved in a 231 to 196 vote and sets Pentagon policy for the year. While less sweeping than past cyber debates, the bill still carries weighty digital measures. It directs the NSA to brief lawmakers on plans for its cybersecurity coordination center
Starting point is 00:03:50 and requires combatant commands to report on Cyber Command's support. The Pentagon would also build a software bill of materials for AI-enabled tools and pursue up to 12 initiatives using generative AI for cybersecurity and intelligence. Amendments adopted allow threat sharing between the NSA and the private sector and task the DOD with studying the National Guard's cyber response role. The Senate will take up its version next week. Senator Ron Wyden is urging the Federal Trade Commission to investigate Microsoft after a 2024 ransomware attack crippled Catholic health care giant Ascension. Wyden accuses Microsoft of gross cybersecurity negligence, citing its default support
Starting point is 00:04:40 for RC4 encryption, a 1980s-era standard vulnerable to a hacking method called Kerberoasting. Attackers allegedly exploited this weakness in Ascension's Microsoft Active Directory, spreading ransomware that disrupted 140 hospitals across 19 states and exposed data on nearly 6 million patients. Wyden argues Microsoft failed to warn customers clearly, instead burying guidance in obscure blog posts. Microsoft acknowledges RC4's risks but said abruptly disabling it would break systems, pledging instead to phase it out by 2026.
Starting point is 00:05:20 Wyden likened Microsoft to an arsonist selling firefighting services, given its market dominance in enterprise IT. The Trump administration has decided to keep U.S. Cyber Command and the NSA under dual-hat leadership, shelving plans to split the roles due to the complexity and risks of restructuring. Officials concluded a separation could take six years, slowing national security priorities. Army Lieutenant General William Hartman, currently acting leader, is Trump's choice to head both agencies permanently, reinforcing the arrangement's benefit for speed, coordination, and unified direction. Lawmakers largely support the move, warning a split could weaken U.S. cyber and intelligence capabilities.
Starting point is 00:06:11 The Pentagon has finalized its long-awaited Cybersecurity Maturity Model Certification rule, requiring stricter cyber standards for defense contractors. The framework, first proposed in 2019, aims to safeguard sensitive but unclassified information across the defense industrial base, which includes over 300,000 companies. Rolled out in three phases over three years, starting November 10th, CMMC sets three security levels. Contractors handling federal contract information may self-attest, while those with more sensitive data must undergo third-party or Defense Industrial Base Cybersecurity Assessment Center certification. The program reduces the original five levels to three,
Starting point is 00:07:02 easing compliance concerns for small businesses. Still, experts warn most contractors lack strong governance and encryption practices. Ultimately, nearly all defense vendors will need to adjust operations to meet the new requirements. In August 2024, SonicWall disclosed an SSL VPN flaw affecting their Gen 5 through Gen 7 firewalls. Though patches were released, incomplete remediation left devices exposed. The Akira ransomware group has since exploited this, combining the CVE with two additional risks: over-provisioned access from SSL VPN default groups, and public exposure of the Virtual Office portal, which attackers use to hijack MFA setups.
Starting point is 00:07:53 Rapid7 has observed rising intrusions and urges organizations to patch, enforce MFA, restrict portal access, rotate local accounts, and monitor SSL VPN activity closely. The U.S. Department of Transportation has issued a security advisory warning that solar-powered highway infrastructure, such as EV chargers, traffic cameras, and weather stations, should be checked for hidden devices like undocumented radios, Reuters reports. Officials say foreign-made inverters and battery management systems have been found with rogue components, often linked to Chinese suppliers. These devices could enable remote tampering, triggering outages, or data theft.
Starting point is 00:08:41 Experts warn they might also sabotage roadside systems or autonomous vehicle networks. The advisory urges transportation operators to inventory inverters, use spectrum analysis to detect unauthorized signals, remove rogue radios, and ensure network segmentation. The warning comes amid wider U.S. efforts to limit Chinese technology in critical infrastructure, including restrictions on Chinese-made cars set to take effect by 2026. Spyware, the commercial intrusion software enabling covert access to devices, poses acute human rights and national security risks. The Atlantic Council's updated Mythical Beasts project maps the market through 2024, expanding its data set to 561 entities across 46 countries. Notably, U.S.-based investors now make up the largest share
Starting point is 00:09:39 despite U.S. sanctions, visa restrictions, and diplomacy aimed at curbing proliferation. Resellers and brokers have also emerged as critical under-researched intermediaries that obscure vendor-buyer links and expand regional reach. Recent events underscore the stakes. NSO Group was fined $168 million in the U.S. over Pegasus targeting WhatsApp. The report highlights persistent patterns like jurisdiction hopping, serial entrepreneurship and hardware partnerships, and major transparency gaps in corporate registries. Policy recommendations center on tightening oversight of outbound U.S. investment,
Starting point is 00:10:22 boosting disclosure and due diligence, scrutinizing intermediaries, and improving public registries to increase accountability and slow the spread of abusive malware. Researchers at Oligo uncovered serious flaws in Apple's AirPlay protocol and SDK, dubbed AirBorne, that could enable remote code execution, data theft, and man-in-the-middle attacks. One bug allows wormable zero-click exploits. Oligo demonstrated attacks on Apple CarPlay, showing hackers could connect via USB, Wi-Fi, or Bluetooth.
Starting point is 00:10:59 Due to weak authentication in CarPlay's iAP2 protocol, attackers can impersonate iPhones, steal Wi-Fi credentials, and hack systems. Apple patched back in April, but most automakers have yet to deploy fixes, leaving millions of vehicles exposed. A European DDoS mitigation provider was hit by a record-breaking attack peaking at 1.5 billion packets per second. The assault, launched from thousands of compromised IoT devices and MikroTik routers across 11,000 networks, was mitigated by FastNetMon using the customer's scrubbing facilities and ACLs on edge routers. Though the target wasn't named, the attack highlights the growing weaponization of consumer hardware. FastNetMon's founder warned that without proactive ISP-level filtering,
Starting point is 00:11:54 such massive UDP floods could overwhelm defenses and cause widespread service disruptions. Coming up after the break, my Caveat co-hosts Ethan Cook and Ben Yelin unpack the cyber elements of the Big Beautiful Bill, and who fixes the vibe code. Stay with us. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier. And it can strengthen your security posture while actually driving revenue for your business.
Starting point is 00:13:04 You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that, you know, compliance teams using Vanta are 129% more productive. It's a pretty impressive number.
Starting point is 00:13:41 So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta, GRC, just imagine how much easier trust can be. Visit Vanta.com slash cyber to sign up today for a free demo. That's V-A-N-T-A.com slash cyber. With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside. So being a fan for life turns into the trip of a lifetime.
Starting point is 00:14:22 That's the powerful backing of Amex. Pre-sale tickets for future events subject to availability and varied by race. Terms and conditions apply. Learn more at MX.ca slash YNX. The Caveat podcast is where my co-hosts Ethan Cook and Ben Yelin
Starting point is 00:14:41 and yours truly look at policy issues affecting cybersecurity. On our latest episode, Ethan and Ben unpack the cyber elements of the Big Beautiful Bill. All right,
Starting point is 00:14:56 well, let's start at a high level here. I mean, for folks who may not have followed every detail, Ethan, unpack this for us. What is the Big Beautiful Bill and why has it generated so much debate? Yeah. So the Big Beautiful Bill, for context, is, you know, legally known as HR1. It is, I guess, the stepping stone for the Trump administration and its major funding effort for the next four years. Obviously, there's going to be other funding that comes through, but this is a really big homework on what its intentions are for the next four years and what it is trying to do. So some of the big things that came through this were the extension of the tax
Starting point is 00:15:31 cuts from 2017. Obviously I already mentioned the social program cuts, but also a massive influx in spending. I believe it's $150 billion, with a B, billion dollars into defense, as well as there's another $150 billion put into border security. Not going to cover that portion today, purely looking at the defense aspect. But in here we have things related to procuring new technologies, improving supply chain resiliency, things along those lines. And the spending is kind of crazy. It puts the U.S. spending on military over $1 trillion. And this money, while I say $150 billion, is a lot. Worth noting, it is over the next four years. It's not just 2025, 2026. It is a four-year program for a lot of these things.
Starting point is 00:16:23 But I do think it's worth looking at what these programs are, because it is very indicative of what the Trump administration is trying to do from a defense perspective. Yeah. Can I be snarky and say, should we call it defense or war? I think they put on the website that the Department of War is just a nickname. It's not legally changing it. Well, because it requires an act of Congress to legally change it,
Starting point is 00:16:48 and I guess they'll have trouble with that. There is a new placard, though, outside of... There is a new placard. Secretary Hegseth's office, so we do have that. Yeah, yeah. All right, well. Enough of my snark. Let's dig into some of the details here.
Starting point is 00:17:05 I mean, my understanding is that a big part of this is defense modernization. What exactly do they mean by that? So I think the defense modernization aspect is saying that for the next 10 years minimum, wars, and I guess the lead-up to a war, are not going to be won by just raw manpower. It's going to be won by technological advancement. And some people are going to say, well, that's obvious. You know, that's the way it's been forever, right? You know, whoever developed the bow and arrow over the other group was better, right? Gun counter. But I think what that means for the modern context is things like
Starting point is 00:17:42 investing in mesh networks and communication capabilities. There's $300 million provisioned just for mesh networks in the Indo-Pacific region. They also are putting $400 million into the development of advanced command and control tools, $500 million for accelerating the integration of 5G and 6G technologies across the military, and many others, and we can go on. I think one of the most important ones was the $500 million to prevent the delay of delivering AI-related military-capable tools. Hmm. Ben? Yeah, I mean, I think there's a theme here. I think it's reflected in the one billion dollars for offensive cyber operations, which is a really significant investment and I think signifies
Starting point is 00:18:35 an acceleration of a strategy that we all, the three of us, have talked about, pushing to more offensive cyber operations as a weapon of foreign policy. You know, the rest of it seems like they could have been bipartisan investments in the Department of Defense. I don't think, if you were to go line by line here, there's anything that most members of Congress would per se object to. Just in the context of a much larger bill, it is a significant increase in defense spending. And depending on what your priorities are, I mean, I think the controversy is whether that money would have better been spent elsewhere. Like, I don't think there's anything particularly controversial about the line items in the section here for the Department of Defense.
Starting point is 00:19:28 Yeah. So, Ethan, you mentioned that one of the bill's focal points is the Indo-Pacific Command. What makes that region a priority? China. The simple solution to that is China. I think the Trump administration has obviously always been very anti-China, even under his first administration. And while the Biden administration was also not on the best of terms with China,
Starting point is 00:19:54 the second Trump administration, I expect to be just as hostile, if not more, more so over that relationship. And I think the massive amount of money that they poured it from just this bill alone into the Indo-Pacific Command is very indicative of where they say we need to poke, focus our money, we need to not just keep diverting resources, but add resources, because again, And this is in addition to the money we have already spent to boost to that region. We're putting billions of dollars more into that effort. And I think it's not just about building advanced technologies.
Starting point is 00:20:31 It's about building a series of networks and control in that area with allies, making sure that, because it's so large, we can communicate efficiently across those areas, have the infrastructure in place to really make sure that we can control and have predictability in the area, and make sure that there's nothing happening that we can't control or that we can't respond to very quickly. Yeah, this bill also has a lot of funding for supply chain resilience. What's the concern there for both the military and the broader economy? So I think from the supply chain aspect, I think a key part of it is making sure the U.S. always has access to critical minerals for semiconductors and AI-related products. I believe that there was...
Starting point is 00:21:18 is $5 billion put in for investments into critical mineral supply chains, among other similar ones. They also are expanding not just the raw ability to acquire, but the ability to predict and analyze what is needed. They put $25 million, which, now that doesn't sound like a lot, but that's purely for the expansion of their industrial policy workforce. So they're putting $25 million to just expanding the Department of Defense's ability. Nice stimulus for law and policy analysts out there. Yeah, exactly. And I think that that is, the reason why that stood out to me was because at a time when the U.S. government, specifically the Trump administration, has been cutting, not just within certain agencies, but across the board, has been cutting positions within the DOD, within CISA, et cetera.
Starting point is 00:22:09 This marked a, hey, we're not cutting here. We're expanding. This is something that we're worth investing in, that industrial policy security is really important, especially under the Department of Defense. I think that was a huge indicator of what they're trying to do and to really ensure that the department has, that the military has not only access to these consistently, but not for right now, but for the next 10, 15 years. Be sure to check out the complete episode of Caveat wherever you get your favorite podcasts.
Starting point is 00:22:48 Oh, this is it, the day you finally ask for that big promotion. You're in front of your mirror with your Starbucks coffee. Be confident, assertive, remember eye contact, but also remember to blink. Smile, but not too much, that's weird. What if you aren't any good at your job? What if they dim out you instead? Okay, don't be silly, you're smart, you're driven, you're going to be late if you keep talking to the mirror.
Starting point is 00:23:13 This promotion is yours. Go get them. Starbucks, it's never just coffee. And finally, the rise of vibe coding, that magical process where AI generates software that looks fine until it implodes, has given birth to an unlikely cottage industry: vibe code fixers. What began as a LinkedIn meme about cleanup specialists has become a legitimate business. Freelancers like Hamid Siddiqui now offer to fix clunky front ends,
Starting point is 00:23:50 optimize messy code, and rescue apps that crash whenever somebody sneezes. Companies such as Ulam Labs openly advertise post-vibe cleanup services, while vibecodefixers.com connects desperate founders with seasoned developers. The common issues are as predictable as they are tragic, broken features when new ones are added, inconsistent design, and what one founder calls credit burn, wasted money on AI usage fees as apps unravel in their final stages. Despite the chaos, vibe coders remain emotionally attached to their Franken apps. As Swantantera, Sony puts it, AI may help people prototype, but humans will still be needed to keep this AI on the leash.
Starting point is 00:24:44 And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth.
Starting point is 00:25:28 Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Starting point is 00:25:45 Thank you.
