CyberWire Daily - Trends shaping the future at RSAC.
Episode Date: April 29, 2025

RSAC 2025 is well under way, and Kevin the Intern files his first report. Authorities say Spain and Portugal’s massive power outage was not a cyberattack. Concerns are raised over DOGE access to classified nuclear networks. The FS-ISAC launches the Cyberfraud Prevention Framework. Real-time deepfake fraud is here to stay. On today’s Threat Vector, host David Moulton speaks with Daniel B. Rosenzweig, a leading data privacy and AI attorney, about the growing complexity of privacy compliance in the era of big data and artificial intelligence. Protecting your company…with a fat joke.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector
In this segment of Threat Vector, host David Moulton speaks with Daniel B. Rosenzweig, a leading data privacy and AI attorney, about the growing complexity of privacy compliance in the era of big data and artificial intelligence. Dan explains how businesses can build trust by aligning technical operations with legal obligations—what he calls “say what you do, do what you say.” They explore U.S. state privacy laws, global data transfer regulations, AI compliance, and the role of privacy-enhancing technologies. You can hear David and Daniel's full discussion on Threat Vector here and catch new episodes every Thursday on your favorite podcast app.

Kevin on the Street
Joining us this week from RSAC 2025, we have our partner Kevin Magee, Global Director of Cybersecurity Startups at Microsoft for Startups. Stay tuned to the CyberWire Daily podcast for “Kevin on the Street” updates on all things RSAC 2025 from Kevin all week.

You can also catch Kevin on our Microsoft for Startups Spotlight, brought to you by N2K CyberWire and Microsoft, where we shine a light on innovation, ambition, and the tech trailblazers building the future right from the startup trenches. Kevin and Dave talk with startup veteran and Cygenta co-founder FC about making the leap from hacker to entrepreneur, then speak with three Microsoft for Startups members: Matthew Chiodi of Cerby, Travis Howerton of RegScale, and Karl Mattson of Endor Labs. Whether you are building your own startup or just love a good innovation story, https://explore.thecyberwire.com/microsoft-for-startups.

Selected Reading
RSA Conference 2025 Announcements Summary (Day 1) (SecurityWeek)
ISMG Editors: Day 1 Overview of RSAC Conference 2025 (GovInfo Security)
ProjectDiscovery Named “Most Innovative Startup” at RSAC™ 2025 Conference Innovation Sandbox Contest (RSAC)
Krebs: People should be ‘outraged’ at efforts to shrink federal cyber efforts (The Record)
NSA, CISA top brass absent from RSA Conference (The Register)
Power Is Restored in Spain and Portugal After Widespread Outage (New York Times)
DOGE employees gain accounts on classified networks holding nuclear secrets (NPR)
New Framework Targets Rising Financial Crime Threats (GovInfo Security)
The Age of Realtime Deepfake Fraud Is Here (404 Media)
The one interview question that will protect you from North Korean fake workers (The Register)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Traditional pen testing is resource-intensive, slow, and expensive, providing only a point-in-time
snapshot of your application's security, leaving it vulnerable between development cycles.
Automated scanners alone are unreliable in detecting faults within application logic
and critical vulnerabilities.
Outpost24's continuous pen testing as a service solution offers year-round protection, with
recurring manual penetration testing conducted by Crest-certified pen testers, allowing you to stay ahead of threats and ensure your web applications are always secure.
RSAC 2025 is well underway and Kevin the Intern files his first report. Authorities say Spain and Portugal's massive power outage was not a cyberattack.
Concerns are raised over DOGE access to classified nuclear networks.
The FS-ISAC launches the Cyberfraud Prevention Framework.
Real-time deepfake fraud is here to stay.
On today's Threat Vector, host David Moulton speaks with Daniel B. Rosenzweig,
a leading data privacy and AI attorney, about the growing complexity of privacy compliance
in the era of big data and artificial intelligence.
And protecting your company with a fat joke.
It's Tuesday, April 29th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
We are once again coming to you from San Francisco at RSAC 2025. Day one announcements from the conference
point to several clear trends shaping cybersecurity. Artificial intelligence is taking center stage,
not just for automation, but also for real-time analysis, training, and security operations.
There's a major focus on identity security as companies push solutions that manage vulnerabilities tied to human and non-human identities. Unified platforms
are another big theme as vendors work to reduce security tool fragmentation by
consolidating visibility, management, and response into single frameworks.
Finally, protecting post-launch applications and external digital
threats is gaining attention,
signaling a shift toward proactive, continuous security across the entire software lifecycle.
Overall, cybersecurity is leaning hard into smarter automation, consolidation,
and preemptive threat detection.
RSAC 2025 kicked off yesterday with the Innovation Sandbox competition, and right down to the
end it was a nail-biter.
Who is the winner of the 2025 20th anniversary Innovation Sandbox competition? ProjectDiscovery.
ProjectDiscovery earned top honors for its open source platform that helps security teams
rapidly detect and remediate vulnerabilities. The company's flagship tool, Nuclei, automates
attack surface monitoring and is already widely used by defenders worldwide.
Later this week, we'll share my interview with ProjectDiscovery's CEO to discuss their
journey from open source upstart to industry standout, how they plan to scale their impact,
and what this win means for the future of automated security tooling.
Stay tuned, you won't want to miss it.
In a panel discussion Monday, former CISA Chief Chris Krebs criticized efforts to shrink
the federal cyber workforce, warning it could weaken national defenses at a critical time.
The notable absence of current NSA and CISA leaders at the conference highlights deeper
instability.
Budget cuts, leadership vacancies, and a hesitance
to engage publicly are hampering U.S. cyber agencies'
visibility and influence.
Together, these stories paint a concerning picture.
While policy and research are pushing
for stronger security practices, political pressures
and resource cuts are undermining the federal capacity
needed to lead and protect in an increasingly hostile digital environment.
Kevin Magee is Global Director of Cybersecurity Startups at Microsoft, but for this year's
RSAC, we had different plans for Kevin.
He files this report.
Hi, everyone.
Normally, I'm Kevin Magee, Global Director of Cybersecurity for Microsoft for Startups.
But this week, I am just Kevin the Intern for the CyberWire,
doing Kevin on the Street interviews live from the RSA Conference 2025.
Now, I've never really been an interviewer for a major media company before.
Honestly, I pictured myself walking around with all this super high-end gear,
complicated microphones, maybe a mini controller board strapped to my back.
But nope, Dave just met me in the lobby of my hotel,
handed me a simple voice recorder and said,
just to be safe, he taped over all the buttons I shouldn't touch.
So hopefully this goes well.
If you see me looking lost,
wandering around the
Moscone Center, or more likely hanging out near the
bookstore, I'm a proud member of the Cybersecurity
Canon Committee after all, come say hi.
So you've survived it.
The hundreds of "Are you going to RSA?" emails, the
InMails, the texts, the Signals.
You've been invited to the dinner, the reception, the
axe throwing, or whatever creative event the vendors
are hosting this year.
You've made the long flight,
packed with half your LinkedIn connections,
checked into your hotel, maybe had a pre-day event,
and now you're ready.
It's officially RSA time.
Well, so am I.
What I love about being here is simple,
running into old friends, rehashing old stories,
finding out what's new,
and let's be honest, tracking down the best after party.
But you gotta come to RSA with good walking shoes
and a game plan.
So here's mine.
This week I'll be diving into a few key themes.
How AI is transforming cybersecurity
and how we build resilience alongside it.
The future of compliance and how automation
can turn governance into a business advantage.
Empowering people, building leadership skills
and a stronger human side of security. Evolving the SOC, scaling smarter, not just bigger. And how cybersecurity is
increasingly becoming a growth driver, not just a cost center.
I'll also be keeping an eye out on the startup scene, looking for the next big innovator
and disruptor in our space.
And yes, I made sure to leave extra room in my suitcase for new cybersecurity books from
the bookstore.
Throughout the week I'll be filing my CyberWire report, interviewing interesting people, figuring
out how to get the audio back to Elliott without breaking anything, and just thoroughly enjoying
myself.
So, from arrival day here at RSA, this is Kevin the Intern, man on the street from the
CyberWire, signing out.
Stay tuned for Kevin Magee's updates from the RSAC Conference throughout the week.
We reported yesterday on the massive power outage that left millions in Spain and Portugal
without electricity.
It disrupted transportation systems, halted metro services and grounded flights.
Emergency services operated on backup generators and traffic lights were out across both countries.
By this morning, power had been restored to over 99% of affected areas.
Authorities have ruled out cyber attacks as the cause of the outage.
Investigations are ongoing to determine the exact origin, with initial reports suggesting
a massive disconnection
within Spain's power grid. The event has raised concerns about the stability and resilience
of Europe's interconnected electricity infrastructure.
NPR reports two members of Elon Musk's Department of Government Efficiency were given accounts
on classified nuclear networks, though
officials insist the accounts were never activated.
Neither had prior clearance or nuclear experience.
The Department of Energy initially denied any access but later admitted the accounts
existed, stressing no classified material was accessed.
Experts say simply having accounts could allow limited requests for classified information,
though strict controls remain.
The incident adds to growing concerns about DOGE's handling of sensitive data across
the government.
The situation reflects rising tensions over the politicization and management of national
security systems during ongoing federal restructuring efforts.
The FS-ISAC has launched the Cyber Fraud Prevention Framework to help financial institutions better detect and stop scams before money is lost.
The framework unites cybersecurity and fraud teams around a shared structure and language, aiming to catch threats earlier in the attack life
cycle. The shift comes amid a surge in online fraud, with the FBI reporting $9.3 billion
in crypto scam losses and Google warning billions of Gmail users about new phishing tactics.
Crime syndicates, particularly from East and Southeast Asia, are expanding their global operations,
forcing banks like those in New Zealand to adopt stricter protections.
While large institutions may find it easier to implement, FS-ISAC stresses that smaller
banks and fintechs also stand to benefit.
Experts note that while frameworks are critical, overcoming cultural resistance within organizations
remains a key hurdle to truly effective fraud and cybercrime prevention.
Real-time deepfake fraud has evolved from a theoretical threat to a practical tool for
scammers, as detailed in a recent 404 Media investigation.
Using accessible software, fraudsters can now alter
their appearance and voice during live video calls, enabling them to impersonate others
convincingly. This technology has been exploited in romance scams where victims are deceived
into believing they are interacting with someone they trust.
The sophistication of these deepfakes poses significant challenges for detection, as traditional
verification methods may not suffice.
The increasing accessibility of such tools underscores the urgency for enhanced security
measures and public awareness to combat this emerging form of digital deception.
Coming up after the break on our Threat Vector segment, David Moulton and his guests tackle
the growing complexity of privacy compliance and protecting your company with a fat joke.
Stay with us.
Let's be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions.
You know you need it, but it takes forever
and you're never quite sure if you've done it right.
That's where Vanta comes in.
Vanta is a trust management platform
that automates up to 90% of the work for frameworks
like SOC 2, ISO 27001, and HIPAA,
getting you audit ready in weeks, not months.
Whether you're a founder, an engineer,
or managing IT and security for the first time,
Vanta helps you prove your security posture without taking over your life.
More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor
compliance, streamline risk, and speed up security reviews by up to five times.
And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays
for itself in just three months.
For a limited time, you can get $1,000 off Vanta at vanta.com slash cyber.
That's vanta.com slash cyber.
Secure access is crucial for U.S. public sector missions
ensuring that only authorized users can access certain systems,
networks, or data.
Are your defenses ready?
Cisco's Security Service Edge delivers comprehensive protection for your network and users.
Experience the power of Zero Trust and secure your workforce wherever they are. … security strategy by visiting cisco.com slash go slash sse. That's cisco.com slash go slash
sse.
On our threat vector segment, David Moulton and his guests tackle the growing complexity
of privacy compliance.
Hi, I'm David Moulton, host of the Threat Vector podcast, where we discuss pressing
cybersecurity threats and resilience and uncover insights into the latest industry trends.
In my latest episode, I sat down with Daniel Rosenzweig,
founder and principal attorney at DBR Tech Law,
to talk about one of the biggest challenges
facing organizations today,
privacy and data protection in the age of big data.
Dan's advice, say what you do, do what you say.
It's a simple phrase with massive implications
for compliance, trust, and your bottom line.
As a recognized expert in data privacy and AI law, Dan brings clarity to the complex.
This conversation will help you rethink how your teams align technology, policy, and practice.
Check out the episode wherever you listen to podcasts.
Dan, when you think about the legislatures that are trying to pass these laws, do they
have a command of technology or does it not matter?
They're looking for an outcome, they've set the intent and you need to invent those technologies
and interpret them based on what they want for the people they represent.
Honestly, I don't think it's just a bright line rule.
I think it's totally dependent on the legislator,
dependent on the topic, but I think ultimately,
you're spot on in that I think they're really focused
on a conclusion, on an outcome, right?
And how can we get to that outcome?
And sometimes the law is very prescriptive and says,
hey, here's methods or ways to actually accomplish that outcome,
or here's the technologies you can and should be using.
Other times it's again,
data privacy laws just honor a consumer's opt-out,
or exercise the right to delete, or things of that nature.
But all in all, I think they're probably trying their best,
but I think if you don't have the technical nuance and background, you're going to create ambiguity
or create uncertainty and things of that nature.
And the technology in that particular instance
can be very powerful to get you to where you need to go.
Dan, with companies collecting and processing
massive amounts of data,
what do you see as the biggest privacy risk
that organizations face today?
Yeah, so I think this is actually
a pretty straightforward one in the sense
of what the risk is, how to manage that risk
is a different story and we can talk through that as well.
But really do what you say and say what you do, right?
Like you can have your privacy policies,
you can have your public facing statements,
you can have your contractual obligations. There are a ton of different instances and mediums where you're making representations about how you're handling data, whether in the AI context or the privacy context or whatever.
What actually, again, making sure you're doing the things you say and honoring those statements and implementing the technology to support that is incredibly important. And regulators aren't stupid, and you know, plaintiffs aren't either, and that's what
they're really focused on, that low-hanging fruit. Hey, your privacy policy said you're going to honor
my opt-out. Then we go on to the website, easily exercise the opt-out and see, uh-oh, that's actually
not happening or it's not working. So despite the disclosure saying you're doing it,
the technology isn't supporting it. And finally, the risk that also comes with that is additional legal risk, right? Meaning if you are not supporting the technology the way that you should be or
implementing the requirements per the law, despite claiming that you are, that's a violation of the
law in and of itself as an unfair and deceptive act
under consumer protection law.
So it's just really, really important to again,
do what you say and say what you do.
Let's jump into some of the ad tech and user privacy topics
that have been top of mind for me.
Digital advertising is under a lot of pressure right now
to balance the targeted advertising with user privacy.
What do you think some of the biggest challenges
are in ad tech right now?
So a bit of a quick history lesson.
It's actually interesting that a lot of these laws,
particularly laws like the CCPA,
were actually passed as a response to targeted advertising.
I think you're spot on to home in on this and focus on this area,
because this is why a lot of privacy laws are where they are today,
as a response to targeted advertising, things of that nature.
I think there's a couple of things that right now is being a little more
difficult for publishers
and folks in the ad tech space, which is one, ignoring the hype.
It is amazing to me how many companies will come and try and approach certain things just
in the name of using buzzwords and using technologies in a way that they think they have to.
PETs are actually a really good example of that. PETs, privacy-enhancing technologies and things of that, and even AI.
You don't necessarily have to
use those technologies to achieve a goal.
I think right now for targeted advertising in particular,
a lot of companies are thinking we're going to implement
these technical solutions that are going to mitigate
our exposure for targeted advertising or replace targeted advertising.
While I think that can help, certainly it's not just the apples to apples, right?
I think you need to understand what is your business objective?
What is your risk posture?
What are you trying to achieve here?
And how do we need to manage our own risk as it pertains to those business objectives?
So I think, yeah, again, ignoring the hype is going to be really, really important. And finally, I would say, as it pertains particularly to ad tech,
is admit when you're using personal data.
I think personal data has become such a quote negative word,
and it doesn't need to be like it's OK if you're using personal data
for targeted advertising and you're using it in a way that
fulfills a business objective while also giving consumers
the ability to utilize your services.
I think where companies are getting into trouble on
the ad tech space is what we briefly talked about in the beginning of the chat,
which is whether or not you're doing what you're supposed to do.
You're telling the consumer,
hey, we use your data for targeted advertising.
We are going to allow you to opt out of that if you want to.
But please understand,
here's what happens when you opt out.
If they're going to exercise that right to opt out,
then honor that right to opt out.
Make sure that you implement the technology to support that.
I think that is where ad tech companies and
publishers in particular are getting in a lot of trouble.
To no fault of their own, as I said in the beginning of the conversation,
it's that they're implementing technologies to support targeted advertising or enable choice for consumers and
then not actually configuring the technology in a way that fulfills those requirements. And then
they're continuing to use targeted advertising when they shouldn't be. Dan, looking ahead,
what do you think the biggest development in privacy and AI regulation
will be in the next five years?
What will be the biggest development in the next five minutes?
I mean, it's amazing how much things have changed and continue to change.
I think it will continue to be what you can do, at least in the privacy space, what you
can do with personal data as it pertains to AI.
I think there's going to be some laws that speak to this
a little more prescriptively to kind of align
with how the AI systems are currently operating
as it pertains to personal data.
Meaning, can you use personal data for training purposes?
If so, here's what you need to do to do that.
Are there exceptions to that?
Are there mitigations that can be put in place?
And I think on the AI space, specifically agnostic to personal data, right now where we're seeing a
lot of the laws focus are focused, particularly in the US, are AI systems that are deemed high risk.
I think we're going to see, especially as the law continues to develop, and again, I have no way of
knowing this, and I mean the technology continues to develop,
I think the law is probably gonna be a little more,
you know, focused on AI generally.
I don't know if it's always gonna be limited
to just AI high-risk systems.
I think it's gonna be,
there's gonna be requirements just to AI generally.
And some of those may be pretty benign requirements
that are easily mitigated or easily complied with and others
may be more stringent and will require a certain amount of time and effort to comply with those
efforts. But I think that's ultimately where we're going to see things going.
If you like what you heard, catch the full episode now in your Threat Vector podcast
feed.
It's called Privacy and Data Protection in the Age of Big Data, and it was released on April
24th.
Be sure to check out the Threat Vector podcast wherever you get your favorite podcasts. Cyber threats are evolving every second, and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, at a panel session yesterday here at RSAC, CrowdStrike's Adam Meyers had
a wild tip for spotting North Korean spies posing as tech workers.
Just ask, how fat is Kim Jong Un?
Apparently they hang up faster than you can say laptop farm.
Thousands of these operatives have infiltrated Fortune 500 companies, using AI to craft LinkedIn
profiles, borrowing Polish names they can't pronounce, and even running U.S. laptop farms
to fake local presence.
Once hired, they're top performers, mainly because they have an entire team helping one
employee climb the ranks and steal IP
in tiny sneaky bits.
FBI agents warn that if caught, these workers often leave behind malware and a whole lot
of trouble.
Deep fake interviews are also getting disturbingly real.
The advice?
Tighten hiring processes, require local check-ins, and maybe think twice before
hiring that remote hotshot who's just too good to be true.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
A quick program note on today's episode of CISO Perspectives.
Host Kim Jones sits down with Kathleen Smith, Chief Outreach Officer at ClearJobs.net, a long-time
cybersecurity career advocate, to tackle one of the biggest hurdles for aspiring cybersecurity
professionals.
How do you gain experience without already having a cyber job?
And a reminder that today's episode of CISO Perspectives is the final episode of the season available
to everyone.
The rest of this season will be available exclusively to our N2K Pro subscribers. If you'd like to continue following Kim's
conversations and access the full season, head over to thecyberwire.com slash pro to
learn more about becoming a pro subscriber. We'd love to know what you think of this
podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. And now, a word from our sponsor, Black Kite.
If third-party risk is keeping you up at night, you're not alone.
It's a constant battle.
Black Kite's third-party cyber risk platform is built on real-world threat intelligence,
straight from their research team's ongoing breach analysis, dark web monitoring, and
attacker tactics.
That means you get a hacker's eye view of your supply chain to proactively spot
risks. And speaking of research, they just dropped their 2025 third-party breach report,
breaking down last year's biggest trends and what's coming next. Grab the report now at
www.blackkite.com.