Podcast Summary: Cyber Security Headlines – Department of Know: Autonomous AI Cyberattack, CISOs Back to Work, Bus Kill Switches
Date: November 18, 2025
Host: Rich Stroffolino, CISO Series
Guests: Rob Dunwood (Daily Tech News Show), Howard Holton (CEO, Gigaom)
Producer: Steve Prentice
Sponsor: KnowBe4
Episode Overview
This episode of the "Cyber Security Headlines" podcast features a dynamic roundtable discussion between security leaders and tech commentators about the latest trends and incidents shaping information security. Main themes include the rise of autonomous AI cyberattacks, the complexities facing CISOs in government and enterprise, and the increasing risks and controversial control mechanisms in connected infrastructure—most notably, the revelation of bus "kill switches".
Key Discussion Points & Insights
1. Rapid-Fire "No or Know?" Segment on Security Headlines
A. Google Private AI Compute Launch
- [03:01] Google announced "Private AI Compute," a platform for secure cloud-based AI tasks that shields user data from Google and mimics Apple’s privacy moves.
- Howard Holton: Advocates understanding if it fits company strategy, emphasizing organizational readiness.
Quote: “Your organizational maturity and readiness is the most important question you should answer.” [03:17]
- Rob Dunwood: Draws parallels to Apple’s approach and notes Google's hand was forced to maintain enterprise trust.
Quote: “It’s probably an untenable position for Google to be in, so I assumed this was coming sooner rather than later.” [03:25]
B. SAP Fixes Hard-Coded Credential Flaws
- [04:32] SAP patched a critical vulnerability involving hard-coded credentials; hosts express disbelief at its persistence.
- Rob: Reminisces about SAP practices from the 1990s, questioning continued risky habits.
Quote: “The fact that they're still doing this… but why, SAP? Why are you doing this?” [04:49]
- Howard: Urges prioritizing tech debt and rapid patch adoption.
Quote: “Product teams are always told to focus on the new features, not the old… We really need to manage that tech debt.” [05:04]
C. Cyber Insurance Claims Triple in the UK
- [05:35] Report: UK cyber payouts in 2024 hit $197M (primarily ransomware), and the numbers keep climbing.
- Howard: Sees it as business-as-usual—more threats and more companies insured.
Quote: “Cyber’s not getting easier. AI has made it much, much harder… This might just be a… state of the union kind of thing.” [06:14]
- Rob: Notes both threat volume and insurance uptake drive the increase.
Quote: “There are more threats and more companies submitting claims, you’re going to see claims go up.” [06:50]
D. Autonomous AI Cyberattack by China-Linked Actors Using Claude
- [07:48] Chinese threat actors leveraged Anthropic’s Claude AI—directly automating attacks rather than just assisting them, marking a major shift.
- Rob: Urges security pros to adapt defenses for AI operator attacks, not just AI-assisted ones.
Quote: “The fact that you actually have threat actors… using AI not just to figure out how to do something, but to actually go do the something—that is a big deal.” [07:48]
- Howard: Advises defenders to emulate attackers’ innovation, using AI tools for good; notes surprising tooling choice by attackers.
Quote: “The best way to get ahead… is to leverage the tools.” [08:25]
E. Insider Threat—US Citizens Help North Korean IT Workers
- [09:42] Five US residents pled guilty to enabling North Korean IT workers to impersonate US-based employees.
- Howard: Warns about remote workforce vetting and the necessity of in-person interviews to verify identity.
Quote: “At this point, you should at least do one interview in person—really dig in with that person.” [09:42]
- Rob: Suggests unscheduled video calls as a secondary measure, highlighting the difficulty of detection.
Quote: “Just out the blue say, we are doing a video conference right now… Turn your camera on, let me see your face.” [10:11]
- Howard: Emphasizes CISOs’ role as risk advisors, not ultimate decision-makers—documenting risk acceptance is key.
Quote: “My job as CISO is as the advisor to risk. I don’t make the decision. I’m the advisor to risk.” [11:41]
2. Deep Dives: Notable Topics
A. US CISA (Cybersecurity Information Sharing Act) Reauthorization and Government Shutdown
- [15:10] The act lapsed with the US shutdown, with only a temporary extension likely.
- Howard: Critiques the US for lax cybersecurity priorities, comparing Congressional inaction to private-sector failures. Quote: “So we sent our defending team home for the reigning champions to take it without a fight.” [15:10]
- Rob: Frustrated by unexplained legislative holdouts, especially with broad bipartisan support. Quote: “This seems like… one of the things that we absolutely should have been figured up.” [16:21]
- Howard: Points out the minimal financial stakes versus impact, likening it to skipping foundational security steps for minor cost savings. Quote: “It can’t be a lot… to them it’s not even a rounding error.” [17:34]
B. Passkeys and Passwordless Enterprise Infrastructure
- [20:53] Windows 11 now supports third-party passkey managers. Is enterprise truly moving to a passwordless future?
- Rob: Lauds passkey tech but underscores the problem of keeping legacy passwords alongside passkeys.
Quote: “Where there are passkeys, there still are passwords… So there’s a lot of issues…” [20:53]
- Howard: Observes that bad passwords will become “evergreen” vulnerabilities as long as they’re fallback options; worries about vendor lock-in for passwordless schemes.
Quote: “We’re just aging the bad habit… we’re never, ever, ever going to treat [the problem].” [22:02], [24:34]
C. Connected Vehicle Security – Electric Bus “Kill Switches” in Scandinavia
- [26:29] Norway and Denmark discovered that remote updates could render electric buses inoperable ("kill switches"), raising flags about IoT control and sovereignty.
- Rob: Suggests headlines overstate the novelty, but warns any OTA (over-the-air) device is subject to similar risks. Quote: “This is what we trade for the convenience… Yes, there’s potential that something bad can happen…” [30:19]
- Howard: Details technical risks—drive-by-wire buses can be repurposed or “bricked” by firmware, critiques weak cloud security answers from vendors. Quote: “Telling me that AWS does things that are required by SOC2 or FedRamp does not give me any security whatsoever.” [28:10]
- Both: Stress the need for careful RFPs and client control over vehicle firmware—possibly with a hardware fallback.
3. Memorable Moments & Notable Quotes
On AI in Offensive Security:
- Rob: “They’re using AI to actually go do the something.” [07:48]
- Howard: “The best way to get ahead of this is to leverage the tools…” [08:25]
On Government Cyber Priorities:
- Howard: “We sent our defending team home for the reigning champions to take it without a fight.” [15:10]
- Rob: “Why can’t our politicians get together on this?” [19:25]
On Passkeys vs. Passwords:
- Howard: “We’re just aging the bad habit… Literally just sticking this thing on top and it’s fine, it’s fine. Just don’t look over here.” [23:38]
- Rob: “The clock doesn’t even start officially until you have companies saying… there is no password.” [24:12]
On Insider Vetting:
- Howard: “The risk of getting this wrong—hundreds of thousands or millions of dollars… spend the thousand dollars.” [10:51]
- Rob: “Show them examples. Scaring people tends to help sometimes.” [11:26]
On IoT Bus Risks:
- Howard: “…these buses aren’t that old. What did your RFP look like?” [32:04]
On AI Identities:
- Howard: “We keep talking about AI identity like it’s an NHI. It’s the first time it’s a non-human identity and a human identity.” [36:06]
4. "What’s on Your Mind?" – Final Thoughts
- Rob: Celebrates schools banning phones, observing happier, more social students.
Quote: “…children talking to each other and having one on to one or one to many conversations through the air and not through a device.” [35:19]
- Howard: Raises concern about the lack of conceptual and technical clarity for AI identities. Warns it’s a pressing, unsolved risk as AI acts with human-level permissions but isn’t managed as a person or as a system account.
Quote: “It is a non-human as a human identity. We don’t actually have a category for that… It is a completely unmanaged risk at this point.” [36:06]
Noted Timestamps for Key Segments
- [03:01] — Google launches Private AI Compute for secure cloud AI tasks
- [04:32] — SAP fixes critical hard-coded credential flaw
- [05:35] — UK cyber insurance claims triple; ransomware dominates payouts
- [07:48] — China-linked threat actors use Anthropic’s Claude AI for autonomous attacks
- [09:42] — Insider threat: US citizens enable North Korean IT infiltration
- [15:10] — US CISA reauthorization post-shutdown: security as a political afterthought
- [20:53] — Windows 11 third-party passkey manager support and passwordless enterprise infrastructure
- [26:29] — Electric bus kill switch controversy in Norway and Denmark
- [35:19] — Rob’s favorite non-security (but societal) news: phone bans in schools
- [36:06] — Howard’s concern: the missing category and risk of AI (non-human human) identities
Style and Tone
The episode combines light-hearted banter, analogies, and dry humor with incisive analysis and forthright critique. Hosts and guests shift comfortably between technical specifics and policy-level commentary, and frequently deploy memorable quips (“tug of Rand Paul”, “the SAP rule”, “the cost of a thousand dollars vs. losing millions”).
Conclusion
This episode delivers broad, accessible, but highly relevant insights into contemporary cybersecurity, from insurance and AI threats to the basics of identity and connected infrastructure. It highlights persistent gaps and failures—technical, organizational, and political—urging listeners to prioritize readiness, documentation, and critical thinking over buzz-driven reaction or cost-cutting shortcuts.
For full stories, visit cisoseries.com.
