Podcast Summary:
Cyber Security Headlines – Week in Review: AI Powered Cyberattacks, Chinese Time Hacked, the 72 Hour Workweek
Host: CISO Series
Guests: David Cross (CISO, Atlassian) & Montes Fitzpatrick (CISO, Navis)
Date: October 24, 2025
Episode Overview
This Week in Review episode dives into the biggest cybersecurity headlines of the past week, focusing on major stories such as AI-driven cyberattacks, the AWS outage, China’s allegations against the NSA, the intensifying “996” work culture in tech, high-profile breaches, and evolving community responses as CISA faces layoffs. The hosts and veteran guests offer candid, expert insights while maintaining humor and relatability.
Key Discussion Points and Insights
1. The Human Impact of CISA Layoffs & Community Response
Timestamps: 02:12–03:15, 22:51–25:00
- Layoffs at CISA (Cybersecurity and Infrastructure Security Agency) and their ripple effect, especially for small and medium enterprises that rely on its expertise.
- Both guests underscore the civic-minded, mission-driven nature of CISA employees and the pressing need for the cybersecurity community to unite and fill the upcoming support gap.
“I think this is one of the interesting challenges that we may be facing here in the near future…maybe we need a greater community to kind of help out.” – David Cross [02:12]
- Discussion on alternative support models:
  - Civil organizations, peer-to-peer networking, existing groups like InfraGard, and leveraging local law enforcement partnerships.
  - Strong call to action for collective community participation.
“We really need to have a place people can go…especially small to medium enterprises…they need help. This community, we need to bond together and kind of help nourish these communities to defeat the common enemy.” – David Cross [22:51]
“There is certainly no harm in getting together and talking with your peers, having that partnership with local law enforcement because there may be some intelligence that they might be able to bring to you. And honestly…these are things that we all should be doing anyway.” – Montes Fitzpatrick [23:49]
2. AWS Outage and Internet Resilience
Timestamps: 03:51–08:55
- AWS Outage Explained: Major AWS services went down due to a DNS race condition impacting DynamoDB—highlighting the fragility of “critical infrastructure” in the cloud era.
- The guests share real-world impacts (e.g., digital ticketing for football games affected) and reflect on dependency risks.
“This makes you take a step back and say…what if there was something on security I was depending upon at that moment? Would I totally be lost, not have security?” – David Cross [05:38]
“You just can't trust technology. And I think that…we aren't really just focused in on one particular stream…that's on, you know, incumbent upon us to ensure the availability of our systems…and that may mean diversification.” – Montes Fitzpatrick [04:52]
- Is AWS "Critical Infrastructure"?
  - Debate whether providers like AWS and Cloudflare should be treated as critical, not just operational, infrastructure.
  - Consensus that organizations hold ultimate responsibility for building resilience—multi-cloud, redundancy, and failover systems.
3. Geopolitics & Cyber: China Accuses NSA of Hacking National Time Center
Timestamps: 08:55–11:29
- China accuses NSA of hacking its National Time Service Center—a critical underpinning for national infrastructure. The hosts note the potentially massive consequences but also the cyclical, tit-for-tat nature of these accusations.
“There are spies, there’s activities, there’s some stealth activities, and sometimes they get exposed…this is what governments do to plan for various things in the future.” – David Cross [09:50]
“It is sort of funny…that this was an accusation levied against us just after we levied an accusation against China…everybody’s doing a little of everything.” – Montes Fitzpatrick [10:34]
- The incident underscores how cyber has fully entered the geopolitical toolkit and acts as a signal of capability, not just an operational threat.
4. Tech Work Culture: The Spread of the “996” / 72-Hour Workweek
Timestamps: 11:29–16:12
- The Rise of “996” in the US: The infamous Chinese tech “9am-9pm, 6 days a week” work schedule is reportedly spreading to US startups, especially in AI, semiconductors, and quantum fields.
- The guests debate whether CISOs or security teams could—or would—adopt such a grueling schedule, touching on compensation, burnout, and organizational risk.
“Wow. 72, wow, what a dream that would be…You make a choice…Is the 100 hour workweek worth a million dollar bonus or not?” – David Cross [12:51]
“There’s a risk-reward if you are duly compensated for the extra time...but unless you are entrepreneurial in spirit, that’s not just something that can be really tractable…You’re going to burn out.” – Montes Fitzpatrick [13:53]
“There’s a term in Japanese called karoshi, which means death from overwork…and they had to move that back because karoshi just doesn’t help the workforce overall.” – Steve Prentice (producer) [15:52]
- Studies and personal experience emphasize that productivity and sustainability collapse under constant overwork, making these approaches risky not just for individuals but for organizational strategy as well.
5. Major Breaches: F5 BIG-IP Exposure & Lessons Learned
Timestamps: 17:14–21:19
- F5 BIG-IP Breach: Over 262,000 devices remain exposed after Chinese nation-state attackers penetrated F5’s deployment and engineering systems.
- The breach echoes previous large-scale incidents (e.g., log4j), triggering “do we have this?” questions across organizations and underscoring the challenge of maintaining up-to-date asset inventories.
“Being in for at least a year, that is quite a while to check underneath the shorts there, that’s for sure…are we asking [security companies] to solve a problem that is maybe a bit beyond…their current resources?” – Montes Fitzpatrick [18:38]
“This is the time again. Do you have an asset inventory? Do you have a software inventory, hardware inventory?...And I think that’s the friendly reminder that we all got after this case.” – David Cross [20:39]
- Guests praise F5’s transparency and communications post-breach.
6. Cutting-Edge Attacks: Laser Fault Injection and Side Channel Risks in Automotive Chips
Timestamps: 25:00–28:30
- Laser Fault Injection Attacks: French researchers introduce insulating oxide layers in automotive chips to defend against attacks that could manipulate circuitry with lasers—raising both sci-fi-like intrigue and reminders of practical risk management.
- Both guests maintain humor but use the story to underscore the ever-present need to consider (even rare or esoteric) side-channel attacks.
“Have we really seen this happening? It’s possible, technically possible…but it’s like winning the lotto…I think we’re cool where we are today.” – David Cross [26:50]
“What it illustrates is the side channel attacks…I think, you know, security professionals…we don’t necessarily forget about that, but sometimes we sort of, you know, put it to the side…” – Montes Fitzpatrick [27:29]
Notable Quotes & Memorable Moments
- On AWS Outages:
  “Would I totally be lost, not have security? …What if there was something on security I was depending upon at that moment?”
  – David Cross [05:38]
- On Work/Life Balance:
  “You make a choice…Is the 100 hour workweek worth a million dollar bonus or not?”
  – David Cross [12:51]
- On Burnout & Company Strategy:
  “How does that affect long term strategy for an organization if you’re going to have a churn of people who just can’t handle this for more than a six month period? It seems like it’s playing with fire…”
  – Steve Prentice [15:04]
- On Laser Auto Cyberattacks:
  “It’s possible, technically possible… but it’s like winning the lotto…”
  – David Cross [26:50]
Important Segment Timestamps
- CISA Layoffs, SME Impact, & Community Gaps: 02:12–03:15, 22:51–25:00
- AWS Outage Root Cause & Critical Infrastructure: 03:51–08:55
- China’s National Time Center Hack & International Cyber Tit-for-Tat: 08:55–11:29
- 72 Hour “996” Workweek in Tech: 11:29–16:12
- F5 Breach & Asset Inventory Lessons: 17:14–21:19
- Laser Fault Injection & Side Channel Attacks: 25:00–28:30
Overall Tone and Takeaways
The conversation is candid, smart, and occasionally irreverent, balancing serious insights with a touch of industry in-jokes and banter. Key takeaways include:
- The increasing importance of community-driven initiatives in supporting cybersecurity, especially as public resources like CISA are cut back.
- The fragility of modern digital infrastructure—even the biggest names face failures with wide-reaching impact.
- Cyber operations are a routine part of geopolitics—attribution and escalation games are par for the course.
- Overwork may offer compensation, but it’s not sustainable for long-term security teams or organizations.
- “Basic” security hygiene like up-to-date asset inventories remains critically important.
- Side-channel and hardware-level attacks remind us to keep an eye on emerging threats—without losing sight of the practical likelihood.
Find the full episode and more at CISOseries.com
