Cybersecurity Today – Episode Summary
Episode Title:
Checkout.com Takes a Bold Stance, SolarWinds Case Dismissed, and FCC Reverses Mandate
Host:
David Shipley (sitting in for Jim Love)
Date:
November 24, 2025
Overview
This episode of Cybersecurity Today dives deep into the powerful interplay between technology, public policy, and business decisions shaping the current cybersecurity landscape. Host David Shipley covers three headline stories:
- Checkout.com refuses a ransom demand and supports cyber research instead.
- The SEC closes its landmark case against SolarWinds and its CISO.
- The FCC pulls back on a critical cybersecurity mandate, drawing fierce debate over America’s national security posture.
Throughout, Shipley emphasizes the importance of policy, leadership decisions, and the implications for organizations, executives, and practitioners in the field.
Key Discussion Points and Insights
1. Checkout.com’s Ransomware Response: Donate, Don’t Pay
[00:22 – 04:45]
- Breach Details:
- Shiny Hunters, a known cyber extortion group, accessed an old (pre-2020) third-party cloud storage environment.
- Stolen data included onboarding materials, operational docs, and merchant info.
- The breach did not affect current production systems.
- The Ransom Demand:
- Shiny Hunters demanded payment—Checkout.com refused outright.
- Instead, the company publicly pledged to donate the equivalent of the ransom demand to Oxford and Carnegie Mellon to support cybersecurity research.
- Industry Implications:
- Shipley praises this as a “bold, principled stance” and a “powerful signal” to customers, attackers, and the market.
- He highlights increasing confidence among some organizations to refuse ransom payments—supported by improved incident response, legal clarity, and the ability to absorb breach fallout.
- Disputed Data on Ransom Payments:
- Different analysts report diverging payment rates:
  - Coveware (Oct 2025): Only 23% of victims paid a ransom in Q3; for data exfiltration-only attacks, just 19%.
  - Sophos: Nearly half of surveyed retail organizations admitted to paying at least once in recent incidents.
- “None of these numbers are wrong... but we’re not going to know the true global payment rate because most jurisdictions don’t require companies to report when they pay.” (Shipley, 03:27)
- Call for Policy Reform:
- Shipley urges governments to mandate disclosure of ransom payments to better inform policy, risk, and defense planning.
- “We can’t fix what we can’t measure.” (Shipley, 03:36)
- Lessons for Listeners:
- Stay on top of legacy systems.
- Audit third-party integrations.
- Be prepared to consider refusing to pay a ransom as part of breach rehearsals.
2. SolarWinds and CISO Accountability: A Legal Turning Point
[04:45 – 08:25]
- Case Conclusion:
- The SEC drops its high-profile civil case against SolarWinds and CISO Tim Brown after a joint motion.
- The case had shaped global debate about cyber accountability post-2020 SolarWinds supply chain hack.
- Origins and Outcome:
- SEC originally claimed SolarWinds misled investors about cyber risk and ignored internal warnings.
- Most claims were tossed in 2024—judges ruled the SEC relied too heavily on hindsight and conflated cyber controls with financial controls.
- Enduring Industry Concerns:
- SolarWinds’ CEO calls this the end of a challenging chapter.
- Even with the dismissal, CISO personal liability remains a hot topic—underscored by other cases like Uber’s Joe Sullivan (probation, $50k fine).
- Broader Regulatory Context:
- In Canada, Parliament is debating Bill C8—set to require mandatory cyber reporting by critical infrastructure and possibly expose execs to penalties.
- Shipley—who testified on this in Ottawa—argues against individual CISO liability:
  - “If lawmakers want to continue to hold someone in an organization responsible... it should be corporate directors or CEOs... Otherwise, laws risk increasing the flight of experienced talent...” (Shipley, 07:58)
- Key Policy Point:
- Vague or retrospective liability risks chilling transparency and discouraging effective incident response.
- Legal requirements must align with organizational realities—otherwise, “we risk discouraging transparency rather than improving security outcomes.” (Shipley, 08:18)
3. FCC Reverses Cyber Mandate: National Security at Risk
[08:25 – 13:25]
- Mandate Withdrawn:
- On Nov 19, the US FCC reversed its January 2025 ruling, which had mandated enhanced cyber controls for US telecoms under CALEA.
- The original rule clarified telcos’ duty to secure both equipment and network operations, requiring risk management plans and annual certification.
- Reason for Reversal:
- FCC (majority) claims previous rule “misconstrued CALEA” and was “unlawful and ineffective.”
- Major US carriers argued they had already improved cyber postures voluntarily.
- Dissent and Criticism:
- FCC Commissioner Anna Gomez (the sole dissent):
  - “Removing the requirements will leave Americans less protected than they were the day the Salt Typhoon breach was discovered.” (Gomez, 10:47)
- Senator Maria Cantwell calls Salt Typhoon “one of the worst cyberattacks in US history” and labels the now-repealed mandate as “the only concrete federal regulatory action” taken in response.
- Salt Typhoon Recap:
- A Chinese state-linked operation breached core US telecom systems, including wiretap infrastructure, geolocation data, and communications of senior officials—even affecting the president and vice president.
- Many carriers still haven’t documented remediation of the exploited vulnerabilities.
- Policy Fallout:
- Reversal is seen as a “pattern of weakness” on national security and risks a repeat of catastrophic attacks.
- Notable Quote:
- “Critics of the reversal say that without clear cybersecurity requirements tied to CALEA obligations, the US lacks the regulatory backbone needed to prevent a repeat of Salt Typhoon.” (Shipley, 12:38)
4. Policy as the Battlefield: Technology, Law, and Leadership
[13:25 – 14:50]
- Central Thesis:
- Cybersecurity is shaped as much by legislation and policy as by technology, tools, and operational decisions.
- Decisions in boardrooms and SOCs matter, but so do those in legislatures and agencies.
- Call to the Community:
- Shipley urges professionals to engage proactively with policymakers:
  - “Your expertise does matter. Your voice can and does help shape the legal systems and the infrastructure we all depend on.” (Shipley, 14:34)
  - Recounts volunteering at the BSides Ottawa Policy Village—educating tech pros on Canadian cyber, privacy, and digital law.
- Takeaway:
- The cyber community must help lawmakers understand real-world impacts to avoid bad policy, overreaching or inadequate regulation, and national security gaps.
- It’s not about politics, but about clarity, impact, and collective security.
Notable Quotes & Memorable Moments
- On Ransom Payment Reporting:
  - “We can’t fix what we can’t measure.”
    —David Shipley [03:36]
- On Corporate Resilience:
  - “While checkout.com didn’t avoid a breach, they avoided being controlled by the breach.”
    —David Shipley [03:47]
- On CISO Liability:
  - “If lawmakers want to continue to hold someone in an organization responsible for cyber actions or lack of action, it should be corporate directors or CEOs... Otherwise, laws risk increasing the flight of experienced talents that we need right now in our critical infrastructure sectors...”
    —David Shipley [07:58]
- On Regulatory Rollback:
  - “Removing the requirements will leave Americans less protected than they were the day the Salt Typhoon breach was discovered.”
    —FCC Commissioner Anna Gomez [10:47]
- On Professional Responsibility:
  - “We all can’t sit on the sidelines and just simply complain about bad laws or weak enforcement after the fact. We need to be in the room where these conversations are happening.”
    —David Shipley [14:23]
Key Timestamps
- 00:22 — Checkout.com breach recap & ransom refusal
- 03:36 — The critical need for mandatory ransom payment reporting
- 04:45 — SolarWinds/SEC legal case dismissal explained
- 07:58 — Advocacy against CISO personal liability
- 08:25 — FCC’s reversal of telecom cyber mandates
- 10:47 — Commissioner Gomez’s warning
- 12:38 — Critics’ warning: insufficient backbone for telecom security
- 13:25 — The fundamental role of public policy in cybersecurity
- 14:34 — Community engagement and calling for action
Conclusion
This episode underscores the profound influence of policy, leadership, and informed advocacy on cybersecurity outcomes. By examining case studies, legal battles, and regulatory shifts, Shipley calls on practitioners to step up—not just to defend networks and data, but to help shape the laws, standards, and frameworks on which everyone’s digital safety relies.
