
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com CST.
B
Checkout.com refuses to pay ransom, donates to research instead. SEC walks away from case against SolarWinds and their CISO. FCC bizarrely pushes undo on cyber standards for US telcos. This is Cybersecurity Today and I'm your host, David Shipley, back home in New Brunswick after a great visit last week to BSides Ottawa. Let's get started.

UK fintech heavyweight Checkout.com, a payments processor behind brands like IKEA, Klarna, Samsung and HelloFresh, confirmed that the cyber extortion group ShinyHunters accessed one of its old third-party cloud storage systems. BleepingComputer reports that this wasn't a production system breach; it was a legacy environment from 2020 and earlier. The stolen data included onboarding materials, operational documents and merchant information. ShinyHunters came knocking, demanding a ransom. Checkout.com's answer? We're not going to pay. Instead, we're going to donate that money to Oxford and Carnegie Mellon to support cybersecurity research. That's a bold, principled stance, and it's an example of what can happen when a company has confidence in its incident response, solid legal footing and the capacity to weather the fallout of a breach. Checkout.com's move of not paying is one that some reports are saying is happening more and more. But accurately measuring ransom payment rates is exceptionally difficult. Different reports often produce very different numbers. For example, Coveware's most recent analysis from October 2025 showed only 23% of victims paid in Q3 2025, a historic low and part of what they say is a six-year downward trend. For data exfiltration-only attacks, which now dominate the landscape, the payment rate drops to around 19%, they say. On the other hand, Sophos recently had a different report with a different methodology that said nearly half of surveyed retail organizations admit to having paid at least one ransom in recent incidents. None of these numbers are wrong.
They come from different organizations doing different studies with different data sources. And we're not going to know the true global payment rate because most jurisdictions don't require companies to report when they pay. That's a problem. Without accurate data, policymakers, insurers and defenders are flying partially blind. If governments want to further disrupt the ransomware economy and give organizations the confidence to do what Checkout.com just did, then mandatory reporting of ransom payments should be on the table everywhere. We can't fix what we can't measure. While Checkout.com didn't avoid a breach, they avoided being controlled by the breach. By refusing to pay and instead donating to cyber research, they flipped the often terrible narrative. Instead of funding criminals, they're funding the people who make criminals' lives harder. That's a powerful signal to customers, to attackers and to the market. And this story is a reminder to everyone listening: make sure you're on top of legacy systems and retire old things when the time has come, audit your third-party integrations, and in your breach rehearsals, prepare for the possibility that refusing to pay is the right call.

The U.S. Securities and Exchange Commission has formally ended its long-running case against SolarWinds and their Chief Information Security Officer, Tim Brown, a case that has shaped global conversations about cybersecurity accountability since the 2020 supply chain attack. In a joint motion filed Nov. 20, the SEC, SolarWinds and Brown asked a federal court to dismiss the lawsuit. The commission had originally alleged that SolarWinds misled investors about its cybersecurity posture and ignored internal warnings prior to the Russian-linked APT29 compromise. The Hacker News reports that most of those allegations were significantly weakened last year.
In July 2024, a US district court judge threw out the bulk of the SEC's claims against SolarWinds, ruling they relied too heavily on hindsight and attempted to treat cybersecurity controls as if they were financial accounting controls, something the law did not support. What remained of the case continued for more than a year, but without those foundational claims, the SEC has now elected to walk away. The commission emphasized the decision does not necessarily, quote, reflect its stance on future cybersecurity related enforcement, end quote. SolarWinds' CEO said the dismissal marks the end of a challenging chapter for the company, which has since invested significantly in strengthening its cybersecurity practices. While the dismissal brings the SolarWinds story to a close, it lands amidst a broader environment where the questions around CISO accountability remain hotly debated. And this case follows years of scrutiny by executives about their personal liability, including high-profile criminal cases such as the one involving Uber's CISO Joe Sullivan. Sullivan was sentenced to three years' probation and a $50,000 fine in that criminal case. He appealed, but the case was upheld in March 2025. While SolarWinds was a civil case and Sullivan's was a criminal case, both shaped industry concern about how far regulators and prosecutors might go in holding security leaders personally responsible after major incidents. The SolarWinds dismissal may ease some of that pressure by showing the limits of existing legal frameworks, but it does not eliminate the expectation that companies must provide accurate, timely and consistent disclosure about cybersecurity risk and incidents. Here in Canada, these developments come as Parliament considers Bill C-8, legislation that would impose mandatory cybersecurity requirements and reporting on critical infrastructure sectors, and introduces the possibility of penalties that could touch individual executives.
While C-8 is still under active debate, the SolarWinds outcome highlights an important issue for lawmakers. If individual liability is contemplated, legal standards have to be clear and they have to be aligned with operational and organizational decision-making reality. The US cases show how ambiguous expectations, especially those based on hindsight, can make enforcement difficult, and they risk discouraging transparency rather than improving security outcomes. As Canada and other countries modernize their cybersecurity regulatory frameworks, these lessons will be important to consider. And for full transparency, I've testified to an all-party parliamentary committee on the previous bill to this bill, C-26, and I've consistently advocated against personal liability for CISOs. If lawmakers want to continue to hold someone in an organization responsible for cyber actions or lack of action, it should be corporate directors or CEOs, the folks who actually set organizational risk appetite and the budget. Otherwise, laws risk increasing the flight of experienced talent that we need right now in our critical infrastructure sectors more than ever. With the onslaught of cyber threats thanks to increased geopolitical instability and the mass proliferation of hacking capability thanks to AI, now is not the time to be causing CISO flight from the field.

Worse, the U.S. Federal Communications Commission has reversed one of the only federal cybersecurity mandates created in response to the sweeping Salt Typhoon hacks, a decision that has drawn sharp criticism both inside and outside the agency and raised new questions about U.S. national security preparedness. On Wednesday, the FCC withdrew its January 2025 declaratory ruling that required U.S. telecommunications providers to adopt and certify enhanced cybersecurity measures.
Those requirements had been issued under CALEA, the Communications Assistance for Law Enforcement Act, which governs lawful intercept capabilities in telecom networks. The January ruling was significant because it formally clarified that telecom carriers are responsible for securing both their equipment and the way that they operate their networks, particularly against unlawful access and interception. It also included a proposed rulemaking that would have required carriers to build and maintain cybersecurity risk management plans and certify those plans annually. Last week's reversal nullified all of that. The commission said the earlier order misconstrued CALEA and called the previous framework unlawful and ineffective. According to the FCC, months of engagement with major US carriers showed they had strengthened cybersecurity on their own and committed to additional urgent and coordinated efforts to protect their networks. Sure they did. The decision was not unanimous. FCC Commissioner Anna Gomez, the only commissioner to vote against the reversal, warned that removing the requirements, quote, will leave Americans less protected than they were the day the Salt Typhoon breach was discovered, end quote. Senator Maria Cantwell, who leads the Senate Commerce Committee, echoed those concerns, calling Salt Typhoon, quote, one of the worst cyber attacks in U.S. history, end quote, and pointing out that the January ruling was, quote, the only concrete federal regulatory action, end quote, taken in response to those attacks. She also noted the reversal follows heavy lobbying by the same telecom providers compromised by Salt Typhoon. Given the scale of the damage over the last two years and the strategic importance of US telecommunications infrastructure, the Salt Typhoon operation, attributed to a Chinese state-sponsored threat actor, targeted core network systems at major carriers including AT&T, T-Mobile, Verizon, Lumen, Windstream and others.
As a reminder, federal investigators say the attackers were able to access wiretap-related systems used by US law enforcement, geolocate millions of Americans, intercept phone calls and even target high-ranking government officials, including the President and Vice President. Officials warn the techniques used, especially the exploitation of telecom routers and trusted network interconnections, remain a risk. Critics of the reversal say that without clear cybersecurity requirements tied to CALEA obligations, the US lacks the regulatory backbone needed to prevent a repeat of Salt Typhoon. Senator Cantwell warned that the decision fits a pattern of weakness on national security issues, noting that some carriers have still yet to provide documentation on how they remediated vulnerabilities Salt Typhoon exploited. Commissioner Gomez put it plainly: without strong federal controls, it is unlikely Salt Typhoon will be the last attack of its kind, or the last successful attack of its kind.

And that brings us to the bigger theme running throughout today's episode. You'll notice I spend a lot more time than usual talking about policy, about what governments decide, what regulators enforce, and how legal frameworks shape the incentives and pressures on organizations. There's a clear reason for that. Cybersecurity doesn't exist in a vacuum. It isn't just about firewalls, detection tools, vulnerabilities and patch cycles. It lives at the intersection of technology, economics, public safety and, yes, public policy. The Checkout.com breach, the SolarWinds case and the FCC's reversal all point to the same reality. The decisions made in boardrooms and in SOCs matter, but the decisions made in legislatures, courts and regulatory agencies matter just as much, and in some cases more, as they drive organizational decisions. If rules are unclear, we get confusion instead of accountability. If incentives are wrong, we reward the wrong behaviors.
And if lawmakers don't understand the technology, we end up with policy that either goes too far or not far enough. Or, in the case of the FCC reversal, undermines national security preparedness. As technology and security experts, we can't all sit on the sidelines and simply complain about bad laws or weak enforcement after the fact. We need to be in the room where these conversations are happening and decisions are made. So to everyone listening, whether you're writing code, running a SOC, building tools or leading teams, your expertise does matter. Your voice can and does help shape the legal systems and the infrastructure we all depend on. That's why last week I was in Ottawa volunteering my time at the BSides Policy Village to help educate the technology community about the state of Canada's cyber, digital and privacy laws. Because if we want better policy, we need more people in our community to understand what's happening and how to shape it. And I want to be really, really clear: this isn't about politics or taking partisan sides. It's about all of the people who make laws and policies understanding the impact of their actions or non-action. We are doing them and the broader world a favor, a service, by helping to educate them. We're always interested in your feedback, and you can contact us at technewsday.com or leave a comment under the YouTube video. Please help us spread the word about the show. Like, subscribe or leave a review, and if you enjoyed today's episode, tell others about it. We want to continue to grow our audience and we need your help. I've been your host, David Shipley. Jim Love will be back on Wednesday.
A
Once again, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises, and working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware and the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. You can book a demo at meter.com CST. That's M-E-T-E-R.com CST.
Episode Title: Checkout.com Takes a Bold Stance, SolarWinds Case Dismissed, and FCC Reverses Mandate
Host: David Shipley (sitting in for Jim Love)
Date: November 24, 2025
This episode of Cybersecurity Today dives deep into the powerful interplay between technology, public policy, and business decisions shaping the current cybersecurity landscape. Host David Shipley covers three headline stories:
Throughout, Shipley emphasizes the importance of policy, leadership decisions, and the implications for organizations, executives, and practitioners in the field.
[00:22 – 04:45]
Breach Details:
The Ransom Demand:
Industry Implications:
Disputed Data on Ransom Payments:
Call for Policy Reform:
Lessons for Listeners:
[04:45 – 08:25]
Case Conclusion:
Origins and Outcome:
Enduring Industry Concerns:
Broader Regulatory Context:
Key Policy Point:
[08:25 – 13:25]
Mandate Withdrawn:
Reason for Reversal:
Dissent and Criticism:
Salt Typhoon Recap:
Policy Fallout:
Notable Quote:
[13:25 – 14:50]
Central Thesis:
Call to the Community:
Takeaway:
On Ransom Payment Reporting:
On Corporate Resilience:
On CISO Liability:
On Regulatory Rollback:
On Professional Responsibility:
This episode underscores the profound influence of policy, leadership, and informed advocacy on cybersecurity outcomes. By examining case studies, legal battles, and regulatory shifts, Shipley calls on practitioners to step up—not just to defend networks and data, but to help shape the laws, standards, and frameworks on which everyone’s digital safety relies.