
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com/CST.
B
A researcher says it's time to kill one of cybersecurity's most overused terms. The FCC has banned the sale of any new Wi-Fi router models not made in the United States. A company is secretly recording Zoom calls and turning them into podcasts. A hacking group is deploying a wiper that specifically targets Iranian systems, and the US government is asking whether terrorism insurance should foot the bill for cyber attacks. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started. I'm here at RSAC in San Francisco this week, and one of the sessions that caught my attention came from Robert Lepofsky, Principal Threat Intelligence Researcher at ESET. His argument: it's time to retire the term advanced persistent threat. Lepofsky's case is that the APT label has been stretched so far it's almost lost all of its meaning. It used to signal nation-state espionage actors: sophisticated, well resourced, patient. Now it gets slapped on almost anything, including highly capable cybercriminal groups that have had nothing to do with state-sponsored espionage. Part of what's driven that is a genuine blurring of lines. Many nation-state groups have moved away from custom-built tools and started using the same commodity malware and tactics that criminal groups use. And on the flip side, some financially motivated cybercriminal groups have grown so capable that some are now on par with or outpacing less sophisticated state actors. And with hybrid groups running espionage and financially motivated attacks as part of the same operations, the old categories really stop making sense. Lepofsky's proposed fix is straightforward: describe what groups are actually doing (espionage actor, nation-state threat actor, e-crime), by motivation and activity, not implied sophistication. Now, some groups have held on to that APT label because it sometimes made it easier to explain a breach to leadership or the public.
But his point is that that framing matters less than how companies respond to breaches. You can read the full story at technewsday.com. Speaking of RSAC, I spent many hours walking through the massive show floor on Monday and Tuesday. Here's the good news: if you were sick and tired of the industry's overuse of the term zero trust, well, it looks like it's being put out to pasture. Here's the bad news: AI. AI everywhere, with perhaps the most overused term being agentic AI, in as many places as it could possibly appear in terms of booth themes. Well, keep in mind this massive conference with tens of thousands of people is like the Oscars for cybersecurity vendors, so everyone came out in their finest. I mean, some of these setups cost more than a million dollars, so you can expect that some were pretty awesome. The usual top-tier contenders like CrowdStrike always put on a great booth, with their villain-like, cyberpunk-style giant statues of APT team characters. But my favorite wasn't one of the most expensive setups; I thought it was one of the most clever for its core message. Mindguard, an AI security firm, had a 90s-themed room complete with old-school CRT monitors. They chose that 90s theme deliberately. As Aaron Portnoy put it, AI security is in a state that's very reminiscent of the late 1990s in terms of the maturity, how easy it is to hack things back then, and how easy it is to hack AI things now. It was a Back to the Future-ish theme. Honorable mention goes to the hilarious, huge-production-value setup that the team at Commvault put on, a full-on wrestling ring complete with a luchador-style wrestler. You can bet that definitely got attention. In addition to that there were castles with dragons, a full-on horror-movie-themed booth, and even a western-style booth. And while the industry gathered in its finest for this massive conference, big things were also happening in Washington, D.C.
This one is a big deal for anyone looking to buy a new router for their home or small business. The US FCC has banned the sale of any new Wi-Fi router models not made in the United States. The order, reported by Michael Kahn at PCMag, stems from a White House National Security Determination issued last Friday. The reasoning? Foreign-made routers introduce supply chain vulnerabilities that can be exploited by hackers and cyber spies. The FCC specifically pointed to the Volt, Flax and Salt Typhoon attacks on US telecommunications infrastructure as part of the justification. The ban only applies to new models going forward. Routers already purchased or previously authorized for sale are not affected, but it effectively blocks any new foreign-produced router from receiving FCC authorization, which is required to sell in the US market. That's a problem for virtually the entire industry. Most routers, including those from US-headquartered firms like Netgear, are manufactured in Taiwan, Vietnam or China. Router makers can apply for an exemption from the Pentagon or the Department of Homeland Security, but they need to provide a concrete plan to shift manufacturing to the United States. And you thought RAM was getting expensive. A company called Webinar TV has been quietly scanning the Internet for publicly accessible Zoom meeting links, joining those calls, recording them and turning them into AI-generated podcasts, complete with two synthetic hosts named Phil and Amy who recap the highlights and banter with each other. The company claims to host more than 200,000 such webinars. In many cases, the people whose meetings were recorded only found out when Webinar TV emailed them to say their call had been turned into a podcast, framed as a sales pitch. The boilerplate email comes from a Sarah Blair, VP of Communications, whose profile photo appears to be AI-generated and who has no verifiable online presence.
One of Mayberg's sources, a teacher named Tan Rademacher, had organized a Zoom call for educators to discuss keeping kids safe from ICE enforcement. He deliberately chose not to record it because of the politically sensitive nature of the conversation and the professional risks for some of the participants. Months later, Webinar TV emailed him a link to the full recording, an AI video summary, chapter markers, and a Phil and Amy episode about his meeting. Cyber Alberta, an organization that supports cybersecurity across the Canadian province, published their own investigation after a Government of Alberta ministry found one of their webinars on the platform without their permission. Their findings shed light on how Webinar TV actually operates. The primary vector appears to be third-party browser extensions: AI transcription and note-taking tools. At least one extension on the Chrome Web Store is listed as being developed by Webinar TV directly. The business model is also worth understanding. Webinar TV scrapes meetings en masse, then turns around and offers the people whose content has been taken a paid "lead advantage" service to promote their own webinar, with bidding starting at $20. For some, it's seen as effectively ransoming your content back to you under the guise of marketing. Webinar TV CEO Michael Robertson has defended the platform publicly on LinkedIn and Reddit. Cyber Alberta also noted Robertson appears to be the same Michael Robertson whose previous company, MP3Tunes, was found liable for copyright infringement in 2014 and ordered to pay $41 million. Webinar TV says it's DMCA-compliant and will remove any content on request, but multiple users report that takedown requests are ignored or delayed. Cyber Alberta's full technical report is on its website. If you caught Monday's episode, you'll remember the supply chain attack on the Trivy vulnerability scanner. There's a new development on that story, and it's a significant escalation.
Bill Teulis at Bleeping Computer reports that TeamPCP, the group behind the Trivy attack, has now been linked to a campaign targeting Kubernetes clusters that includes a destructive wiper payload aimed specifically at systems configured for Iran. Researchers at Aikido confirmed the connection through shared infrastructure: the same command and control server, the same backend code, and the same file drop path used in the Trivy attack and a related npm campaign called Canister Worm. Here's how the campaign works. When the malware hits a system, it checks for Iran's time zone and locale settings. If it finds a match and Kubernetes is present, it deploys a privileged container, named, notably, Kamikaze, that deletes all top-level directories on the host file system and forces a reboot. On Iranian systems without Kubernetes, it simply runs a recursive delete command against every file the process can reach. On non-Iranian systems, it installs a persistent Python backdoor instead. A more recent variant has dropped the Kubernetes-based spreading mechanism and switched to SSH propagation, parsing authentication logs for valid credentials and using stolen private keys to move through environments. And finally, here's a policy story worth watching if you're in the cyber insurance space. Tim Starks at Cyberscoop reports that the U.S. Treasury Department is soliciting public comment on whether federal terrorism risk insurance programs should be expanded to cover cyber-related losses. The program, known as TRIP, was created after 9/11 to make terrorism risk insurance more available and affordable by providing a federal backstop to the private insurance market. With the underlying law set to expire at the end of 2027, some experts have been pushing Congress to tie a cyber insurance backstop to its reauthorization. The catch is a significant one. Under the current law, only losses from cyber attacks formally certified as acts of terrorism would qualify for coverage.
That's a narrow definition. Attacks need to be deemed dangerous to life, property or infrastructure and designed to influence the US population or government. A catastrophic cyber attack that doesn't meet that bar would fall outside of the program entirely. Treasury is asking for comments specifically on whether those definitions should change and how the cost-sharing mechanism might be modified to better account for cyber losses. Comments are open until May 8th. The timing is notable given the Stryker attack, which was reportedly carried out by an Iranian government-linked group called Handala. And this is exactly the kind of incident that can test the line between a cyberattack and an act of terrorism. I commented earlier this week to another media organization about whether government backstops are a good idea. And honestly, I think they're going to make the cyber insurance problem worse. Cyber insurance was used too often to do risk transfer instead of investing in security tools and processes. That led to the cybercriminal industry growing like an old-school Japanese-style giant monster. Now Godzilla is here and it does so much damage that insurance can't cover it. And organizations are starting now to shift from risk transfer to actual risk mitigation. But if big government foots the bill, that monster could get even worse. This was Cybersecurity Today for Wednesday, March 25, 2026. I've been your host, David Shipley. Thanks for listening, and thanks to everyone who has been leaving ratings, reviews and sharing the show with others. We're getting into the top five tech news podcasts in a number of countries, and that's thanks to your help. We'd love to continue to reach even more people this year, and we continue to need your help to do that. Thanks for listening and stay safe out there.
A
We'd like to thank Meter for their support in bringing you the podcast. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware and the firmware, build the software, manage deployments, and even run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. Book a demo at meter.com/CST. That's M-E-T-E-R dot com, slash CST.
Host: David Shipley
Date: March 25, 2026
This episode covers David Shipley’s report from the RSA Conference (RSAC) in San Francisco, featuring his take on one of RSAC’s most provocative presentations: a call to retire the term “Advanced Persistent Threat” (APT). The episode also tackles major policy moves by the US government affecting router sales, exposes controversial activity by Webinar TV, explores a destructive campaign targeting Iranian infrastructure, and examines a brewing debate around terrorism insurance for cyberattacks.
Key Session at RSAC:
David highlights a presentation by Robert Lepofsky, Principal Threat Intelligence Researcher at ESET, who argues the term “Advanced Persistent Threat” (APT) has become so diluted it has lost its analytical value.
Blurring of threat actor lines:
Lepofsky notes: many nation-state groups have dropped custom-built tools for the same commodity malware and tactics criminal groups use; some financially motivated groups are now on par with or outpacing less sophisticated state actors; and hybrid groups run espionage and financially motivated attacks within the same operations, so the old categories stop making sense.
Proposed Solution:
Lepofsky suggests describing threat actors by activity and motivation (“espionage actor,” “e-crime threat actor,” “nation-state hacker”), not by implied sophistication.
Industry Pushback:
The APT term sticks partly because it’s an easier sell to board leadership during crisis communications.
Quote (Robert Lepofsky via David Shipley, 01:44):
"It used to signal nation state espionage actors, sophisticated, well resourced, patient. Now it gets slapped on almost anything, including highly capable cybercriminal groups that have had nothing to do with state sponsored espionage."
Diminishing “Zero Trust” Buzzworthiness:
“Zero trust” appears far less often across the show floor; it may be on its way out as a marketing buzzword.
Rise of AI, and ‘Agentic AI’:
In its place, “AI” dominates: “AI everywhere,” with “agentic AI” being plastered across booths.
Booth Highlights: CrowdStrike's cyberpunk-style giant statues of APT team characters; Mindguard's deliberately 90s-themed room with old-school CRT monitors; Commvault's full-on wrestling ring with a luchador-style wrestler; plus castles with dragons, a horror-movie-themed booth and a western-style booth. Aaron Portnoy of Mindguard on the 90s theme:
“AI security is in a state that's very reminiscent of the late 1990s in terms of the maturity, how easy it is to hack things back then, and how easy it is to hack AI things now.”
Policy Move:
The FCC bans the sale of all newly released Wi-Fi router models not made in the US—a reaction to national security concerns about supply chain risks.
Background:
Foreign-made routers are seen as introducing supply chain vulnerabilities that hackers and cyber spies can exploit; the FCC cited the Volt, Flax, and Salt Typhoon attacks on US telecommunications infrastructure.
Impact: The ban covers only new models; routers already purchased or previously authorized are unaffected, but any new foreign-produced router is blocked from the FCC authorization required to sell in the US. Makers can seek an exemption from the Pentagon or DHS, but only with a concrete plan to shift manufacturing to the United States.
David Shipley, 07:07:
“Most routers, including those from US Headquartered firms like Netgear, are manufactured in Taiwan, Vietnam or China. ... And you thought RAM was getting expensive.”
Description:
Webinar TV scrapes publicly available Zoom meeting links, records the sessions, and generates AI-driven podcasts with synthetic hosts “Phil” and “Amy.”
Discovery and Consent Issues: Many organizers learned their meeting had been recorded only when Webinar TV emailed them a sales pitch, sent from a "Sarah Blair, VP of Communications" whose profile photo appears AI-generated and who has no verifiable online presence.
Notable Incident: A teacher who deliberately left a politically sensitive educators' Zoom call unrecorded later received a link to a full recording, an AI video summary, chapter markers, and a Phil-and-Amy episode about the meeting.
Investigations: Cyber Alberta investigated after a Government of Alberta ministry found its webinar on the platform without permission; the primary vector appears to be third-party browser extensions (AI transcription and note-taking tools), at least one of which is listed on the Chrome Web Store as developed by Webinar TV. The company then offers those whose content was taken a paid "lead advantage" service, with bidding starting at $20.
Leadership and Legal History: CEO Michael Robertson has defended the platform on LinkedIn and Reddit; Cyber Alberta notes he appears to be the same Michael Robertson whose earlier company, MP3Tunes, was found liable for copyright infringement in 2014 and ordered to pay $41 million. Webinar TV says it is DMCA-compliant, but multiple users report takedown requests being ignored or delayed.
David Shipley, 09:05:
"For some, it's seen as effectively ransoming your content back to you under the guise of marketing."
Ongoing Campaign:
TeamPCP, linked to the recent Trivy vulnerability scanner supply chain attack, is now targeting Kubernetes clusters with a wiper payload aimed at Iranian systems. Aikido tied the campaigns together through shared infrastructure: the same command and control server, backend code and file drop path as the Trivy attack and the related npm campaign Canister Worm.
Mechanism: The malware checks for Iran's time zone and locale. On a match with Kubernetes present, it deploys a privileged container (named Kamikaze) that deletes all top-level directories on the host file system and forces a reboot; on a match without Kubernetes, it runs a recursive delete against every file it can reach. Non-Iranian systems instead receive a persistent Python backdoor.
Campaign Evolution:
A more recent variant drops the Kubernetes-based spreading mechanism and propagates over SSH, parsing authentication logs for valid credentials and using stolen private keys to move through environments.
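The destructive step described above depends on a pod spec that a cluster should never admit unchallenged: a privileged container with the node's root filesystem mounted. The following is an added defender-side example, not code from the podcast or from any of the reports it cites; it statically checks parsed Pod manifests for that pattern, and the two manifests at the bottom are constructed for illustration.

```python
# Added example, not code from the podcast or the reports it cites: a static
# check over Kubernetes Pod manifests for the node-wiping pattern described
# above (a privileged container with the node's root filesystem mounted).
# The two manifests at the bottom are constructed for illustration.

def assess_pod(pod):
    """Return findings for one Pod manifest (parsed YAML/JSON as a dict);
    an empty list means nothing suspicious was seen."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    # volume name -> host path, for every hostPath volume in the spec
    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c.get('name', '?')}"
        privileged = bool(c.get("securityContext", {}).get("privileged"))
        mounts_root = False
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue  # not a hostPath volume, nothing to flag here
            if path == "/":
                mounts_root = True
                findings.append(f"{cname}: node root filesystem mounted at {m['mountPath']}")
            elif not m.get("readOnly"):
                findings.append(f"{cname}: writable hostPath {path} at {m['mountPath']}")
        if privileged:
            findings.append(f"{cname}: privileged container")
        if privileged and mounts_root:
            findings.append(f"{cname}: privileged with host root mounted, can destroy the node")
    return findings

SUSPICIOUS_POD = {  # constructed, resembling the wiper pod described above
    "metadata": {"name": "example-wiper"},
    "spec": {"volumes": [{"name": "host", "hostPath": {"path": "/"}}],
             "containers": [{"name": "main", "image": "example.invalid/busybox",
                             "securityContext": {"privileged": True},
                             "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}

BENIGN_POD = {  # constructed: a log shipper with a read-only hostPath mount
    "metadata": {"name": "log-agent"},
    "spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
             "containers": [{"name": "agent", "image": "example.invalid/agent",
                             "volumeMounts": [{"name": "logs", "mountPath": "/var/log",
                                               "readOnly": True}]}]}}

if __name__ == "__main__":
    for pod in (SUSPICIOUS_POD, BENIGN_POD):
        print(pod["metadata"]["name"], assess_pod(pod) or ["no findings"])
```

The same check can be run in an admission webhook or over `kubectl get pods -A -o json` output; a cluster that already enforces the restricted Pod Security Standard would reject the suspicious manifest at admission.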
US Treasury Policy Review:
Federal government asks if terrorism insurance (TRIP) should be expanded to cover cyber incidents.
Key Issues: Under current law only losses from cyber attacks formally certified as acts of terrorism (deemed dangerous to life, property or infrastructure and designed to influence the US population or government) would qualify, so a catastrophic attack that does not meet that bar falls outside the program entirely. Treasury asks whether those definitions and the cost-sharing mechanism should change; comments are open until May 8th. The timing is notable given the Stryker attack, reportedly carried out by the Iranian government-linked group Handala.
Host’s Perspective:
David Shipley is skeptical: he fears a government backstop will worsen the cyber insurance problem by encouraging risk transfer rather than true risk mitigation.
David Shipley, 12:50:
"Cyber insurance was used too often to do risk transfer instead of investing in security tools and processes. That led to the cybercriminal industry growing like an old school Japanese style giant monster. Now Godzilla is here and it does so much damage that insurance can't cover it. And organizations are starting now to shift from risk transfer to actual risk mitigation. But if big government foots the bill, that monster could get even worse."
On the APT label (01:44):
“It used to signal nation state espionage actors, sophisticated, well resourced, patient. Now it gets slapped on almost anything, including highly capable cybercriminal groups that have nothing to do with state sponsored espionage.” — David Shipley, summarizing Lepofsky
On AI security (05:02):
“AI security is in a state that's very reminiscent of the late 1990s in terms of the maturity, how easy it is to hack things back then, and how easy it is to hack AI things now.” — Aaron Portnoy (Mindguard)
On router industry impact (07:07):
“Most routers, including those from US Headquartered firms like Netgear, are manufactured in Taiwan, Vietnam or China. ... And you thought RAM was getting expensive.” — David Shipley
On Webinar TV’s model (09:05):
“For some, it's seen as effectively ransoming your content back to you under the guise of marketing.” — David Shipley
On government cyber insurance (12:50):
"Now Godzilla is here and it does so much damage that insurance can't cover it. ... But if big government foots the bill, that monster could get even worse." — David Shipley
This episode delivers a rapid, insight-packed rundown of RSAC's atmosphere, exposes concerning new developments in cyber threats and policy, and makes room for a sharply argued industry critique of both cyber insurance and obsolete terminology like “APT.” The episode is essential listening for anyone seeking to stay current on cybersecurity's evolving language, regulatory risk, and the creative chaos of the industry's big stage.