CyberWire Daily – "A new front in the data sovereignty debate."
Date: February 25, 2026
Host: Dave Bittner (N2K Networks)
Guest Interview: Andrew Dunbar, CISO of Shopify
Episode Overview
This episode dives into the expanding debate over data sovereignty and its global implications, highlighting recent moves by the US government to challenge international data localization efforts. It covers major news in cybersecurity, from controversial export controls on AI chips and large-scale hacks to a feature interview with Shopify's CISO, Andrew Dunbar, about how identity and trust now form the new perimeter in digital commerce. The episode wraps up with a look at privacy debates sparked by Ring's Super Bowl ad.
Key News Summaries & Analysis
1. US Pushback Against Global Data Sovereignty Rules
- [00:31–01:32]
- The Trump administration has instructed US diplomats to actively oppose foreign regulations that would control how American tech companies handle citizens' data (seen in a February 18 cable, signed by Secretary of State Marco Rubio).
- The guidance criticizes Europe’s GDPR for being overly restrictive and warns that data localization policies from the EU, China, and others may choke off global data flows, increase cyber risks, and stifle AI and cloud advancement.
- The cable urges support for the Global Cross Border Privacy Rules Forum.
- Quote:
“The cable argues that data sovereignty and localization laws could disrupt global data flows, increase costs and cybersecurity risks, and limit artificial intelligence and cloud services.” — [00:50]
2. AI/Export Controls: China’s DeepSeek and Nvidia Chips
- [01:33–02:18]
- US officials allege that Chinese AI startup DeepSeek trained models on Nvidia’s restricted Blackwell chips, potentially violating export bans.
- DeepSeek may have attempted to hide the chips’ origins.
- The situation spotlights enforcement gaps and the geopolitical tension around advanced semiconductors.
- Quote:
“Officials also said the model likely used distillation, drawing on leading US AI systems. The case underscores concerns about enforcement gaps and China’s continued reliance on American semiconductor technology.” — [02:10]
3. Chinese Hacking Group Gallium (UNC2814) Disrupted
- [02:19–03:19]
- Google discloses it stopped a China-linked group (Gallium) that had breached at least 53 organizations across 42 countries.
- The attackers abused Google Sheets as command and control to avoid detection and installed a backdoor named Grid Tide.
- The campaign is considered part of broader long-term surveillance efforts.
- Quote:
“Google said the attackers used Google Sheets to blend into normal network traffic, not by exploiting a flaw in Google products.” — [02:55]
4. New Zealand Hack: Patient Records Tampered
- [03:20–04:21]
- Metamap, a healthcare portal in New Zealand, suffers a major breach—patient records weren’t just accessed but altered (e.g., living people marked as deceased).
- Healthcare providers reverted to manual processes, highlighting the impact on patient safety and data integrity.
- This incident intensifies scrutiny on New Zealand’s health cybersecurity posture.
- Quote:
“Altering core status data raises patient safety and data integrity concerns beyond a typical data theft.” — [03:58]
5. Mental Health Apps Found Riddled with Vulnerabilities
- [04:22–05:05]
- Researchers uncovered over 1,500 vulnerabilities in 10 popular mental health apps with 14.7 million downloads.
- Major flaws included exposure of therapy transcripts and insufficient input validation; app names were withheld.
- Mental health data is deemed especially valuable on the dark web.
6. Wynn Resorts Data Breach: Employee Data Stolen
- [05:06–06:01]
- Attackers (Shiny Hunters group) stole 800,000 employee records and demanded $1.5M in Bitcoin.
- The breach originated from an Oracle PeopleSoft vulnerability and privileged credentials.
- Wynn activated incident response and offered credit monitoring, but did not specify if the ransom was paid.
7. New York Cyber Rules Scaled Back After Lobbying
- [06:02–07:09]
- New York’s Public Service Commission removed wireless and broadcast TV firms from upcoming cybersecurity regulations, largely under telecom industry pressure.
- The scaled-back rules now apply only to gas, water, and electric utilities.
- Quote:
“Critics…called the move concerning and questioned the rationale. The scaled back rules will now apply only to gas, water and electric utilities.” — [06:53]
8. Russia Targets Telegram Founder, Escalating App Restrictions
- [07:10–08:06]
- The Kremlin is criminally investigating Telegram founder Pavel Durov, accusing him of abetting terrorism.
- Russia threatens to ban Telegram, accusing it of ignoring content takedown requests and enabling extremism.
- Durov denies the charges, calling them attacks on privacy and free speech.
9. US Defense Insider Imprisoned for Selling Cyber Weapons to Russia
- [08:07–09:00]
- Peter Williams, a former defense contractor employee, was sentenced to over seven years for stealing and selling classified cyber tools to a Russian exploit broker, tools potentially impacting US and Australian intelligence.
Feature Interview: Andrew Dunbar, CISO of Shopify
“How Identity and Trust Become the New Perimeter”
[13:28–24:24]
The Future of Commerce: Agentic Shopping and Trust
- Transforming Discovery and Commerce with AI
  - AI agents are now integral to shopping—from discovering products to managing purchases.
  - Personalized, conversational shopping is the new norm.
  - Quote:
    “People have really attached themselves to the idea that they have a personalized, conversational way that they can discover the things they want to buy…” — Andrew Dunbar [13:40]
- Buyer Hesitation and Securing Transactions
  - Consumers are cautious about entrusting AI agents with spending their money without oversight.
  - Shopify’s approach ensures agents don’t make purchases autonomously; instead, they mediate product discovery, authentication, and post-purchase support.
  - The relationship requires mutual trust between buyer and merchant:
    - Merchants need assurance of customer authenticity.
    - Buyers need confidence in merchant honesty (no hidden fees, accurate representation).
  - Quote:
    “Commerce is inherently a two-way relationship of trust. This is not just something where merchants...want anyone who shows up...to be able to buy from them. They want confidence that the purchaser is authentic as well.” — Andrew Dunbar [15:13]
- Universal Commerce Protocol: An Open Standard for Agent-Based Commerce
  - Shopify, in partnership with Google, launched an open protocol to standardize digital commerce interactions for AI agents.
  - The protocol extends beyond payment tokenization to cover the full end-to-end experience (catalog, product discovery, authentication, returns, subscriptions, etc.).
  - Importance of openness: more entrepreneurs, a thriving open internet, interoperability, and more innovation.
  - Quote:
    “We always want to take the path that leads to more entrepreneurs. And so whether or not people are building on Shopify, we prefer the open Internet.” — Andrew Dunbar [18:08]
- Solving Complex Problems in an Intermediated Shopping Space
  - In agent-based shopping, there’s often no direct interaction between buyers and merchants—everything is mediated.
  - Ensuring the merchant’s product data (e.g., offers, coupons) is rich, structured, and discoverable for agent interaction was a major challenge.
- Security and Identity: The New Perimeter
  - Legacy checkout is oddly unauthenticated (“just a form”).
  - Proper identification and authentication of buyers (and agents) in commerce protocols is now essential.
  - Open identity standards are needed but are difficult to implement universally.
  - Quote:
    “The traditional checkout experience...it's layering the idea of just using a form, typing in a credit card number...” — Andrew Dunbar [19:19]
- Future-Proofing Protocols
  - By collaborating across the industry, protocols can evolve to address security needs as they arise.
  - Building protocols for “cart generation” and other advanced commerce functions makes the system adaptable as commerce evolves.
- Practical, Behind-the-Scenes Operation
  - While consumers won’t see the protocol directly, merchants must provide product info in machine-consumable formats for agents/LLMs.
  - Merchants’ focus shifts to properly structuring catalogs; Shopify handles much of the protocol complexity in the background.
Notable Quotes & Memorable Moments
- On the Evolving Nature of Digital Commerce:
  “Commerce is inherently a two-way relationship of trust.” — Andrew Dunbar [15:13]
- On Openness:
  “We prefer the open Internet. And we always take decisions that lead to proliferation of the open Internet. It leads to choice on behalf of businesses.” — Andrew Dunbar [18:11]
- On Checkout Security:
  “The traditional checkout experience, it's an unauthenticated experience, which is kind of weird.... Typing in a credit card number and a name and address is sufficient to identify yourself and then make a purchase. But...there is no true authentication.” — Andrew Dunbar [19:19]
- On Future-Proofing:
  “...Every time there's a new version, every time there's a new thought of here's a good way to enhance security, we can just embed that into the protocol and then everyone can benefit.” — Andrew Dunbar [20:53]
Privacy Spotlight: Ring Cameras and AI (“Search Party” Super Bowl Ad)
- [26:08–end]
- Ring’s ad about neighborhood cameras locating lost pets sparks a privacy uproar, with audiences worried that the same system could be used to surveil people.
- Social media backlash prompts the Fulu Foundation to offer a $10,000 bounty for a solution to make Ring run footage locally, not on Amazon’s cloud.
- Highlights enduring questions around data ownership and privacy for consumer IoT.
- Quote:
“A lingering question when you buy the camera, who really owns the footage?” — [26:49]
Important Timestamps
- US Data Sovereignty Directive: [00:31–01:32]
- DeepSeek/Nvidia AI Export Controversy: [01:33–02:18]
- Google Thwarts Gallium Hackers: [02:19–03:19]
- New Zealand Patient Record Tampering: [03:20–04:21]
- Mental Health App Vulnerabilities: [04:22–05:05]
- Wynn Data Breach: [05:06–06:01]
- NY Cyber Rules Scaled Back: [06:02–07:09]
- Russia v. Telegram: [07:10–08:06]
- US Defense Insider Imprisoned: [08:07–09:00]
- Andrew Dunbar (Shopify) Interview: [13:28–24:24]
- Ring’s Super Bowl Ad Privacy Backlash: [26:08–end]
Summary
This episode presents a global snapshot of evolving cybersecurity, regulation, and privacy. The US is ramping up opposition to foreign data localization, major hacks and vulnerabilities surface across sectors, and the core concepts of trust and identity are shifting in digital commerce. The interview with Shopify’s CISO reveals how the future of shopping will require robust protocols for both security and trust, designed for an open, agent-driven internet—a future already arriving, quietly built in the background, but with immense impact on everyday commerce and safety online.
