Tim Starks (12:36)

That's very accurate.

Dave Bittner (12:37)

All right. So how are you keeping track of all of it these days? There's so much going on. I feel like you must be in a bit of a whirlwind.

Tim Starks (12:47)

Yeah. You sit down to say, oh, I'm going to really dive into this subject. Right. As a reporter, you're like, I'm really going to dive into this. And then the next moment something comes along that's if not as important, more important. So it's been tough, honestly.

Dave Bittner (13:05)

Well, let's talk about some of the things that I think have been top of mind, certainly to folks tuned into D.C. i mean, we have the whole situation with former CISA director Chris Krebs. And what in my opinion can only be or perhaps is most easily labeled as retaliation from the Trump White House for Krebs statement that the 2020 election was fair and that President Trump did indeed lose that election. But the White House coming after not just Chris and his security clearance, but also the company that he works for.

Tim Starks (13:46)

Yeah, it's, it's, I, there was, there was somebody who was, who was saying on one of the social media sites, not surprised but still shocked. It is a kind of constant state of mind. It feels like in the Trump administration, the idea that you can just know somebody that the president doesn't like and suddenly find your business being threatened is it's the kind of thing that you think just can't happen in America until it does. I would say that one of the things that's interesting about this administration versus the previous administration is I think for the most part, I say this for better or worse, because when I was covering cybersecurity in the first Trump administration and I was like, there's so much wild stuff happening in all these other agencies and all these other parts of the government. But cybersecurity was pretty tame in the Trump administration until the very end, of course, with Krebs, when Krebs the election results were pretty much already known. But when Krebs got not pretty much, but they were known, essentially when Krebs was fired, he was already on his way out. When he was saying, you know, doing things like the rumor control, you know, there was some discussion he was doing the rumor control thing when the election was still happening. But when he got fired, it was entirely predictable and well known that, that he wasn't going to be around much longer because of the Trump administration was going to be ending. So that was about the most dramatic thing that happened in the cyber world in the first Trump administration was Krebs related. Now there's so much dramatic stuff happening in every area of the government, including cybersecurity. They fired the Cyber Command director, they fired a bunch of people at cisa. They've done so much. So the Krebs shoot is just the latest to drop, the domino's to fall. And it is entirely disturbing that he essentially said something that the president didn't like four, how many years ago? Five years ago at this point.

Dave Bittner (15:55)

Yeah.

Tim Starks (15:56)

And now he has the president saying, we're going to bring the weight of the government to bear on you and your company and the people you work with. It's really, really, really, really upsetting that this is happening in our country.

Dave Bittner (16:11)

Well, I mean, let's dig into some of the goings on at CISA itself. I saw a recent report that I think the number I saw was 1300 people probably going to be eliminated from CISA, both full time employees and contractors as well. It's about half of their workforce, I believe, and can't imagine that's not gonna put a dent in our defensive posture.

Tim Starks (16:39)

Yeah, I mean, I think, you know, there was an early sign that they were going to be, or it could be because it's so. So. But I think they only cut about 130 people. Now, I'm not saying that's not a significant number. It is. But looking at some of the things that are happening, like HHS, where they're cutting 10,000 people, that seemed mild by comparison at the time. There were still concerns that there were going to be more cuts at CISA and then 130 people were fired. But I don't think anybody thought that half. I mean, that's a huge number. I was just talking to Andrew Gabarino, the congressman, who is the chair of the Cybersecurity Subcommittee of the House Homeland Security Committee, and he thought Republicans now get that CIS is important, but cutting half of the workforce is going to have a huge impact. I mean, there are people who thought the agency was not near as big as it should have been. People in the cyber world have thought that it needs to be a. A $5 billion agency or something like that. And that's Republicans, too. I mean, it was John Catko, I think, who first said, we need this agency to have a $5 billion budget. So if we're going to cut half of the people, it's definitely going to affect the cyber work. It does. It is an agency that is largely about. And this is another thing that's interesting about it. If you're a Republican, you're thinking, oh, you know, we're concerned about the size of government. We don't want overregulation. CISA doesn't really have regulatory power. It's just an agency that just sort of helps. I mean, that's a weird way to boil it down, but it just sort of helps the businesses, it helps the government. You know, it gives them advice, it creates guidelines, it doesn't do anything regulatory. And here it is being cut just because it seems like, I mean, there's not one of these things where people have said, oh, we're going to cut it this much because we think it's this much, it's doing too much, or it's doing. It's not doing what it should be doing, and therefore it needs to be cut back because it's not useful. There's nobody saying that. So the idea of it being cut in half, essentially, is. It just baffles the mind, really. You, you, you're looking for, if you're a reporter, you're looking for a reason. Why. Why is it. Why is this happening? Right.

Dave Bittner (18:54)

Why half? Yeah. Is it arbitrary?

Tim Starks (18:56)

Just because.

Dave Bittner (18:58)

Yeah. Well, you mentioned, you know, speaking with Republican Congress members, this notion, the sort of original sin of CISA as described by the Trump White House, is that they were censoring Republican voices. How much does that argument still carrying water when you're talking to Republicans? Are they leading with that? Are they acknowledging that? Is that, you know, how seriously are they taking that, either publicly or behind the scenes?

Tim Starks (19:34)

I think they certainly at least were taking it seriously. I think in 2023, there was a vote from House Republicans, the majority of whom said, we're going to cut CIS's budget by 25% because of this kind of thing. But that's a very small percentage of the work it did. And I'm not saying the work equals censoring Republican voices. I mean, work on disinformation was a very small percentage of what it did. I think Brandon Wales testified before Congress, Brandon Wells being a former top CIS official, that it was less than 1% of CISA's budget. So, yes, I think for some Republicans, and among them, you know, Senator Rand Paul, who was the chair of the Homeland Security Committee on the, on the Senate side, that is a reason that CISA is a bad agency, that, that singling out that part of the things. But it did feel like this would be a moment, if you were concerned about CISA as a Republican, to say, well, now we're in charge of it, and if there's, if there's some amount of that, we can get rid of it and there's a nominee to lead cisa that is someone who could hope to say, hey, we need you to change these things. It seems like this would be a moment where you could stop and say, let's reevaluate. Instead, it seems like from the top, it's just chop it, just cut it. And I do think, you know, that, yes, there are things that Republicans can point to and say, we don't like this about the agency. And Trump obviously didn't like that. Chris Krebs had said that these things that he was saying about the election were misinformation. But I don't think that quite gets to the point where you say, oh, yeah, we're not going to cut this agency in half. It just doesn't quite get there.

Dave Bittner (21:15)

Well, speaking of the nominee to lead cisa, Senator Wyden has pledged to put a hold on the confirmation there. What's going on with that story?

Tim Starks (21:28)

Yeah, this is a little similar to what he did with Chris Krebs. Believe it or not, everything kind of comes. Comes and comes and goes. Huh. Big full circle. Just related to concerns about telecom vulnerabilities and, you know, surveillance is what Senator Wideness is concerned about. He got what he wanted in order to lift the hold from, from, from last time. This time it seems like he wants more. So we'll see how much that holds things up. I think it's one of those kinds of things where I'm not saying it's not meaningful, but it is somewhat symbolic. It's nothing to do with concern about the nominee himself. It's very little to do with the agency itself. It's an opportunity for Senator Wyden to bring up a concern he's had and execute that concern using a nominee that is only vaguely related to what he's concerned about.

Dave Bittner (22:19)

Right. It's a point of leverage that he has, so he's taking advantage of it.

Tim Starks (22:23)

Exactly.

Dave Bittner (22:24)

Yeah. Yeah. All right, well, Tim Starks is senior reporter at cyberscoop. Tim, thank you so much for sharing your knowledge, expertise and experience with us. And I look forward to catching up with you soon.

Tim Starks (22:37)

I don't Dave, I don't look forward. I'm kidding. It's a wild world. I do appreciate talking to you. Thanks again. All right, see you.

Dave Bittner (23:00)

Do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but but when it comes to our GRC programs, we rely on point in time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off. And finally, if AI coding assistants were chefs, they'd be whipping up recipes on the fly, sometimes tossing in a mystery spice that no one remembers buying. Welcome to the world of slop squatting, where attackers scoop up the hallucinated ingredients fake packages that your friendly LLM invented, and serve them back as malware. Coined by developer Seth Larson and popularized by Andrew Nesbit, slop squatting targets the packages AIs like Copilot and ChatGPT dream up, but that don't actually exist. Yet attackers register these ghost packages, waiting for some unwitting dev to copy paste them into their project. A recent study found that nearly 20% of packages recommended by 16 code generating LLMs are pure fiction. Worse, these hallucinations are often weirdly consistent and suspiciously plausible. With vibe coding on the rise, devs are more likely to install first and question later. The moral of the don't trust that suspiciously convenient import. Your AI might be freelancing for the bad guys. And that's the cyber wire for links to all of today's stories. Check out our daily briefing@the cyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week you can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cyber security. If you like our show, please share a rating and review in your favorite podcast, Apple. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Looking for a career where innovation meets Impact Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting edge solutions. Whether you're passionate about AI, cybersecurity or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work life balance, you'll have the flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today@vanguard jobs.com.