Loading summary
A
You're listening to the Cyberwire Network powered by N2K.
B
This episode is supported by Black Hat usa. If you follow the research, you know a lot of it breaks on Black Hat stages hundreds of peer reviewed briefings, more than 100 hands on trainings and the largest business hall in Black Hat's history. Six days to learn the skills you'll need tomorrow, August 1st through the 6th, use code CYBERWIRE for $200 off your briefings pass@black hat.com we'll see you in Vegas. The White House keeps frontier AI models on a short leash Russian threat actors increasing target secure messaging platforms Dirty clone is a high severity Linux kernel privilege escalation flaw. An investigation claims federal websites are violating privacy rules. Microsoft dismantles a sophisticated malicious browser extension campaign. Setting up a GitHub repository could trick AI coding agents into executing malicious payloads. The DOJ shuts down illegal World cup streamers. An anonymous linked hacker gets 18 months for website defacement. We've got your Monday business briefing. Our guest is Dylan Dylan Sandlin, Program Manager for Digital and Cybersecurity Content at the national association of Corporate Directors. We're discussing cyber risk as a board concern and in healthcare AI patient privacy needs a second opinion. It's Monday, June 29, 2020. I'm Dave Buettner and this is your Cyberwire intel briefing. Happy Monday everybody. It is great to be back from a very nice vacation. My thanks to Maria Vermazes for filling in and the entire N2K CyberWire team for making it possible. It's great to have you here with us today. The Trump administration is taking a more interventionalist approach to frontier artificial intelligence, treating advanced AI less like commercial software and more like strategically important dual use technology. Over the weekend, officials approved limited access to Anthropic's Mythos 5 for a small group of vetted US organizations while overseeing a tightly controlled preview of OpenAI's GPT 5.6 family. The moves come as Chinese firms rapidly advance AI powered cybersecurity capabilities, with reports suggesting competitors are approaching Mythos performance in vulnerability discovery. Notably, OpenAI argues GPT 5.6 remains below the cyber risk threshold that prompted tighter controls on Mythos. The broader trend suggests governments may increasingly regulate frontier AI like export controlled technology, even as foreign competitors continue developing comparable systems that could outpace regulatory efforts. US Cybersecurity officials are warning that Russian intelligence linked threat actors are increasingly targeting secure messaging platforms, particularly Signal, through sophisticated phishing campaigns that steal verification codes and account pins. In a joint advisory CISA and the FBI said attackers impersonate trusted contacts, service providers or security teams to trick users into surrendering authentication credentials, allowing them to hijack accounts despite signals end to end encryption remaining secure. The campaign primarily targets government personnel, military members, journalists and activists, but officials warn the tactics could affect any user. The agencies recommend enabling signals registration lock, never sharing verification codes or PINs, verifying unexpected requests through secondary channels, and staying alert to malicious links and spoofed websites. The advisory underscores that nation state actors increasingly exploit user trust rather than encryption flaws. JFROG has released technical details and a proof of concept for Dirty Clone, a high severity Linux kernel privilege escalation flaw. The vulnerability is part of the dirty frag family and exploits flaws in how the kernel handles shared memory between the page cache and networking buffers, allowing local users to gain root privileges. Systems missing the full chain of related patches remain vulnerable, particularly Debian, Fedora and Ubuntu. JFrog warns the flaw poses significant risk to multi tenant cloud environments, kubernetes, clusters and containerized workloads. An investigation by the Guardian alleges that the White House's National Design Studio, created in 2025 and staffed largely by former Doge personnel, has quietly rebuilt several federal websites handling passports, voter registration, prescription drug pricing and children's savings accounts. The report claims the sites used commercial tracking software without required federal privacy disclosures and operated outside normal government oversight with no publicly documented funding or contracting records. Privacy advocates argue the arrangement could violate federal law and concentrate sensitive citizen data under White House control. The White House said National Design Studio personnel comply with all legal requirements and are improving public access to government services. Following the Guardian's inquiries, the reported tracking software was reportedly removed from some sites. Questions about the Office's oversight, funding and data handling remain unresolved. Microsoft has dismantled Stego Ad, a sophisticated malicious browser extension campaign that operated on the Edge Add on store for at least two years, infecting roughly 2.6 million users through 119 seemingly legitimate extensions. The malware remained dormant for days after installation and concealed its payload using steganography, hiding malicious JavaScript inside images and font files to evade detection. Once activated, the extensions performed ad fraud, hijacked affiliate commissions, stole Google and WordPress credentials, and provided attackers with a remote code execution backdoor. Microsoft observed the campaign continually evolving its evasion techniques as defenses improved. While Microsoft has not attributed the operation, Koi Security has linked related infrastructure to the Chinese threat group Dark Spectre. Users are advised to remove affected extensions immediately and reset potentially compromised credentials. Researchers at Mozilla's zero day Investigative Network or ODIN have demonstrated a proof of concept attack showing how AI coding agents such as Claude Code could be tricked into executing a hidden malicious payload while setting up an otherwise benign GitHub repository. The technique requires no malicious code in the repository itself. Instead, the AI follows standard setup instructions, automatically runs an initialization command to resolve an error, then executes a shell script that retrieves a command from an attacker controlled DNS record. The result is an interactive shell running with the developer's privileges, potentially exposing API keys, configuration files and other sensitive data. While currently theoretical, researchers warn the method could be distributed through fake job postings or tutorials, and recommend AI agents disclose the complete execution chain for all setup commands, including dynamically fetched code. The US Justice Department has seized nearly 400 domains used to illegally stream 2026 FIFA World cup matches as part of Operation Offsides, a coordinated international enforcement effort working with law enforcement agencies in multiple countries and partners including FIFA and the alliance for Creativity and Entertainment. Authorities targeted piracy infrastructure across Europe and Latin America. Officials said the illegal streaming sites not only violated copyright laws but also exposed users to malware and other cybersecurity risks. The seized domains now display law enforcement notices. Anonymous linked hacker Aubrey Cottle has been sentenced in Canada to 18 months in prison and after pleading guilty to charges related to the 2021 defacement of the Texas Republican Party website. The attack, carried out after compromising Web hosting provider Epic, replaced the site's homepage with protest content opposing a Texas abortion law and involved the theft of 180 gigabytes of sensitive data, which Cottle later shared online. Cottle, a former security researcher, has already served much of his sentence in pretrial custody but still faces possible extradition to the United States, where separate federal charges could carry an additional five year prison term. In court, Cottle expressed remorse and said he plans to complete his education and start a cybersecurity company. Turning to our Monday business briefing, cybersecurity companies attracted significant investment and deal activity last week led by Israeli operational technology security firm dream, which raised $260 million at a $3 billion valuation to expand its sovereign AI and national cyber defense platforms globally. Spanish AI security startup neural Trust secured $20 million in seed funding to advance its agentic AI security platform and expand across Europe, while India's Mitigata raised $15 million to grow its cybersecurity compliance and resilience platform. Mergers and acquisitions were equally active. Accenture acquired a majority stake in Dragos and fully acquired Run Zero and Netrise in deals valued at roughly $4.2 billion, integrating the companies into Dragos industrial security platform. Elsewhere, Francisco Partners acquired Efficient ip, Cisco announced plans to buy identity security startup Widefield Security, Frances Idocto acquired Stelo and workforce training firm M3 purchased Cybersecurity Education provider Caps Lock. Be sure to check out our complete business briefing that is on our website. It's part of Cyberwire Pro. Coming up after the break, my conversation with Dylan Sandlin from the national association of Corporate Directors. We're discussing cyber risk as a board concern and in healthcare AI, patient privacy needs a second opinion. Stay with us.
A
Heat up your Fourth of July at the Home Depot with our wide variety of grills under $300 and make every gathering one to remember. Give your outdoor space a glow up whatever your budget is, with savings on seasonal plants starting at $5. With the grill fired up and your backyard set to perfection, you'll be able to invite friends and family over to camp. Kick off the party, start celebrating. With low prices guaranteed at the Home Depot, prices may vary by store. Exclusions apply. See homedepot.com Pricematch for details. Study and play come together on a
B
Windows 11 PC and for a limited
A
time, college students get the best of both worlds. Get the unreal college deal, everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass ultimate with a custom color Xbox wireless controller. Learn more@windows.com studentoffer law supplies last ends June 30th terms at aka mscollegepc.
B
Dylan Sandlin is program manager for digital and cybersecurity content at the national association of Corporate Directors. We got together to discuss cyber risk as a board concern.
A
You know, Dave, I would say that the biggest change is a cultural shift among the boardroom community, one where technology is not seen so much as either a cost center or as purely operational, but it's really taken on strategic significance. And with that, an understanding that if we're going to deliver value to the business with technology, we need to be able to secure it as well. So I think there's really been a ramping up in how boards are approaching cybersecurity. More standardized, more routinized, and they're applying a lot more rigor in how they are approaching this risk category, specifically with the recognition that the ultimate goal is driving business value from the technology investments they're making.
B
Well, I know you've said it's important to distinguish between awareness and preparedness. What does that GAP look like in practice?
A
Looking specifically at awareness that deals most heavily with boards education. So how are individual directors making themselves aware of the specific threats that are facing their organizations? One of the things we're seeing is that directors are individually pursuing more educational opportunities on their own so that they can be more prepared for those cybersecurity conversations in their board meetings. However, when we think about preparedness, we're talking about translating that additional education and knowledge about cybersecurity into specific boardroom practices. Right. So delegating authority to appropriate committees, setting up agenda time focused on the most critical topics, not necessarily looking backwards so much at backward looking metrics, but really bringing the conversation into that strategic arena so that the conversation is really at a level where boards can provide value on the strategy and not so much just a compliance checklist.
B
Well, of course we have to touch on AI, which I think it's fair to say is a board level issue these days. What are directors trying to do to balance between that business opportunity, potential return on investment, but also the growing risk of AI enabled attacks?
A
You know, David, this is really where the conversation these days is meeting the rubber, is meeting the road in the boardroom. When it comes to cybersecurity, it's all around AI. I think from my perspective, the conversation around Mythos really broke through in a way that I hadn't previously seen. I think a lot of board directors heading into this year anticipated artificial technologies or artificial intelligence technologies to contribute to overall business growth. But there wasn't necessarily so much of an emphasis on the risk side of things. And that was seen in our survey data. But now what we're seeing in the second quarter of this year is that cybersecurity risks have really jumped back into the conversation because there is an understanding that these new technologies and these new capabilities offer a really significant risk to the business, whether it's through offensive cyber capabilities, as well as getting a greater understanding of the latent risk within the organization's tech stack by using it to uncover previously unknown vulnerabilities. So board directors now have a much clearer understanding of the risk that exists within their organization if they're leveraging these AI technologies. But the real test will be if directors are able to use this additional awareness of the risk within the organization to actually drive better prioritization of where they're going to allocate resources, what risks they're going to tolerate and what risks they're going to have to mitigate. Right. So that's where really we're looking to see how boards are responding to AI moving forward.
B
I'm curious what kind of things you all are seeing here, both in your survey data and also the folks that you interact with. Are you seeing more hesitation these days, or does it still seem to be full speed ahead when it comes to AI?
A
David? I think it's still full speed ahead. And I think one of the things that I'm really focusing on is understanding how this push to really achieve the return on investment that companies have made in these technologies, how that's balanced with how much risk are we willing to adopt to achieve that. You're seeing in some other survey data where CEOs are talking about how cyber risk is now their top risk category right now. And I think that has to be looked at in the context of the fact that the boardroom community is expecting these technologies to pay off. Right? They're expecting to receive a return on the investments that they've made. But I think what needs to re enter the conversation is do we understand, as a board and as a management team, do we understand the actual risks that these technologies are introducing? And if now that we have a greater awareness of what these tools can do right? Or now with these new capabilities that we're aware of, what assumptions might we need to rethink about how much value we can anticipate or where might we need to rededicate resources in order to mitigate some of that risk that we didn't necessarily understand that we were taking on to begin with?
B
Have you been seeing any sort of shift in the types of people that organizations are looking to put on their boards? In other words, is more of awareness and knowledge of this particular area more desirable?
A
I would say there's definitely an effort to identify specific cybersecurity or more broadly, technology expertise. For many boards, there's clearly an understanding that technology is going to be a driver of business model success moving forward. And so making sure that the right people around the table have that expertise is essential to making sure that your strategic priorities, that your business objectives are achievable, and that you're able to provide a healthy skepticism to what management is telling you about their progress on these fronts. So there definitely is an effort to bring in more additional cybersecurity expertise from director candidates. But there's also an effort to uplift the entire board's fluency, as well as engaging third party expertise to make sure that you're getting a third party perspective so that you can maintain that independent perspective.
B
I know you and your colleagues there at NACD recently updated your Cyber Handbook. Can you give us a little preview of what folks can expect to find within that?
A
Sure. I think one of the things that we've really endeavored to do is to ground the cybersecurity conversation in the organizational strategic conversation. Right. Recognizing that cyber risk is an enterprise risk and that any successful strategy in today's world is going to necessarily have a technology and cybersecurity component attached to it. Within the handbook, we've really structured it to try to give boards specific activities that they can do, along with specific success indicators that they can use to evaluate that. So again, grounding the conversation and strategy, as well as focusing on the fact that reporting around cybersecurity is getting much more standardized as well as it's becoming data backed and data informed. We're trying to incorporate the conversation around quantifying cyber risk in financial terms so that the language that's being spoken between management teams and board members is one and the same, so that the board can be better informed to make those strategic decisions, to make those resource allocation and capital allocation decisions in a much more informed manner.
B
Do you have any advice or words of wisdom for directors, CISOs, executive leaders? Just the types of things that they should understand about cyber governance. Things that are going to matter most over the next few years.
A
Yeah. So I think in terms of what's going to matter over the next couple of years, I think one of the things to always make sure that any conversation that security leaders are having with the board always is grounded in strategy. Right. A clear understanding of how what the cybersecurity team is doing relates to the overall business's objectives. So when CISOs or other technology leaders are presenting to the board, I think it's very helpful to understand exactly how what the security program is doing relates back to the business strategy, as well as having clear KPIs and Kris that link back to an agreed upon risk appetite statement.
B
Right.
A
That's quantified where it's possible so that again, board members can be better informed and that you're speaking those board members language and how they are evaluating cybersecurity. I think another thing to look out for on the horizon is making sure that when CISOs come and present to boards or when security leaders are interacting with board members, that they have a clear understanding that board members are always looking on the horizon. They're always looking to what are the next emerging technologies, whether that's quantum computing, whether that's new AI capabilities, and they want to know what your perspective is and they also want to understand that you've been thinking about this in a strategic manner that gives them a lot of confidence that those within the organization are approaching these developments with security risks or new technology capabilities in a manner that moves the organization forward and has strategy front and center in everyone's mind.
B
That's Dylan Sandlin from the national association of Corporate Directors Foreign. What happens when AI agents gain access to the same systems, applications and credentials as your employees? According to Arvind Nithra Kashayap, CTO and co founder of Rubrik, that reality is already here. As AI agents proliferate across enterprise environments, organizations face a growing how do you govern systems that operate at machine speed? To learn more about AI sprawl, the risk it creates, and how organizations can prepare, visit explore.thecyberwire.com Rubrik to hear the full conversation.
A
When you need to build up your team to handle the growing chaos at work, use Indeed Sponsored Jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills, certifications, and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit@ Indeed.com podcast. That's Indeed.com podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed Sponsored Jobs so good, so good, so good. New summer arrivals are at Nordstrom Rack stores Now. Get ready to save big with up to 60% off brands like Rag and Bone, Levi's, Adidas and Free people. Join the NordicLub to unlock exclusive discounts. Shop new arrivals first and more. Plus, buy online and pick up at your favorite Rack store for free. Great brands, great prices. That's why you wreck.
B
And finally, medical AI may be good at spotting disease, but it also appears surprisingly good at remembering who taught it. Researchers in Germany found that so called membership inference attacks can identify with near perfect accuracy whether an individual's medical data was used to train diagnostic AI models that could expose sensitive information about a patient's medical history. Even when training datasets are anonymized, the risk is especially high for underrepresented groups whose data stands out more. In training sets, attackers need only partial patient data, such as blood test results, to probe a model's confidence and infer membership. Given the frequency of healthcare data breaches, researchers argue the threat is far from theoretical. They recommend stronger privacy protections, including differential privacy techniques, broader representation in training datasets, and privacy audits that measure risks to individual patients, not just overall data sets. It turns out AI isn't just learning from patients, it's remembering them. In healthcare, that's one diagnosis nobody wants, And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. N2K's lead producer is Liz Stokes, we're mixed by Trey Hester with original music and sound design by Elliot Kaltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
A
This episode is brought to you by Google Chrome. You think you know a browser, but Gemini and Chrome? That's new. It can help you with practically anything on the web, like restoring a vintage pitch motorcycle from a 50 page restoration block. Or finally break down that long article you've had open for weeks. Gemini and Chrome is here for it, ready to make anything online make sense. There's no place like Chrome. Check responses Setup required compatibility and availability various 18 plus.
Host: Dave Bittner, N2K Networks
This episode delivers a fast-paced roundup of key cybersecurity news, with a particular focus on AI at the intersection of policy, regulation, business risk, and privacy challenges. The show covers U.S. government controls on advanced AI, major threat campaigns, technical vulnerabilities, business deals in cybersecurity, and a deep-dive interview with Dylan Sandlin of the National Association of Corporate Directors on cyber risk as a board concern—especially in a world rapidly adopting and regulating AI. The closing segment examines the sensitive issue of patient privacy in medical AI.
"The moves come as Chinese firms rapidly advance AI powered cybersecurity capabilities, with reports suggesting competitors are approaching Mythos performance in vulnerability discovery." (01:18)
"Nation state actors increasingly exploit user trust rather than encryption flaws." (03:03)
“Cottle ... expressed remorse and said he plans to complete his education and start a cybersecurity company.” (08:46)
(Interview begins at 13:54)
"The biggest change is a cultural shift ... technology is not seen so much as either a cost center or as purely operational, but it’s really taken on strategic significance ... We need to be able to secure it as well." — Dylan Sandlin (14:07)
"The conversation around Mythos really broke through ... anticipated AI to contribute ... to business growth. But there wasn’t so much of an emphasis on the risk side of things, which has now jumped back into the conversation." — Dylan Sandlin (16:22)
"I think it’s still full speed ahead ... companies are expecting these technologies to pay off ... but what needs to re-enter the conversation is: do we understand ... the actual risks that these technologies are introducing?" — Dylan Sandlin (18:12)
"...make sure that any conversation ... is always grounded in strategy—how what the cybersecurity team is doing relates to the overall business’s objectives ... have clear KPIs and KRIs that link back to an agreed upon risk appetite statement ... Board members are always looking on the horizon ... quantum computing, new AI capabilities ...” — Dylan Sandlin (22:07-22:47)
“It turns out AI isn’t just learning from patients, it’s remembering them. In healthcare, that’s one diagnosis nobody wants.” (26:55)
"Nation state actors increasingly exploit user trust rather than encryption flaws." (03:03)
"Technology is not seen so much as either a cost center or as purely operational, but it’s really taken on strategic significance." — Dylan Sandlin (14:07)
"[Boards should] ground the cybersecurity conversation in the organizational strategic conversation ... quantifying cyber risk in financial terms so that ... board can be better informed to make strategic decisions" — Dylan Sandlin (20:50)
"AI isn’t just learning from patients, it’s remembering them." (26:55)
This episode underscores the rapidly expanding complexity and stakes of AI in the security landscape—from governmental controls and cyber threats, through the evolving expectations in boardrooms, all the way to novel privacy risks in healthcare. Through interviews and expert commentary, the episode highlights how business, policy, and technology leaders must constantly revise their strategic assumptions and governance structures to keep pace with the dual-edged advances of artificial intelligence.