A
You're listening to the Cyberwire Network powered by N2K.
B
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.
The US withdraws from global cybersecurity institutions. A maximum severity vulnerability called Ni8mare allows full compromise of a workflow automation platform. Cisco patches ISE. Researchers uncover a sophisticated multi-stage malware campaign targeting manufacturing and government organizations in Italy, Finland and Saudi Arabia. The growing rift over defining AI risk. Microsoft gives 365 admins a one-month deadline to enable MFA. The Illinois Department of Human Services inadvertently exposed personal and protected health information of more than 700,000 residents. An Illinois man is charged with hacking Snapchat accounts to steal nudes. Our guest is Caitlin Clark, Senior Director of Cybersecurity Services at Venable, with insights on CISA 2015. And facial recognition that's barely controversial.
It's Thursday, January 8th, 2026. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us.
The Trump administration is suspending U.S. support for several international organizations, including two focused on cybersecurity, as part of a broader withdrawal from multilateral institutions. An executive order signed yesterday by Donald Trump directs the United States to exit 66 international bodies, including 31 affiliated with the United Nations, on the grounds that continued participation is contrary to U.S. interests. Among the affected organizations are the Global Forum on Cyber Expertise, which supports global cybersecurity capacity building, and the European Centre of Excellence for Countering Hybrid Threats, which focuses on countering blended cyber, information and political threats. Federal agencies have been instructed to end participation and funding where legally permitted. Secretary of State Marco Rubio said many of the targeted bodies are redundant, mismanaged or driven by ideological agendas that conflict with U.S. priorities. The withdrawals also include organizations focused on climate, human rights and international law, marking one of the most extensive pullbacks from multilateral engagement in years.
A maximum severity vulnerability called Ni8mare (there's an eight in there) allows remote, unauthenticated attackers to fully compromise locally deployed instances of the n8n workflow automation platform. The flaw carries a 10.0 severity score and affects more than 100,000 exposed servers, according to researchers at Cyera. The issue stems from content type confusion in how n8n parses webhook data, allowing attackers to bypass file upload protections and read arbitrary files from the underlying system. This can expose secrets such as API keys, credentials and session data and may enable further compromise. n8n developers warn there's no official workaround beyond restricting public webhooks and urge users to upgrade to the latest version to fully remediate the risk.
Cisco has released patches for a vulnerability in its Identity Services Engine, or ISE, network access control platform after public proof of concept exploit code appeared online. The flaw affects Cisco ISE and ISE Passive Identity Connector regardless of configuration. According to Cisco, attackers with valid administrative credentials could exploit improper XML parsing in the web interface to read arbitrary files, including sensitive data. Cisco reports no active exploitation, but urges customers to upgrade promptly.
Meanwhile, the US Cybersecurity and Infrastructure Security Agency has flagged a critical HPE OneView vulnerability as actively exploited in the wild. The flaw allows unauthenticated attackers to achieve remote code execution on unpatched systems, according to CISA and Hewlett Packard Enterprise. The issue affects all OneView versions before 11.0 and has no mitigations. Federal agencies must patch by January 28, and others are urged to update immediately.
Researchers at Cyble Research and Intelligence Labs have uncovered a sophisticated multi-stage malware campaign that uses a shared commodity loader across multiple threat actor groups. The operation targets manufacturing and government organizations, with confirmed activity in Italy, Finland and Saudi Arabia. Phishing emails posing as purchase orders deliver weaponized Office files, SVGs or zip archives containing link shortcuts, all funneling victims into the same evasive loader. The campaign deploys remote access trojans and information stealers including PureLog, AsyncRAT and Remcos. Attackers use layered obfuscation, steganography hosted on legitimate platforms, trojanized open source code and process hollowing to evade detection. Analysts assess the shared infrastructure and evolving techniques as evidence of coordinated, high maturity threat activity.
Microsoft is pushing back on claims that several issues reported in its Copilot AI assistant qualify as security vulnerabilities, underscoring a growing rift between vendors and researchers over how AI risk is defined. Security engineer John Russell said Microsoft dismissed four reported flaws, including prompt injection, system prompt leakage, sandbox command execution, and a file upload restriction bypass using Base64 encoding. Microsoft argues these behaviors do not cross a security boundary and therefore fall outside its vulnerability criteria. Some researchers agree the issues reflect known limitations of large language models rather than exploitable flaws. Others counter that competing tools such as Claude from Anthropic appear more resistant, suggesting gaps in input validation. The OWASP GenAI project takes a middle ground, warning that prompt disclosure matters only when it enables real world impact. The debate highlights unresolved questions about what "secure" means for generative AI systems.
Elsewhere, Microsoft will begin fully enforcing multi-factor authentication for all users accessing the Microsoft 365 admin center starting February 9th of this year. After that date, administrators without MFA enabled will be blocked from signing in to key admin portals, according to Microsoft. The move builds on a rollout that began in early 2025 and is intended to reduce the risk of account compromise from phishing and credential abuse. Microsoft is urging organizations to enable MFA now to avoid administrative access disruptions.
The Illinois Department of Human Services disclosed that it inadvertently exposed personal and protected health information of more than 700,000 residents by posting data to public online mapping platforms. The information, including names, addresses and benefits status, remained accessible for up to four years before removal in September. Affected individuals include disabled clients and Medicaid and Medicare Savings Program recipients.
While no misuse is known, the data falls under HIPAA protections, prompting policy changes to prevent similar disclosures.
An Oswego, Illinois, man has been charged in a federal case involving the hacking of Snapchat accounts. Prosecutors say 26-year-old Kyle Svara obtained Snapchat access codes for nearly 600 women and unlawfully accessed more than 50 accounts to steal nude images. He faces charges including aggravated identity theft, wire fraud and computer fraud. Authorities allege he was hired by former Northeastern University coach Steve Waithe, who is already imprisoned. Svara is scheduled to appear in federal court in Boston on February 4th.
Coming up after the break, my conversation with Caitlin Clark, senior director for cybersecurity services at Venable. We're discussing insights on CISA 2015. And facial recognition that's barely controversial. Stick around.
What's your 2 a.m. security worry? Is it "Do I have the right controls in place?" Maybe "Are my vendors secure?" Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally, get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold.
With ring fencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today.
Caitlin Clark is Senior Director for Cybersecurity Services at Venable. I recently caught up with her to discuss insights on CISA 2015.
A
I describe the Cybersecurity Information Sharing Act of 2015, which I will be very clear, I say the full acronym so that we don't confuse it with an agency. I see it as a voluntary framework that authorizes private sector entities to monitor and operate defensive measures on its own information systems and then authorizes those entities to share or receive cyber threat indicators with the federal government and with other private entities. And the key part of this legislation is, as part of that voluntary sharing framework, that there are legal protections for those who are involved in the information sharing activity so that they are protected from antitrust, from federal and state disclosure requirements, from how the US government can potentially use that information for enforcement actions. It's limited, and so it is a voluntary framework that does not require entities at all to participate, but it provides clarity and certainty around the legal environment in which information sharing can happen.
B
And so what did it enable? What did it allow to happen between the private sector and the government?
A
So I think it's really important to recognize that information sharing happened before the passage of this legislation in 2015. What the legislation provided was clarity around protections, as I just described, for companies who were sharing information. So if I were a bank and I had information about a cyber threat that was impacting my systems or network, I could share that information with another bank through an information sharing analysis center or other information sharing arrangements without fear that I am violating any, you know, antitrust rules or that I might be sued for sharing that information with that other bank, and then with the government. It's an ability to share what you're seeing on your network with the government, who's getting additional reporting in, and they're able to provide a picture of potentially ongoing cyber campaigns or new tactics, techniques and procedures that are being seen by one company that could help protect others. And so it's just, it really sped up that process. So as I said, information sharing was happening before, but oftentimes you'd bring in your lawyers to say, hey, I want to share this piece of intelligence with somebody else. Can you review it and give me the permission to share? And that would potentially take some time to get to yes, or not everything could be shared because they would, there would be concern about, again, liability, risk of sharing whatever it is that you had. The beauty of the voluntary framework is it took that discussion out of the mix and so information sharing was sped up. You did not need to bring your lawyers into the conversation. If I was a cyber threat intelligence analyst and I had a piece of information that I thought was helpful to share with other companies or with the government, I could do so because I felt I had the clarity around sharing that information, and it just, it sped up cyber defenses for the last 10 years.
B
Well, it strikes me that this was, I guess, comparatively non-controversial. Was there anyone who came out against this sort of thing?
A
There were, there were some concerns about the types of information that may be shared, and particularly around privacy and if the, you know, if there was any personally identifiable information that could be incorporated into a cyber threat indicator. And Congress specifically added a requirement in the legislation in 2015 that said PII must be removed from any cyber threat indicator or defensive measure before it can be shared. And Congress also added language restricting the government's disclosure and retention and use of the cyber threat information for very specific purposes, again for protecting federal networks or further sharing, for protecting other critical infrastructure networks. So the challenge here was kind of around what could be shared under the CISA 2015 framework, and that was really addressed through Congress adding the language around requirements for removing PII. And I think I've seen a ton of OIG reports in the years since. And the inspector generals have not seen any violation of that clause in the legislation where PII was shared inappropriately; they've seen that in fact, it is stripped out before information is shared.
B
Well, how successful has it been looking back? Do people consider this to be overall a good thing?
A
Yes, I think that they do. You know, again, information sharing was happening prior to the passage of this legislation in small pockets of trust. Right. The telecommunications sector was sharing information, the financial sector was sharing information. But what, what you saw after the passage of the Cyber Information Sharing Act of 2015 was the stand-up of a lot more information sharing organizations. You saw things like the Cyber Threat Alliance stand up, which is a bunch of cybersecurity companies who have a lot of telemetry and visibility across multiple companies, and they were able to share information amongst themselves. Right. So it's, it kind of, it opened the aperture from very small circles of trust to an apparatus for cyber defense that really enables real time sharing in many different sectors across the US economy.
B
Well, we had the recent government shutdown, and this legislation lapsed. Where do we find ourselves today?
A
Well, since the continuing resolution was passed, the CISA 2015 authorities have been extended to the length of the continuing resolution, so the end of January 2026. What I think you saw is, what during that lapse is what we saw prior to CISA 2015, in that information was still being shared, but there was additional friction in the process. Right. Because lawyers had to be brought back in. They had to. And I, and I work in a law firm and I love lawyers. I'm not one myself, but, you know, they slow things down. Sometimes it takes a while for them to do a risk assessment and get to yes, and I think that there has been some anecdotal evidence that, yes, information sharing still occurred, but not as quickly as it would have occurred if the protections were clearly in place.
B
That's Caitlin Clark from Venable. Just a quick program note. This is an interview from the Caveat podcast. So if you'd like to hear the complete version, do check out Caveat. You can find that on our website or wherever you get your favorite podcasts.
And finally, when a grizzly injured a group of school children near Bella Coola, Canada, in late 2025, officials launched a determined hunt for the responsible bear. Helicopters flew, traps snapped shut, DNA was tested, and four very innocent bears were briefly inconvenienced before being released. After three weeks, the case went cold. The suspect, a mother grizzly with cubs, remained anonymous. Bears, it turns out, all look suspiciously like bears. That frustration helps explain growing interest in facial recognition for wildlife. Tools like BearID use artificial intelligence to identify individual bears by facial geometry, even as their bodies swing seasonally from lean to Fat Bear Week finalist. For ecologists, this promises better population counts and behavior tracking. For humans, facial recognition remains controversial, often described as dangerous, invasive and error prone. For bears, the ethical stakes are lower. No surveillance capitalism, no constitutional rights, just fewer mistaken identities and possibly fewer wrong bears getting hauled off for questioning. The bears have yet to lawyer up.
And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco.
Date: January 8, 2026
Host: Dave Bittner
Guest: Caitlin Clark, Senior Director of Cybersecurity Services, Venable
This episode of CyberWire Daily tackles the major shift in U.S. cybersecurity engagement: America’s abrupt withdrawal from international cybersecurity organizations as directed by President Trump, along with industry news on recent vulnerabilities and threat activity. The episode concludes with a deep-dive interview with Caitlin Clark of Venable, focusing on the Cybersecurity Information Sharing Act of 2015 (CISA 2015) and its recent lapse, and muses on the use of facial recognition in wildlife versus human contexts.
Segment Begins: [14:06]
"I see it as a voluntary framework that authorizes private sector entities to monitor and operate defensive measures on its own information systems and then authorizes those entities to share or receive cyber threat indicators with the federal government and with other private entities."
— Caitlin Clark [14:06]
"It's just, it really sped up that process...the beauty of the voluntary framework is it took that discussion [with lawyers] out of the mix...it sped up cyber defenses for the last 10 years."
— Caitlin Clark [16:50]
"There were some concerns about the types of information that may be shared and particularly around privacy...Congress specifically added a requirement...that PII must be removed from any cyber threat indicator..."
— Caitlin Clark [17:58]
"It opened the aperture from very small circles of trust to an apparatus for cyber defense that really enables real time sharing in many different sectors across the US Economy."
— Caitlin Clark [19:50]
"During that lapse...information was still being shared, but there was additional friction in the process. Right. Because lawyers had to be brought back in..."
— Caitlin Clark [20:44]
For further details, visit thecyberwire.com and check out the episode’s full guest interview on the Caveat podcast.