A
You're listening to the CyberWire network, powered by N2K. The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales you can secure what matters most. With Thales industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at. The House passes a defense policy bill that includes new provisions on cybersecurity and AI. Senator Wyden accuses Microsoft of gross cybersecurity negligence after a 2024 ransomware attack crippled healthcare giant Ascension. The White House shelves plans to split U.S. Cyber Command and the NSA. The Pentagon finalizes its long-awaited Cybersecurity Maturity Model Certification rule. The Akira ransomware group targets SonicWall devices. Officials warn solar-powered highway infrastructure should be checked for hidden radios. The Atlantic Council maps the global spyware market. Researchers uncover serious flaws in Apple's AirPlay. A European DDoS mitigation provider thwarts a record-breaking attack. My Caveat co-hosts Ethan Cook and Ben Yellen unpack the cyber elements of the Big Beautiful Bill. And who fixes the vibe code? It's Thursday, September 11th, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief.
Thanks for joining us here today. It's great to have you with us. The U.S. House of Representatives has passed an $848 billion defense policy bill that includes new provisions on cybersecurity and artificial intelligence. The National Defense Authorization Act was approved in a 231 to 196 vote and sets Pentagon policy for the year. While less sweeping than past cyber debates, the bill still carries weighty digital measures. It directs the NSA to brief lawmakers on plans for its Cybersecurity Coordination Center and requires combatant commands to report on Cyber Command's support. The Pentagon would also build a software bill of materials for AI-enabled tools and pursue up to 12 initiatives using generative AI for cybersecurity and intelligence. Amendments adopted allow threat sharing between the NSA and the private sector and task the DoD with studying the National Guard's cyber response role. The Senate will take up its version next week. Senator Ron Wyden is urging the Federal Trade Commission to investigate Microsoft after a 2024 ransomware attack crippled Catholic healthcare giant Ascension. Wyden accuses Microsoft of gross cybersecurity negligence, citing its default support for RC4 encryption, a 1980s-era standard vulnerable to a hacking method called Kerberoasting. Attackers allegedly exploited this weakness in Ascension's Microsoft Active Directory, spreading ransomware that disrupted 140 hospitals across 19 states and exposed data on nearly 6 million patients. Wyden argues Microsoft failed to warn customers clearly, instead burying guidance in obscure blog posts. Microsoft acknowledges RC4's risks but said abruptly disabling it would break systems, pledging instead to phase it out by 2026. Wyden likened Microsoft to an arsonist selling firefighting services, given its market dominance in enterprise IT.
The Trump administration has decided to keep U.S. Cyber Command and the NSA under dual-hat leadership, shelving plans to split the roles due to the complexity and risks of restructuring. Officials concluded a separation could take six years, slowing national security priorities. Army Lt. Gen. William Hartman, currently acting leader, is Trump's choice to head both agencies permanently, reinforcing the arrangement's benefits for speed, coordination and unified direction. Lawmakers largely support the move, warning a split could weaken U.S. cyber and intelligence capabilities. The Pentagon has finalized its long-awaited Cybersecurity Maturity Model Certification rule, requiring stricter cyber standards for defense contractors. The framework, first proposed in 2019, aims to safeguard sensitive but unclassified information across the Defense Industrial Base, which includes over 300,000 companies. It will be rolled out in three phases over three years starting November 10th. CMMC sets three security levels: contractors handling federal contract information may self-attest, while those with more sensitive data must undergo third-party or Defense Industrial Base Cybersecurity Assessment Center certification. The program reduces the original five levels to three, easing compliance concerns for small businesses. Still, experts warn, most contractors lack strong governance and encryption practices. Ultimately, nearly all defense vendors will need to adjust operations to meet the new requirements. In August 2024, SonicWall disclosed an SSL VPN flaw affecting their Gen 5 through Gen 7 firewalls. Though patches were released, incomplete remediation left devices exposed. The Akira ransomware group has since exploited this, combining the CVE with two additional issues: over-provisioned access from SSL VPN default groups and public exposure of the Virtual Office portal, which attackers use to hijack MFA setups.
Rapid7 has observed rising intrusions and urges organizations to patch, enforce MFA restrictions, restrict portal access, rotate local accounts and monitor SSL VPN activity closely. The U.S. Department of Transportation has issued a security advisory warning that solar-powered highway infrastructure such as EV chargers, traffic cameras and weather stations should be checked for hidden devices like undocumented radios, Reuters reports. Officials say foreign-made inverters and battery management systems have been found with rogue components, often linked to Chinese suppliers. These devices could enable remote tampering, triggering outages or data theft. Experts warn they might also sabotage roadside systems or autonomous vehicle networks. The advisory urges transportation operators to inventory inverters, use spectrum analysis to detect unauthorized signals, remove rogue radios and ensure network segmentation. The warning comes amid wider U.S. efforts to limit Chinese technology in critical infrastructure, including restrictions on Chinese-made cars set to take effect by 2026. Spyware, the commercial intrusion software enabling covert access to devices, poses acute human rights and national security risks. The Atlantic Council's updated Mythical Beasts project maps the market through 2024, expanding its data set to 561 entities across 46 countries. Notably, U.S.-based investors now make up the largest share despite U.S. sanctions, visa restrictions and diplomacy aimed at curbing proliferation. Resellers and brokers have also emerged as critical, under-researched intermediaries that obscure vendor-buyer links and expand regional reach. Recent events underscore the stakes. NSO Group was fined $168 million in the U.S. over Pegasus targeting WhatsApp. The report highlights persistent patterns like jurisdiction hopping, serial entrepreneurship and hardware partnerships, and major transparency gaps in corporate registries.
Policy recommendations center on tightening oversight of outbound U.S. investment, boosting disclosure and due diligence, scrutinizing intermediaries and improving public registries to increase accountability and slow the spread of abusive malware. Researchers at Oligo uncovered serious flaws in Apple's AirPlay protocol and SDK, dubbed AirBorne, that could enable remote code execution, data theft and man-in-the-middle attacks. One bug allows wormable zero-click exploits. Oligo demonstrated attacks on Apple CarPlay, showing hackers could connect via USB, Wi-Fi or Bluetooth due to weak authentication in CarPlay's iAP2 protocol. Attackers can impersonate iPhones, steal Wi-Fi credentials and hack systems. Apple patched back in April, but most automakers have yet to deploy fixes, leaving millions of vehicles exposed. A European DDoS mitigation provider was hit by a record-breaking attack, peaking at 1.5 billion packets per second. The assault, launched from thousands of compromised IoT devices and MikroTik routers across 11,000 networks, was mitigated by FastNetMon using the customer's scrubbing facilities and ACLs on edge routers. Though the target wasn't named, the attack highlights the growing weaponization of consumer hardware. FastNetMon's founder warned that without proactive ISP-level filtering, such massive UDP floods could overwhelm defenses and cause widespread service disruptions. Coming up after the break, my Caveat co-hosts Ethan Cook and Ben Yellen unpack the cyber elements of the Big Beautiful Bill. And who fixes the vibe code? Stay with us. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust tasks, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber. This episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again.
B
You fix the problem. So why wait to hire the people.
A
Your company desperately needs? Use Indeed sponsored Jobs to hire top.
B
Talent fast and even better, you only pay for results.
A
There's no need to wait. Speed up your hiring with a $75 sponsored job credit at Indeed.com/podcast.
B
Terms and conditions apply.
A
The Caveat podcast is where my co-hosts Ethan Cook and Ben Yellen and yours truly look at policy issues affecting cybersecurity. On our latest episode, Ethan and Ben unpack the cyber elements of the Big Beautiful Bill. All right, well, let's start at a high level here. I mean, for folks who may not have followed every detail. Ethan, unpack this for us. What is the Big Beautiful Bill and why has it generated so much debate?
B
Yeah, so the Big Beautiful Bill, for context, legally known as H.R. 1, is, I guess, the stepping stone for the Trump administration and its major funding effort for the next four years. Obviously there's going to be other funding that comes through, but this is a really big hallmark of what its intentions are for the next four years and what it is trying to do. So some of the big things that came through this were the extension of the tax cuts from 2017, obviously I already mentioned the social program cuts, but also a massive influx in spending. I believe it's $150 billion, with a B, into defense, as well as another $150 billion put into border security. Not going to cover that portion today, purely looking at the defense aspect. But in here we have things related to procuring new technologies, improving supply chain resiliency, things along those lines. And the spending is kind of crazy. It puts U.S. spending on the military over $1 trillion. And this money, while I say $150 billion is a lot, worth noting, it is over the next four years. It's not just 2025, 2026. It is a four-year program for a lot of these things. But I do think it's worth looking at what these programs are because it is very indicative of what the Trump administration is trying to do from a defense perspective.
A
Yeah. Can I be snarky and say, should we call it defense or war?
B
I think they put on the website.
A
That.
B
The Department of War is just a nickname. It's not legally changing it.
A
Well, because it requires an act of Congress to legally change it. And I guess they'll have trouble with that.
C
There is a new placard, though, outside.
B
Of there is a new placard.
C
Secretary of Hegseth's office. So we do have that. Yep.
A
Yeah. Yeah. All right, well, so enough of my snark. Let's dig into some of the details here. I mean, my understanding is that a big part of this is defense modernization. What exactly do they mean by that?
B
So I think the defense modernization aspect is saying that for the next 10 years minimum, wars, and I guess the lead-up to a war, are not going to be won by just raw manpower; they're going to be won by technological advancement. And some people are going to say, well, that's obvious. You know, that's the way it's been forever. Right. You know, whoever developed the bow and arrow over the other group was better. Right.
A
Gunpowder.
B
But I think what that means for the modern context is things like investing in mesh networks and communication capabilities. There's $300 million provisioned just for mesh networks in the Indo-Pacific region. They also are putting $400 million into the development of advanced command and control tools, $500 million for accelerating the integration of 5G and 6G technologies across the military, and many others. And we can go on. I think one of the most important ones was the $500 million to prevent the delay of delivering AI-related military capable tools.
A
Hmm. Ben?
C
Yeah, I mean, I think there's a theme here. I think it's reflected in the $1 billion for offensive cyber operations, which is a really significant investment, and I think it signifies an acceleration of a strategy that all three of us have talked about, pushing to more offensive cyber operations as a weapon of foreign policy. The rest of it seems like they could have been bipartisan investments in the Department of Defense. I don't think, if you were to go line by line here, there's anything that most members of Congress would per se object to in the context of a much larger bill. It is a significant increase in defense spending. And depending on what your priorities are, I mean, I think the controversy is whether that money would have been better spent elsewhere. Like, I don't think there's anything particularly controversial about the line items in the section here for the Department of Defense.
A
Yeah. So Ethan, you mentioned that one of the bill's focal points is the Indo-Pacific Command. What makes that region a priority?
B
China. The simple answer to that is China. I think the Trump administration has obviously always been very anti-China, even under his first administration. And while the Biden administration was also not on the best of terms with China, the second Trump administration I expect to be just as hostile, if not more so, over that relationship. And I think the massive amount of money that they poured from just this bill alone into the Indo-Pacific Command is very indicative of where they say we need to focus our money. We need to not just keep diverting resources, but add resources, because again, this is in addition to the money we have already spent to boost that region. We're putting billions of dollars more into that effort. And I think it's not just about building advanced technologies. It's about building a series of networks and control in that area with allies, to ensure that, because it's so large, we can communicate efficiently, that those areas have the infrastructure in place to really make sure that we can control and have predictability in the area, and to make sure that there's nothing happening that we can't control or that we can't respond to very quickly.
A
Yeah. This bill also has a lot of funding for supply chain resilience. What's the concern there for both the military and the broader economy?
B
So I think from the supply chain aspect, a key part of it is making sure the U.S. always has access to critical minerals for semiconductors and AI-related products. I believe that there was $5 billion put in for investments into critical mineral supply chains, among other similar ones. They also are expanding not just the raw ability to acquire, but the ability to predict and analyze what is needed. They put in $25 million, which, now, that doesn't sound like a lot, but that's purely for the expansion of their industrial policy workforce. So they're putting $20 million into just expanding the Department of Defense's ability.
C
Nice stimulus for law and policy analysts out there.
B
Yeah, exactly. And I think the reason why that stood out to me was because at a time when the U.S. government, and specifically the Trump administration, has been cutting not just within certain agencies but across the board, has been cutting positions within the DoD, within CISA, et cetera, this marked a, hey, we're not cutting here, we're expanding. This is something that we're investing in, that industrial policy. Security is really important, especially under the Department of Defense. I think that was a huge indicator of what they're trying to do, and to really ensure that the department, the military, has not only access to these consistently, but not just for right now, for the next 10, 15 years.
A
Be sure to check out the complete episode of Caveat wherever you get your favorite podcasts.
B
When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets mom's 60th, and never miss a meme or milestone. All protected with end-to-end encryption. It's time for WhatsApp. Message privately with everyone. Learn more at WhatsApp.com. Abercrombie is an
A
official fashion partner of the NFL, and I'm CeeDee Lamb, wide receiver for the Dallas Cowboys. You know I'm here for Abercrombie's Cowboys gear. That's not a question, but I need a whole wardrobe to go with it.
B
No shit to the guys, but I'm.
A
Used to having the best tunnel fits.
B
This season, Abercrombie has me covered. Shop NFL by Abercrombie in the app, online and in store.
A
And finally, the rise of vibe coding, that magical process where AI generates software that looks fine until it implodes, has given birth to an unlikely cottage industry: vibe code fixers. What began as a LinkedIn meme about cleanup specialists has become a legitimate business. Freelancers like Hamid Siddiqui now offer to fix clunky front ends, optimize messy code, and rescue apps that crash whenever somebody sneezes. Companies such as Ulam Labs openly advertise post-vibe cleanup services, while vibecodefixers.com connects desperate founders with seasoned developers. The common issues are as predictable as they are tragic: broken features when new ones are added, inconsistent design, and what one founder calls credit burn, wasted money on AI usage fees as apps unravel in their final stages. Despite the chaos, vibe coders remain emotionally attached to their Franken-apps. As Swantantra Soni puts it, AI may help people prototype, but humans will still be needed to keep this AI on the leash. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwiren. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
B
And Doug Limu and I always tell you to customize your car insurance and save hundreds with Liberty Mutual. But now we want you to feel it.
A
Cue the emu music.
B
Limu Save yourself money today. Increase your wealth. Customize, ease and save. We save. That may have been too much feeling.
A
Only pay for what you need at libertymutual.com. Liberty, Liberty, Liberty, Liberty. Savings vary. Underwritten by Liberty Mutual Insurance Company and affiliates. Excludes Massachusetts.
Date: September 11, 2025
Host: Dave Bittner (N2K Networks)
Featured Segment: Caveat co-hosts Ethan Cook and Ben Yellen
This episode covers a dynamic range of cybersecurity headlines and policy developments from around the world, with a particular focus on how artificial intelligence is shaping defense strategies. The main theme centers on the intersection of cyber capabilities and policy as reflected in the US House’s newly passed defense policy bill—the so-called "Big Beautiful Bill"—and its implications for the military, government, and private sector. The episode also highlights emergent threats and trends, such as attacks exploiting SonicWall devices, supply chain security, spyware proliferation, and the growing "Vibe code fixer" cottage industry spawned by AI-generated software.
[Starts 14:49]
Co-hosts Ethan Cook and Ben Yellen join Dave Bittner to analyze the cyber/AI components of the massive defense spending bill ("Big Beautiful Bill") and its implications.
This episode delivers a comprehensive review of how cyber and AI issues are now at the center of U.S. defense planning, a reflection of state-level and global cyber risks, and industry adaptation. Practical takeaways include the importance of patching vulnerabilities fast, fortifying supply chains, scrutinizing commercial spyware, and recognizing the increasing overlap between human expertise and AI in software development. The analysis of the defense bill provides a window into both policy priorities and real-world technical shifts for listeners across the cybersecurity spectrum.