Dave Bittner
You're listening to the CyberWire network, powered by N2K.
Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now our listeners get a special 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
Police make multiple arrests in the retail cyber attack case. French authorities arrest a Russian basketball player at the request of the US. A German court declares open season on Meta's tracking pixels. The European Union unveils new rules to regulate artificial intelligence. London's Iran International News confirms cyberattacks from Banished Kitten. Treasury sanctions a North Korean hacker over fake IT worker schemes. Microsoft confirms a widespread issue preventing organizations from deploying the latest Windows updates. Agreements over AI help end a year-long Hollywood strike. Researchers take an in-depth look at ClickFix. I'm joined by Ben Yellen and Ethan Cook for a look at Congress's recent attempts to limit AI regulation through preemption. And password insecurity, with a side of fries.
It's Thursday, July 10, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great as always to have you with us.
Four people, all under the age of 21, have been arrested over cyber attacks that hit major UK retailers including Marks and Spencer, Co-op and Harrods. The National Crime Agency said the April ransomware attack on M&S was the most severe, shutting down online clothing sales for nearly seven weeks and costing about $400 million in operating profit. Those arrested were detained in London and the West Midlands on suspicion of blackmail, money laundering, computer misuse and organized crime. M&S Chairman Archie Norman said the attackers were loosely aligned parties led by DragonForce, and he noted FBI involvement. He urged laws requiring firms to report serious cyber attacks, revealing two recent major incidents in the UK went unreported.
French authorities arrested Russian basketball player Daniil Kasatkin, age 26, at Paris's Charles de Gaulle Airport on June 21 at the request of the US, where he's accused of involvement in a ransomware hacking ring. U.S. officials allege Kasatkin negotiated ransom payments for a group that hacked about 900 companies and two federal agencies between 2020 and 2022. Kasatkin denies the charges, claiming he bought a used computer and is useless with computers, according to his lawyer. The Paris court denied his bail, meaning he remains in custody facing possible extradition. Kasatkin, who played for Penn State in 2018 and 2019 and most recently for Moscow's Mba Mai, had traveled to France with his fiance. His lawyer said his physical condition in detention threatens his basketball career.
A German court has ordered Meta to pay €5,000 to a Facebook user for embedding tracking pixels and SDKs in third party websites without user consent, violating GDPR, the Leipzig Regional Court ruled. Meta's tracking technology collects personal data even if users aren't logged in to Facebook or Instagram, enabling profiling for profit. This precedent allows other users to sue without proving individual damages, experts warn.
The ruling could lead to massive class action lawsuits against Meta and any websites using its tracking tools without consent, potentially resulting in business breaking fines. Experts called it one of Europe's most significant rulings this year, noting €5,000 per visitor could multiply rapidly for sites with large user bases.
The European Union has unveiled new rules to regulate artificial intelligence, targeting powerful general purpose AI systems like those from OpenAI, Microsoft and Google. The guidelines, part of the AI Act passed last year, require companies to improve transparency, limit copyright violations and protect public safety. Tech firms must disclose what data trains their models and conduct risk assessments to prevent misuse, such as creating biological weapons. The voluntary code of practice takes effect on August 2, with penalties enforceable from 2026. While EU officials say the rules promote innovation and safety, critics argue they were weakened to gain industry support. Some fear strict regulation will hamper Europe's competitiveness against the US and China. Google and OpenAI are reviewing the guidelines. Microsoft declined to comment. The rules follow growing concerns about AI misuse, including recent antisemitic comments by Elon Musk's chatbot Grok. The AI Act will take full effect in the coming years.
Iran International, a Persian language 24/7 television news network based in London, confirmed that materials published from its journalists' hacked Telegram accounts are linked to two cyber attacks in summer 2024 and January of this year. The news outlet said hackers may have installed malware on journalists' computers through compromised Telegram accounts. Iranian state media published screenshots from internal chats earlier this week. The attacks were carried out by Banished Kitten, also known as Storm-0842 and Dune, a group operating under Iran's Ministry of Intelligence.
Iran International said the hacks are part of a broader intimidation campaign, including physical threats against staff. The channel stated it has taken measures to protect employees and will continue its mission of delivering independent, uncensored news. Iran International has been labeled a terrorist organization by Tehran and has faced threats before, including the stabbing of one of their hosts in London in 2024 and a terrorist conviction against a man filming its premises in 2023.
The US Treasury has sanctioned North Korean hacker Song Kum Hyuk for his role in the Andariel group, a sub cluster of Lazarus focused on ransomware and crypto heists. Song facilitated schemes using stolen US identities to help DPRK IT workers get remote jobs at American companies, splitting their income to fund North Korea's weapons programs. Some workers also installed malware and stole data from employers. Andariel, also known as APT45 or Silent Chollima, operates under North Korea's Reconnaissance General Bureau.
Microsoft has confirmed a widespread issue affecting Windows Server Update Services, preventing organizations from syncing with Microsoft Update and deploying the latest Windows updates. The system normally syncs daily, but since last night admins have reported failed sync attempts with errors such as a connection attempt failed and net timeouts. Microsoft identified the root cause as a problematic update revision in the storage layer that blocks synchronization. The issue began about 12:30am Eastern Time and affects both automatic and manual syncs. Microsoft says there are currently no workarounds and that they are working on a fix.
Hollywood video game voice and motion capture actors have signed a new contract with game studios, ending a nearly year long strike. The deal includes AI consent and disclosure requirements to protect performers, along with safety measures and medics for high risk motion capture jobs.
Actors will receive a 15% pay increase with additional raises through 2027. SAG-AFTRA highlighted AI protections as the key achievement, with negotiation committee member Sarah El Male calling AI the centerpiece of their proposal package.
Palo Alto Networks Unit 42 has published an in depth analysis of ClickFix, the rising social engineering technique where attackers trick users into running malicious commands disguised as quick fixes for computer issues. Campaigns in 2025 include NetSupport RAT, Latrodectus malware and Lumma Stealer, targeting sectors from finance to healthcare. ClickFix lures often abuse legitimate brands like DocuSign or Okta and exploit clipboard injection, instructing victims to paste harmful PowerShell commands. These attacks bypass standard detection as victims execute malware themselves, enabling credential theft, RAT infections, and ransomware. Hunting tips include reviewing RunMRU registry keys, EDR telemetry, clipboard use, and event ID 4688 for suspicious process launches. Palo Alto urges organizations to deploy strong detection, educate employees, and remain vigilant as ClickFix evolves rapidly across global attack campaigns.
Coming up after the break, my conversation with Ben Yellen and Ethan Cook. We're looking at Congress's recent attempt to limit AI regulation through preemption. And password insecurity, with a side of fries. Stay with us.
Compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key areas, compliance, internal and third party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.
And now a word from our sponsor, CloudRange. At CloudRange, they believe cybersecurity readiness starts with people, not just technology. That's why their proactive simulation based training helps security teams build confidence and skill from day one by turning potential into performance. They empower SOC and incident response teams to respond quickly, smartly, and in sync with evolving threats. Learn how CloudRange is helping organizations stay ahead of cyber risks at www.cloudrange.com.
Ben Yellen is my co-host over on the Caveat podcast and on our most recent episode, we were joined by our N2K colleague, Ethan Cook. We took a look at Congress's recent attempt to limit AI regulation through preemption. So, Ethan, you have written up quite a set of notes for us to discuss preemption here today. Maybe I start with you, give us a little insights into this journey as you took on this topic.
Ethan Cook
Yeah. So, you know, there was a weird thing going on in Congress that we haven't seen in a little bit. And it's not that it's haven't happened before and it's not that it's not been, you know, popular before, but it's not necessarily the flashy thing to talk about, but it had a lot of impact. And that was a moratorium going through the House at the time and has now gone through and failed in the Senate. But the whole point of it was to use federal preemption to ban all state. Not bad. Negate all state AI laws that have been passed already and prevent any other ones from being passed for the next 10 years, which when you say that out loud, sounds really extreme and kind of convoluted and the antithesis of what honestly both parties kind of put forward, which is that we value states having opinions. There's a value there. No one really ever says states shouldn't ever be able to have any say over a matter. And this whole moratorium felt completely the opposite. It felt like it was a complete removal of power. And this has been done before and it gained a lot of notoriety very quickly. And you know, as we were talking, Ben pointed out that this while is a kind of off the beat subject. It had a lot of relevance and should was worth looking into. And you know, since then, and after doing my research and writing this up, I mean, I would agree this is a very interesting topic and I think it's going to set up a larger conversation about what AI policy looks like in the next five years.
Dave Bittner
Ben, what do you make of this?
Ben Yellen
So first of all, I want to thank you guys and our audience for indulging because this is really nerding out on a legal concept. But I hope to try and illustrate why I think preemption is such an important topic because a lot of what we discuss on this podcast are laws and policies. And in case you haven't noticed, Congress, though they've been a little bit more productive this year, is slow to address societal problems. It's polarized. It is famously inefficient. It has arcane rules that prevent just the routine passage of small pieces of legislation. Things like requiring unanimous consent in the Senate for most things and having a 60 vote threshold for most things to get through the Senate. So that leaves the states, and the states generally are well positioned. The Constitution gives states police powers to protect the health, safety and welfare of their citizens. As long as states are not violating the federal constitution or their own state constitutions, they can pass laws on anything. And they do. I think I mentioned in one of our previous episodes that Maryland just officially labeled the Orange Crush as our official cocktail. Wow, I didn't know that.
Dave Bittner
I did not know that.
Ben Yellen
Always on top of the critical issues here. Okay, so what makes preemption so interesting is it's the federal government taking the keys away from state governments and their ability to experiment with laws and regulations, especially on topics like artificial intelligence, where things are rapidly developing and state legislators and legislatures need to be nimble and to be able to develop fast acting policy solutions to address problems that are impacting their citizens. And the reason that this AI provision, which ultimately failed, as you said, raised my eyebrows, is that this would have handcuffed the states from responding to new developments in AI. If we've had executive orders from the past two presidential administrations, not much of that is kind of like binding policy. So it would be all right. Federal government hasn't passed any AI regulation, state governments can't pass any AI regulation, so who's going to protect us?
Dave Bittner
So before we dig into the details of this AI policy, can we touch on some of the history here? I mean, what is there in the Constitution that gives the feds the power to preempt the states?
Ben Yellen
So this comes from the Supremacy Clause, which says that federal laws are the supreme law of the land. The caveat to that, so to speak, is that Congress is limited to its enumerated powers. So Congress could only pass laws pursuant to Article 1, Section 8 of the Constitution, which has a list of things Congress can do. Because this was written in the 1780s, a lot of these items that are listed in Article 1, Section 8 seem kind of silly, but there are few things that still apply. Raising and supporting armies, protecting intellectual property, those are domains of the federal government. The kind of catch all that's been used to justify a lot of federal action is Congress's ability to regulate interstate commerce. So if Congress wanted to step in and regulate artificial intelligence, they could say, and Supreme Court precedent would back them up, that because this has a substantial effect on interstate commerce, Congress has the power to regulate it. So when you're in an area where Congress has an enumerated power because of the Supremacy Clause, whatever Congress does usurps or supersedes the actions of state governments. So that's where the notion of preemption comes from. What the Supreme Court has held is that Congress has to be pretty specific and explicit about preemption. State action.
Dave Bittner
Yeah. All right. Well, Ethan, what can you tell us about the history of this AI preemption? Any insights on its origin?
Ethan Cook
Yeah. So as many people have probably been aware of, there is a bill that just recently got passed that I think has been the big, beautiful bill, right?
Dave Bittner
Yeah.
Ethan Cook
And it is our reconciliation bill for this year. And it has got a lot of feedback, both good and bad, over the past couple weeks. And probably the most infamous moment it had was when it passed the House the first time, when a 215-214 vote, very, very narrow. And there was a lot of criticism, specifically to Republican lawmakers who had the majority, that this bill came together very quickly. It was not read through. It was voted upon and passed to the Senate without really any debate or discussion. And one of the things that happened after it went to the Senate was people started kind of breaking it down and actually looking what was in this thing. And they discovered this moratorium. And it gained a lot of pushback instantly from people basically saying that on both sides of the aisle. By the way, this was not just a Democratic pushback, saying that this is not what we're about. We don't have anything in place federally to kind of cover our bases. We're taking away efforts. Obviously, state legislators were very. A lot of state lawmakers came out, were very perceived about this. And the only real argument in favor of this was basically saying that, yeah, we are pulling this because we currently have too many state laws, and it is creating confusion. And what it. What this whole process is doing is causing us to both lose economic advancement and technological innovation. And that was the crux of the argument of why we should preempt state laws in this. And then, you know, and. And then I think the maybe goal was we would pass something eventually that would, at the federal level that would legislate this and, you know, bring some guidance. And then it went to. While in the Senate, and after it was approved by the Senate parliamentarian, Republicans pretty much unanimously pulled support for the moratorium, and it overwhelmingly failed to pass in the Senate and was killed before.
Ben Yellen
It was passed back to House.
Ethan Cook
And the reconciliation bill was eventually passed in general.
Ben Yellen
So this bill provides AI empowered broadband funding to help set up rural broadband across the country. And states would only be eligible for that broadband money if they did not regulate artificial intelligence. So it was kind of the carrot instead of the stick approach.
Dave Bittner
Right. Like the old 55 mile an hour.
Ethan Cook
Speed limit or the classic drinking age. If you bring it to 21, we won't slash your funding. But if you keep it under, you can. You can, but you just won't get the money.
Dave Bittner
Right.
Ben Yellen
And so it was. That sort of approach was held to be constitutional in those two circumstances. But then President Obama, through Obamacare, tried a different tactic in terms of conditioning funding. So they passed the Affordable Care Act with this pretty large expansion of Medicaid. And they said to the states, you either accept this expansion of Medicaid or you will lose all of your Medicaid funding. And the Supreme Court said that that was too coercive. It was the state bas. It was the federal government basically putting a gun to the head of the state. So I don't know how courts would have seen this. I think this is somewhere between drinking age and Medicaid. I don't think it's on either polar end. But that's kind of where the constitutional question would have lied. Is this policy overly coercive? Is it forcing states to do something basically completely against their will? But then I think Marsha Blackburn kind of started to pull away from that deal. And I think Cruz realized he didn't have the votes. They actually put an amendment up during consideration of the bill in the Senate to strip out this AI preemption provision. It passed 99 to 1, which is just very interesting. So what's the point in supporting this provision? It's not like it's politically popular.
Dave Bittner
Wasn't worth fighting over. Yeah, I saw at one point he tried to cut it down to five years instead of 10.
Ben Yellen
Yeah, I mean, I think he tried.
Ethan Cook
Like four different things. They were going back to negotiations to try and make it work. It was approved by the parliamentarian, it was then unapproved by the parliamentarian, it was then reapproved by the parliamentarian. So it went back and forth through multiple iterations within the Senate and ultimately just never gained the support that it needed.
Ben Yellen
Yeah. And so at the end of the day, this provision didn't pass. You know, I think from our perspective, it's worth noting what kind of state regulations this would have preempted. States have started to take action on AI policy, setting up governance structures for AI, promulgating rules on which AI tools can be used by various government agencies, doing inventory of AI systems in state government offices, certainly in the criminal realm. Restrictions on deep fake pornography. California passed a law restricting the use of artificial intelligence in political advertising. So depending on the version of this moratorium that would have passed, all of those laws would have been declared null and void because of this preemption provision.
Dave Bittner
Be sure to check out the complete episode of Caveat right here on the N2K CyberWire network, or wherever you get your favorite podcasts.
And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker.
On WhatsApp, no one can see or hear your personal messages. Whether it's a voice call message or sending a password to WhatsApp, it's all just this. So whether you're sharing the streaming password in the family chat or trading those late night voice messages that could basically become a podcast, your personal messages stay between you, your friends and your family. No one else, not even us. WhatsApp. Message privately with everyone.
And finally, if you're applying to McDonald's these days, prepare to charm Olivia, the AI chatbot gatekeeper who screens resumes and asks personality test questions with all the warmth of a soggy french fry. But Olivia had a secret: her platform, run by Paradox AI, could be breached with the cybersecurity equivalent of leaving the drive-thru cash drawer open. A password of 123456. Security researchers Ian Carroll and Sam Curry stumbled upon this password tragedy while wondering why burger flippers needed to impress a chatbot. Within half an hour of applying, they accessed up to 64 million applicant records dating back years, thanks to laughably weak security and basic web vulnerabilities. Paradox AI swiftly admitted the oversight, insisting no one else accessed the data and vowing to launch a bug bounty program. McDonald's, meanwhile, said it was disappointed in Paradox AI. It was never their intent to serve up a potential data leak.
You want fries with that?
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Crogl is AI built for the enterprise SOC, fully private, schema free and capable of running in sensitive air gapped environments. Crogl autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context aware, auditable decisions aligned to your workflows. Crogl empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more at crogl.com. That's C-R-O-G-L dot com.
Podcast Summary: CyberWire Daily - "Cybercrime has a Hefty Price Tag"
Key Events:
Notable Quote:
"[...] two recent major incidents in the UK went unreported." — Archie Norman, M&S Chairman [04:55]
Implications: Archie Norman emphasized the necessity for laws mandating the reporting of serious cyberattacks, pointing out gaps in current regulations that allow significant breaches to remain unnoticed.
A. Arrest of Russian Basketball Player Daniil Kasatkin
Notable Quote:
"Kasatkin denies the charges, claiming he bought a used computer and is useless with computers," — Dave Bittner [08:15]
B. US Sanctions on North Korean Hacker Song Kum Hyuk
Notable Quote:
"Andariel operates under North Korea's Reconnaissance General Bureau," — Dave Bittner [12:10]
A. German Court Ruling Against Meta
Notable Quote:
"This precedent allows other users to sue without proving individual damages," — Dave Bittner [09:45]
B. European Union's New AI Regulations
Notable Quote:
"The rules promote innovation and safety, but some fear strict regulation will hamper Europe's competitiveness," — Dave Bittner [10:30]
A. Iran International's Cybersecurity Breaches
Notable Quote:
"The channel stated it has taken measures to protect employees and will continue its mission of delivering independent, uncensored news," — Dave Bittner [11:40]
B. Microsoft’s Widespread Windows Update Issue
Notable Quote:
"Microsoft says they are working on a fix," — Dave Bittner [13:00]
Resolution of the Hollywood Actors' Strike
Notable Quote:
"AI protections are the key achievement," — Sarah El Male, SAG-AFTRA [14:20]
Analysis by Palo Alto Networks Unit 42
Notable Quote:
"ClickFix lures often abuse legitimate brands and exploit clipboard injection," — Dave Bittner [16:05]
A. AI Regulation Preemption
Notable Quote:
"This whole moratorium felt completely opposite to the value states have," — Ethan Cook [15:25]
Notable Quote:
"States are well-positioned to protect the health, safety, and welfare of their citizens," — Ben Yellen [18:12]
B. Historical Context and Constitutional Considerations
Notable Quote:
"Congress has to be pretty specific and explicit about preemption," — Ben Yellen [20:58]
C. Future Implications and State Actions
Notable Quote:
"California passed a law restricting the use of artificial intelligence in political advertising," — Ben Yellen [25:00]
Dave Bittner wrapped up the episode by directing listeners to the complete discussion on the Caveat podcast and encouraging engagement through audience surveys. He also mentioned sponsor messages briefly but ensured they did not overshadow the core content.
Notable Quote:
"Stay with us," — Dave Bittner [27:10]
This summary encapsulates the key discussions and insights from the CyberWire Daily episode titled "Cybercrime has a Hefty Price Tag," providing a comprehensive overview for listeners and those interested in the latest cybersecurity developments.