Dave Bittner (11:50)

Let's be real. Navigating security compliance can feel like assembling Ikea furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SoC2, ISO 27001 and HIPAA, getting you audit ready in weeks, not months. Whether you're a founder, an engineer, or managing it and security for the first time, Vanta helps you prove your security posture without taking over your Life. More than 10,000 companies, including names like Atlassian and Quora, are trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times and the roi. A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off vanta@vanta.com cyber that's v a n t a dot com.

Unknown Guest (13:02)

Foreign.

Tim Starks (13:12)

Secure.

Dave Bittner (13:12)

Access is crucial for US public sector missions, ensuring that only authorized users can access certain systems, networks or data. Are your defenses ready? Cisco's security service Edge delivers comprehensive protection for your network and users. Experience the power of zero trust and secure your workforce wherever they are. Elevate your security Strategy by visiting cisco.comgo.sse that's cisco.comgosse it is always my pleasure.

Tim Starks (13:59)

To welcome back to the show Tim Starks, senior reporter at cyberscoop. Tim, welcome back.

Unknown Guest (14:05)

It's always my pleasure to be back.

Tim Starks (14:07)

Well, Tim, you recently had an article over on Cyberscoop about the WhatsApp vs. NSO group case.

Dave Bittner (14:16)

Some of the legal ramblings that are going on there. Wranglings, I should say.

Tim Starks (14:21)

Paging Dr. Freud. Wranglings, I should say. Bring us up to date here.

Dave Bittner (14:28)

Well, I guess before we do, just.

Tim Starks (14:30)

Briefly explain what the lawsuit between WhatsApp and NSO Group is all about.

Unknown Guest (14:34)

Yeah, there's a couple different cases that are happening. Well, there's more than a couple, but there are a couple particularly big ones that have had some happenings of late. One of Them and I think the biggest of them, the biggest of all the lawsuits really against CNSO Group or any spyware maker for that matter is WhatsApp versus NSO group. And WhatsApp alleged and hearing that case that began several years ago that NSO Group is guilty for spying on something like 1,400 of its users, Innocent Group is saying that's illegal under the cfaa, the sorry Computer Fraud and Abuse act and some other reasons. Privacy invasive. NSO Group says essentially we're not the people who hack anyone. We're just the people who make the, and make the technology that hacks people. And there's the rub. So that's what the case is about. There was a hearing, or rather say an order that came that was handed down this week that was important to how things were going to proceed. So a judge said, we find NSO to be guilty of this behavior. So now they're in the damages phase, deciding how much anybody's going to get out of this. And so a ruling came down this week on what kind of evidence could be happening, what each side could enter when making their case. That's what the ruling was this most recent week.

Dave Bittner (16:00)

Well, what is significant that NSO can no longer bring up.

Tim Starks (16:06)

What are they restricted?

Unknown Guest (16:09)

It's fairly penalizing just by my read. They can't talk about who their clients are. They can't talk about the professions or identities of the alleged victims. And those are pretty big. You know, one of the people I talked to for the story said this kind of goes to the strategy of, the basic fundamental strategy of what NSO Group was going to try to argue, which is, hey, we're, we're representing governments that are doing things that, to crack down on terrorists and criminals. And this really limits what they can argue on that front. There are some other limitations as well on the other side, but they're not as strict. And there were some restrictions I touched on in the story that go to both the plaintiff and the defendant in this case saying essentially, we're leaving reputational harm out of this entirely. We're just not going to get into it on both sides. So it's a really fascinating ruling. As someone who's been following the legal ramifications, the legal battles over spyware, it was a really fascinating ruling saying, hey, innocent group, you're going to try to say we're the good guys. We're not going to let you really say that. And one of the things that was interesting about the ruling is that the judge was really skeptical of NSO Greep's argument, they're saying, hey, look, we're the good guys. We're helping these people catch terrorists, but we can't actually say who the people we work for are. But also, we're the good guys. It was kind of this sort of circular argument that made it so that the judge said, look, you're just not gonna be able to do any of that. Like, you can't be saying, oh, we represent the good guys, but not say who the good guys are. And you can't say, oh, we don't know what they're doing, but we also know that they're doing good things. It was kind of a circular argument that the judge was like, nope, you're not gonna be able to do this.

Dave Bittner (17:51)

So does this shift the focus of.

Tim Starks (17:53)

The trial towards.

Dave Bittner (17:56)

NSO group's conduct rather than their client's conduct?

Unknown Guest (18:00)

Yeah, big time. I mean, one of the. One of the issues. One of the big issues involved in this case was how. How guilty is NSO group for the behavior of the people who use this technology? And. And this. This. This really makes it harder for them to say, you know, we're hands off. We're not. This isn't anything to do. We license. But the judge is basically putting them in a position of saying, you know, look, you are responsible. So now we're just. Now it's just coming down to how much damage are we going to award to the plaintiffs, because we've already found you responsible, and any of the arguments they might have used to mitigate that even, are somewhat restricted now.

Dave Bittner (18:41)

All right, well, before I let you.

Tim Starks (18:43)

Go, you also recently reported on a new, I guess, second in command over at cisa. Who do we have here?

Unknown Guest (18:51)

Oh, no, I actually haven't said his name aloud. So I've got to.

Tim Starks (18:56)

Oh, I see. Oh, I see a print guy on a podcast. The advantage is mine.

Unknown Guest (19:03)

Okay. I'm gonna do my best, and I apologize. To the future. To the future. SISA number two, Gatumakala.

Tim Starks (19:12)

I think that's pretty good.

Unknown Guest (19:13)

I think that's pretty good. But I had not said it out loud because what's interesting is, you know, that they. This. Actually, this wasn't announced by CISA originally. It was announced by. By South Dakota. He's the former CIO and head of their, like, sort of technology division there, the state government. So a lot of this kind of, like, broke late Thursday that he was going to be the person. And I really just had email exchanges with anybody trying to figure out who he was and whether it was true. Cisa has confirmed he is in fact going to be the new deputy director. It's something that's probably a month or more away because he doesn't leave his job in the state position until May 16th. But he's someone who does have a tech background. You and I have talked about some of these appointments, some of these appointments from the Trump administration have not had much in the way of tech or cyber experience. He definitely does have that in multiple jobs. So he looks to be someone who isn't just hired just because. Although I'm sure it has a connection to the fact that he worked for Christian Ohm, who is now the Secretary of Department of Homeland Security and had been the South Dakota governor. So looks like a candidate coming in who has some experience, but we might not get him for more like a month.

Tim Starks (20:22)

Okay.

Dave Bittner (20:22)

All right. Well, progress underway, I suppose. And as they say, time will tell.

Unknown Guest (20:28)

Time will tell. We say it often, you and I, Dave.

Tim Starks (20:31)

We do. We do.

Dave Bittner (20:32)

Because it's true.

Unknown Guest (20:33)

Because it's true. That's why we do it. That's right.

Dave Bittner (20:35)

That's right.

Tim Starks (20:36)

All right. Tim Starks is senior reporter at cyberscoop.

Dave Bittner (20:39)

Tim, thanks so much.

Unknown Guest (20:40)

Thank you.

Dave Bittner (20:58)

And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.

Tim Starks (21:40)

And finally, ever heard of vegetative electron microscopy? No. Good, because it's total nonsense. But thanks to a string of scanning errors, translation mixup, and a little AI mischief, this completely made up scientific term has wormed its way into real academic papers. It all started when 1950s research got poorly digitized, blending unrelated words into something that sounded impressive but meant absolutely nothing. Then, a tiny mistranslation in Farsi helped the error spread even further. Now large AI models, including GPT3 and GPT4, faithfully regurgitate the fake term as if it's a cornerstone of modern science. Researchers are calling it a digital fossil, a mistake now permanently trapped in the AI training ecosystem. And fixing it is next to impossible. So the next time someone drops vegetative electron microscopy in a paper, just know. Science, courtesy of AI sometimes makes stuff up, too. And that's the Cyberwire for links to all of today's stories, check out our daily briefing@thecyberwire.com we got a programming note. There's a special edition that explores the benefits of the cyber startup ecosystem with our partners at Microsoft. You can catch the details of it in our show notes and find it in your cyberwire daily Podcast feed in your favorite podcast app. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire2k.com don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian Show Every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Dave Bittner (24:40)

And now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's Holistic Identity Threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate Darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire.