Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
Chris Pearson
And now a message from our sponsor. Zscaler, the leader in cloud security Enterprises.
Zscaler Representative
Have spent billions of dollars on firewalls.
Chris Pearson
And VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than.
Zscaler Representative
Ever with AI tools. It's time to rethink your security Zscaler.
Chris Pearson
Zero Trust plus AI stops attackers by.
Zscaler Representative
Hiding your attack surface, making apps and.
Chris Pearson
IPs invisible eliminating lateral movement connecting users.
Zscaler Representative
Only to specific apps, not the entire network continuously verifying every request based on.
Chris Pearson
Identity and context simplifying security management with AI powered automation and detecting threats using.
Zscaler Representative
AI to analyze over 500 billion daily transactions.
Chris Pearson
Hackers can't attack what they can't see.
Zscaler Representative
Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
Chris Pearson
A draft Cybersecurity Executive Order from the Biden Administration seeks to bolster defenses. Researchers identify a mass exploitation campaign targeting Fortinet firewalls. A Chinese language illicit online marketplace is growing at an alarming rate. CISA urges patching of a second BeyondTrust vulnerability. The UK proposes banning ransomware payments by public sector and critical infrastructure organizations. A critical flaw in Google's authentication flow exposes millions to unauthorized access. OWASP releases its first Non-Human Identities Top 10. A Microsoft lawsuit targets individuals accused of bypassing safety controls in its Azure OpenAI tools. Our guest is Chris Pearson, founder and CEO of Blackcloak, discussing Digital Executive Protection. And the Feds remind the health care sector that AI must first do no harm. It's Tuesday, January 14, 2024. I'm Dave Bittner and this is your Cyberwire Intel Brief. Thanks for joining us. It is great to have you with us here today. A draft Cybersecurity Executive Order from the Biden Administration seeks to bolster defenses across federal agencies, contractors and even outer space, CyberScoop reports. Aimed at countering threats like those from China and cybercriminals, the order assigns agencies 53 tasks over timelines spanning 30 days to three years. Measures include encrypting federal mail, strengthening contractor security oversight and enhancing the Cybersecurity and Infrastructure Security Agency's ability to detect threats across federal systems. The order also addresses broader issues like cybercrime, artificial intelligence, and quantum computing. It calls for using AI to protect critical infrastructure and directs agencies to advance post-quantum cryptography. Space systems deemed vital to national security would undergo continuous cybersecurity assessments.
Recognizing the burden of minimum cybersecurity standards on private industry, the Commerce Department is tasked with developing guidance on common practices. While ambitious in scope, the order underscores the urgency of addressing evolving cyber threats. Security researchers have identified a mass exploitation campaign targeting Fortinet firewalls, likely using an unpatched zero-day vulnerability. The attacks, which began in November of 2024 and peaked in December, involved gaining access to FortiGate firewalls with exposed management interfaces. Arctic Wolf Labs observed tens of intrusions with attackers altering configurations, creating admin accounts and exploiting SSL VPN access to steal credentials and enable lateral movement. The attacks used automated login attempts via spoofed IPs on web-based CLI ports with changes to firewall settings starting in late November. Significant configuration changes occurred between December 4 and 7 while attackers were removed before completing their objectives. Researchers suggest ransomware may have been a motive. Fortinet has acknowledged the issue is under investigation, but has not confirmed the vulnerability or issued a patch. Affected firmware includes versions released between February and October of 2024. Security teams are advised to monitor systems and implement mitigations immediately. The scam ecosystem is thriving, with Huione Guarantee emerging as a dominant player in enabling online fraud, a story in Wired says. This Chinese-language marketplace, described as the largest illicit online marketplace, has reportedly facilitated $24 billion in transactions, doubling its activity in under a year. Offering services like escrow, money laundering, victim data sales and deepfake tools, Huione has become a one-stop shop for scammers. Its activities, mostly on Telegram, utilize the Tether stablecoin for transactions and include gambling-like platforms suspected of laundering money.
Despite efforts to expand with proprietary tools like a stablecoin crypto exchange and messaging service, Huione still relies heavily on centralized platforms like Telegram and Tether, potential vulnerabilities for law enforcement. Elliptic researchers stress the platform's critical role in industrializing online scams and its growing influence, warning of the challenges posed if Huione becomes fully independent. Suppressing its operations now could significantly disrupt global scam networks. CISA is urging federal agencies to patch a second vulnerability in BeyondTrust Privileged Remote Access and Remote Support solutions after evidence of active exploitation. The medium severity flaw allowing remote command execution was identified during an investigation into a Chinese state sponsored attack on the US Treasury attributed to the Silk Typhoon group. Agencies must patch by February 3rd per federal mandates, while organizations are advised to prioritize addressing this and related vulnerabilities. The UK government has proposed banning ransomware payments by public sector and critical infrastructure organizations to deter attacks on essential services like hospitals, schools and transportation. Part of a 12 week Home Office consultation, the measures include mandatory reporting of ransomware incidents to boost intelligence sharing and assist international law enforcement efforts such as Operation Cronos against the LockBit gang. The plan also suggests a ransomware payment prevention regime to guide victims and block payments to criminal groups. While the proposals aim to disrupt ransomware actors' financial incentives, experts warn of unintended consequences such as increased targeting of private businesses and prolonged disruptions to critical services. Ransomware remains the UK's most immediate cyber threat, with attacks on public services causing significant disruptions, data breaches and economic losses in recent years.
A critical flaw in Google's Sign in with Google authentication flow exposes millions of accounts to unauthorized access, particularly for users of failed startups. The vulnerability stems from Google's OAuth implementation, which ties access claims to email domains. Attackers can exploit this by purchasing domains of defunct companies, recreating email accounts, and accessing sensitive SaaS platform data like HR systems and private chats. The issue is exacerbated by inconsistent unique user identifiers in Google's system, leaving many platforms reliant on domain names for authentication. Sensitive data such as Social Security numbers and pay stubs are at risk, with over 100,000 vulnerable domains identified. Initially dismissed by Google, the case was reopened after a security researcher demonstrated its impact. Google has promised a fix but provided no timeline. Meanwhile, users are urged to enable SSO with 2FA for critical services. OWASP has released its first Non-Human Identities Top 10, addressing cybersecurity risks tied to automated systems like APIs, bots and cloud services. With NHIs outnumbering human credentials 10 to 50 times in organizations, they represent a massive attack surface for cybercriminals. Vulnerabilities such as secret leakage, overprivileged accounts and insecure cloud deployments are key risks. Recent breaches, including Microsoft's Midnight Blizzard attack and Okta's support system compromise, highlight the need for stronger NHI management. OWASP's guidance emphasizes mitigation strategies like ephemeral credentials, least privilege policies, and advanced tooling for managing NHIs at scale. As automation expands, securing NHIs becomes critical for resilience against cyber threats. The report provides a roadmap for prioritizing actions and strengthening identity management in today's highly interconnected digital landscape.
Microsoft has filed a lawsuit against 10 unnamed individuals accused of using a hacking-as-a-service scheme to bypass safety controls in its Azure OpenAI tools, including DALL-E. The defendants allegedly exploited stolen API keys and custom tools to generate harmful content, violating Azure's AI safeguards. Microsoft claims the individuals used software to mimic legitimate API requests, subverting checks designed to prevent abuse, such as generating violent or inappropriate images. The company first detected the exploitation in July 2024 and has since revoked access and implemented countermeasures. The lawsuit, filed in a Virginia court, seeks to seize related infrastructure, including a domain hosting the illicit service. Microsoft aims to disrupt the operation, gather evidence and improve its AI security protocols. Coming up after the break, Chris Pierson from Black Cloak discusses digital executive protection and the Feds remind the health care sector that AI must first do no harm. Stay with us.
Zscaler Representative
And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach. And we thank KnowBe4 for sponsoring our show.
Chris Pearson
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. It is always my pleasure to welcome to the show Dr. Christopher Pearson. He is the CEO and founder of Black Cloak. Chris, welcome back.
Dave Bittner
Hey, it's great to be here, Dave.
Chris Pearson
I know you know a lot of us have responded and seen the terrible news of the killing of the United Healthcare CEO. And I wanted to check in with you on that because obviously you and your colleagues at Black Cloak are in the middle of protecting executives. I wanted to get your insights. Like, after that event happened, what were the phone calls you were getting? Was there a mandate coming to you from CEOs and boards saying, find us better protection for ourselves? Yeah.
Dave Bittner
So, I mean, you know, unfortunately, massively tragic events. But I mean, what this has really shown is, is that, you know, the risks have changed. What people wanted to talk about, both chief information security officers and chief security officers, after that point in time, what they really wanted to focus on is how can we go ahead and mitigate some of the risks to our executives, board members, and their families? How can we mitigate the digital breadcrumbs that are out there that lead folks to where they might be in terms of their location, in terms of their presence, in terms of their residences, even in terms of their personal private email addresses and phone numbers? And what types of steps can we security professionals on the inside of the company do to kind of reduce this inherent risk to an acceptable level of risk? And it went beyond, you know, your traditional physical security review of the home alarms, professional drivers into an area which is, hey, what types of threat intelligence is out there? How can we go ahead and assess the privacy better? How can we go ahead and help reduce that attack surface? So it really has become something that huge amount of incoming from boards of directors, from executives, and from both CISOs and CSOs. And, you know, we're obviously happy to field the call, but, you know, it does seem like a lot of those risks and the risk appetite in this area has dramatically changed.
Chris Pearson
Have things settled down from the initial, Is it fair to say, emotional response to this?
Dave Bittner
Not so much. Not so much at all. I think that this is one of those things that, you know, our kind of take on things has always been that the home is the next battleground, the home is the new battleground. And so what this has done is, just like Covid opened up people's eyes to the fact that the home network is an actual attack vector for cybercriminals and nation states, into corporate devices that are being used at home and then into the network, this has also opened up people's eyes to the fact that the personal lives of the executives and their family members is something that needs to be safeguarded. You're not safeguarding Jennifer the CEO, or Bob the CFO, or Larry, who's the CTO. You're not, you know, safeguarding them per se. You're safeguarding the role and the position that they have. And that's what the boards care about. That's what the executives and the protection teams care about. I think eventually what's going to happen is that's what the SEC is going to care about. Are you taking care of those things? And so I think this is going to usher in a new era of executive protection for those persons.
Chris Pearson
So perhaps these things become table stakes.
Dave Bittner
Absolutely. I think that this is just going to become number one. It's going to become a corporate mandate. First of all, boards of directors, corporations, the enterprise risk management committees, these are all going to be asking questions about what are we doing? What are we doing to protect our executives? What are we doing to protect those people that are kind of on the About Us, the leadership page of our website. But also I have a feeling that what we're going to do is just like public reporting documents. How are you compensating folks? What are you doing that are the key level officers of the company? It's going to be a how are you protecting not just the company from a cybersecurity or personal protection perspective, but how are you actually going ahead and mitigating those risks and protecting them that fall 24/7?
Chris Pearson
How do you counsel people on when they've crossed that threshold? I'm thinking specifically of physical security here. At what point do I need someone to come with me to my kid's baseball game?
Dave Bittner
I mean, a lot of it can be gleaned from an executive threat assessment. So literally a risk profile on that individual and their family. It also can and should include the kids. And that's really a conversation that needs to be had between the security folks, that security professionals that are on the inside of the company and that executive. But there's some things that are just going to be table stakes and mandated as a result of you being the CEO, CFO. We will have a driver for you, you will have an armed driver in other countries. We will have kidnap and ransom, you will have the Mayo Clinic executive physicals. Right, once a year type of thing. And that's really where digital executive protection is headed. You will have personal protection, cyber protection for you and your family as a result of your role. And that really is something that I think is going to be baked in more and more. But that executive threat assessment is a great first step and it's a great first step at awareness. And also the key to this is you want a willing participant. You want the executive to understand and to participate in their protection because you're going to have greater success.
Chris Pearson
This is a sunk cost for most companies. You don't make money off of your executive protection. What's the budgeting component here? How do you dial it in to make it make sense?
Dave Bittner
Well, I mean in some cases I think it was reported in prior years. It's like Facebook spends $17 million a year on Mark Zuckerberg's personal privacy detail for him and his family and all the rest because they're just big, big targets. The fact of is that the costs of digital executive protection for those persons is going to be dwarfed by the legal costs, remediation costs, incident response costs, investor relation costs, filing costs for SEC stuff. So it's the harm there and the amount of money being spent there. On the latter end, it just absolutely, absolutely towers over the costs of getting in protection to mitigate. Right. Nothing's going to be 100% but to mitigate those risks on the front end.
Chris Pearson
Are there common blind spots that folks have when you meet with people to talk about this sort of thing, what are the things that come up where they'll say I never thought of that.
Dave Bittner
Yeah, that's a great, great question. The first thing I would say is the extent to which their home network and home devices play in a lot of cases, the things that actually gave them better security. So hey, we have cameras all around the house that are professionally installed or you have a professionally installed managed firewall system. A lot of those things that were for good security purposes have actually introduced more holes and vulnerabilities into their systems. So that's always an interesting takeaway. The second is going to be the role that the other persons in the home, especially the kids, play in this. We actually just had one CEO have their teenage son poke a hole in through their corporate firewall that was at home and literally open up a port so they could have and host a gaming server at the home. Which of course I know we both are chuckling Dave.
Chris Pearson
No, well, I mean to make this about me, when my wife and I were bringing up our two boys, we agreed that we may be able to outsmart our kids, but there's no way we're gonna outsmart our kids and all of our kids' friends, right?
Dave Bittner
Well, that's right. But I mean it's one of those stories where the home security was great, spared no expense. And then you have the, well, the kids are at least home, they're gaming. So this is a positive attribute. They're not down by the river doing something else. But all of a sudden you have a hole in the firewall that the corporate laptop comes into each night. And then third, the exposure of the personal accounts. So the personal Gmail, Yahoo, whatever it is that they're using, they do a great job at work.
Chris Pearson
Yep.
Dave Bittner
I've got dual factor authentication, I've got the Yubikey, I've got the authenticator. But then they say I got nothing interesting on my Gmail. Well, you got all your personal financial communications, banking communications, legal communications, where you're actually traveling because a lot of those airline reservations come back to the centralized email. It exposes a lot of information. So it's always interesting when we're, when the team is meeting with people after the fact of being onboarded in terms of what we're able to find the exposures and then obviously needs a solution for.
Chris Pearson
I suppose there's a certain amount of letting go that they have to do when it comes to trade offs with privacy. Right. Like if you've got a team of people keeping an eye on your stuff, that's a trusted relationship.
Dave Bittner
You gotta, it starts all with a trusted relationship. All always. The nice thing is, you know, you know, speaking, you know, for us and our platform is that since it's built from the ground up, it's built with privacy in mind. And Dave, as you know, I mean, you know, former chief privacy officer, you gotta instill that in the company and the people, the value, the product, all the rest and build it with privacy, you know, in there by design. I think overall what we've seen on the corporate side is corporate executives, board members have had trusted relationships with their professional drivers, the private jets, with the folks that are in charge of kidnapping, ransom or medical and all the rest. And even financial. I mean sometimes corporations have financial and tax experts that are hired by the company to help and assist those executives so they don't have to worry as much about that personal side of things. And so what we've seen is those relationships grow over time. I think it's a trend that's going to continue especially as those are value enhancing for the executive, but also provide real value and real mitigation into the company.
Chris Pearson
Dr. Christopher Pearson is CEO and founder of Black Cloak. Chris, thanks so much for joining us.
Dave Bittner
Hey, thank you.
Chris Pearson
Do you know the status of your compliance controls right now? Like, right now? We know that real time visibility is critical for security, but when it comes to our GRC programs we rely on point in time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Melanie Fontes Rainer
This episode is brought to you by Indeed. We're driven by the search for better. But when it comes to hiring, the best way to search for a candidate isn't to search at all. Don't search match with Indeed. Use Indeed for scheduling, screening and messaging so you can connect with candidates faster. Listeners of this show will get a $75 sponsored job credit to get your jobs more visibility@ Indeed.com SBO terms and conditions apply.
Chris Pearson
And finally, federal regulators are giving the healthcare sector a friendly nudge or maybe a firm shove to ensure that AI and other tech marvels don't accidentally play favorites or worse, discriminate. In a letter, HHS Office for Civil Rights Director Melanie Fontes Rainer reminded providers and insurers to align their AI use with Section 1557 of the ACA, which prohibits discrimination based on race, age, sex, disability and other factors. This isn't just a polite suggestion. The law's affirmative requirements kick in May 1st of this year, compelling healthcare entities to proactively root out potential biases in their AI tools. That's easier said than done. Many organizations rely on third party AI systems with complex, opaque algorithms, making it tricky to peek under the hood and spot issues. Experts recommend auditing AI systems and ensuring diverse data sets during training, but even that's a tall order when the tech feels like a black box. And don't forget HIPAA. Fontes Rainer stressed that safeguarding patient privacy while navigating AI's complexities is non-negotiable. Adding to the mix, HHS rolled out a 200 page strategic AI plan aiming to improve healthcare efficiency, equity and safety while addressing AI driven cybersecurity risks. Whether this ambitious vision survives a pending leadership change remains to be seen. For now, healthcare providers are urged to plan ahead because ignoring AI compliance isn't just legally risky, it might also hurt patients. After all, the ultimate goal is tech that heals, not harms. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ivan. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
CyberWire Daily: National Security in the Digital Age
Release Date: January 14, 2025
Host: N2K Networks
In this episode of CyberWire Daily, hosted by N2K Networks, Dave Bittner delves into the pressing cybersecurity issues affecting national security in the digital age. The discussion covers a wide array of topics, including the Biden Administration's Cybersecurity Executive Order, emerging threats targeting critical infrastructure, vulnerabilities in major technology platforms, and the evolving landscape of executive protection. The episode features an insightful interview with Chris Pearson, CEO and founder of Black Cloak, who provides expert perspectives on digital executive protection in the wake of increasing cyber threats.
The episode begins with an in-depth analysis of a draft Cybersecurity Executive Order aimed at strengthening defenses across federal agencies, contractors, and even extending to space systems. The order addresses a broad spectrum of issues, including cybercrime, artificial intelligence (AI), and quantum computing.
Encryption and Contractor Security: The order mandates encrypting federal mail and enhancing security oversight for contractors.
AI and Quantum Computing: It emphasizes the use of AI to protect critical infrastructure and directs agencies to advance post-quantum cryptography.
Continuous Cybersecurity Assessments: Space systems deemed vital to national security will undergo ongoing cybersecurity evaluations.
Notable Quote:
"The order underscores the urgency of addressing evolving cyber threats," noted Dave Bittner at [01:36].
Security researchers have identified a mass exploitation campaign targeting Fortinet firewalls, exploiting an unpatched zero-day vulnerability. The attacks, primarily conducted by unauthorized access through exposed management interfaces, indicate a significant breach in network security.
Attack Patterns: The campaign involved automated login attempts via spoofed IPs, leading to altered firewall configurations and stolen credentials.
Response and Mitigation: Fortinet is investigating the issue, urging affected organizations to monitor systems and implement immediate mitigations.
Notable Quote:
"Security teams are advised to monitor systems and implement mitigations immediately," emphasized Dave Bittner at [02:53].
The podcast highlights the alarming growth of Huione Guarantee, a Chinese-language illicit online marketplace facilitating $24 billion in transactions. The platform offers services such as escrow, money laundering, victim data sales, and deepfake tools, becoming a central hub for scammers.
Operational Dynamics: Huione heavily relies on platforms like Telegram and Tether for transactions, presenting vulnerabilities for law enforcement interventions.
Impact on Cybercrime: Researchers warn that disrupting Huione's operations could significantly hinder global scam networks.
Notable Quote:
"Suppressing its operations now could significantly disrupt global scam networks," stated Dave Bittner at [03:59].
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a second vulnerability in BeyondTrust's privileged remote access solutions. The flaw allows remote command execution and is actively exploited by the Silk Typhoon Group, a Chinese state-sponsored actor.
Notable Quote:
"Agencies must patch by February 3rd per federal mandates," conveyed Dave Bittner at [04:37].
The UK government proposes a ban on ransomware payments by public sector and critical infrastructure organizations to deter cyberattacks on essential services. This initiative includes mandatory reporting of ransomware incidents and the establishment of a payment prevention regime.
Notable Quote:
"Ransomware remains the UK's most immediate cyber threat," highlighted Dave Bittner at [05:36].
A significant vulnerability in Google's "Sign in with Google" authentication flow exposes millions of user accounts to unauthorized access. The flaw allows attackers to exploit Google's OAuth implementation by recreating email accounts of defunct companies.
Notable Quote:
"Over 100,000 vulnerable domains have been identified," reported Dave Bittner at [06:22].
The Open Web Application Security Project (OWASP) released its first Non-Human Identities (NHI) Top 10, addressing cybersecurity risks associated with automated systems like APIs, bots, and cloud services. With NHIs outnumbering human credentials by 10 to 50 times in organizations, securing these identities is paramount.
Notable Quote:
"Securing NHIs becomes critical for resilience against cyber threats," emphasized Dave Bittner at [07:15].
Microsoft has filed a lawsuit against ten individuals accused of bypassing safety controls in its Azure OpenAI tools, including DALL-E. The defendants allegedly used stolen API keys and custom software to generate harmful content, undermining Microsoft's AI safeguards.
Notable Quote:
"The company seeks to disrupt the operation and improve its AI security protocols," explained Dave Bittner at [08:10].
The highlight of the episode is an engaging interview with Chris Pearson, founder and CEO of Black Cloak, focusing on Digital Executive Protection—a critical area of cybersecurity aimed at safeguarding executives from evolving digital threats.
Key Discussion Points:
Impact of High-Profile Attacks: Following the tragic killing of the United Healthcare CEO, there has been a surge in demand for enhanced protection measures for top executives.
Expanding Scope of Protection: The conversation delves into protecting not just executives but also their families, emphasizing the importance of securing personal data and minimizing digital footprints.
Budgeting for Executive Protection: Pearson discusses the financial aspects, highlighting that the costs of proactive protection are significantly lower than potential legal and remediation expenses resulting from breaches.
Common Blind Spots: Pearson identifies typical oversights, such as vulnerabilities introduced by home network setups and the inadvertent exposure of personal accounts.
Building Trusted Relationships: Emphasizing the need for trust between executives and their protection teams, Pearson advocates for solutions built with privacy from the ground up.
Conclusion:
The interview underscores the necessity of integrating digital and physical security measures to protect executives effectively. As cyber threats continue to evolve, organizations must prioritize comprehensive executive protection strategies to mitigate risks and ensure the safety of their leadership.
The episode wraps up with a discussion on AI compliance in the healthcare sector, emphasizing the importance of preventing discrimination and safeguarding patient privacy. The HHS Office for Civil Rights has mandated that healthcare providers audit their AI systems to align with anti-discrimination laws and HIPAA regulations, highlighting the complex interplay between technological advancement and regulatory compliance.
Final Quote:
"The ultimate goal is tech that heals, not harms," concluded Dave Bittner at [27:18].
For more detailed insights and daily updates on cybersecurity threats and solutions, visit The CyberWire.