CyberWire Daily — April 7, 2026
Episode Title: Proposed cuts put CISA in focus
Host: Dave Bittner, N2K Networks
Featured Guest: John Anthony Smith, Founder & CSO, Phoenix 24
Episode Overview
This episode centers on the proposed $707 million budget cut to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), placing the agency’s future and priorities into sharp focus. Alongside this central theme, the episode dives into significant global cybersecurity incidents, emerging cyber threats, and the reality that increased investment in technology alone hasn’t made organizations safer. The highlight is an in-depth interview with John Anthony Smith about why technology hasn’t been a panacea for cyber risk and what true resilience should look like for modern organizations.
Key Discussion Points & Insights
1. CISA Budget Cuts and Strategic Shift ([00:53])
- The Trump administration proposes a $707M cut to CISA for FY2027, reducing its budget to ~$2B.
- The aim: refocus CISA on federal network and critical infrastructure protection, removing "weaponization and waste."
- Programs to be eliminated: school safety, international affairs, stakeholder engagement, and counter-misinformation.
- Context: Prior proposed cuts were reduced by Congress; CISA seeks to hire over 300 mission-critical employees after earlier workforce reductions.
- Leadership update: Nick Anderson is acting director; Sean Plankey has been renominated.
2. Russian-Iranian Cyber Cooperation in the Middle East ([02:24])
- Ukrainian intelligence alleges Russian satellites surveyed dozens of Middle Eastern sites, supporting Iranian missile/drone strikes.
- Claims of increased Russia-Iran hacker group collaboration against regional infrastructure, notably Israeli energy.
- U.S. officials downplay the operational impact; Reuters could not verify the assessment.
3. New BPFDoor Malware Variants ([03:28])
- Rapid7 Labs identifies 7 new BPFDoor malware variants (e.g., HTTPShell, ICMPShell) that improve attacker stealth and persistence.
- These samples use kernel-level Berkeley Packet Filters, activated by magic packets, enabling advanced evasion and covert access, especially in global telecom infrastructure.
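As an added illustration for defenders (not code from the episode or from Rapid7's research), the script below shows the host-level signal that BPFDoor-style implants leave behind: a process holding a raw AF_PACKET socket, which is what a kernel BPF filter waiting for a magic packet is attached to. It parses the Linux `/proc/net/packet` table and flags raw sockets owned by processes outside an allowlist; the sample table, the inode-to-process map, and the process names in it are constructed for the example, and the allowlist contents are an assumption you would replace with your own baseline.

```python
"""Added example: list processes that own raw packet sockets on a Linux host.

BPFDoor-style implants sit on a raw AF_PACKET socket with a BPF filter attached
and wake up on a magic packet. Enumerating raw packet sockets and their owning
processes is therefore a cheap baseline check; anything not on your allowlist
deserves a look. The sample data below is constructed, not captured.
"""
import glob
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List

SOCK_RAW = 3         # socket type value for SOCK_RAW (2 would be SOCK_DGRAM)
ETH_P_ALL = 0x0003   # protocol value meaning "every Ethernet frame"


@dataclass
class PacketSocket:
    sock_type: int
    proto: int
    iface: int
    user: int
    inode: int


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse the /proc/net/packet table: one header line, then one row per socket.

    Columns: sk RefCnt Type Proto Iface R Rmem User Inode (Proto is hex).
    """
    rows: List[PacketSocket] = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for ln in lines[1:]:            # skip the header
        cols = ln.split()
        if len(cols) < 9:           # tolerate truncated or malformed rows
            continue
        rows.append(PacketSocket(
            sock_type=int(cols[2]),
            proto=int(cols[3], 16),
            iface=int(cols[4]),
            user=int(cols[7]),
            inode=int(cols[8]),
        ))
    return rows


def build_inode_owner_map(proc_root: str = "/proc") -> Dict[int, str]:
    """Map socket inode -> 'comm(pid)' by walking /proc/<pid>/fd symlinks.

    Linux only; needs enough privilege to read other users' fd tables.
    """
    owners: Dict[int, str] = {}
    for pid_dir in glob.glob(os.path.join(proc_root, "[0-9]*")):
        pid = os.path.basename(pid_dir)
        try:
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
            fd_dir = os.path.join(pid_dir, "fd")
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:["):
                    owners[int(target[len("socket:["):-1])] = f"{comm}({pid})"
        except OSError:
            continue                # process exited or not readable
    return owners


def flag_raw_sockets(sockets: Iterable[PacketSocket], inode_owner: Dict[int, str],
                     allowlist: Iterable[str]) -> List[dict]:
    """Return raw packet sockets whose owning process (by comm) is not allowlisted."""
    allowed = set(allowlist)
    findings = []
    for s in sockets:
        if s.sock_type != SOCK_RAW:
            continue
        owner = inode_owner.get(s.inode, "<unknown>")
        comm = owner.split("(", 1)[0]
        if comm in allowed:
            continue
        findings.append({"process": owner, "inode": s.inode, "proto": s.proto,
                         "all_frames": s.proto == ETH_P_ALL, "iface_index": s.iface})
    return findings


# Constructed sample: an implant masquerading as a kernel thread name holds a
# raw socket for all frames; dhclient and tcpdump are legitimate packet users.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c00000000 3      3    0003   2     1 0      0      41233
ffff9a1c00000001 3      3    0800   2     1 0      0      41300
ffff9a1c00000002 2      2    0003   0     1 0      0      41355
"""
SAMPLE_INODE_OWNER = {41233: "kworker/u:0(4817)", 41300: "dhclient(812)",
                      41355: "tcpdump(2201)"}          # constructed
ALLOWLIST = ("dhclient", "tcpdump", "lldpd")           # assumed site baseline

if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as fh:
            live = parse_proc_net_packet(fh.read())
        hits = flag_raw_sockets(live, build_inode_owner_map(), ALLOWLIST)
    else:
        hits = flag_raw_sockets(parse_proc_net_packet(SAMPLE_PROC_NET_PACKET),
                                SAMPLE_INODE_OWNER, ALLOWLIST)
    for h in hits:
        print(f"raw packet socket owned by {h['process']} inode={h['inode']} "
              f"all_frames={h['all_frames']}")
```

The check is a baseline, not a signature: a real kernel worker thread never owns a socket, so a `kworker`-named process with a raw AF_PACKET socket is the kind of mismatch worth escalating, while packet capture tools and DHCP clients legitimately appear here and belong on the allowlist.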
4. Cybercrime and Account Takeovers Surge ([04:28])
- FBI’s Internet Crime Complaint Center (IC3) reports increasing account takeover fraud (5,100+ complaints, $262M+ losses since Jan 2025).
- Ongoing issues: impersonation scams (spoofed IC3 officials), spoofed harvest websites, mail theft enabling check fraud.
- Takeaway: Social engineering, credential theft, and impersonation remain top attack vectors.
5. GPU Rowhammer Attacks Advance ([05:38])
- University of Toronto researchers unveil “GPU Breach,” a Rowhammer attack targeting GPU memory (GDDR6), enabling privilege escalation.
- Attackers can flip bits in GPU page tables for arbitrary memory access, elevating privileges when combined with Nvidia driver flaws—a risk heightened in multi-user cloud environments.
6. Northern Ireland School IT Breach ([06:48])
- A cyber attack on the centralised C2K school network disrupts access for ~300,000 students and 20,000 teachers.
- Response: Systems shut down to contain breach; recovery efforts underway, prioritizing exam students.
- No confirmed personal data loss so far.
7. Hacking-for-Hire and Ransomware Suspects Charged ([08:34])
- Emit Forlet extradited to the US, charged with leading a global hacking-for-hire scheme—linked to millions in fraud and prestigious clients like ExxonMobil.
- German police identify Daniil Maksimovich Shukin as the REvil/GandCrab ransomware mastermind, implicating him in $40M+ in global damages.
Featured Interview: Why More Technology Hasn’t Made Us More Secure
Guest: John Anthony Smith, Phoenix 24
Segment: [12:23] – [24:14]
The Myth of the Technology “Silver Bullet”
- "We leaders commonly believe ... that purchasing a new tool is going to solve problems. ... Most of these tools are largely not configured in the context of what threat actors are able and willing to do."
— John Anthony Smith ([12:36], emphasis added)
- Organizations invest in security tools expecting quick fixes, but most are poorly or incompletely configured, limiting effectiveness.
Real-World Failures: Backup and Recovery Shortfalls
- "84% of organizations ... do not have a single survivable copy of backups." ([13:46])
- Even with notable backup solutions (Zerto, Rubrik, Veeam, etc.), features often aren’t used properly or are implemented without a breach-oriented mindset.
- The rush to SaaS and remote work has increased exposure as users log in from unmanaged or personal devices, risking authentication token and credential theft.
Alert Fatigue and the Limits of DIY Security Operations ([15:56])
- Most organizations’ Security Operations Centers (SOCs) struggle with alert fatigue and are "never ... tooled properly," not in tech but in "people and process and policy."
- "Many orgs have had ... alerts that should have demonstrated ... an attacker in their environment, but they were being ignored or they weren’t being responded to quickly." ([16:08])
- Attack dwell time is now commonly 15 minutes to 72 hours, so delayed alert response jeopardizes recovery.
Tool Sprawl & Complexity as a Double-Edged Sword ([17:54])
- Extra tools add complexity—sometimes to harmful levels—but some complexity is necessary for true resilience.
- "The only way to actually solve a complex problem is with a complex solution ... it's not commonly a factor of spend." ([18:17])
Executive Guidance: Prioritize Resilience ([20:11])
- "It is unlikely that one, you’re going to have a recovery, two, that you’re going to have a timely recovery" unless leadership prioritizes resilience over prevention.
- "If you’re going to spend focus, time, and money elsewhere ... it needs to be resilience." ([20:31])
- Recovery objectives (RTO/RPO) are often unrealistic: "If you are an org that believes that your critical ... app ... is going to be back online in four hours ... you’re probably living in a farce." ([21:48])
Organizations Set Up for Success vs. Failure ([23:02])
- Success comes from "invest[ing] significantly in resilience instead of believing ... they can prevent all forms of breaches."
- Keys to readiness: Multiple backup copies, “multiple identity planes,” immutability, hardware and infra segmentation, digital air-gapping.
- "Organizations that have focused ... their first and really doubled down on their investments around resiliency ... are really set up for success." ([23:12])
Notable Quotes & Memorable Moments
On the “Silver Bullet” Fallacy
"The real problem is ... organizations are making these investments ... looking for silver bullets by buying something and making a problem go away ... and simply it's not playing out that way, in truth."
— John Anthony Smith ([12:36])
Alert Fatigue Reality
"There is a lot of alert fatigue. ... Many orgs have had ... alerts that should have demonstrated ... an attacker ... but they were being ignored or ... not responded to quickly."
— John Anthony Smith ([16:08])
On Executive Focus
"You’re probably spending enough money today on prevention ... your IT org needs to be, should be hyper focused on resiliency."
— John Anthony Smith ([20:31])
Recovery Fantasies
"If you are an org that believes ... you’re going to be back online in four hours with less than 30 minutes of data loss after a ... destructive act, you’re probably living in a farce."
— John Anthony Smith ([21:48])
Threat Briefs & Emerging Issues
- Blue Hammer Windows Zero-Day Released ([24:14])
- Frustrated researcher ("Chaotic Eclipse") posts proof-of-concept exploit for an unpatched privilege escalation flaw, "Blue Hammer," potentially allowing full system takeover via local access.
- Microsoft notified, investigating; defenders reminded that "local access required" provides limited comfort in real-world breaches.
Timestamps for Key Segments
- CISA Budget Cuts & Policy ([00:53])
- Russian-Iranian Cyber Operations ([02:24])
- BPFDoor Malware Variants ([03:28])
- IC3 Cybercrime/Fraud Update ([04:28])
- GPU Rowhammer Attacks ([05:38])
- Northern Ireland School Breach ([06:48])
- Forlet Indictment, Shukin Identified ([08:34])
- Interview: John Anthony Smith ([12:23]–[24:14])
- Blue Hammer 0-day Released ([24:14])
Conclusion
This episode underscores the shifting landscape for national cybersecurity priorities amid proposed CISA budget reductions and illustrates—through news and expert insight—why organizational security is ultimately about resilience, not perfect prevention. The conversation with John Anthony Smith highlights the gap between wishful thinking (“silver bullet” tech) and effective, reality-based defense planning. For security leaders, practitioners, and anyone invested in cyber risk management, the message is clear: resilient recovery and realistic preparedness—not more tools—are the foundation of being truly secure.
