N2K CyberWire Announcer
You're listening to the CyberWire Network, powered by N2K.
Maria Varmazis
Do you know how the space and cybersecurity domains connect? T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface. I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T-Minus is back, now as a weekly podcast, the T-Minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together: space and cybersecurity. Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly Internet enabled. We're talking cybersecurity technologies, policies and organizations that are securing the critical space-based infrastructure that powers, protects and connects our lives here on Earth. So join me for T-Minus Space Cyber Briefing. New episodes every Sunday.
Dave Bittner
Quick question: have you watched Project Hail Mary yet? Humanity is facing an existential threat and racing to solve it with the clock ticking. For security teams, that probably hits close to home, with AI use rapidly spreading. Everyone's using AI: marketing, sales, engineering, Chris the intern, without security even knowing about it. That's where Nudge Security comes in. Nudge finds shadow AI apps, integrations and agents on day one and helps you enforce policy without blocking productivity. Try it free at nudgesecurity.com/cyberwire.

Researchers crack Apple's M5 memory protections with a kernel exploit. An IBM security executive emerges as a possible CISA pick. Researchers uncover four malicious NPM packages. AI-generated slop floods bug bounty programs. Major health care breaches hit the HHS tracker. 7-Eleven confirms a breach. And chained OpenClaw AI flaws could enable full host compromise. Santa Clara County sues Meta over alleged scam ads. We got our Monday business breakdown. Our guest is Jason Madigan, Director of Commercial Cloud Security at Booz Allen, discussing the tension between resilience and data residency laws. And a fond farewell for a security pioneer.

It's Monday, May 18, 2026. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. Happy Monday. It is great as always to have you with us.

Researchers say they developed the first public macOS kernel memory corruption exploit targeting Apple's M4.5 silicon, despite the company's hardware-assisted memory integrity enforcement protections. The exploit chain targets macOS 26 and reportedly achieves local privilege escalation from an unprivileged user to a root shell using standard system calls. The researchers said the chain relies on two vulnerabilities and several exploitation techniques on bare metal M5 hardware with kernel MIE enabled. Calif researchers credited Mythos Preview, the AI-assisted vulnerability research system, with helping identify bugs and support exploit development. According to their report, the exploit was built in roughly five days. Apple designed MIE specifically to make memory corruption attacks significantly harder, the researchers argue. The work highlights how AI-assisted vulnerability discovery may challenge even advanced hardware security mitigations.

Cybersecurity leaders are urging the Trump administration to stabilize and strengthen CISA as IBM security executive Tom Parker emerges as a possible candidate to lead the agency. Industry leaders say CISA has lost roughly one third of its workforce over the past year, while the administration's proposed fiscal year 2027 budget would cut another 30% from the agency. Security professionals warned that reduced staffing could weaken programs like the Known Exploited Vulnerabilities Catalog and Secure by Design initiatives, both widely used to prioritize active threats and improve software resilience. Multiple experts said AI-driven vulnerability discovery is accelerating attack timelines, making centralized coordination and threat intelligence more critical. Defenders increasingly rely on CISA as a neutral source of vulnerability prioritization, operational guidance and cross-industry coordination as AI compresses the time between disclosure and exploitation.

Meanwhile, Sean Plankey, the former nominee to lead the Cybersecurity and Infrastructure Security Agency, is joining defense technology company UFORCE as its US chief executive officer. UFORCE, a London-based company formed from nine Ukrainian firms, develops combat drones for air, land and sea operations. The company said it plans to launch U.S.-made unmanned surface vessels this summer. Plankey withdrew from consideration for the CISA director role last month after facing Senate opposition. He previously served in the first Trump administration and recently retired from the US Coast Guard.

Researchers at AUX Security have identified four malicious NPM packages containing infostealer malware, including what appears to be a direct, non-obfuscated clone of the recently leaked Shai Hulud malware source code. The packages, including typosquatted names targeting Axios users, were uploaded by the same threat actor and collectively logged more than 2,600 weekly downloads. Researchers said the malware variants steal information such as cloud configurations, cryptocurrency wallet data, environment variables and IP addresses. One package also reportedly turns infected systems into a distributed denial of service botnet. AUX Security believes the cloned malware may have been inspired by a recently leaked Shai Hulud code release tied to TeamPCP. Researchers urged users to uninstall the packages, rotate credentials, inspect developer tools for malicious configurations, and monitor for signs of compromise.

Companies that pay independent researchers to find software vulnerabilities are struggling with a surge of low-quality AI-generated bug reports that security teams must manually review and verify. Bug bounty platform Bugcrowd said reports quadrupled during a three-week period in March, with most submissions proving false. curl and Nextcloud both suspended their bug bounty programs after what they described as an explosion of AI-generated slop reports. Security experts say generative AI tools are lowering the barrier to entry for vulnerability research while also enabling automated scanning and submission systems that flood programs with inaccurate findings. At the same time, platforms like HackerOne say AI is also helping experienced researchers discover legitimate flaws more efficiently. The shift is forcing bug bounty programs to rethink validation, triage and researcher vetting as AI reshapes vulnerability discovery economics.

Several large healthcare data breaches were recently added to the U.S. Department of Health and Human Services breach tracker, revealing impacts affecting hundreds of thousands of patients. The largest confirmed incident involves New York City Health and Hospitals, where attackers reportedly accessed systems through a third-party vendor between November 2025 and February of this year, exposing personal, medical, insurance, biometric and financial information tied to 1.8 million individuals. Additional breaches at Erie Family Health Centers, Florida Physician Specialists and other providers collectively impacted hundreds of thousands more.

7-Eleven has confirmed a data breach after the ShinyHunters hacking group claimed it stole more than 600,000 Salesforce records from the convenience store chain. The company said it detected unauthorized access on April 8 in systems used to store franchisee application documents. According to breach notifications filed in Maine, unspecified personal information submitted during franchise applications was exposed. ShinyHunters later claimed responsibility, threatening to leak the data unless a ransom was paid and offering the information for sale online. The group has recently targeted multiple organizations through phishing, third-party integrations and misconfigurations tied to Salesforce environments.

Cybersecurity firm Sierra has disclosed four vulnerabilities in the OpenClaw AI assistant that can be chained together to compromise the underlying host system and establish persistent access. The attack chain, dubbed Claw Chain, begins with code execution inside the open shell sandbox through prompt injection, malicious plugins or compromised external input. Researchers say attackers can then exploit multiple flaws, including race conditions and improper access controls, to bypass sandbox protections, leak sensitive credentials, escalate privileges and ultimately write outside the sandbox boundary. The final vulnerability carries a CVSS score of 9.6 and could allow attackers to plant backdoors and maintain long-term control of affected systems. Ciera says more than 60,000 publicly accessible OpenClaw instances may be exposed. OpenClaw maintainers released patches one day after disclosure.

In California, Santa Clara County has filed a lawsuit against Meta, accusing the company of knowingly allowing scam advertisements to spread across Facebook and Instagram in order to protect advertising revenue. County officials allege Meta weakened its own fraud prevention efforts and allowed fraudulent advertisers to bypass moderation systems despite repeated warnings about scam activity. The lawsuit cites allegations that Meta maintained revenue guardrails, limiting enforcement actions if they threaten more than 0.15% of company revenue. Officials referenced financial scams, cryptocurrency fraud, impersonation schemes and fake medical cures among the alleged deceptive ads. Meta denied the claims and said it removed more than 159 million scam ads last year while expanding fraud prevention partnerships and tools. The case highlights growing legal pressure on major platforms over their role in enabling online fraud and deceptive advertising.

Turning to our Monday business breakdown, several cybersecurity companies announced major funding rounds and acquisitions this week, with investors continuing to back AI-driven security platforms and automation technologies. Agentic security operations center provider Exaforce raised $125 million in series funding to expand its AI-powered detection and response platform globally. Frame Security emerged from stealth with $50 million for AI-focused security awareness training, while Autonomous Cyber, White Circle and Secludi also announced new funding tied to AI security, model protection and privacy technologies. Meanwhile, industry consolidation continued with acquisitions involving Boost Security, Cycurian, WatchGuard and automotive cybersecurity firm Cymotive. Multiple companies said the deals will strengthen AI-assisted detection, code analysis, cloud security and operational defense capabilities. The announcements reflect continued investor confidence in AI-centric cybersecurity platforms as organizations race to improve detection, automation and resilience against increasingly complex threats.

Coming up after the break, my conversation with Jason Madigan from Booz Allen about the tension between resilience and data residency laws, and a fond farewell for a security pioneer. Stay with us.
Dave Bittner
Jason Madigan is Director of Commercial Cloud Security at Booz Allen and in today's sponsored Industry Voices segment, we discuss the tension between resilience and data residency laws.
Jason Madigan
When we're looking at cyber resilience, at the end of the day, we're really looking at your data. In the cloud, we can always rebuild services natively, we can always bring over images and containers, but the data itself is the core to functionality and the ability to continue running. And so when we look at cyber resilience, it's not just recoverability, disaster recovery, it's also how you respond to and protect from cyber attacks. Ransomware encryption, data exfiltration, or now the new thing of just deleting things and erasing all of your data and your backups and then understanding that you have to architect to protect from those things. And what makes it really interesting is now the new laws that are occurring around data itself are making things a lot more challenging.
Dave Bittner
Well, help me understand here. I mean, I have understood that resilience systems usually depend on things like geographic distribution and redundancy. You don't want to keep everything in one place. Has that been the mindset in the past?
Jason Madigan
Generally, yes. But as we moved towards the multi-zone for the redundant hyperscaler regions, we have seen a move away from a full geographic type of resilience. And so what I mean by that is, yes, in the U.S. for example, folks will go live in the east coast and then maybe have a backup set up in the west coast, but they're still relying on the backplane of a hyperscaler and they're within the U.S. Now, when we start speaking about international clients and we're talking about data residency and sovereignty, things get a little bit more sticky. A good example would be in Bahrain. They have laws that your data must stay within that country's borders. And you know, the type of data that you're talking about would have to fit within those laws, but generally your application data would have to stay within that area. And when you're looking at a single region for, say, AWS, and we're looking at the kinetic attacks that occurred during the war, that definitely can affect you. If, say, there's four zones within Bahrain and three of them went down from that attack, did you have your infrastructure built in that fourth zone? Or was your data striped and backed up to that fourth zone? Or did you lose data or what? What is the answer? Is the problem we're seeing to being in a country with a singular deployment of a hyperscaler without two separate areas within that country? For example, we have US East 1 and we have US West 2. But do they have that in those countries with the data residency laws or do they not? And then what is your answer there? What data can move? How do you identify the data that you have to maybe find an on-premise private cloud to back up to just for recoverability's sake?
Dave Bittner
So when we're talking about these data residency laws, what are the governments setting out to do here? What's their goal? What are they trying to protect?
Jason Madigan
That's a good question. In some cases it's that their citizens' data is what they're trying to protect. They're trying to make sure that their citizens' data itself is not leaving the country, as well as thinking about how there's possibly an adversarial type relationship with the United States. So if you're in a country where there's a possible adversarial relationship, they have to be concerned that one, the data is being exfiltrated to possibly someone in the US or another nation state actor. Or the other option or concern would be such as what happened during the conflict with Russia and Ukraine where the Azure platform had to say hey, everybody out. Or it's limited what you can do, or the national data that existed within that platform was now at risk of possibly United States actors gaining access to it for some reason. And so they had to come out of that cloud. So these are the types of things that we are seeing as a question from different industries that we're attempting to solve.
Dave Bittner
So at what point do these resilience requirements start to conflict with the data residency requirements?
Jason Madigan
And that is the point of where we're at. We are seeing that to begin to collide where generally folks are now at a cloud-first mindset. And the hyperscalers don't always have the multi-region support in certain countries or they possibly don't have a data sovereign region for a customer to leverage, such as Singapore. Right. They partnered with a hyperscaler to build a sovereign region to overcome some of these questions and concerns that may have existed for the Singapore government. Other countries don't always have that ability to deploy a sovereign region. And even then, when you have a sovereign region, and such as what happened in Bahrain, you still need to think through: is this data so critical that if a kinetic attack occurred, I can't recover from losing all of that data from a physical attack? So what do I do? Do we start looking at some of these smaller private clouds? Do I just go get a closet in a colo? But then in that case is that data center the exact physical location that the hyperscaler is existing in as well? So things are getting very challenging to understand what an impact of a kinetic attack would be to your uptime and resiliency or even recoverability.
Dave Bittner
So are these strict localization requirements unintentionally creating potential single points of failure?
Jason Madigan
I don't know if it would be single points of failure as much as a catastrophic event. And so in that case, you're not going to concern yourself with these possible outcomes for every platform and app. But you will have to understand which data types or which platform will cause you the biggest issue regulatory-wise. Or it could just be loss of reputation to customers, because downtime is what clients remember. Customers remember downtime, they don't remember always slowness, they don't always remember functionality. But many of them in this environment will remember when your platform went down. So understanding what that impact would be, on a case-by-case basis, will really help you understand where you need to spend time and focus to address those concerns or architect around it.
Dave Bittner
So what sort of compromises do organizations need to make to satisfy both sides of this, the resilience goals and their residency obligations?
Jason Madigan
A lot of it is going to come down to time and effort and cost. And, right, cost is what can tell you how much time and effort you can spend. So identifying where what can be called crown jewels or your most critical data exists, or where you start looking first and then you start understanding what the impact would be from certain events and then what you can handle for downtimes or efforts to recover from those events. In many cases, we won't really see issues for most clients. It will be a unique event today for you to have these concerns. But as we move forward, we are seeing that this has to be understood in a future state for these clouds or hyperscalers that exist in other countries, that you really should understand what data's out there, what data you're trying to protect and what data needs to be recoverable. Because I can recover services, I can recover architectures, I can rebuild servers and applications all day, but if I don't have that data on the back end, I might not be able to provide the end user the experience that they are expecting and then becomes loss of reputation. And then on top of that, when I look at all those different levels and the data and what can be recovered, I need to be sure that if it is data that I need for my business itself, analytics, planning purposes, because agentic AI is driving the need for data so, so heavily that I need to also know is even though it may not provide the backend support for an app, I may need it to make my decisions for the next 1, 2, 3, 4 years for a device, a product, or just my business. So the data is extremely important when it comes to this when we're looking at how to architect around it. But I would also state that data is also the most important thing to making money nowadays because it allows you to make correct decisions about where your business is going to go. And then knowing where that data exists and how you're going to recover from it is very important.
Dave Bittner
What about the regulators themselves? I mean, do they generally recognize or even sympathize with the resilience risks and that maybe localization requirements can introduce some of those risks?
Jason Madigan
I think that's a great question and I think it will be country by country and it just depends on what the continued relationship is with the US. We're seeing a little bit of a change out in the world based on questions that our clients are asking internationally. And I think that time will tell how regulators will pivot based on just the example I gave in Bahrain. I have a client, they got impacted. What does that mean? And what is their next step? Thankfully, it wasn't critical and they kept their data. But going forward, there should be a conversation with some of these countries for the larger enterprises of I need another place to store my data and it may not be in country, it may be a partner country that they're very secure with. But those questions will have to be answered as we move forward.
Dave Bittner
Where do you suppose we're headed from here? Is this a temporary tension that's going to become kind of the new normal? Or where do you suppose things are going?
Jason Madigan
That's a really good question. We look at the CLOUD Act and we haven't really seen the outcomes fully occur across the board. Or we look at some of the GDPR rule sets about data that can leave Europe. I think that we are going to see different countries look at those specific new regulatory requirements coming in and make decisions on their own of whether they want to keep their data or allow it to go into different geographical regions. But for the most part, because I can't tell where we're headed, we are seeing the movement of each individual country or governing body make a decision for the data within their country and then we're just going to have to pivot and address that in a secured manner to make sure that we are adherent to their rules. There was a time where we were doing medical workloads in Europe, but when we were operating within France itself, we had to work out of a physical colo so we couldn't use a hyperscaler due to their rules. I can see something like that happening and it does increase efforts to support it. I would build things in code for the AWS cloud. We would use CloudFormation, but the moment that we wanted to do the same thing in France, I had to write everything in Puppet and bring it directly to the servers there and work through the environment. So that is another possibility that we may see is understanding how to still keep infrastructure and patching and all that through code, but in multiple different systems on the back end.
Dave Bittner
That's Jason Madigan, Director of Commercial Cloud Security at Booz Allen.
Dave Bittner
And finally, Peter G. Neumann, one of the most respected voices in computer security research, has died at the age of 93. Colleagues remembered him not only for his technical brilliance, but for decades of thoughtful warnings about insecure software, weak privacy protections, and the long-term risks of short-term thinking in technology. Neumann spent more than 50 years at SRI International and remained active in security research until his death. He helped pioneer secure computing concepts through projects like Multics, EMERALD and the DARPA-funded CHERI program, which developed hardware-based protections against common software vulnerabilities. He also edited the influential RISKS Forum for decades, documenting computer failures and security flaws with insight and humor. Friends and colleagues described Neumann as generous, deeply curious and quietly influential, a researcher more focused on solving problems than seeking recognition.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week, you can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: May 18, 2026
Host: Dave Bittner, N2K Networks
Guest: Jason Madigan, Director of Commercial Cloud Security, Booz Allen
This episode of CyberWire Daily focuses on groundbreaking events in the cybersecurity landscape: a significant exploit challenging Apple’s latest hardware protections, emerging concerns about the future of CISA, the impact of AI and data residency on cloud security, new threats in the NPM package ecosystem, and the collision of modern cyber-resilience strategies with evolving global data laws. In a key interview, Jason Madigan dives deep into the tension between resilience goals and data residency requirements in cloud architectures. The episode concludes with a tribute to influential security researcher Peter G. Neumann.
[15:39–28:23]
How increasingly strict global data residency laws are creating significant tension with organizations’ needs for cyber resilience in cloud environments.
Data as the Core of Resilience
Traditional Resilience Practices
The Data Residency Challenge
Government Motivations
Collision Point: Resilience vs. Residency
Risk of Single Points of Failure
Organizational Compromises
Regulatory Understanding
Future Outlook
The episode maintains an urgent, analytical, and forward-looking tone—characteristic for CyberWire Daily—balancing industry news with expert-driven context and caution for what’s next.
This episode delivers a snapshot of the evolving risks and priorities in cybersecurity, where advances in AI threaten once-impenetrable hardware, regulators and organizations grapple with data sovereignty versus business continuity, and the challenges of securing critical infrastructure and cloud environments multiply. The feature interview provides invaluable real-world perspective on architectural, legal, and operational trade-offs in multinational cloud deployments. A poignant closing pays tribute to one of cybersecurity’s most respected pioneers, Peter G. Neumann.