Tim Starks (13:01)

Foreign.

Dave Bittner (13:09)

Hey everybody, Dave here. I've talked about Delete Me before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. Delete Me keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The Delete Me team handles everything. It's the set it and forget it piece of mind. And it's not just for individuals. Deleteme also offers solutions for businesses helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal. 20% off your DeleteMe plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K. And now a word from our sponsor, Threat Locker. Keeping your system secure shouldn't mean constantly reacting to threats. Threat Locker helps you take A different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com. it is my pleasure to welcome back to the show Tim Starks. He is a senior reporter at cyberscoop. Tim, welcome back.

Tim Starks (15:15)

Hi there, Dave.

Dave Bittner (15:16)

There are two of your articles that I want to highlight in our time together here today. The first I want to touch on. You were there when Sean Cairncross was getting grilled, his aspirations to be national cyber director. Tell us about that.

Tim Starks (15:36)

Yeah, I think he was grilled in some. I know you used that phrase loosely, but there was one topic that I think he got grilled on. The rest of the questioning was relatively friendly, relatively open to the idea of Sean Cairn cross. The subject he got grilled on was the cuts at cisa. You know, that he's obviously coming there and talking about how important cybersecurity is, and he's, you know, touting himself for the job. And lawmakers naturally ask, well, okay, if cyber's so important, how are you going to be ultimately presiding over these gigantic $495 million cuts to CISA? In one sense, it's a fair question to ask him. In another sense, it's not because he's obviously not directly responsible for CISA's budget. But, you know, he specifically mentioned the authority he has with OMB to set budget guidance. That's something that is an authority that has been used by past people who have run this office. So he does have some say in that budget. And he more or less sidestepped the question. There are a couple different ways he kind of answered around, around the edges of it, saying, you know, well, we're going to look at the most efficient way to do things, form follows function, a lot of cyber defenses in the private sector. But he never directly said this is okay because. Or he never said this is wrong because. So I think that's a topic I grilled on. And they touched on the sort of things that you might expect, bigger picture vision, the threats that he's most worried about, that kind of thing.

Dave Bittner (17:03)

Yeah. What about his, I guess, comparative lack of cyber experience? How much did he get questioned about that?

Tim Starks (17:10)

He got one question on that, but he answered it rather extensively. I don't get the impression it was an answer that the lawmakers found unsatisfactory. He pointed out that he has management experience, which I think is true. He does have. He talked about running operations with thousands of people and billions of dollars. He talked about surrounding himself with smart people. I think the answer that was maybe a little less credible is that he said, I've dealt with cyber on the user end of things.

Dave Bittner (17:39)

Well, haven't we all?

Tim Starks (17:43)

He can rightly say, oh, you know, I've dealt with the FBI intelligence community on attacks against organizations I was part of. Obviously he was part of the rnc and that was an organization that probably dealt with a fair share of cyber attacks. But I don't know if that, you know, that answer was a little less, that was a little weaker answer. You know, if you look at the people who endorsed him in a letter earlier this week, included a lot of industry officials, included a lot of past intelligence and cyber folk from administrations, mostly GOP administrations, but not entirely. They talked up his management piece. And I think that's an argument that he can point to and say, this is why I deserve the job. Those were people who were a little bit, those were people who were very cyber experts. We said, we're still endorsing from the job, didn't mention his lack of cyber experience. They seem to think the other parts of his resume were more important. And he came off as a serious guy. It seemed like he'd done his homework. He didn't, he didn't fumble any answers. You know, at the same hearing, there was a person who, who was, who was at fema. And even though there was the, the recent kerfuffle with the, with the story about the FEMA director not knowing when hurricane season was, this person failed the answer. So if you're looking at his credibility from that standpoint, he, he really did seem to me like someone who had, who was taking this very seriously and, and has studied up on the subject. Whatever, whatever information he lacked before he came off, he came off as someone who had a grasp, if not command of the issues.

Dave Bittner (19:08)

Yeah. Was your sense that the folks who were doing the questioning came along satisfied that he's up for the job?

Tim Starks (19:17)

Unclear. Gary Peters, who's the top Democrat on that committee. A couple reporters tried to ask him, how are you going to vote? And he said, basically, you'll find out when I vote. There's probably a little bit of snake bitten quality to Democrats having voted for some of these Republican nominees who they've later turned out to just really think are doing a terrible job. So I don't know. I don't know if he gets much of a benefit of the doubt from Democrats. You know, obviously he can get confirmed as long as he has Republicans on his side in the Senate. So it may not matter that much. But the answers that he gave on CISA's budget were not satisfactory to the senators who asked about it is what I would say. So we'll see how it goes. A little unclear if he won over anyone, but I don't think he hurt himself per se in the sense that he needs Republicans and there was no sign that Republicans were dumping shit.

Dave Bittner (20:04)

Yeah. I want to shift here to another story. You wrote you had a scoop here. This was a letter that Representative Garbarino wrote about CISA's mobile app security program and he's taking issue with that program coming to an end.

Tim Starks (20:21)

Yes, it's like I say, cyberscoop. It's in the name.

Dave Bittner (20:26)

So we shouldn't be surprised when these scoops come one after the other, right?

Tim Starks (20:31)

That's one way to look at it.

Dave Bittner (20:33)

Yeah.

Tim Starks (20:33)

Yeah.

Dave Bittner (20:33)

So when the legislators are thinking to themselves, who should I give this scoop to?

Tim Starks (20:37)

Wait, what's publication has scoop in their name?

Dave Bittner (20:41)

Right. Yes. It's very smart of you all.

Tim Starks (20:43)

Yes. Good marketing. So, yes, this is an example of where Republicans and the administration are not necessarily seeing eye to eye. There's been a lot of lockstep. I think one of the issues where there hasn't been lockstep is on cyber. The Republicans have, in a number of positions of power have been raising some doubts about what the administration wants to do on cyber. In this case, Andrew Garbarino, who's the top, top Republican on the cybersecurity subcommittee of House Homeland, had sent a letter to Christine Ohm saying, hey, you're ending this so called mobile app vetting program in June. I think that's maybe a bad idea. The program is used to help agencies in the federal civilian executive branch test out apps that they either create or third party apps. There was a clever bit of craftsmanship on this letter that I'll talk about in one second, but the gist is garbage. Thinks this is a good program. It's very helpful, especially in a time when salt typhoon affected the telecommunications sector and it was discovered in the executive branch first if accounts were to be believed. So the craftsmanship part that I found entertaining and interesting was it pointed to ice, the Immigration Custom Enforcement Agency having made use of this program. And I think we all know how near and dear ICE is to the administration. They're talking about plussing it up. They're obviously making thousands of arrests. So I think it was smart to say, hey, look, I's had some problems with some untrustworthy, risky apps. They turn to this program as part of the solution to that.

Dave Bittner (22:26)

And he requested a briefing here. He's on a bit of a timeline.

Tim Starks (22:31)

Yeah, he asked for one by June 13th. We will see if they get that. As I pointed out, Garbarino and others on the House Homeland Security Committee have said, hey, we're waiting for answers and briefings on CISA personnel cuts. That was a few weeks ago. They may have gotten an answer since then, but I have not heard that they have. So, yeah, he's asked for what that he also did bring up something that we, you know, you and I talked recently about the salt typhoon series that we did at cyberscoop, where one of the points that people made, it wasn't unanimous, but that some people brought up was, hey, CISA has so many sector Risk Management Agency responsibilities. They're the lead coordinator essentially for certain critical infrastructure sectors and working with the private sector on all sorts of security issues. CISA has eight of those out of the 16 sectors, I believe. And I think DHS broadly has, I think, part of at least 10. So one of the things people have suggested to me from my story was, hey, look, these agencies, the telecom sector doesn't seem to be getting the kind of attention it needs. The relationship is not as strong as it should be. And maybe one of the reasons is that is that CISA has too much going on on its plate. Maybe they gave short shrift to the telecom sector at a time when they shouldn't have. So as part of this letter, he also said, hey, you need to prioritize your review, Christine, of the idea of whether CISA should have these kinds of SMRA roles. And that would be something he wants as part of the briefing as well.

Dave Bittner (24:03)

It's interesting to me. Well, my take, and I'm very curious to see if you agree with me, is that my impression is that with the answers I've seen Kristi Noem give when questioned about CISA and the funding and the future of the organization, they all come back to the, the beef that the Trump administration has with CISA going back to the 2016 election. And it just seems to me like that's this bump in the road that they just can't get past. Like it's, it doesn't seem to me an objective argument. It's an emotional one. Am I on base there?

Tim Starks (24:47)

I think you are potentially on base. I think if you look at, let me suggest an alternative hypothesis here. If you look at the proposal that the Trump administration has for fiscal 2026 for CISA, and you look at some reporting in Axios that others have confirmed that not only are they proposing in the budget cutting more than 1,000 people, we're talking about approximately a third of the agency that if you look at it, they actually already have cut those numbers. And if you look at the numbers, they're not all coming out of the election security piece of things where the, where the administration, where the conservatives have been very fired up towards CISA about this, that's 14 people. 14.

Dave Bittner (25:30)

Right.

Tim Starks (25:31)

14 out of 10. 83. And if you look at who they're proposing cutting or who have they actually have already cut, it's every kind of person. And they're not filling vacancies. Naturally. Those jobs are cyber jobs. They're not just jobs where you're like, oh, these people incidentally worked on misinformation. They didn't. So it might be more a justification for doing something that the argument they're making is look at how dangerous this so called censorship was when in fact they're just looking for a reason to cut the size of government overall. And this is sort of the face of that. This is the tip of the spear toward getting rid of a vast amount of the federal government.

Dave Bittner (26:13)

Yeah. And I suppose, I mean, it could be my own failure in that, you know, Kristi Noem, when speaking about this, that is the thing I think she is most passionate about. So maybe I'm, you know, in my own mind I'm taking great measure of that because with the determination that she speaks with it and maybe that's not justified.

Tim Starks (26:32)

No, I think, I think, I think that's the thing that, yeah, the things, when you bring up cisa, the first words out of her mouth is we're getting back on mission, we're not going to have this censorship that we had in the past. So I think that's definitely what she's most interested in CISA about. But I think there's also, I think it's possible that both hypotheses are true here. Right. That it's this idea that this agency is bad because it did something bad ever in their minds and. Or it's also an excuse to cut down the size of government.

Dave Bittner (27:02)

Yeah. All right, well, Tim Starks is senior reporter at cyberscoop. We will have a link to both of these stories in our show notes. Tim, thank you so much for taking the time for us.

Tim Starks (27:11)

Thank you, Dave.

Dave Bittner (27:25)

Compliance regulations, third party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear. There is a better way. Banta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials from internal and third party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC how much easier trust can be? Get started@vanta.com cyber and finally, our Jolly Roger desk tells us millions of Brits are reportedly risking prison time for using hacked Amazon fire sticks to stream their favorite shows on the cheap. According to the Mirror, this national pastime of streaming Netflix, HBO and Disney for the price of a takeaway coffee may now come with a side of malware or a court date. These jailbroken devices, which disable Amazon's restrictions to allow third party apps, can expose users to shady software and hackers eager to swipe your personal information. Worse still, the money saved might be lining the pockets of a 21 billion pound black market empire. Sellers promote pirated bundles on Facebook and close deals via WhatsApp, that favored tool of modern pirates and high school group chats alike. Authorities aren't amused. Kieran Sharp of the Federation Against Copyright Theft warns users are breaking the law. And yes, some sellers have already done time because nothing ruins movie night like malware and a court date. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week you can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights and until the end of August this year, there's a link in the show notes and we do hope you will check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Tim Starks (31:08)

SA Foreign.

Dave Bittner (31:38)

From our Sponsor Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate Darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire.