Security Now (Audio)
Episode 1062: AI-Generated Malware - Ireland Legalizes Spyware
Hosts: Steve Gibson and Leo Laporte
Date: January 28, 2026
Overview
In this episode of Security Now, Steve Gibson and Leo Laporte tackle a trio of urgent cybersecurity concerns: the uncertain future of the US Cybersecurity and Infrastructure Security Agency (CISA), the implications of Ireland's new law legalizing governmental spyware and broad interception powers, and the watershed marked by the discovery of "VoidLink," the first advanced malware demonstrably authored using AI. They also cover Microsoft's disclosure of escrowed BitLocker recovery keys to the FBI. The discussion combines technical insight, political nuance, and stark warnings for enterprises and individuals alike.
Key Discussion Points
1. The Uncertain Future of CISA (Cybersecurity and Infrastructure Security Agency)
[14:09 - 23:14]
- CISA History & Effectiveness:
- Steve describes CISA as a rare, successful government agency that’s been central in improving US national cybersecurity since 2015.
"Since its creation 11 years ago, in 2015, CISA has been a huge win for our nation's cybersecurity." — Steve Gibson [14:09]
- Funding and Reauthorization Problems:
- CISA was not initially set up as a permanent agency. Its continued operation relies on recurring Congressional funding and reauthorization.
- Recent funding bills only offer short-term extensions, creating uncertainty and causing industry pause, especially in areas requiring liability protection for information sharing.
- Senator Rand Paul is identified as a potential stumbling block, drafting a bill to remove critical liability protections; Steve expresses dismay at this possibility.
"If the government wants to know what's going on, as it should, then protecting those who are voluntarily disclosing is the entire point." — Steve Gibson [21:35]
- Outlook:
The podcast underscores the risk of reverting to a pre-CISA landscape if political dysfunction stymies reauthorization or removes essential protections.
2. Ireland Legalizes Government Spyware and Sweeping Surveillance
[23:18 - 40:00]
- Legislative Development:
- Ireland has passed new lawful interception legislation granting law enforcement and intelligence agencies wide powers to surveil all modern communication channels—including encrypted ones—and to use covert spyware.
- Main Provisions of the Law:
- Applies to all forms of digital communications (IoT, messaging, email).
- Explicitly legalizes the use of spyware (“covert surveillance software”) to access data on electronic devices.
- Obligates service providers to cooperate with government operations.
"Now it's a law. Now it's legal." — Steve Gibson [18:01]
- Encryption Under Siege:
- The law positions all forms of encryption as fair game, setting a precedent that may ripple across other EU states.
- Steve and Leo discuss how governments, after realizing strong encryption is mathematically unbreakable, are maneuvering to require access not by breaking encryption, but by obtaining data before it is encrypted, on the user's device.
"What they're recognizing is, well, we can't demand clear text from Signal, WhatsApp... So, we'll just get on everybody's phone. This is the next step." — Leo Laporte [37:29]
"They're going to outlaw their inability to spy." — Steve Gibson [40:11]
- The Slippery Slope:
- The episode highlights the risk of normalization, with Steve asserting that this is the legal codification of what some states were already doing covertly.
- Both hosts believe that ultimately, governments will seek to mandate pre-encryption access, possibly requiring apps or even hardware changes for “lawful interception.”
"Eventually only criminals will be able to use unbreakable encryption." — Steve Gibson [56:02]
- Opposition:
- European Digital Rights (EDRi) has launched a campaign and a document pool to challenge the normalization of spyware and to document its abuses, but Steve is skeptical this will overcome governments' appetite for surveillance.
3. The Commercial Spyware and Zero-Day Market
[44:46 - 56:34]
- Spyware as Big Business:
- The global commercial spyware market is now worth an estimated €12 billion per year, with governments around the world among its customers.
- Market thrives in secrecy, absence of accountability, and cross-border opacity.
"This market is now worth billions of euros... allowing companies to operate across borders and evading accountability." — EDRi Document [44:46]
- Zero-Day Vulnerabilities:
- The demand for exploits drives a lucrative gray/black market:
- iOS zero-days: $5–7M
- Android zero-days: up to $5M
- Chrome/Safari: up to $3.5M
- WhatsApp/iMessage: $3–5M
- Most “innovation” in spyware is fueled by freshly discovered vulnerabilities, which keeps Apple and Google in a perpetual arms race to defend their operating systems.
4. Microsoft, BitLocker, and Encryption Key Disclosure
[63:40 - 102:44]
- Forbes Revelation:
- Microsoft provided the FBI with BitLocker recovery keys in 2025 under court order—the first known such instance.
- Microsoft receives roughly 20 such requests a year and can hand over a key only when the user's recovery key has been backed up to a Microsoft account.
- That cloud backup exists so users can recover their data if the TPM, boot configuration, or password changes, but it also means a third party holds a key that unlocks the drive, which is a major privacy concern.
"It is simply irresponsible for tech companies to ship products in a way that allows them to secretly turn over users’ encryption keys." — Sen. Ron Wyden, D-OR [66:45]
- Comparisons with Apple and Meta:
- Apple and Meta (WhatsApp) do not design their systems so that they can access user keys, and thus cannot comply with such law enforcement requests.
"If Apple can do it, if Google can do it, then Microsoft can do it. Microsoft is the only company that's not doing this, ... it's a little weird." — Matthew Green, Johns Hopkins [66:45]
- Steve’s Take:
- Praises default encryption as a net benefit for consumers.
- Emphasizes trade-offs: the convenience to recover your data if you forget your key versus the risk that keys could be lawfully obtained by government.
"On balance, I would venture that many, many, many more Windows users’ data have been saved by this policy than... compromised by a law enforcement subpoena." — Steve Gibson [91:00]
- Technical Recommendations:
- Users who do not want Microsoft holding a usable copy can delete the key from their Microsoft account, rotate the recovery password so that any escrowed copy no longer unlocks the drive, and store the new key only on paper or removable media.
- Apple’s approach is highlighted: FileVault users generate a recovery key themselves, and Apple does not store it automatically.
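One way to carry out the rotate-and-store-offline advice above on a Windows 10/11 machine, as an added example that is not from the episode and not Microsoft's own sample code. It uses only the built-in BitLocker PowerShell cmdlets; the volume letter C:, the removable drive E: and the output file name are assumptions.

```powershell
# Added example: rotate a BitLocker recovery password so that the copy previously
# escrowed to a Microsoft account (or Entra ID / AD DS) no longer unlocks the volume,
# and keep the new one offline. Run from an elevated PowerShell prompt on Windows 10/11.
# Assumptions: $Mount is the encrypted OS volume and $Out is on removable media you control.
$Mount = 'C:'
$Out   = 'E:\bitlocker-recovery.txt'

# 1. Record the existing recovery-password protectors. Each one is a 48-digit key;
#    whichever of them Windows backed up is the one a court order could retrieve.
$before = @((Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')
$before | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 2. Add a fresh recovery password BEFORE removing the old ones, so the volume never
#    drops to zero protectors (BitLocker refuses to remove the last protector anyway).
#    Nothing in this step uploads the new key anywhere.
Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
$new = @((Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                   $_.KeyProtectorId -notin $before.KeyProtectorId })
if ($new.Count -ne 1) { throw "Expected exactly one new recovery protector, found $($new.Count)" }
$rp = $new[0]

# 3. Persist the new key to removable media first. If this fails, stop here, before
#    the old key is invalidated, so there is always a working recovery path.
@(
    "Volume:            $Mount"
    "Protector ID:      $($rp.KeyProtectorId)"
    "Recovery password: $($rp.RecoveryPassword)"
) | Set-Content -Path $Out -Encoding ASCII -ErrorAction Stop

# 4. Now remove the old recovery passwords. Any escrowed copy of them is now useless.
foreach ($p in $before) {
    Remove-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 5. Verify: exactly one recovery-password protector remains, and it is the new one.
$check = @((Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($check.Count -ne 1 -or $check[0].KeyProtectorId -ne $rp.KeyProtectorId) {
    throw 'Recovery protector rotation did not complete as expected'
}
"Rotated. New recovery key written to $Out; print it, store it offline, then delete the file."
```

Rotation is what actually neutralizes the escrowed copy; deleting the old key from the account's recovery-key page (https://account.microsoft.com/devices/recoverykey) is worth doing as well, and that page should be rechecked later, because a later device-encryption or account sign-in event may back a key up again. The trade-off Steve describes applies in full: on a TPM-only configuration the recovery password is the only path into the drive if the TPM or boot chain changes, so losing the paper copy means losing the data.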
5. AI and the Future of Malware: The “VoidLink” Case
[132:33 - 157:36]
- Check Point Research Discovery:
- Detection and analysis of “VoidLink”: the first high-quality, modular malware authored almost entirely via an AI-powered IDE (Trae, by ByteDance).
- The project was developed by a single individual using AI agents, resulting in “enterprise-level” sophistication in just one week.
"VoidLink stands as the first evidently documented case of this era as a truly advanced malware framework authored almost entirely by artificial intelligence." — Check Point Research (read by Steve) [132:33]
- Technical Methodology:
- The developer employed “spec-driven development”—using AI to generate project architectures, documentation, implementation, iterative improvement, and even simulated “multi-team” structures.
- Operational mistakes by the threat actor allowed Check Point to observe large portions of the development process, confirming the central role of AI.
- Implications for Cybersecurity:
- AI now enables even unskilled or moderately skilled threat actors to rapidly create sophisticated, custom malware.
- This lowers the entry barrier; Steve likens it to eliminating the “script kiddie” tier, since anyone can now create dangerous tools.
- Steve expresses strong concern about the asymmetry: AI favors attackers by automating and accelerating malware development, while defenders have no comparable force multiplier.
"We are almost certainly facing a forthcoming explosion in the volume and variety of malicious attacking code." — Steve Gibson [153:54]
Steve: “I would like to be able to imagine some form of silver lining for the defenders in this asymmetric war, but... I have been unable to come up with any. The benefit... is in no way even close to being symmetric.” [153:54]
- Final Warning:
"A great many of the world’s enterprises are sitting ducks, and entire new generations of would-be hunters who have been using slingshots have all just been up-armed with advanced cyber-rifles." — Steve Gibson [156:22]
6. Listener Feedback and Practical Security Insights
[104:35 - 128:00]
- AI in Enterprise Software:
- Alex Niehaus warned of repeating past mistakes by using AI as a simple developer replacement. AI should augment, not replace, skilled workers.
- Real-world Database Exposure:
- Listener Gavin described knowingly exposing production databases due to budget constraints and the gradual process of securing them correctly as resources allowed.
- ISP DNS and Privacy Practices:
- Steve describes how ISPs are uniquely positioned to track user activity: they see every plaintext DNS query and the server name in every TLS handshake. Encrypted DNS (DoH/DoT) removes the first signal, and TLS 1.3 with Encrypted Client Hello (ECH) removes the second; together they are the best current defenses.
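One way to put the encrypted-DNS half of that advice into practice on a Windows 11 client, as an added example that is not from the episode and not Microsoft's own sample code. It uses the built-in DnsClient cmdlets and the DNS Client Group Policy registry value; the resolver 1.1.1.1 and its DoH template stand in for whichever resolver you actually trust, and the adapter selection is an assumption to check before running it.

```powershell
# Added example: switch a Windows 11 client from plaintext UDP/53 DNS to DNS over HTTPS
# and verify the result. Run from an elevated PowerShell prompt.
# Assumptions: $Server/$Template are placeholders for your chosen DoH resolver, and the
# first adapter that reports 'Up' is the one whose DNS settings you want to change.
$Server   = '1.1.1.1'
$Template = 'https://cloudflare-dns.com/dns-query'
$IfIndex  = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).ifIndex

# Weak setting (shown, not applied): a DoH entry that may fall back to plaintext UDP
# whenever the HTTPS resolver is unreachable. Anyone on the path who blocks the DoH
# endpoint gets every query in the clear again.
#   Add-DnsClientDohServerAddress -ServerAddress $Server -DohTemplate $Template `
#       -AllowFallbackToUdp $true -AutoUpgrade $true

# Corrected setting: no UDP fallback. If DoH is unavailable, resolution fails closed
# rather than leaking. Replace any existing entry for this server first.
if (Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $Server) {
    Remove-DnsClientDohServerAddress -ServerAddress $Server
}
Add-DnsClientDohServerAddress -ServerAddress $Server -DohTemplate $Template `
    -AllowFallbackToUdp $false -AutoUpgrade $true | Out-Null

# The DoH entry only matters if the adapter actually uses that resolver.
Set-DnsClientServerAddress -InterfaceIndex $IfIndex -ServerAddresses $Server

# Require DoH machine-wide via the DNS Client policy value (as defined by the
# "Configure DNS over HTTPS (DoH) name resolution" policy: 1 prohibit, 2 allow, 3 require).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'DoHPolicy' -Value 3 -Type DWord

# Verify: the entry exists with fallback disabled, and a fresh lookup still works.
$cfg = Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $Server
if (-not $cfg -or $cfg.AllowFallbackToUdp) {
    throw 'DoH entry missing or UDP fallback still allowed'
}
Clear-DnsClientCache
Resolve-DnsName -Name grc.com -Type A | Format-Table Name, IPAddress -AutoSize
```

The final check worth doing is a packet capture on the adapter while browsing: with this configuration UDP/53 should stay silent and all resolution should appear as TLS to the resolver. Fail-closed DoH will break captive portals that hijack DNS, which is the price of not leaking. ECH is separate: it is negotiated by the browser, not the OS resolver, and browsers generally only use it when they fetch the site's HTTPS DNS record over an encrypted channel, so a browser-level secure-DNS setting may be needed in addition to the OS one.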
7. Other Memorable Moments
- The “Podcast Rewinder” Joke:
- Listeners riff on the obsolete Blockbuster “Be Kind, Rewind” with tongue-in-cheek requests for a “podcast rewinder”. Steve and Leo riff on potential (AI-powered, of course) solutions, poking fun at the idea of asynchronous podcast rewinding with parallel threads.
“We need asynchronous podcast rewinding for sure.” — Leo Laporte [130:00]
“Fire up a thousand threads and give each one a podcast.” — Steve Gibson [130:15]
- Notable Quote:
“When bad guys began hiding behind the same encryption that everyone else was using because it was there, law enforcement... were told... we, the providers of this technology, were unable to comply with lawful court orders to turn over their users’ data. They didn't really understand that modern encryption is absolutely unbreakable. That's what the industry created, period.” — Steve Gibson [34:27]
Episode Timestamps
- Main Theme Introduction: [00:00 – 01:33]
- CISA and Its Uncertain Future: [14:09 – 23:14]
- Ireland’s New Spyware Law: [23:18 – 40:00]
- Commercial Spyware Market and Zero-Days: [44:46 – 56:34]
- Microsoft, BitLocker, and Cloud Key Controversy: [63:40 – 102:44]
- Listener Feedback & AI in the Enterprise: [104:35 – 128:00]
- DNS Privacy and ISP Tracking: [118:34 – 128:00]
- VoidLink AI-Generated Malware Report: [132:33 – 157:36]
- Closing Thoughts and Outlook: [157:36 – End]
Conclusion
This episode of Security Now marks a turning point in the show’s chronicling of cybersecurity trends, with the arrival of genuinely AI-generated malware and the accelerated erosion of privacy through legislative changes. Steve and Leo urge their audience to understand the tradeoffs in security—whether with government-mandated spyware or convenient but risky cloud key backup—and to recognize that the AI genie, both for development and for attack, is irreversibly out of the bottle. The future, they warn, will be less secure for those who do not keep up—making education, vigilance, and critical thinking more vital than ever.
For detailed references, show notes, and transcripts, visit GRC.com or the Security Now episode page.