Talkin' Bout [Infosec] News — Episode Summary
Episode: Pentagon Declares Anthropic a Supply Chain Risk (March 2, 2026)
Release Date: March 6, 2026
Host: Black Hills Information Security (BHIS) team
Panel: John Strand, Ralph, Bronwyn, Wade, Ashley, Megan
Main Theme / Purpose
This week’s episode explores the Pentagon’s declaration of Anthropic (creator of the Claude AI model) as a supply chain risk, the larger implications for government contractors and AI use in critical infrastructure, and a detailed look at recent news in cybersecurity including new attack trends with AI, major breaches, legislative moves around technology, and critical vulnerabilities affecting infrastructure. The hosts balance news discussion with expert perspective, humor, and a few historical and cultural reflections.
Key Discussion Points & Insights
1. Pentagon Labels Anthropic a Supply Chain Risk
- [09:04] Ralph: Recaps a brewing feud between Anthropic and the Pentagon. Anthropic refused Pentagon requests:
- “Two hard nos: 1) no carte blanche for autonomous killbots, and 2) no mass surveillance of US citizens.”
- [10:42] John Strand: Points out: “There’s no law against killbots, just internal policy. That’s crazy to me.”
- Pentagon responded by declaring Anthropic a supply chain risk. Contractors are told to replace use of Claude within six months.
- [11:58] John Strand (Joking): “OpenAI signed a contract with the government. They were like, we love killbots. We’re working and we love mass surveillance. These things are awesome.”
Industry and BHIS Response
- The team uses Claude heavily and is not planning to stop unless forced.
- [15:29] John Strand: “We don’t make decisions based on one idiot in the Pentagon. If we get actual policy documents, we’ll have another conversation.”
- [16:16] John Strand: “It’s within Anthropic’s rights to say, ‘we’re willing to work with you under these conditions,’ and they did. You can’t Darth Vader it and change the terms later.”
2. Governments Banning/Regulating AI Usage
- [17:03] Ralph: Notes the EU Parliament has now banned built-in AI tools (e.g. Copilot, ChatGPT, Claude) on official devices.
- [19:16] Bronwyn: Points out these bans are easier against default tools, but real challenge is controlling third-party/online AI use.
- [19:34] John Strand: Discusses EU countries investing in open source replacements for US-based SaaS and AI products.
3. AI in Cyber Offense & Defense
- [21:19] Ralph: Details how AI increasingly empowers both attackers and defenders, referencing a breach of a Mexican government system reportedly carried out with AI assistance (possibly via Claude).
- [23:28] Ralph: Summarizes CrowdStrike Global Threat Report: “AI-enabled adversaries increased operations by 89%. If you’re not using AI, you’re doing it wrong—as a threat actor or pen tester.”
- [25:23] Ralph: “CrowdStrike says mean time to lateral movement is now 29 minutes. But this often means moving on to access more data/services, not just another host.”
Offense-Defense "Arms Race"
- [27:23] John Strand: “A lot of vendors promise AI will solve the SOC. Offensively, others say AI has solved pen testing. In the end, hackers show us the way—whatever tools work, both sides will use.”
Vendor Lock-In, Supply Chain, and Economic Risks
- [30:26] John Strand: Warns that companies viewing AI as a “rip and replace” for IT/infosec staff will be disappointed.
- [31:10] Ralph: “Vendor lock... You become the market, and then you say: so boys, how much should a token cost?”
- Discussion of the future if access to “frontier models” like Claude is locked off — could undermine capabilities for both crime and defense.
4. Critical Infrastructure & Supply Chain Vulnerabilities
- [41:47] Ralph: Discusses CISA’s emergency directive for Cisco SD-WAN devices (CVE-2026-20xxx): an authentication bypass yielding administrative privileges, exploited at nation-state level since 2023.
5. ShinyHunters Hit on Dutch Telecom (Odido)
- [44:06] Bronwyn & John Strand: ShinyHunters exfiltrated customer data (addresses, bank details, IDs) and attempted extortion. Emphasis on over-collection of sensitive data and lack of true protections even at national telecoms.
6. Smart Glasses and Privacy
- [53:59] Ralph: Reports on an app that detects if someone nearby is wearing Meta Ray-Ban smart glasses by their Bluetooth signature — demonstrates how privacy countermeasures can “out” surveillance tech in public.
- Panel notes that disabling the “recording light” is already an underground service, and this is part of a long continuum from spy cams to Google Glass “glassholes” to today’s AI-powered sunglasses.
7. Regulatory & Legislative News
- [46:16] Ralph & Ashley: California’s flirtation with requiring operating systems to verify user age. Satire about feasibility (“Click the floppy disk to proceed!”) alongside concern about sweeping, unimplementable laws.
- Recognition that regulatory ‘overreach’ (especially in California/EU) could backfire, create pseudo-compliance, or drive innovation in unexpected directions.
8. Other Topics, Memorable Moments, and Lightning News Round
- GrapheneOS & Motorola partnership leak: Possible privacy-centric Android phones beyond Pixel. Cautious optimism about consumer choice and “DIY SaaS.”
- Vulnerabilities: Reference to a new Wi-Fi exploit (but highly academic, unlikely to be practical at scale for now).
- Battle between Defender and Attacker Tech: Panel returns to the reality that as offensive AI improves, defensive AI must keep pace, but “AI is not the silver bullet.”
- Password manager attacks: Gentle reminder that everything can be popped; still better to use strong managers.
Notable Quotes & Memorable Moments
- [09:35] John Strand: “That seems like an oversight. No, killbots should be a law.”
- [13:07] John Strand: “So basically, what if we outsource it?”
- [15:29] John Strand: “We don’t make decisions based on one idiot in the Pentagon... If we start getting actual policy documents, we’ll have another conversation.”
- [16:16] John Strand: “You can’t Darth Vader it and be like, we’re changing the terms, pray we don’t change them any further.”
- [23:28] Ralph: “AI-enabled adversaries increased operations by 89%. If you’re not using AI, you’re doing it wrong.”
- [30:26] John Strand: “A lot of companies are looking at AI as a rip and replace or downsize. Instead, it should augment the team.”
- [44:59] John Strand: “Talk about legislation we need: you need to have some type of security around [identity images]. But almost every time, something bad does happen.”
- [47:00] John Strand: “This gets into this balance—’Won’t somebody think of the children?’... If you try to have privacy arguments, they’re like, ‘But you support criminals!’”
- [54:37] Ralph: “Someone made an app that tells you if someone nearby is wearing Meta Ray-Ban smart glasses…I love this so much.”
- [63:27] Ralph: “I only use transport over carrier pigeons, which, so far, none of these attacks work.”
- [63:54] John Strand: "The other thing to keep in mind is what do you call a pigeon in a blender? Fragmentation reassembly."
Timestamps for Important Segments
- [09:04] – Backstory: Anthropic, killbots, and Pentagon risk label
- [11:58] – OpenAI wins government contract, willingness for mass surveillance
- [15:29] – BHIS stance on continuing to use Claude
- [17:03] – EU bans built-in AI on official devices
- [21:19] – Mexican government breach & rise of attack "chains" with AI
- [23:28] – CrowdStrike report: 89% of attacks now AI-enabled
- [25:23] – 29-minute lateral movement in e-crime; definition(s) debated
- [27:23] – Defensive vs Offensive AI: vendor promises vs reality
- [41:47] – Critical Cisco SD-WAN zero day and government exploitation
- [44:06] – ShinyHunters breach at Dutch telecom Odido
- [46:16] – California’s plan to require OS-level age verification
- [53:59] – Bluetooth alert app for Meta smart glasses
- [61:36] – Academic Wi-Fi exploit—analysis and real-world risk
- [63:54] – Carrier pigeons as a (not so) secure transport protocol
Flow, Tone, and Style
The panel deploys an irreverent, conversational style, often joking about news items even as they deliver significant technical insights. There is a strong focus on the real-world impact of government and vendor decisions, measured skepticism about "silver bullet" solutions (especially for AI), and refreshing candor about cyber offense and defense realities. The hosts encourage nuanced takes, relate points to past events, and maintain a playful, community vibe.
Bottom Line
- This episode is a can’t-miss for listeners eager to understand how AI supply chain decisions cascade through government, industry, and the security community.
- Strong focus on the power—and double-edged sword—of AI in the hands of both attackers and defenders, and the tangled regulatory and practical implications of real-time, government-level tech decisions.
- Practical insights, witty banter, and plenty of tech “inside baseball” make this a valuable orientation for the coming year in infosec and AI policy.
For further reading, check show notes or referenced reports for full details on CrowdStrike’s threat findings, EU/US bans, and technical writeups of the vulnerabilities discussed.