
Security Now Episode 1062: CISA's Uncertain Future, Legalized Spyware in Ireland, and AI-Generated Malware Threats
In this episode of the Security Now podcast, Steve Gibson and Leo Laporte discuss several pressing cybersecurity topics, revealing concerning trends and technological developments. One of the first issues addressed is the uncertain future of the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Established in 2015, CISA has played a critical role in protecting critical infrastructure and managing exploited vulnerabilities. However, its existence is not permanently guaranteed, as it depends on political decisions for funding and authorization. Steve Gibson expresses concern over the influence of political figures like Senator Rand Paul, who could jeopardize the agency's continuity. CISA has been particularly effective in enforcing strict deadlines for patching critical vulnerabilities, such as those listed in the Known Exploited Vulnerabilities (KEV) catalog. Without this agency, businesses and government entities could lose a vital ally in the fight against cyber threats.

Another major topic is Ireland's adoption of a new law on legal interception, which legalizes the use of spyware by law enforcement and intelligence agencies. This law, presented as a necessary update to 1993 legislation, grants authorities broad powers to monitor all forms of communication, including encrypted messages. Steve Gibson notes that this move reflects a global trend where governments seek to bypass encryption by legalizing intrusive surveillance tools. Ireland is not alone; Germany and other European nations are considering similar laws. The legislation also allows authorities to use spyware to access electronic devices, record communications, or disrupt networks used for illegal purposes. Gibson explains that this approach reflects governments' desire to control communications, even at the cost of citizens' privacy. Leo Laporte adds that this strategy could evolve into a requirement for users to install government-mandated apps on their devices to enable pre-encryption surveillance.

The podcast also covers the rise of AI-generated malware. Steve Gibson shares a recent discovery by Check Point Research, which uncovered an alarming example of malware entirely created by AI. The developer made a mistake by leaving an exposed directory on a server, allowing researchers to observe the creation process. This revelation highlights the growing risks of using AI to design sophisticated cyber threats. Attackers can now automate malware creation, making attacks faster, more targeted, and harder to detect. Gibson warns that this trend could democratize access to cybercrime tools, even for inexperienced actors.

Another discussion point is the response of European Digital Rights (EDRi) to the legalization of spyware in Europe. EDRi has launched a campaign to document abuses related to these tools and advocates for a total ban on spyware in the European Union. According to EDRi, these tools pose a serious threat to fundamental rights, democracy, and civic space. The organization notes that 14 EU member states have already used spyware against journalists, human rights defenders, lawyers, and political opponents. Gibson explains that the spyware market is estimated at around €12 billion annually, with companies exploiting zero-day vulnerabilities to bypass security protections. These vulnerabilities, which can cost between $3 million and $7 million depending on the targeted system, are used to infiltrate devices undetected. This creates a dangerous ecosystem where abuses often remain hidden until exposed by researchers or investigative journalists.

Finally, Gibson and Laporte discuss the practical implications of these developments. They emphasize that the legalization of spyware and the rise of AI-generated malware could have severe consequences for privacy and security. Governments could use these tools to monitor not only criminals but also political opponents, journalists, and activists. Additionally, the increasing use of AI in cybercrime could lead to more frequent and sophisticated attacks, posing a major challenge for businesses and individuals. Gibson stresses the need to remain vigilant and understand the technological and political stakes shaping the cybersecurity landscape.