
Cyber and AI take center stage.
The House passes a defense policy bill that includes new provisions on cybersecurity and artificial intelligence. Senator Wyden accuses Microsoft of “gross cybersecurity negligence” after a 2024 ransomware attack crippled healthcare giant Ascension. The White House shelves plans to split U.S. Cyber Command and the NSA. The Pentagon finalizes its long-awaited Cybersecurity Maturity Model Certification (CMMC 2.0) rule. Akira ransomware group targets SonicWall devices. Officials warn solar-powered highway infrastructure should be checked for hidden radios. The Atlantic Council maps the global spyware market. Researchers uncover serious flaws in Apple’s AirPlay. A European DDoS mitigation provider thwarts a record-breaking attack. My Caveat cohosts Ethan Cook and Ben Yelin unpack the cyber elements of the Big Beautiful Bill. Who fixes the vibe code?
Today is Thursday, September 11th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The House passes a defense policy bill that includes new provisions on cybersecurity and artificial intelligence.
The US House of Representatives has passed an $848 billion defense policy bill that includes new provisions on cybersecurity and artificial intelligence. The National Defense Authorization Act (NDAA) was approved in a 231-196 vote and sets Pentagon policy for the year. While less sweeping than past cyber debates, the bill still carries weighty digital measures. It directs the NSA to brief lawmakers on plans for its Cybersecurity Coordination Center and requires combatant commands to report on Cyber Command’s support. The Pentagon would also build a “software bill of materials” for AI-enabled tools and pursue up to 12 initiatives using generative AI for cybersecurity and intelligence. Amendments adopted allow NSA-private sector threat sharing and task the DOD with studying the National Guard’s cyber response role. The Senate will take up its version next week.
Senator Wyden accuses Microsoft of “gross cybersecurity negligence” after a 2024 ransomware attack crippled healthcare giant Ascension.
Sen. Ron Wyden is urging the Federal Trade Commission to investigate Microsoft after a 2024 ransomware attack crippled Catholic healthcare giant Ascension. Wyden accuses Microsoft of “gross cybersecurity negligence,” citing its default support for RC4 encryption, a 1980s-era standard vulnerable to a hacking method called “Kerberoasting.” Attackers allegedly exploited this weakness in Ascension’s Microsoft Active Directory, spreading ransomware that disrupted 140 hospitals across 19 states and exposed data on nearly 6 million patients. Wyden argues Microsoft failed to warn customers clearly, instead burying guidance in obscure blog posts. Microsoft acknowledged RC4’s risks but said abruptly disabling it would break systems, pledging instead to phase it out by 2026. Wyden likened Microsoft to “an arsonist selling firefighting services” given its market dominance in enterprise IT.
The White House shelves plans to split U.S. Cyber Command and the NSA.
The Trump administration has decided to keep U.S. Cyber Command and the NSA under “dual-hat” leadership, shelving plans to split the roles due to the complexity and risks of restructuring. Officials concluded a separation could take six years, slowing national security priorities. Army Lt. Gen. William Hartman, currently acting leader, is Trump’s choice to head both agencies permanently, reinforcing the arrangement’s benefits for speed, coordination, and unified direction. Lawmakers largely support the move, warning a split could weaken U.S. cyber and intelligence capabilities.
The Pentagon finalizes its long-awaited Cybersecurity Maturity Model Certification (CMMC 2.0) rule.
The Pentagon has finalized its long-awaited Cybersecurity Maturity Model Certification (CMMC 2.0) rule, requiring stricter cyber standards for defense contractors. The framework, first proposed in 2019, aims to safeguard sensitive but unclassified information across the defense industrial base, which includes over 300,000 companies. Rolled out in three phases over three years starting Nov. 10, CMMC sets three security levels: contractors handling federal contract information may self-attest, while those with more sensitive data must undergo third-party or Defense Industrial Base Cybersecurity Assessment Center certification. The program reduces the original five levels to three, easing compliance concerns for small businesses. Still, experts warn most contractors lack strong governance and encryption practices. Ultimately, nearly all defense vendors will need to adjust operations to meet the new requirements.
Akira ransomware group targets SonicWall devices.
In August 2024, SonicWall disclosed CVE SNWLID-2024-0015, an SSLVPN flaw affecting Gen5–Gen7 firewalls. Though patches were released, incomplete remediation left devices exposed. The Akira ransomware group has since exploited this, combining the CVE with two additional risks: over-provisioned access from SSLVPN Default Groups and public exposure of the Virtual Office Portal, which attackers use to hijack MFA setups. Rapid7 has observed rising intrusions and urges organizations to patch, enforce MFA, restrict portal access, rotate local accounts, and monitor SSLVPN activity closely.
Officials warn solar-powered highway infrastructure should be checked for hidden radios.
The U.S. Department of Transportation has issued a security advisory warning that solar-powered highway infrastructure, such as EV chargers, traffic cameras, and weather stations, should be checked for hidden devices like undocumented radios, Reuters reports. Officials say foreign-made inverters and battery management systems have been found with rogue components, often linked to Chinese suppliers. These devices could enable remote tampering, triggering outages or data theft. Experts warn they might also sabotage roadside systems or autonomous vehicle networks. The advisory urges transportation operators to inventory inverters, use spectrum analysis to detect unauthorized signals, remove rogue radios, and ensure network segmentation. The warning comes amid wider U.S. efforts to limit Chinese technology in critical infrastructure, including restrictions on Chinese-made cars set to take effect by 2026.
The Atlantic Council maps the global spyware market.
Spyware, commercial intrusion software enabling covert access to devices, poses acute human rights and national security risks. The Atlantic Council’s updated “Mythical Beasts” project maps the market through 2024, expanding its dataset to 561 entities across 46 countries (130 new, including 43 founded in 2024). Notably, U.S.-based investors now make up the largest share, despite U.S. sanctions, visa restrictions, and diplomacy aimed at curbing proliferation. Resellers and brokers have also emerged as critical, under-researched intermediaries that obscure vendor–buyer links and expand regional reach. Recent events underscore the stakes: NSO Group was fined $168 million in the U.S. over Pegasus targeting WhatsApp. The report highlights persistent patterns, jurisdiction hopping, serial entrepreneurship, hardware partnerships, and major transparency gaps in corporate registries. Policy recommendations center on tightening oversight of outbound U.S. investment, boosting disclosure and due diligence, scrutinizing intermediaries, and improving public registries to increase accountability and slow the spread of abusive spyware.
Researchers uncover serious flaws in Apple’s AirPlay.
Researchers at Oligo uncovered serious flaws in Apple’s AirPlay protocol and SDK, dubbed AirBorne, that could enable remote code execution, data theft, and man-in-the-middle attacks. One bug, CVE-2025-24132, allows wormable zero-click exploits. Oligo demonstrated attacks on Apple CarPlay, showing hackers could connect via USB, Wi-Fi, or Bluetooth. Due to weak authentication in CarPlay’s iAP2 protocol, attackers can impersonate iPhones, steal Wi-Fi credentials, and hijack systems. Apple patched CVE-2025-24132 in April, but most automakers have yet to deploy fixes, leaving millions of vehicles exposed.
A European DDoS mitigation provider thwarts a record-breaking attack.
A European DDoS mitigation provider was hit by a record-breaking attack peaking at 1.5 billion packets per second. The assault, launched from thousands of compromised IoT devices and MikroTik routers across 11,000 networks, was mitigated by FastNetMon using the customer’s scrubbing facilities and ACLs on edge routers. Though the target wasn’t named, the attack highlights the growing weaponization of consumer hardware. FastNetMon’s founder warned that without proactive ISP-level filtering, such massive UDP floods could overwhelm defenses and cause widespread service disruptions.
Who fixes the vibe code?
The rise of “vibe coding,” that magical process where AI generates software that looks fine until it implodes, has given birth to an unlikely cottage industry: vibe code fixers. What began as a LinkedIn meme about “cleanup specialists” has become a legitimate business. Freelancers like Hamid Siddiqi now offer to fix clunky frontends, optimize messy code, and rescue apps that crash whenever someone sneezes. Companies such as Ulam Labs openly advertise post-vibe cleanup services, while VibeCodeFixers.com connects desperate founders with seasoned developers. The common issues are as predictable as they are tragic: broken features when new ones are added, inconsistent design, and what one founder calls “credit burn,” wasted money on AI usage fees as apps unravel in their final stages. Yet, despite the chaos, vibe coders remain emotionally attached to their Franken-apps. As Swatantra Sohni puts it, AI may help people prototype, but humans will still be needed “to keep this AI on the leash.”
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
