Detailed write-ups
CISA contractor leaked AWS GovCloud keys on GitHub — and the political pressure has begun
Brian Krebs reported that a contractor account named “Private-CISA” — tied to Nightwing — sat on a public GitHub repo since November 2025 containing AWS GovCloud admin tokens, plaintext credentials for dozens of internal CISA systems, and 844 MB of artifacts across git history. GitHub’s native secret-scanning had been disabled on the repo, and the AWS keys reportedly remained valid for 48 hours after the takedown notice. The leak is now the cleanest available case study on contractor governance: it pierces every assumption boards make about how a federal cyber agency’s own supply chain manages secrets.
Follow-on Krebs reporting added that other researchers found additional exposed credentials during the cleanup, that Nightwing’s onboarding/offboarding controls did not catch the public-repo configuration, and that CISA is still working through the blast radius. For CISOs, the action list is short and specific: re-baseline secret-scanning on every contractor and vendor org you can see, force a rotation of long-lived cloud keys, mandate OIDC trusted-publishing or short-lived workload identity for any CI/CD that touches production, and have legal review your contractor MSAs for explicit secret-management and breach-notification clauses.
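Two of the action items above (re-baseline secret scanning, rotate long-lived cloud keys) reduce to inventory checks. The example below is added here and is not code from Krebs, CISA or Nightwing; it runs over constructed sample data shaped like the GitHub REST API repository object (`security_and_analysis.secret_scanning.status`) and boto3 `iam.list_access_keys` output, and the 90-day rotation threshold is an assumed policy value.

```python
"""Re-baseline checks: repos with GitHub secret scanning not enabled, and
active IAM access keys past a rotation age. All sample data is constructed."""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumption: your rotation policy, not a CISA number

# Constructed sample of what a GET /orgs/{org}/repos page might contain.
SAMPLE_REPOS = [
    {"full_name": "example-org/infra", "visibility": "public",
     "security_and_analysis": {"secret_scanning": {"status": "disabled"}}},
    {"full_name": "example-org/app", "visibility": "private",
     "security_and_analysis": {"secret_scanning": {"status": "enabled"}}},
    {"full_name": "example-org/legacy", "visibility": "public"},  # field absent
]

NOW = datetime(2026, 5, 26, tzinfo=timezone.utc)  # constructed "today"
# Constructed AccessKeyMetadata entries in the shape boto3 returns them.
SAMPLE_KEYS = [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
    {"UserName": "old-contractor", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=900)},
]


def repos_without_secret_scanning(repos):
    """Return (name, visibility, status) for repos whose secret scanning is
    not reported as enabled. A missing field is a finding: unknown is not on."""
    findings = []
    for repo in repos:
        analysis = repo.get("security_and_analysis") or {}
        status = analysis.get("secret_scanning", {}).get("status")
        if status != "enabled":
            findings.append((repo["full_name"], repo.get("visibility"),
                             status or "unknown"))
    return findings


def stale_active_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key id, age in days) for active keys older than the limit.
    Inactive keys are skipped: they should be deleted, not rotated."""
    cutoff = now - timedelta(days=max_age_days)
    return [(k["UserName"], k["AccessKeyId"], (now - k["CreateDate"]).days)
            for k in keys
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]


if __name__ == "__main__":
    for name, vis, status in repos_without_secret_scanning(SAMPLE_REPOS):
        print(f"SECRET SCANNING {status}: {name} ({vis})")
    for user, key_id, age in stale_active_keys(SAMPLE_KEYS, NOW):
        print(f"ROTATE: {user} key {key_id} is {age} days old")
```

Against real data, page through the org's repositories and each IAM user's keys with the two APIs named in the lead-in and feed the results into these functions; the public, scanning-disabled repo is the configuration the Krebs reporting describes.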
The political dimension matters too. Senator Hassan sent CISA a 12-question letter demanding a briefing by June 5 and separately requested an “urgent” classified briefing. Whatever your federal exposure, expect customers and auditors to ask “could this happen to us?” in the next 30 days — have the secret-scanning, key-rotation, and contractor-repo inventory numbers ready before they do.
Sources: KrebsOnSecurity (May 19) · KrebsOnSecurity (May 22) · Axios
Verizon DBIR 2026: vulnerability exploitation finally overtakes credential theft
For the first time in 19 years of DBIR data, vulnerability exploitation (31%) overtook credential abuse (13%) as the top initial-access vector. Third-party-related breaches jumped roughly 60% year-over-year. Ransomware appeared in 48% of incidents. The harder data point: organizations patched only 26% of CISA KEV entries in the reporting window, down from 38% in the prior year — in a window when AI is compressing time-to-exploit from months to hours.
For board narratives, this is a thesis-shifting year. The decade-long “identity is the new perimeter” framing isn’t wrong, but the marginal dollar now also has to go into KEV-aligned remediation velocity, third-party blast-radius modeling, and exposure-management programs that actually translate scan-to-fix lead times into something measurable on a board pack.
Sources: SecurityWeek
The AI-governance reality-check cluster: the C-suite is the shadow-AI problem
TrustedTech’s 2026 Shadow AI in the Workplace report flipped the conventional story: 65% of decision-makers admit using unapproved AI tools versus 31% of employees below decision-maker level. 78% of decision-makers describe themselves as “confident” using AI vs. 43% of staff; 44% acknowledge their organization lacks any AI-safety training; and roughly a third say they would keep using their AI of choice even if the company explicitly banned it. The people writing the AI policies are bypassing them.
Two companion data points reinforce the picture. CIO’s “AI confidence trap” piece (Grant Gross) cites Economist Impact survey work showing 84% of IT leaders say their AI projects are exceeding estimates, while only 43% require teams to track impact and 39% review AI projects for safety risks after deployment. Eddie Milev’s warning lands: “If companies don’t sustain governance after they deploy AI systems, they run a massive risk to have these systems go rogue.” Splunk’s Hidden Costs of Downtime 2026 then quantifies the consequence side — $600B across the Global 2000 (a 50% jump in two years), $300M average per company, 63% of outages now caused by third parties (up from 24%), and a median $24.5M annual spend on AI outage-prevention tooling that doesn’t yet exist on most CISO budget lines.
Thai Vong’s CIO piece is the operating-model complement: a three-question intake (what data, what action, what consequence if it’s wrong?), mapped to four criticality tiers from “read approved info and summarize” up to “move files, trigger workflows, approve transactions, touch production.” Pair it with NIST AI RMF and OWASP’s Agentic AI threats list for the formal references. Together these four pieces give you a usable board narrative: the data showing why governance is failing, plus a practical structure for fixing it before the next quarterly review.
Sources: Help Net Security (TrustedTech) · CIO (confidence trap) · Help Net Security (Splunk) · CIO (Thai Vong)
CISA “CI Fortify”: plan to run offline, for days
CISA’s new “CI Fortify” initiative pushes critical-infrastructure operators — utilities, transportation, water, communications — to plan for sustained offline operations during a geopolitical cyber crisis, not just rapid recovery from a contained incident. The Record adds that CISA plans “targeted assessments” of defense-critical infrastructure to validate that BCPs aren’t silently dependent on cloud, SaaS, or third-party telemetry.
CISO action items: rehearse a 72-hour degraded-mode tabletop with the BCP team; identify silent SaaS dependencies in your IR runbook; validate that your detection-and-response stack has a working offline mode; and check that any “break-glass” admin paths actually work when SSO is unreachable. This guidance also gives you board cover to invest in the unglamorous operational resilience line items that compete poorly with shinier AI projects.
Sources: Federal News Network · The Record
Telecom sector launches the C2 ISAC — a model for sector self-governance
AT&T, Verizon, T-Mobile, Charter, Comcast, Cox, Lumen, and Zayo jointly launched the Communications Cybersecurity ISAC (C2 ISAC) to share intel on state-sponsored and AI-powered campaigns — a direct response to Salt Typhoon and its successors. The marquee point for CISOs in other sectors: an ISAC stand-up that gets eight major competitors aligned in months, after a year of public regulatory pressure, is a template for what voluntary sector governance can look like before legislation forces it.
If your sector lacks an ISAC or has one that doesn’t produce machine-readable intel, this is a useful comparable to bring to your industry association. Worth tracking how C2 ISAC’s indicator-sharing cadence and TLP discipline develop — success or failure here will shape what other sectors propose.
Sources: Cybersecurity Dive
Debevoise 8-K tracker: two years in, the line on “material” has shifted
Two years after the SEC’s cyber disclosure rule took effect, Debevoise’s data shows only 29 Item 1.05 “material” filings against 50 voluntary Item 8.01 filings — meaning most public-company disclosures are still being made on a non-material, “informational” basis. Debevoise reads SEC enforcement trajectories as tightening, with a sharper line on what counts as material and what doesn’t.
Practical implication: refresh your 8-K materiality determination playbook with audit, legal, and IR; make sure your CFO and audit-committee chair can articulate why a given incident did or did not cross the threshold; and tie this exercise to your incident-classification rubric so the materiality decision is a continuation of the IR workflow rather than a side-process.
Sources: Debevoise Data Blog
Cyber-insurance claim severity is climbing into 2026 renewals
Carrier Management reports on Travelers’ enterprise cyber lead detailing rising frequency and severity of claims, which is pressuring what had been a soft market on pricing. For CISOs, this directly affects renewal economics: expect tighter sub-limits on ransomware and business-interruption, more rigorous control attestations, and harder conversations on segmentation, EDR coverage, and identity hygiene as gating items for preferred terms.
Prep work to do before your next renewal cycle: a clean inventory of identity controls (phishing-resistant MFA coverage, privileged-access lifecycle, service-account hygiene), an honest patch SLA report against CISA KEV, evidence of working backups with restore tests, and a tabletop result you can hand the underwriter. This pairs with the Security Affairs “pure extortion” piece — exfiltration detection and outbound DLP are now line items insurers will ask about.
Sources: Carrier Management · Security Affairs
F5 + Confluence: edge-to-AD compromise as a board-relevant story
Microsoft Threat Intel walked through a real-world intrusion in which an end-of-life F5 BIG-IP appliance was used to pivot through an internet-exposed Confluence instance, and from there into Active Directory. The technical chain is familiar — what makes it board-relevant is the simple framing: EOL appliances and unpatched collaboration tools are quietly carrying enterprise-grade attack chains in 2026, and many organizations still don’t have a clean inventory of EOL network gear or a forced-retirement policy.
Use this case to push edge-appliance lifecycle policy onto your next ops/risk-committee agenda: a current EOL inventory, a forced-replacement budget line, and a measurable burn-down. Pair with the TanStack/Grafana root-cause analysis — both stories underline that a single missed credential or expired appliance turns into a major IP-loss event.
Sources: Microsoft Security Blog · Help Net Security (TanStack root cause)
Policy this week: postponed AI EO, UK deepfake rules, two big takedowns
Bloomberg reported that internal White House disagreements postponed a planned AI cybersecurity executive order — the draft would have touched on AI lab disclosure, Pentagon hardening, cyber hiring, and federal-to-private threat sharing. The postponement is itself the signal: federal AI cyber policy is in flux, and CISOs planning 12-month roadmaps should not assume any specific mandate is imminent. Across the Atlantic, UK Ofcom moved to fast-track Online Safety Act rules requiring hash-matching for non-consensual intimate imagery and AI deepfakes, 48-hour takedown obligations, and fines of up to 10% of global revenue. Any CISO at a UGC platform or general counsel team should be scoping their content-moderation, hash-database, and incident workflow against those numbers now.
On enforcement, Europol’s Operation Saffron dismantled First VPN — a bulletproof service used by 25 ransomware crews since 2014, including Avaddon-lineage groups — seizing 33 servers in 27 countries plus a Ukrainian admin and a ~5,000-account user database. Interpol’s Operation Ramz delivered its first MENA-region cybercrime takedown: 201 arrests, 53 servers seized, 3,867 victims identified, intel shared across 13 countries. Neither is a one-time win — the user/operator lists from both operations will feed pre-positioned IOC and TTP intel into ISACs for months. Watch for ISAC bulletins referencing both operations and feed them into your threat-intel pipeline.
Sources: Bloomberg · The Record (Ofcom) · TechCrunch (Saffron) · The Record (Ramz)