
Cleartext – March 09, 2026

Monday, March 9, 2026·10:02



Show notes

Daily cybersecurity briefing for CISOs and security leaders.


Episode Summary

Today's episode covers 8 stories across 4 topic areas, including: China-Linked Hackers Use Malware Trio for Telecom Espionage; Risky Bulletin: New White House EO prioritizes fight against scams and cybercrime; How AI Assistants are Moving the Security Goalposts.

Stories Covered

🌍 Geopolitical

China-Linked Hackers Use Malware Trio for Telecom Espionage

BankInfoSecurity · Mar 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Persistent Chinese APT targeting of telecom infrastructure using novel malware underscores ongoing supply chain and communications interception risks that CISOs in telecom and adjacent sectors must factor into threat models.

  • China-linked group UAT-9244 has been targeting South American telecom providers since 2024
  • Newly discovered malware tools are designed for persistent access to communications infrastructure
  • Cisco Talos ties the activity to known groups Famous Sparrow and Tropic Trooper


Risky Bulletin: New White House EO prioritizes fight against scams and cybercrime

Risky Business News · Mar 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: This roundup includes a suspected Chinese breach of the FBI's wiretap network—a critical signal for CISOs assessing nation-state risk to lawful intercept and law enforcement collaboration systems.

  • Suspected Chinese hackers breached the FBI's wiretap network
  • Romania's largest meat exporter went insolvent after a ransomware attack
  • White House released new Cyber Strategy alongside the executive order on cybercrime


📡 Macro Trends

How AI Assistants are Moving the Security Goalposts

Krebs on Security · Mar 08 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Krebs documents how autonomous AI agents with system-level access blur the lines between trusted tools and insider threats—forcing CISOs to rethink access controls, monitoring, and acceptable-use policies for AI-powered developer tooling.

  • AI agents can access user files, online services, and automate tasks autonomously
  • AI agents blur the line between being data or code and being a trusted co-worker, or an insider threat
  • The trend is rapidly shifting organizational security priorities


Why Claude Code Security Has Shaken the Cybersecurity Market

BankInfoSecurity · Mar 09 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Anthropic's entry into AI-powered application security testing—alongside OpenAI's Codex Security—signals a potential disruption of incumbent AppSec tooling that CISOs should evaluate as part of their secure SDLC strategy.

  • Anthropic's Claude Code Security jolted cybersecurity stocks
  • The tool promises deep reasoning for identifying and remediating code vulnerabilities
  • OpenAI launched competing Codex Security tool in the same timeframe


🔓 Data Breach

TriZetto Provider Solutions Breach Hits 3.4 Million Patients

Infosecurity Magazine · Mar 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A 3.4M-record breach at a major healthcare billing services provider highlights third-party/vendor concentration risk—directly relevant for CISOs managing supply chain due diligence in healthcare and any sector relying on billing intermediaries.

  • TriZetto Provider Solutions, a billing services provider, is notifying 3.4 million patients
  • The breach underscores vendor and supply chain risk in healthcare
  • TriZetto is widely used across healthcare organizations for claims processing


⚖️ Governance & Policy

Trump Pledges Action on Cybercrime and Cyberspace Threats

BankInfoSecurity · Mar 09 · Relevance: █████████░ 9/10

Why it matters to CISOs: A new executive order and five-page cybersecurity strategy from the White House will directly shape federal enforcement priorities, compliance expectations, and public-private collaboration frameworks that enterprise CISOs must track.

  • Trump signed an executive order directing federal prosecutors and cyber defense officials to ramp up efforts against cybercriminal gangs
  • A five-page national cybersecurity strategy was published alongside the order
  • The order covers federal prosecutors, cyber defense officials, and diplomats in a coordinated anti-cybercrime push


EU court adviser says banks must immediately refund phishing victims

BleepingComputer · Mar 08 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: If adopted by the CJEU, this opinion would shift financial liability for phishing losses squarely onto banks—raising the stakes for anti-fraud controls, transaction monitoring, and customer authentication investments across European financial services.

  • CJEU Advocate General issued a formal opinion that banks must immediately refund unauthorized transactions
  • The opinion applies even when the customer is partly at fault
  • This could set binding precedent across all EU member states if the court follows the recommendation


Modernizing HIPAA: Are You Ready?

BankInfoSecurity · Mar 09 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: The first major HIPAA Security Rule overhaul in decades could finalize as early as May 2026, requiring healthcare CISOs and their business associates to begin gap assessments now against modern cybersecurity frameworks.

  • HIPAA Security Rule may undergo its first major overhaul in decades
  • Finalization could come as early as May 2026 though timelines remain uncertain
  • New requirements are grounded in modern cybersecurity practices and frameworks


Full Transcript


Alex: Monday, March 9th, 2026. This is Cleartext. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Big show today. The White House dropped a new executive order and a cybersecurity strategy on Friday afternoon, because of course they did. We'll dig into what it actually says and what it means for your programs. We've got Chinese APTs hitting telecom infrastructure in South America with a brand new malware toolkit, and a suspected Chinese breach of the FBI's wiretap network. Krebs has a piece on AI agents as the new insider threat. Anthropic and OpenAI are both gunning for your AppSec budget. A 3.4 million patient breach at a healthcare billing provider. An EU court opinion that could flip the liability model for phishing losses in banking. And the first major HIPAA Security Rule overhaul in decades may land as early as May. Let's get into it.

Jordan: So let's start with the White House, because Friday afternoon document dumps are a time-honored tradition for things administrations want to bury, but this one actually has substance. Trump signed an executive order directing federal prosecutors, cyber defense officials, and diplomats to coordinate a ramp-up against cybercriminal gangs. Alongside that, a five-page national cybersecurity strategy.

Alex: Five pages. I want to note that for the audience. The previous administration's strategy was, what, thirty-five pages? So this is a different document. It's more directional than prescriptive. But the executive order itself has teeth. It's telling DOJ to prioritize cybercrime prosecutions. It's directing diplomatic pressure, which signals that the administration wants to make this a foreign policy lever, not just a law enforcement one.

Jordan: And the emphasis on cybercrime rather than nation-state activity is interesting. It suggests the framing is going to be around criminal gangs, ransomware operators, fraud networks. That's where the enforcement energy is going. For CISOs, the practical implication is that public-private collaboration frameworks are going to shift. If federal prosecutors are being told to ramp up, expect more subpoenas, more requests for cooperation, more pressure on incident reporting timelines.

Alex: Exactly. And if you're in a regulated sector, this is the moment to make sure your incident response playbooks account for federal engagement. Not just notification to regulators, but active cooperation with law enforcement. The political will is there right now. That's a window. Use it.

Jordan: The strategy document also explicitly calls out the scam economy, which is a signal that consumer-facing fraud, pig butchering, romance scams, these are now national security priorities. That may feel distant from enterprise security, but if you're in financial services or telecom, you're the infrastructure those scams run through.

Alex: Good segue. Let's talk about the telecom targeting, because Cisco Talos dropped a report on a China-linked group they're calling UAT-9244. They've been hitting South American telecom providers since 2024 with a trio of newly discovered malware tools designed for persistent access to communications infrastructure. Talos ties this activity to known groups Famous Sparrow and Tropic Trooper.

Jordan: This is classic Chinese intelligence tradecraft. The target selection tells you everything. Telecommunications infrastructure in South America. They're not after the telcos themselves. They're after the communications transiting those networks. Diplomatic traffic, business communications, potentially intelligence on regional political dynamics. The malware suite is purpose-built for persistence and interception, not for disruption.

Alex: And this matters beyond the immediate geography. If you're a multinational with operations in Latin America, your communications may transit these exact networks. If you're a telecom provider anywhere, this is a reminder that APTs view you as a means to an end, not the end itself. Your threat model needs to account for that. You're not just protecting your own data. You're protecting the data of everyone who flows through your pipes.

Jordan: Which brings us to the other piece in the Risky Business roundup. Suspected Chinese hackers breached the FBI's wiretap network. Let that sit for a second. The lawful intercept infrastructure that law enforcement uses to conduct court-authorized surveillance was itself compromised.

Alex: This is the nightmare scenario for anyone who has argued that lawful intercept capabilities can be secured. If the FBI's own wiretap infrastructure can be breached, every argument about building government access into encrypted systems has to be revisited. For CISOs, the practical question is: what is your exposure to lawful intercept systems? If you're a telecom or cloud provider that participates in CALEA compliance, you need to be treating those systems as tier-one targets for nation-state actors.

Jordan: And if you're cooperating with law enforcement on investigations, you should be thinking about operational security for that collaboration itself. The assumption that the government side of the channel is secure is no longer safe.

Alex: Sobering. Let's shift to AI, because two stories converged this week that I think represent a genuine inflection point. Brian Krebs published a deep piece on AI agents, these autonomous programs that have access to your files, your services, your development environments, and can act independently. His argument is that these tools are blurring the line between a trusted tool and an insider threat.

Jordan: And he's right. Look, we've all been watching developers adopt these AI coding assistants at speed. The productivity gains are real. But what Krebs is documenting is the next phase: agents that don't just suggest code, they execute tasks. They have credentials. They can access APIs. They can modify production systems. That's not a tool. That's an identity with privileges.

Alex: And most organizations are not treating them that way. They're not in your identity governance framework. They're not subject to access reviews. They're not monitored the way you'd monitor a contractor or a privileged admin. If you haven't started building a policy framework for AI agents, including acceptable use, access scoping, monitoring, and kill switches, you are behind.

Jordan: The second AI story is about Anthropic's Claude Code Security launch, which apparently rattled cybersecurity stocks. Alongside OpenAI's Codex Security, you now have two foundation model companies making a direct play for application security testing.

Alex: This is a market disruption story, but it has real operational implications. These tools promise deep reasoning about code vulnerabilities, not just pattern matching like traditional SAST tools. If they deliver even seventy percent of that promise, they're going to compress the value proposition of incumbent AppSec vendors significantly.

Jordan: But here's the but. Large enterprises need more than vulnerability detection. They need workflow integration, compliance mapping, remediation tracking, developer experience that doesn't create friction. The AI models are impressive at finding bugs. They're less impressive at fitting into a mature SDLC with governance requirements.

Alex: Agreed. My advice: start piloting now. Run them alongside your existing tools. Measure the delta in detection quality. But don't rip and replace anything yet. This is a two-year transition, not a two-month one.

Jordan: Alright, the TriZetto breach. 3.4 million patients. TriZetto Provider Solutions is a billing services intermediary used widely across healthcare for claims processing. They've begun notifying affected individuals.

Alex: This is a vendor concentration risk story. TriZetto processes claims for a huge number of healthcare organizations. When one of these intermediaries gets breached, the blast radius isn't one hospital system. It's potentially hundreds of provider organizations and millions of patients. If you're a healthcare CISO and TriZetto is in your supply chain, you should already be in contact with them. But more broadly, this is a forcing function to audit your third-party billing and claims processing vendors. How many patients' data flows through a single intermediary? What's your contractual right to audit? What are their incident notification obligations?

Jordan: And it's worth noting that Romania's largest meat exporter went insolvent after a ransomware attack. Different sector, same lesson. A single cyber event can be existential for an organization. When your third parties are in that position, you inherit that risk.

Alex: Two governance stories to close out. The EU Court of Justice Advocate General issued a formal opinion that banks must immediately refund customers for unauthorized transactions, even when the customer is partly at fault through phishing.

Jordan: This is a huge deal for European financial services. If the full court follows this opinion, and they usually do, the liability for phishing losses shifts squarely onto the bank. Not shared liability. Not conditional on the customer's behavior. The bank pays, period.

Alex: Which means the ROI calculation for every anti-fraud investment just changed. Transaction monitoring, behavioral analytics, strong customer authentication, real-time fraud detection. All of those become direct loss prevention, not just compliance checkboxes. European banking CISOs should be taking this opinion to their boards now, because the budget conversation for 2027 planning needs to account for this shift.

Jordan: And domestically, the HIPAA Security Rule is potentially getting its first major overhaul in decades. Finalization could come as early as May 2026. The new requirements would be grounded in modern cybersecurity frameworks, which means things like MFA, encryption at rest and in transit, and incident response capabilities that actually reflect current threat landscapes.

Alex: If you're a healthcare CISO or you work with business associates in the healthcare supply chain, the time to start gap assessments is right now. Don't wait for the final rule. The proposed requirements are clear enough to begin benchmarking against. And frankly, if you're not already meeting these standards, you have bigger problems than regulatory compliance.

Jordan: Looking at the week ahead, Alex, I see a through-line across everything we covered today. It's the erosion of trust assumptions. We assumed lawful intercept systems were secure. We assumed AI tools were just tools. We assumed billing intermediaries had adequate controls. We assumed customers bore some liability for their own phishing losses. Every one of those assumptions got challenged this week.

Alex: And that's the strategic message for CISOs. Your risk models are built on assumptions about where trust boundaries are. This week should prompt you to audit those assumptions explicitly. Where are you trusting a third party, a government system, a technology, or a legal framework to hold? And what happens to your program if it doesn't?

Jordan: That's the right question to take into your Monday morning leadership meeting.

Alex: That's Cleartext for Monday, March 9th. We'll be back tomorrow. Thanks for listening.

Jordan: Stay sharp.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-09.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.