Cleartext – March 11, 2026
Wednesday, March 11, 2026·10:10
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 9 stories across 4 topic areas, including: Rudd confirmed to head NSA, Cyber Command after near year-long vacancy; US entities face heightened cyber risk related to Iran war; US military contractor likely built iPhone hacking tools used by Russian spies in Ukraine.
Stories Covered
🌍 Geopolitical
Rudd confirmed to head NSA, Cyber Command after near year-long vacancy
The Record (Recorded Future) · Mar 10 · Relevance: █████████░ 9/10
Why it matters to CISOs: The confirmation of a new dual-hat NSA/CyberCom leader after a year-long vacancy signals renewed U.S. cyber posture at a time of escalating state-sponsored threats; CISOs should watch for shifts in threat intelligence sharing and offensive cyber operations that could affect the threat landscape.
- Gen. Joshua Rudd confirmed 71-29 by the Senate
- Position was vacant for nearly a year
- Takes command amid mounting aggression from foreign adversaries and ongoing federal government restructuring
US entities face heightened cyber risk related to Iran war
Cybersecurity Dive · Mar 10 · Relevance: █████████░ 9/10
Why it matters to CISOs: Active military conflict with Iran dramatically elevates the risk of retaliatory cyberattacks against U.S. critical infrastructure and major enterprises; CISOs should immediately review incident response plans and threat intelligence for Iranian TTPs.
- Military campaign against Iran is putting U.S. entities at heightened cyber risk
- Local governments, critical infrastructure providers, and major companies are primary targets
- Risk of disruptive (not just espionage) attacks is elevated
US military contractor likely built iPhone hacking tools used by Russian spies in Ukraine
TechCrunch Security · Mar 10 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The revelation that US-origin offensive hacking tools ended up in Russian espionage operations highlights the uncontrolled proliferation of commercial exploit capabilities and raises the threat level for enterprise mobile devices generally; exploit chains used against iPhones in Ukraine today work just as well against an executive's iPhone tomorrow.
- Google identified hacking tools used by a Russian espionage group and by Chinese cybercriminals
- A U.S. defense contractor (L3Harris, via its Coruna subsidiary) identified as the likely developer
- Tools were used to target iPhones in Ukraine
🔓 Data Breach
DOGE employee stole Social Security data and put it on a thumb drive, report says
TechCrunch Security · Mar 10 · Relevance: █████████░ 9/10
Why it matters to CISOs: This insider threat incident at the Social Security Administration underscores the danger of privileged access without proper data loss prevention controls and the ongoing risk of government data mishandling affecting citizen PII at massive scale.
- Whistleblower accuses former DOGE member of stealing Americans' personal data from SSA
- Data was exfiltrated on a thumb drive
- Employee allegedly planned to use the data at a new job
Salesforce Sounds Alarm Over Fresh Data Extortion Campaign
BankInfoSecurity · Mar 11 · Relevance: ████████░░ 8/10
Why it matters to CISOs: ShinyHunters exploiting misconfigured Salesforce guest accounts is a direct warning for any enterprise running CRM-based customer portals; CISOs should immediately audit Salesforce Experience Cloud configurations and guest user permissions.
- ShinyHunters gang exploiting misconfigured Salesforce guest accounts to steal and ransom data
- Attackers use Google search queries ("dorking") and scanning tools to locate portals whose guest user permissions are misconfigured
- Misconfigured customer experience portals expose private services to public access
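The Salesforce guest-user misconfiguration is a permission problem, so it can be audited from an export rather than by waiting for an attacker to find it. Below is an added example, not from the Cleartext episode, from Salesforce, or from any of the cited outlets: an offline pass over the object permissions attached to guest-user profiles that flags the grants an anonymous portal visitor should almost never hold. It assumes the input is the `records` array of a SOQL query of the shape `SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords, Parent.Profile.Name FROM ObjectPermissions WHERE Parent.Profile.UserLicense.Name = 'Guest User License'`; the query, the `SENSITIVE_OBJECTS` list and the sample records are assumptions constructed for this example, not a real org's data.

```python
import json

# Objects whose rows are customer or employee PII; a guest (unauthenticated)
# profile should almost never read them in bulk. Hypothetical list for this
# example; tune it to the org's data model.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "Opportunity", "User"}

# Constructed sample export in the shape of the assumed SOQL result above.
# Not a real org; the profile names and grants are invented for the example.
SAMPLE_EXPORT = json.dumps({"records": [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False, "PermissionsViewAllRecords": False,
     "PermissionsModifyAllRecords": False,
     "Parent": {"Profile": {"Name": "Support Site Guest User"}}},
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True,
     "PermissionsEdit": False, "PermissionsDelete": False, "PermissionsViewAllRecords": False,
     "PermissionsModifyAllRecords": False,
     "Parent": {"Profile": {"Name": "Support Site Guest User"}}},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": True, "PermissionsDelete": False, "PermissionsViewAllRecords": True,
     "PermissionsModifyAllRecords": False,
     "Parent": {"Profile": {"Name": "Partner Site Guest User"}}},
    {"SobjectType": "Document", "PermissionsRead": False, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False, "PermissionsViewAllRecords": False,
     "PermissionsModifyAllRecords": False,
     "Parent": {"Profile": {"Name": "Partner Site Guest User"}}},
]})

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}


def classify(rec, sensitive):
    """Map one ObjectPermissions row to (severity, reason), or None when the
    row grants the guest nothing. Severity is the worst issue found."""
    obj = rec["SobjectType"]
    issues = []
    if rec.get("PermissionsViewAllRecords") or rec.get("PermissionsModifyAllRecords"):
        # "View All" / "Modify All" ignore sharing rules: an anonymous visitor
        # can enumerate every record of the object through the site's APIs.
        issues.append(("HIGH", "View/Modify All Records bypasses sharing rules"))
    if rec.get("PermissionsEdit") or rec.get("PermissionsDelete"):
        issues.append(("HIGH", "edit/delete granted to an anonymous user"))
    if rec.get("PermissionsRead") and obj in sensitive:
        # Read is still scoped by the guest sharing rules, but Read on a PII
        # object is exactly what a data-extortion crew needs to harvest.
        issues.append(("MEDIUM", "read on a PII object"))
    if rec.get("PermissionsCreate"):
        # Create is often intended (web-to-case, web-to-lead) but lets
        # anonymous users inject records; confirm the intent per object.
        issues.append(("MEDIUM", "create granted (confirm intended, e.g. web-to-case)"))
    if rec.get("PermissionsRead") and obj not in sensitive:
        issues.append(("INFO", "read granted"))
    if not issues:
        return None
    severity = min(issues, key=lambda i: SEVERITY_RANK[i[0]])[0]
    return severity, "; ".join(reason for _, reason in issues)


def audit_guest_permissions(export_json, sensitive=SENSITIVE_OBJECTS):
    """Return findings as (severity, profile, object, reason) tuples, worst
    first, one per guest-profile row that grants any access."""
    findings = []
    for rec in json.loads(export_json)["records"]:
        result = classify(rec, sensitive)
        if result is None:
            continue
        severity, reason = result
        profile = rec["Parent"]["Profile"]["Name"]
        findings.append((severity, profile, rec["SobjectType"], reason))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for severity, profile, obj, reason in audit_guest_permissions(SAMPLE_EXPORT):
        print(f"[{severity}] {profile} / {obj}: {reason}")
```

Run it against the real query output (any Salesforce CLI or REST client that can emit the records as JSON) and treat every HIGH as a same-day fix. Object permissions are necessary but not sufficient: what a guest can actually reach also depends on the guest sharing rules, the site's public-access setting, and which Apex classes and Aura/Lightning components the guest profile may call, so the permission audit is the first pass, not the whole review.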
⚖️ Governance & Policy
Modernizing HIPAA: Are You Ready?
BankInfoSecurity · Mar 11 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The first major HIPAA Security Rule overhaul in decades could land as early as May 2026; healthcare CISOs and their vendors need to begin gap assessments now against modern cybersecurity framework requirements.
- HIPAA Security Rule undergoing first major overhaul in decades
- Finalization could come as early as May 2026
- New requirements grounded in modern cybersecurity practices and frameworks
If consequences matter, they should apply to vendors, too
CyberScoop · Mar 11 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Conflicting executive orders—one toughening cyber fraud enforcement, another easing software security accountability—create regulatory uncertainty that CISOs must navigate when negotiating vendor contracts and managing third-party risk.
- New executive order cracks down on cyber fraud
- A separate mandate eases software security accountability for vendors
- Creates an inconsistent federal strategy that keeps the attack surface cheap to exploit
🚀 Startup Ecosystem
Mandiant’s founder just raised $190M for his autonomous AI agent security startup
TechCrunch Security · Mar 10 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A $190M raise by Kevin Mandia for autonomous AI security agents signals major market conviction in AI-driven SOC automation; CISOs evaluating next-gen security operations should track this category closely.
- Kevin Mandia (Mandiant founder) raised $190M for Armadin
- Startup builds autonomous cybersecurity agents that learn and respond without human intervention
- Represents a significant bet on AI-native security operations
AI Startup Jazz Secures $61M to Rethink Data Loss Prevention
BankInfoSecurity · Mar 11 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: With shadow AI and GenAI data exposure becoming top insider risk vectors, a $61M raise for AI-native DLP signals the market is moving beyond legacy rule-based approaches; CISOs should evaluate whether current DLP stacks address AI-era data flows.
- Jazz raised $61M exiting stealth
- Targets insider risk, shadow AI, and GenAI data exposure
- Uses AI agent investigators analyzing data context rather than pattern-matching rules
Further Reading
- 🌍 Rudd confirmed to head NSA, Cyber Command after near year-long vacancy — The Record (Recorded Future)
- 🌍 US entities face heightened cyber risk related to Iran war — Cybersecurity Dive
- 🌍 US military contractor likely built iPhone hacking tools used by Russian spies in Ukraine — TechCrunch Security
- 🔓 DOGE employee stole Social Security data and put it on a thumb drive, report says — TechCrunch Security
- 🔓 Salesforce Sounds Alarm Over Fresh Data Extortion Campaign — BankInfoSecurity
- ⚖️ Modernizing HIPAA: Are You Ready? — BankInfoSecurity
- ⚖️ If consequences matter, they should apply to vendors, too — CyberScoop
- 🚀 Mandiant’s founder just raised $190M for his autonomous AI agent security startup — TechCrunch Security
- 🚀 AI Startup Jazz Secures $61M to Rethink Data Loss Prevention — BankInfoSecurity
Full Transcript
Alex: Welcome to Cleartext. It's Wednesday, March 11th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Let's get into it.
Alex: We've got a packed show today. New leadership at NSA and Cyber Command after a year-long vacancy, the Iran conflict spilling into cyberspace in ways every CISO needs to be tracking, US-built hacking tools showing up in Russian espionage operations, a massive insider threat incident at the Social Security Administration, Salesforce sounding alarms on a live extortion campaign, dueling executive orders creating regulatory chaos, and a couple of notable funding rounds including Kevin Mandia's new venture. Let's start where we have to start, which is the geopolitical picture, because it's moving fast.
Jordan: It is. So yesterday, General Joshua Rudd was confirmed 71-29 by the Senate to lead both NSA and Cyber Command. That dual-hat position has been vacant for nearly a year. Nearly a year. I want to let that sit for a second, because during that vacancy we've had one of the most active threat environments in a generation. China, Russia, Iran, all escalating. And the organization that's supposed to coordinate offensive and defensive cyber operations for the United States has been running without a confirmed leader.
Alex: And the 71-29 vote tells you something too. That's bipartisan but not unanimous. There were real questions about Rudd's priorities given the broader federal restructuring. But the fact that it got done at all is significant. For CISOs, the immediate question is: does this change anything operationally?
Jordan: Short term, probably not overnight. But medium term, yes. A confirmed leader means budget authority stabilizes, strategic direction gets set, and critically, the intelligence sharing posture could shift. When Cyber Command has clear leadership, the declassification and dissemination pipeline for threat intelligence tends to move faster. If you're a CISO at a critical infrastructure operator or a major enterprise, you should be re-engaging your CISA and sector-specific ISAC contacts now, because the volume and quality of government threat intelligence may be about to improve.
Alex: And the timing matters because of story number two. The Iran situation. Military operations are underway, and Cybersecurity Dive is reporting what threat intelligence teams have been saying privately for weeks: US entities face materially heightened cyber risk from Iranian retaliatory operations.
Jordan: This is the story I'd be losing sleep over if I were still in a CISO seat. Iran's cyber capabilities are real. They're not China, they're not Russia, but they don't need to be. Iranian threat actors have demonstrated the ability to conduct disruptive attacks, not just espionage. Wiper malware, destructive attacks on industrial control systems, attacks on water utilities. We've seen the playbook before. What's different now is the motivation. When you're in an active military conflict, the calculus for a retaliatory cyber operation changes entirely. The threshold drops.
Alex: So let's be concrete. If you're a CISO listening to this, what should you be doing today?
Jordan: Three things. One, dust off your incident response plan and make sure it accounts for a destructive attack, not just a ransomware scenario. Two, review your threat intelligence feeds for Iranian TTPs. MuddyWater, APT33, APT34. Make sure your detection engineering team has current signatures and behavioral analytics for those groups. Three, if you have any operational technology, any ICS or SCADA environments, go verify your segmentation right now. Don't assume it's fine. Verify it.
Alex: And I'd add a fourth for the board-facing CISOs: get ahead of this with your leadership team. If something hits, you don't want the first time your CEO hears about Iranian cyber risk to be during an incident. Brief them now.
Jordan: Absolutely. Now let me connect a thread here that I think is underappreciated. Story three. TechCrunch reported that Google's Threat Analysis Group identified iPhone hacking tools used by Russian espionage operators in Ukraine, and the likely developer is a US defense contractor, L3Harris, through its Coruna subsidiary.
Alex: This is a proliferation story, and it's a big one.
Jordan: It's a huge one. The commercial exploit market has been a concern for years. NSO Group, Intellexa, all the usual names. But this is different. This is a US defense contractor building offensive tools that end up in the hands of Russian intelligence and Chinese cybercriminals. Think about what that means for your threat model. The tools built with US defense dollars, presumably under some form of export control, are being used against allies. And if they're being used against Ukrainian targets today, the same exploit chains work against your executive team's iPhones tomorrow.
Alex: For CISOs, this reinforces something we've been saying for a while: mobile device security is not a solved problem. If you're relying on standard MDM and hoping Apple's security updates keep you safe, you're behind. Zero-click exploits exist, and the supply chain for them is apparently less controlled than anyone wants to admit.
Jordan: And it raises serious questions about vendor trust in the defense industrial base, but that's a longer conversation.
Alex: Let's pivot to the DOGE story, because it's both infuriating and instructive. A whistleblower is accusing a former DOGE employee of exfiltrating Social Security Administration data, personal data on Americans, onto a thumb drive, allegedly planning to use it at his next job.
Jordan: I mean, where do you even start? A thumb drive. In 2026. From the Social Security Administration.
Alex: It's the kind of insider threat scenario that every CISO covers in their security awareness training, and yet here we are, at a federal agency with some of the most sensitive PII in the country.
Jordan: This is a failure at multiple levels. Access controls, data loss prevention, removable media policies, personnel security. Pick your control, it apparently wasn't functioning. And look, the DOGE initiative has been controversial for a lot of reasons, but from a pure security standpoint, you're taking individuals, giving them broad privileged access to sensitive systems, and apparently not applying the same insider threat controls you'd expect at any Fortune 500 company.
Alex: And the downstream implications are real. If this data is compromised, we're talking about Social Security numbers, personal information on potentially millions of Americans. The liability, the identity theft risk, the erosion of public trust. For our audience, the lesson is evergreen but apparently needs repeating: privileged access requires proportional controls. DLP on endpoints, removable media restrictions, behavioral monitoring for data exfiltration patterns. If a thumb drive can walk out the door with your crown jewels, your controls have failed.
Jordan: And audit your own house. If the SSA can miss this, so can you.
Alex: Shifting gears to something very actionable. Salesforce put out an alert yesterday about ShinyHunters, a cybercrime gang that's actively exploiting misconfigured Salesforce Experience Cloud guest accounts to steal data and extort companies.
Jordan: ShinyHunters has been around for a while. They're noisy, they're prolific, and they're effective. What's notable here is the attack vector. They're using Google dorking, essentially scanning tools, to find Salesforce customer portals where guest user permissions are misconfigured. These are portals meant to give limited public access, but the configurations are exposing private data and services.
Alex: This is a configuration management problem, not a zero-day. Which means it's entirely preventable. If you're running Salesforce Experience Cloud, and a lot of you are, audit your guest user permissions today. Not next sprint. Today. Make sure public-facing portals aren't inadvertently exposing internal APIs, customer data, or administrative functions.
Jordan: And if your security team doesn't have visibility into your Salesforce configuration, that's a problem in itself. SaaS security posture management isn't optional anymore.
Alex: Two governance stories worth flagging quickly. First, the HIPAA Security Rule is getting its first major overhaul in decades. Finalization could come as early as May. If you're in healthcare or you're a vendor selling into healthcare, start your gap assessment now. The new requirements are going to be grounded in modern frameworks, think NIST CSF alignment, and the compliance lift could be significant.
Jordan: And second, there's a fascinating contradiction playing out in Washington. One executive order is cracking down on cyber fraud enforcement. Good. A separate mandate is easing software security accountability for vendors. Not good. The net effect is regulatory incoherence.
Alex: For CISOs, this means you cannot rely on the government to force your vendors to be secure. Your third-party risk management program and your contract language are your primary levers. Tighten your vendor security requirements in contracts, because Washington isn't going to do it for you consistently.
Jordan: Amen.
Alex: Two quick funding stories. Kevin Mandia, founder of Mandiant, raised $190 million for Armadin, which is building autonomous AI agents for security operations. These are agents designed to learn and respond to threats without human intervention.
Jordan: When Mandia puts his name on something, the market pays attention. $190 million is a massive bet that the future SOC is AI-native. I'd say CISOs should watch this space carefully but keep your expectations calibrated. Autonomous response without human oversight is a bold promise. The technology is moving fast, but the trust model for letting an AI agent take action in your environment, that's still being worked out.
Alex: And Jazz, a startup that just exited stealth with $61 million, is rethinking data loss prevention for the AI era. They're targeting insider risk, shadow AI, and GenAI data exposure using AI agent investigators that analyze context rather than pattern-matching rules.
Jordan: Given the DOGE story we just discussed, clearly the market needs better DLP. If Jazz can actually deliver context-aware data protection that catches what legacy tools miss, especially around employees pasting sensitive data into ChatGPT or shadow AI tools, that's a real problem being solved. Worth tracking.
Alex: Let's close with the outlook. Jordan, when you look at this week's stories together, what's the thread?
Jordan: Control. Or rather, the loss of it. The US lost control of offensive hacking tools that ended up with Russian spies. The SSA lost control of citizen data to an insider with a thumb drive. Salesforce customers lost control of their portal configurations. Washington can't even maintain consistent policy control across executive orders. And now we're building autonomous AI agents and hoping we can maintain control of those too. The theme this week is that the perimeter isn't a network boundary anymore. It's the boundary of your ability to govern access, data, tools, and policy. And that boundary is fraying.
Alex: I agree. And I'd add that for CISOs, the response has to be proactive governance. You can't wait for the government to set clear rules. You can't assume your configurations are correct. You can't trust that your insiders are behaving. The organizations that come through this period intact will be the ones that are actively verifying, actively auditing, and actively preparing for the disruptive scenarios, not just the espionage ones.
Jordan: And specifically on Iran, don't wait for the headline. Prepare now.
Alex: That's our show for today. Cleartext is back tomorrow. Thanks for listening.
Jordan: Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-11.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.