Cleartext – April 15, 2026
Wednesday, April 15, 2026·8:12
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 8 stories across 5 topic areas, including: CISA Workers Recalled Despite Shutdown; Sweden says pro-Russian hackers attempted to breach thermal power plant; We’re only seeing the tip of the chip-smuggling iceberg.
Stories Covered
🌍 Geopolitical
CISA Workers Recalled Despite Shutdown
BankInfoSecurity · Apr 15 · Relevance: █████████░ 9/10
Why it matters to CISOs: A CISA funding lapse directly impacts the federal cyber defense posture and could degrade threat intelligence sharing, vulnerability coordination, and incident response support that enterprise security teams rely on.
- CISA has recalled furloughed workers despite ongoing funding lapse
- DHS directed all furloughed personnel to return on their next scheduled shift
- Congressional funding standoff remains unresolved, raising concerns among cybersecurity analysts
Sweden says pro-Russian hackers attempted to breach thermal power plant
The Record (Recorded Future) · Apr 15 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Pro-Russian targeting of Western critical infrastructure signals continued escalation that CISOs in energy, utilities, and adjacent sectors must factor into threat models and OT security strategies.
- Pro-Russian hacker group attempted to disrupt a thermal power plant in western Sweden
- Swedish defense official confirmed the incident occurred last year
- Attack targeted operational technology at critical national infrastructure
We’re only seeing the tip of the chip-smuggling iceberg
CyberScoop · Apr 15 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: AI chip smuggling networks and shadow data centers across Southeast Asia raise supply chain integrity and sanctions compliance concerns for CISOs whose organizations source hardware or operate in affected regions.
- Federal indictments exposed shadow networks of data centers and fake products spanning Southeast Asia
- AI chip smuggling is circumventing U.S. export controls at scale
- Op-ed argues enforcement must shift from airport gates to factory floors
📡 Macro Trends
OpenAI Touts Wider Access to Its New Cyber Model
BankInfoSecurity · Apr 15 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The release of GPT-5.4-Cyber in competition with Anthropic's Mythos signals a new class of AI tools purpose-built for security operations; CISOs should evaluate how these models fit into defensive workflows while assessing dual-use risks.
- OpenAI unveiled GPT-5.4-Cyber as a direct competitor to Anthropic's Mythos cybersecurity model
- Internal safeguards, customer verification, and 'trust signals' are claimed to prevent misuse
- Broader availability is being extended to verified security teams through the Trusted Access for Cyber program
🔓 Data Breach
Black Basta’s playbook lives on as former affiliates launch fast-scale intrusion campaign
CyberScoop · Apr 14 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Former Black Basta affiliates are reusing proven social engineering tactics at scale against enterprises; CISOs need to ensure their SOCs are tuned to detect these TTPs and that executive-targeted phishing defenses are current.
- Former Black Basta affiliates launched a fast-scale social engineering intrusion campaign
- Campaign spiked in March 2026 and has targeted dozens of organizations since May 2025
- ReliaQuest identified the continuation of Black Basta's playbook under new operations
McGraw-Hill confirms data breach following extortion threat
BleepingComputer · Apr 14 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A Salesforce misconfiguration leading to a breach and extortion underscores the persistent risk of SaaS misconfigurations as a top attack vector — a direct concern for any CISO managing sprawling cloud environments.
- Hackers exploited a Salesforce misconfiguration to access McGraw-Hill's internal data
- The company confirmed the breach after receiving an extortion threat
- The incident highlights SaaS configuration management as a critical security gap
⚖️ Governance & Policy
CISOs Urged to Innovate with Talent Retention as Job Satisfaction Declines
Infosecurity Magazine · Apr 14 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: With only 34% of cybersecurity professionals planning to stay in their current roles, CISOs face acute workforce retention risk that directly impacts program continuity and institutional knowledge.
- IANS report finds only 34% of cybersecurity professionals plan to stay in their current role over the next 12 months
- Job satisfaction among security professionals is declining
- CISOs are urged to innovate on retention strategies to maintain team stability
🚨 Critical Vulnerability
Patch Tuesday, April 2026 Edition
Krebs on Security · Apr 14 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A SharePoint zero-day actively exploited in the wild, a publicly disclosed Windows Defender weakness, Chrome's fourth zero-day of 2026, and an emergency Adobe Reader RCE flaw demand immediate patching prioritization across enterprise environments.
- Microsoft patched 167 vulnerabilities including a SharePoint Server zero-day and publicly disclosed 'BlueHammer' Windows Defender flaw
- Google Chrome fixed its fourth zero-day of 2026
- Adobe Reader received an emergency patch for an RCE vulnerability actively exploited since at least November 2025
Further Reading
- 🌍 CISA Workers Recalled Despite Shutdown — BankInfoSecurity
- 🌍 Sweden says pro-Russian hackers attempted to breach thermal power plant — The Record (Recorded Future)
- 🌍 We’re only seeing the tip of the chip-smuggling iceberg — CyberScoop
- 📡 OpenAI Touts Wider Access to Its New Cyber Model — BankInfoSecurity
- 🔓 Black Basta’s playbook lives on as former affiliates launch fast-scale intrusion campaign — CyberScoop
- 🔓 McGraw-Hill confirms data breach following extortion threat — BleepingComputer
- ⚖️ CISOs Urged to Innovate with Talent Retention as Job Satisfaction Declines — Infosecurity Magazine
- 🚨 Patch Tuesday, April 2026 Edition — Krebs on Security
Full Transcript
Jordan: CISA just recalled furloughed workers to their desks — without a funding resolution in sight. That's not a normal government budget story. That's the federal cyber safety net operating in legal and financial limbo while adversaries are watching.
Alex: Welcome to Cleartext. It's Wednesday, April 15th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves.
Alex: Today's show: the CISA funding situation and what it actually means for your threat intelligence pipeline. Pro-Russian hackers hit a Swedish power plant — what that signals for OT security teams in the West. Black Basta's playbook is back, and it spiked last month. April Patch Tuesday is a heavy lift. And OpenAI enters the purpose-built cyber model race. A lot of ground to cover. Let's get into it.
Jordan: So CISA. Here's what we know: DHS ordered furloughed personnel back to work despite an unresolved congressional funding standoff. That sounds like good news on the surface. Workers are back. Lights are on. But the underlying dynamic should concern any CISO who relies on federal threat intelligence pipelines, because what you have is an agency operating under legal ambiguity, with staff who haven't been paid reliably, and no certainty about when that resolves. That degrades institutional focus in ways that don't show up on a dashboard.
Alex: And the downstream effects are real and specific. We're talking about CISA's vulnerability coordination function, their threat sharing programs, the support they provide during significant incidents. If you're a critical infrastructure operator — financial services, energy, healthcare — and you've built CISA responsiveness into your incident response playbook, this is the moment to pressure-test that assumption. What's your fallback if CISA's capacity is degraded during a major event?
Jordan: The other thing worth saying plainly: adversaries read the news. A publicly visible disruption to the federal cyber apparatus is a signal. Not that it triggers attacks by itself, but it factors into adversary calculus on timing and target selection.
Alex: Which connects directly to the Sweden story. Swedish defense officials confirmed that a pro-Russian group attempted to disrupt a thermal power plant in western Sweden — targeting operational technology, and this happened last year. The disclosure now is notable in itself.
Jordan: A few things here for CISOs in energy and utilities, and honestly anyone adjacent to critical infrastructure. First, the geographic expansion of Russian-aligned targeting continues. This isn't new doctrine, but it is accelerating. Sweden as a NATO entrant is a meaningful target set. Second, OT environments remain the soft underbelly. The attack surface between corporate IT and operational technology — that convergence zone — is where these groups are probing. If your OT security strategy is still primarily air-gap mythology, this is a wake-up call.
Alex: And for boards that keep asking whether geopolitical risk is really a security budget line item — Sweden is your answer. This isn't hypothetical threat modeling. It's a confirmed attempt to disrupt physical infrastructure using cyber means.
Jordan: Let's shift to the Black Basta affiliate campaign, because this one is operationally immediate. ReliaQuest tracked a social engineering intrusion campaign that spiked in March, has been running since at least May 2025, and is being operated by former Black Basta affiliates carrying the playbook forward. Dozens of organizations targeted.
Alex: The reason this matters beyond the headline numbers is the word "former." Black Basta as a brand is degraded — their internal chat logs leaked, their infrastructure disrupted. But the affiliates who built their skills inside that operation didn't disappear. They regrouped. They're running fast-scale intrusions using proven social engineering TTPs against enterprises. This is what happens when you disrupt the top of a ransomware hierarchy without addressing the talent base underneath.
Jordan: The specific TTPs are executive-targeted phishing and help desk manipulation. Those two vectors together tell you something important: they're going around technical controls by targeting human decision points. Your EDR doesn't catch a help desk agent resetting MFA for someone who sounds authoritative on the phone.
Alex: So the action items here are concrete. Review your help desk identity verification procedures — specifically the exception handling paths for MFA resets and account recovery. Make sure your SOC has ReliaQuest's published indicators loaded. And if you haven't run a tabletop on social engineering at the executive layer recently, schedule it this quarter.
Jordan: McGraw-Hill is a good pivot to SaaS risk. Hackers exploited a Salesforce misconfiguration, accessed internal data, and then extorted the company. McGraw-Hill confirmed it. This is not a sophisticated nation-state attack. This is basic configuration hygiene failure leading to a breach and a public extortion event.
Alex: And the reason it keeps happening is organizational. In most enterprises, Salesforce is owned by sales operations or marketing. Security has advisory input at best. The team that configured the environment didn't have security as a first-order concern, and the security team didn't have visibility into what was exposed. That gap — between SaaS ownership and security oversight — is where these incidents are born. CISOs need formal SaaS security posture management, not periodic audits. Continuous monitoring of configuration drift in Salesforce, Workday, ServiceNow, and the rest of the stack.
Jordan: Patch Tuesday. April 2026 is a heavy one. Microsoft pushed fixes for 167 vulnerabilities. The two that demand immediate action: a SharePoint Server zero-day that is actively exploited in the wild, and BlueHammer, a publicly disclosed weakness in Windows Defender. Publicly disclosed means exploit code is available or incoming. Treat it accordingly.
Alex: Chrome is on its fourth zero-day of 2026. That is a meaningful trend line. And Adobe Reader has an emergency patch for an RCE flaw that's been actively exploited since at least November 2025. That means if you've been on a standard patching cadence, you've had exposure for months. The SharePoint zero-day and Adobe Reader RCE are your top priorities. Get those into emergency patch cycles today if they're not already in motion.
Jordan: OpenAI's GPT-5.4-Cyber. They're entering the purpose-built security model race directly against Anthropic's Mythos. They're extending access to verified security teams through something called the Trusted Access for Cyber program, and they're claiming internal safeguards and trust signals prevent misuse.
Alex: Let me be direct about where I land on this. The capability is real and the use cases for defensive security operations — threat hunting, alert triage, vulnerability analysis — are legitimate. But "trust signals prevent misuse" is a marketing claim, not a security architecture. The dual-use risk on a purpose-built cyber model is higher than a general-purpose LLM, because you're taking a model specifically tuned for offensive and defensive reasoning and making it more broadly available. CISOs evaluating these tools should be pressing vendors hard on what the verification actually means, what the audit trail looks like, and what the liability framework is if the model is used in a downstream attack.
Jordan: And watch the competitive dynamic. When two major AI labs are racing to capture security team adoption, procurement decisions get accelerated. Don't let vendor urgency outpace your evaluation process.
Alex: Let's close with the broader pattern this week is pointing toward. What we're seeing is a stress test of institutional reliability across multiple layers simultaneously. CISA is operating in funding limbo. The federal threat intel apparatus is uncertain. Adversaries — Russian-aligned groups specifically — are actively probing Western critical infrastructure OT environments. And domestically, a new IANS report out this week puts only 34% of cybersecurity professionals planning to stay in their current roles over the next twelve months. That's not a workforce retention footnote. That's an institutional knowledge crisis in slow motion.
Jordan: If two-thirds of your security team is considering leaving in the next year, your program continuity risk is significant regardless of your tooling investments. The humans who know your environment, your threat model, your vendor relationships — that institutional memory doesn't transfer easily. CISOs need to be having honest conversations with their leadership about compensation, scope, and career trajectory for security staff. The market is signaling something and it isn't being heard loudly enough in most boardrooms.
Alex: What I'm watching heading into next week: whether Congress moves on CISA's funding before the operational impact becomes visible in incident response timelines. And whether the Black Basta affiliate campaign expands its targeting — ReliaQuest's data suggests it's still accelerating.
Jordan: I'm watching the OT threat landscape in NATO-adjacent countries. The Sweden disclosure is likely the visible fraction of a larger pattern. Expect more to surface.
Alex: That's Cleartext for Wednesday, April 15th. If this was useful, share it with a peer. We'll be back tomorrow. Stay sharp.
Jordan: Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-04-15.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.