Reading view

Onward, Friends

After 26 years, today is my last day at EFF. It's been a terrific and wild ride — the organization has grown from a tiny band of fighty people trying to plant a flag for freedom and justice in the coming digital world into a large, established band of fighty people doing, well, much the same. The world around us has changed enormously. Our core values haven't budged.

cartoon of EFF as superheros

I'm proud of what we've achieved: freeing encryption, defending coders, pushing to rein in government and corporate surveillance and ensure the right to have a private conversation online, standing up for free speech and anonymous speech, fighting for network neutrality and safe voting machines, busting stupid patents, and making sure copyright didn't become the one law that rules the internet. That's only the start. We've stopped more bad legislative, regulatory, and legal ideas than I can count, built tools that millions rely on to protect their privacy, and helped encrypt the web. I've long said EFF is the plumber of the internet — finding the clogs and barriers that prevent technology from serving freedom, justice, and innovation for everyone.  

In addition to presenting cases in courts across the land, testifying in Congress and in California, in the European Parliament and at the United Nations, I went onto the internet with Stephen Colbert and engaged in a healthy disagreement with Jon Stewart.  I wrote a lot of it down in a book, hoping to recruit others to the cause.  The work has been hard and often frustrating at times.  But looking back, the fun parts are what I remember most.   

None of it would have been possible without EFF’s stalwart members. More than 30,000 people, some with big wallets and some with small ones, give us what we need to stand up to bullies and fight for the long haul. EFF has always served as a beacon for people who know that for technology to support freedom, justice, and innovation for all the people of the world, we need a dedicated band of folks working overtime on behalf of users, innovators, and creators. 

There's still plenty left to do. We haven't killed the third-party doctrine, tamed the surveillance business model, or gotten metadata the constitutional protection it deserves. Stupid patents persist as does the overreach of DMCA section 1201 and the Computer Fraud and Abuse Act. The government is now the largest purchaser of data from shady brokers, communities everywhere are fighting license plate readers and other street-level surveillance, and we haven't reined in NSA and FBI spying nearly enough. Meanwhile, the rise of AI is supercharging problems we've fought against for years. 

But I'm proud of what we've built together. I'm grateful to every EFFer — past, present, and future — who threw in with us when the odds were long and the pay was much better elsewhere. I'm grateful to the EFF Board and especially to my mentors and friends Pam Samuelson and Shari Steele, along with my longtime partner in justice, Lee Tien, who has been working with me since the Bernstein case. Fighting for justice is easier when you have a posse: coworkers, co-counsel, coalitions, interns, volunteers, and the heroic clients who trusted us to steward their cases in ways that bent the law toward everyone's benefit. Twenty-six years later, EFF is part of a global diaspora of organizations defending internet freedom — and I'm proud of that too. 

I'm stepping down because good leaders should make way for new ones, and the time feels right. EFF is strong and full of fight. My successor Nicole Ozer — a longtime friend and collaborator — is exactly the right person for this moment. She understands EFF's role and values at a deep level and will protect them while helping the organization rise to meet what's coming. 

As for me, I'm not going far. After a few months off to reflect and walk dogs, I plan to get back into the fight for justice — likely heading back into the courtroom. And I'll be watching, cheering, donating, and wearing the merch from EFF, just like the rest of you.

Cindy Cohn with her 2 Bernese Mountain Dogs at sunset

  •  

Securing Canada’s Digital Future: Why PBMM Matters Beyond Government

Palo Alto Networks is pleased to announce the successful completion of a new Cloud Medium security assessment conducted by the Canadian Centre for Cyber Security (Cyber Centre), significantly expanding the number of Palo Alto Networks cloud services assessed for Protected B / Medium Integrity / Medium Availability (PBMM) environments. This assessment includes a broad range of capabilities across our Cortex®, Cortex Cloud and Strata™ platforms. By achieving this milestone, Palo Alto Networks enables  organizations handling Canada’s most sensitive data to leverage a unified, AI-driven security architecture without compromising on compliance or operational resilience.

For years, many organizations viewed PBMM as something that only mattered to the Canadian federal government. It was often seen as a procurement requirement—a framework tied to public sector cloud adoption, relevant for departments handling Protected B information, but not necessarily for the private sector.

That assumption is changing.

The reality is that the challenges driving PBMM are no longer unique to government environments. Banks, energy providers, transportation networks, healthcare organizations, crown corporations, and other critical infrastructure operators are now facing many of the same pressures:

  • Expanding attack surfaces across hybrid and multi-cloud environments.
  • Increased regulatory scrutiny and privacy obligations.
  • Greater operational dependence on cloud and AI technologies.
  • Increased reliance on third-party providers and software supply chains.
  • The need to maintain operational resilience during cyber incidents and disruptions.
  • A growing expectation that organizations can demonstrate—not just claim—security maturity.

That is why PBMM matters far beyond Ottawa. At its core, PBMM represents a rigorous approach to validating whether enterprise-grade security platforms can operate securely in environments where trust, resilience, and operational continuity are critical.

Increasingly, that level of assurance matters to everyone.

What PBMM Really Represents

PBMM, a rigorous cybersecurity and data classification standard used by the  Canadian Centre for Cyber Security, stands for Protected B / Medium Integrity / Medium Availability. While often associated with federal cloud security requirements, PBMM is not simply a checkbox exercise. It is a comprehensive assessment framework aligned to Canadian cybersecurity guidance and operational security expectations.

What makes PBMM important is that it evaluates whether platforms and services can securely support sensitive and mission-critical workloads in real-world environments.

Palo Alto Networks meeting these rigorous PBMM requirements through three core pillars:

  • Strata (Network Security): Secures data resiliency and zero trust connectivity, driving robust perimeter and cloud edge protection.
  • Cortex Cloud (Cloud Security): Provides complete visibility, security governance, and data protection across complex cloud-native architectures.
  • Cortex (Security Operations): Powers the agentic SOC, combining unified data, AI, and automation to detect and respond to threats in real time.

These are not theoretical requirements. They are practical operational expectations designed for environments where downtime, visibility gaps, or security failures can have significant consequences.

Organizations today are no longer evaluating cybersecurity solely based on features. They are evaluating whether platforms can be trusted to support critical operations at scale.

Why Security Expectations Are Changing

The cybersecurity landscape has evolved dramatically. Infrastructure is distributed across cloud providers, SaaS applications, remote users, third-party integrations, operational technology (OT), AI platforms, and interconnected supply chains. At the same time, attacks have become faster, more automated, and more disruptive.

In this environment, security can no longer be treated as a compliance exercise. Organizations need confidence that their platforms, operational processes, and security controls can function effectively under pressure.

This is why Palo Alto Networks has undertaken independent PBMM assessments across its portfolio, providing customers with greater assurance and trust. By meeting these rigorous standards into Strata and Cortex, we enable non-government entities—like financial institutions and utility providers—to deploy the same defensive rigor used to protect national security systems.

Transforming Critical Infrastructure with a Unified Platform

To effectively manage risk, critical infrastructure operators require a platform approach that helps eliminate security silos, reduce manual intervention, and accelerate threat mitigation.

Key Portfolio Advantages for Critical Infrastructure & Enterprise:

  • AI-Driven Threat Detection & Response: Cortex XSIAM® and Cortex XDR® unify telemetry across endpoints, network, and cloud to deliver unparalleled visibility and automated threat stitching, neutralizing advanced cyberthreats before they disrupt operations.
  • Comprehensive Cloud Native Protection: Cortex Cloud secures applications from code to cloud to SOC, offering posture security, data protection, and continuous compliance monitoring tailored to stringent Canadian data standards.
  • Zero Trust Network Security: Strata enables secure access and consistent policy enforcement across campus, branch, and data center environments, protecting critical OT and IT systems from lateral threat movement.
  • Elite Incident Response: Backed by Unit 42®, organizations gain access to threat intelligence and rapid incident response services to augment their teams and build long-term cyber resilience.

Operational Resilience Is Becoming a Strategic Requirement

One of the most significant shifts occurring across industries today is the growing focus on operational resilience. Organizations are increasingly asking questions that extend beyond traditional cybersecurity controls:

  • Can we maintain critical services during a cyber attack?
  • Do we have visibility across our cloud environments and supply chain dependencies?
  • Can we rapidly detect, respond to, and recover from disruptions?
  • Are our governance processes keeping pace with cloud adoption and AI innovation?

As organizations adopt cloud-native architectures, AI-driven technologies, and interconnected digital ecosystems, resilience has become a board-level concern. The ability to prevent incidents remains important, but organizations are equally focused on their ability to withstand, respond to, and recover from them.

This is where frameworks like PBMM provide value. Beyond evaluating security controls, PBMM assesses the governance, operational processes, monitoring capabilities, and risk management practices that help organizations operate securely.

For critical infrastructure operators, resilience is no longer simply an IT objective—it is a business imperative. Increasingly, the organizations that earn trust are those that can demonstrate they are prepared to operate effectively when disruption occurs.

Final Thoughts: PBMM Reflects the Future of Trust

PBMM may have started solely as a government assessment framework, but its relevance now extends far beyond federal environments. It represents something universal: the ability to operate securely, reliably, and transparently in environments where trust matters most.

By expanding our PBMM-assessed offerings across Cortex and Strata, Palo Alto Networks underscores its commitment to securing Canada's digital future. We provide the validated foundation organizations need to innovate with confidence, protect sensitive data, and maintain operational continuity under any circumstance.

Read the Assessment Summary Report

To learn more about the Palo Alto Networks Cloud Medium security assessment, review the publicly available assessment summary report issued by the Canadian Centre for Cyber Security.

Ready to modernize your defenses with PBMM-assessed solutions? Schedule a demo with our team or contact Unit 42 to learn how we can help elevate your organization's resilience against emerging cyber threats.

The post Securing Canada’s Digital Future: Why PBMM Matters Beyond Government appeared first on Palo Alto Networks Blog.

  •  

Shifting from Data Hoarding to Active Defense: Navigating the New Era of OMB M-26-14

The release of OMB Memo M-26-14 ("Ensuring Effective and Efficient Agency Logging and Network Visibility to Defend Against Evolving Cyber Threats") marks a historic turning point in federal cybersecurity. By officially rescinding the M-21-31 directive, the White House has delivered a clear message to federal IT leaders: the era of compliance-driven data hoarding is officially over.

While the previous framework was a well-intentioned response to the SolarWinds breach, its mandate to collect and retain vast oceans of unstructured logging data created unintended, unsustainable operational burdens. For the past several years, federal agencies have faced skyrocketing cloud storage bills and overwhelmed Security Operations Centers (SOCs). Crucially, they have been left with vast quantities of cold data that lacked clear operational utility.

As OMB noted, retaining endless data without operational focus is neither cost-effective nor operationally feasible. With M-26-14, the federal government is pivoting to a smarter, sleeker, and far more decisive strategy: a risk-based, prioritized logging framework driven by AI and machine-speed defense.

The Core Shifts: What Federal Leaders Must Understand

M-26-14 strips away administrative "red tape" to focus on how modern cybersecurity risks have evolved. Nation-state threat actors are actively leveraging advanced automation and Artificial Intelligence (AI) to orchestrate attacks at unprecedented speeds. They move laterally across agencies in minutes, hiding behind legitimate corporate credentials.

To beat machine-speed threats, your data layer must operate at machine-scale. The new memo reorganizes federal visibility around two foundational pillars:

1. Continuous Event Monitoring — Owning the Present

Continuous Event Monitoring demands that logging infrastructure shift from a passive archiving tool to a live-streaming asset. Agencies are now required to monitor network and asset activity in real time, rapidly flag anomalous behavior via behavioral analytics, and initiate immediate mitigation actions directly through their SOCs.

2. Threat Hunting, Investigation, Response, and Forensics — Dominating the Post-Compromise

When a compromise is suspected, agencies can no longer spend days running slow database queries or pulling disconnected csv files. M-26-14 mandates that agencies keep 6 months of logs "hot and searchable" and 1 year fully "retrievable." This allows defenders to immediately stitch together cross-domain attack patterns, perform rapid root-cause forensics, and share threat intelligence seamlessly with CISA and the FBI.

3. Expanding the Blast Radius: Entering IoT and OT

Perhaps the most significant structural change is the explicit inclusion of Internet of Things (IoT) and Operational Technology (OT) systems. Adversaries do not respect the boundary between your corporate IT network and your physical infrastructure. Under M-26-14, your logging and threat-hunting capabilities must aggressively cover the entire enterprise—from public cloud workloads to the physical facility controls and critical infrastructure grids running on an agency's behalf.

The Clock is Ticking: The Aggressive Maturity Deadlines

Agencies cannot afford a passive approach. The timeline established by OMB M-26-14 moves quickly:

  • T+90 Days: CISA will publish the new Logging Reference Architecture (LRA) codifying hybrid/centralized deployments, Zero Trust Maturity Model (ZTMM) integration, and AI-driven monitoring guidelines.
  • LRA +90 Days: Agencies must submit their comprehensive Agency Logging Plans.
  • LRA +120 Days: Achieve Basic Level 1 Maturity.
  • LRA +180 Days: Achieve Intermediate Level 2 Maturity.
  • LRA +320 Days: Achieve Advanced Level 3 Maturity (Advanced/Optimal Effectiveness).

Activating OMB M-26-14 with Palo Alto Networks Cortex

Trying to retrofit a legacy SIEM architecture to meet the advanced or optimal effectiveness tiers of M-26-14 is an engineering and budgetary dead end. Legacy SIEMs scale costs linearly with ingestion and rely on static, human-written correlation rules that fail against AI-fueled threats.

The FedRAMP Certified Palo Alto Networks Cortex platform—anchored by Cortex XSIAM (Extended Security Intelligence and Automation Management)—was engineered from the ground up to solve the exact problems this new memo addresses.

From Disconnected Columns to Cross-Domain "Stitching"

Legacy logging stores data in isolated silos. An analyst trying to track an adversary has to manually look at an identity log, cross-reference it with a network firewall alert, and match it to an endpoint execution.

Cortex XSIAM features a revolutionary Analytics Engine that automatically stitches multi-vendor logs across cloud, network, endpoint, and identity at the moment of ingestion. It transforms raw text into a single, cohesive, context-rich story, instantly aligning incidents with the MITRE ATT&CK framework.  Cortex XSIAM doesn’t just ingest data, it understands the data which enables stitching of multiple data elements into a single, multi-context construct which accelerates analysis via AI and machine learning.

Replacing Static Rules with Cloud-Scale AI

Adversaries use AI to evade signature detection. Cortex XSIAM fights fire with fire, applying out-of-the-box, unsupervised machine learning models to baseline normal behavioral patterns across your entire federal enterprise. When an anomalous lateral movement, data exfiltration attempt, or credential abuse event occurs, XSIAM flags the threat instantly—without requiring your team to spend weeks writing custom correlation code.

Accelerating Continuous Event Monitoring (CEM) and Threat Hunting, Investigation, Response and Forensics (THIRF)

There is more to CEM than just monitoring network activity.  Activity on endpoints, within your identity management solution(s) and in the cloud are just as important.  Understanding the data, knowing which log records are related to each other across multiple log sources, which events are relevant and the context they provide is required.  

Understanding these events and their contextual relationships is fundamental to providing THIRF in an efficient manner.  Cortex XSIAM provides over 2,900 machine learning models out of the box, models that are trained on the data in your environment so they detect anomalous activity based on what is “normal” in your environment, not trained on generic data from other customers or a lab.  These models can identify threats based on data stitched together from multiple sources to provide a more complete context yielding more accurate and consistent results while decreasing time to value.

Securing the Unmanageable: Agentless IoT/OT Defense

You cannot install an EDR logging agent on a smart building HVAC system or an industrial programmable logic controller (PLC). Palo Alto Networks utilizes non-disruptive, passive network analysis to continuously discover, profile, and generate high-fidelity security logs for IoT and OT infrastructure. These logs stream directly into XSIAM, eliminating critical federal blind spots and protecting your High Value Assets (HVAs) from cross-boundary pivot attacks.

Solving the Storage Conundrum Safely

Keeping six months of high-velocity event logs fully "hot and searchable" under a traditional database indexing model creates a crushing financial burden. Cortex XSIAM fundamentally resets the Total Cost of Ownership (TCO) equation by leveraging an index-free, cloud-native data lake architecture that decouples storage costs from analytical performance. By eliminating legacy ingestion taxes and infrastructure overhead, federal defenders can search petabytes of data in seconds—effortlessly meeting the 6-month searchable and 1-year retrievable thresholds. Furthermore, integrated data masking rules strip away sensitive PII or low-value data noise before it hits the SOC, ensuring agencies only pay for operationally vital intelligence.

 

The Bottom Line for Federal Leaders

OMB M-26-14 is a massive step forward for federal cybersecurity. It frees CISOs from the operational gridlock of untargeted data archiving and empowers them to build faster, modern, and highly responsive security operations.

Meeting the strict 120-to-320-day maturity milestones requires moving past the tools of the last decade. By partnering with Palo Alto Networks and deploying the Cortex suite, federal agencies can seamlessly transition into a risk-aligned, AI-driven SOC. They can confidently check the box on OMB compliance while achieving what the directive actually intends: protecting the resilience and integrity of the federal mission at machine speed.

Palo Alto Networks’ Cortex XSIAM is FedRAMP certified at both the moderate and high levels.

Want to learn more about how to structure your upcoming Agency Logging Plan to meet CISA's upcoming Logging Reference Architecture? 

Contact the Palo Alto Networks Federal Team today to schedule an architectural deep-dive.

The post Shifting from Data Hoarding to Active Defense: Navigating the New Era of OMB M-26-14 appeared first on Palo Alto Networks Blog.

  •  

Trust is the Foundation of Sovereignty

Sovereignty has become the driving principle of Europe's technology conversation. Every policy discussion, every emerging legislative development, every procurement process, every boardroom debate comes back to which platforms and partners to trust.

Trust goes beyond compliance. It demands integrity, accountability, and transparency about the limits of what any provider can guarantee – rather than making commitments that sound reassuring but cannot be verified.

We have spent considerable time listening to public sector organizations, critical national infrastructure operators, and regulators across Europe. This is not a new concern. Over the years,  what organizations are asking for has become increasingly specific. They want their data to remain in Europe. They want to know precisely who can access it and who holds the encryption keys. And they want every access event logged and visible. They want operations managed locally, under local jurisdictions and subject to local laws.

These are governance requirements as much as technical ones. And what they add up to is a demand for verifiable control, not more contractual promises. The distinction matters enormously. Telling an organization you will protect their data is one thing; giving them the architecture and the visibility to verify that protection themselves is another.

It is worth being clear about who is driving this conversation. These requirements are not universal. A large enterprise running productivity tools has different needs from a government ministry managing sensitive national data or a critical infrastructure operator running systems that society depends on for clear drinking water. What we are describing here is what we hear from the most demanding end of the spectrum: public sector and critical national infrastructure. And that is where we focus, because getting it right there matters most.

What We Have Built

The announcement of the Sovereign Cortex with T Security, together with Deutsche Telekom and Google Cloud, is our direct response to these demands and the next step in our long-standing commitment to Europe. It is not a marketing position – it is a framework that provides customers actual controls. It is built on the five elements that reflect how we fundamentally think about sovereignty. One that will set the standard across every solution we build for the region.

  1. Customer data and systems data (telemetry) are stored and processed in Europe and accessed only by personnel in-region.
  2. The encryption keys are held externally under control by the customer. 
  3. Data access events are independently reviewed, logged, visible, and auditable. 
  4. Site reliability engineers and support personnel based in Europe manage and support the service. 
  5. Contracts are signed by a European legal entity, governed by European law.

Each element of this framework was designed from the outside in, with the input of every European organization we collaborated with. 

Why Trust Has to Be Earned, Not Claimed

Here is what I believe, having spent years in this conversation across Europe. Trust is not something a provider can simply assert. It is something that has to be earned, over time, through consistent and verifiable action.

For technology companies operating in Europe, that means placing meaningful control with a trusted local European partner, being transparent about what we can and cannot guarantee, and treating sovereignty not as a compliance exercise but as a design principle.

It also means being honest about the journey. We have done significant work, yet we have further to go. The organizations we serve deserve partners who acknowledge that openly rather than presenting a finished picture.

What drives this work is straightforward: we believe in Europe’s digital future. We believe in the missions of the organizations we work with every day, whether they are protecting critical public services, securing national infrastructure, or safeguarding the data that citizens and institutions depend on. Being a committed partner to those organizations is not a product decision. It is a values decision.

And that is precisely why trust is the measure we hold ourselves to. The direction is clear, the commitment is real. But commitment means nothing without trust – and trust, like everything worth having, has to be earned every day.


Forward-Looking Statements

This blog contains forward-looking statements that involve risks, uncertainties and assumptions, including, without limitation, statements regarding the benefits, impact, or performance or potential benefits, impact or performance of our products and technologies or future products and technologies. These forward-looking statements are not guarantees of future performance, and there are a significant number of factors that could cause actual results to differ materially from statements made in this blog. We identify certain important risks and uncertainties that could affect our results and performance in our most recent Annual Report on Form 10-K, our most recent Quarterly Report on Form 10-Q, and our other filings with the U.S. Securities and Exchange Commission from time-to-time, each of which are available on our website at investors.paloaltonetworks.com and on the SEC's website at www.sec.gov.  All forward-looking statements in this blog are based on information available to us as of the date hereof, and we do not assume any obligation to update the forward-looking statements provided to reflect events that occur or circumstances that exist after the date on which they were made.

The post Trust is the Foundation of Sovereignty appeared first on Palo Alto Networks Blog.

  •  
❌