Cybersecurity Roundup: Partnerships, Funding, and Emerging Threats – February 20, 2026 | Milano Cortina Scam, Cyber Tax Policy, U.S. Defense Cyber Rules, UWF Cyber Center

Quick preview: fraudsters spin up lookalike Milano Cortina merchandise shops to harvest payment data ahead of the Winter Olympics; policy debates surface on using tax credits and incentives to accelerate private-sector cybersecurity investments; new U.S. defense-industry cyber rules raise the bar — and the compliance burden — for small suppliers; and the University of West Florida launches a Center for Cybersecurity and AI to boost workforce capacity and research. Together these stories show a familiar but widening pattern: attackers keep innovating on social and supply-chain vectors while institutions respond with a mix of regulation, financial incentives, and education to build scaleable resilience. This briefing unpacks each story, analyzes its systemic implications, and gives a practical playbook for CISOs, policymakers, and technology leaders.

Introduction — the converging currents

As we move through 2026, three macro forces are shaping the cybersecurity landscape:

1. Fraud and social-engineering scaling with advertising and agile domain tactics — attackers increasingly use rapid domain registration and paid social advertising to reach victims with convincing, short-lived scams (e.g., fake event or merchandise sites). Keywords: phishing, fraud, domain squatting, paid social scams.

2. Policy levers and fiscal instruments for cyber resilience — governments and advisors are debating tax policies and incentives to encourage private-sector cybersecurity investment (R&D credits, tax breaks for security purchases, or conditional credits tied to baseline controls). Keywords: cybersecurity tax policy, incentives, public goods, fiscal policy.

3. Compliance and capability gaps in critical supply chains — new mandatory cyber requirements (especially in defense and critical infrastructure supply chains) raise operational costs and create potential barriers for small suppliers without mature security programs. Keywords: defense cybersecurity rules, NIST, supplier risk, compliance burden.

4. Workforce & research scale-up through academic centers — universities are expanding centers that combine cybersecurity and AI, providing training pipelines, research testbeds, and public-private partnerships. Keywords: cyber workforce, AI & security, academic research, cyber centers.

This edition walks through four stories that illustrate how these currents interact. For each: factual summary, systemic analysis, tactical implications, and a prioritized checklist you can act on in the next 7/30/90/365 days.

1) Fake Milano Cortina sites: what happened and why it matters

Headline summary: Cybersecurity vendor Bitdefender reported a wave of lookalike websites purporting to be the Milano Cortina 2026 official merchandise store. The sites were promoted via paid adverts on Meta platforms and offered implausible discounts (up to 80%), redirecting buyers to clone storefronts that harvested payment and personal data and often disappeared shortly after processing payments. Bitdefender described the operation as coordinated and quickly rotating to avoid takedowns, risking thousands of victimized shoppers as the Games proceed.

Source: Source: Reuters (reporting on Bitdefender findings).

The anatomy of the scam — technical and operational tactics

• Paid social advertising as an acquisition channel: Fraud operators created new Facebook/Meta pages and bought promoted posts or ads targeting likely buyers (sports fans, local-interest groups). Paid ads inserted the spoof links directly into users’ feeds, bypassing organic discovery limitations and speeding reach.

• Rapid domain rotation and short-lived shops: The actors registered many similar domains within days and launched nearly identical storefronts. These transient sites process payments quickly, then vanish — making refunds and law enforcement traceability difficult.

• High-fidelity visual mimicry: Cloned product photos, branding, color schemes, and product descriptions were used to reduce suspicion. Often the official shop’s language offered modest discounts; the clones pushed extreme discounts to lure impulsive buyers.

• Data harvesting beyond payments: In many cases, attackers captured names, addresses, phone numbers, emails and sometimes login credentials — expanding the scope of later identity theft or targeted credential-stuffing campaigns.

Systemic implications

1. Paid-ad networks are becoming core attack surface. Historically defenders focused on email/TXT phishing and compromised domains. The addition of paid social as an acquisition vector means defenders must treat ad platforms as a threat surface: speed, visibility, and blocking mechanisms differ drastically from classic phishing channels.

2. Short-lived operations increase incident response complexity. Rapid domain churn and ephemeral shops reduce the effectiveness of takedown requests, complicate forensic timelines, and increase the number of victims before remediation occurs.

3. Brand abuse is both reputation and operational risk. Event organizers, partners and official merchandisers must proactively defend brand channels and invest in consumer education and fraud monitoring.

Tactical playbook — immediate steps (7/30/90 days)

7 days

• Run a targeted search for lookalike domains using brand keywords plus common typos; subscribe to domain-watch alerts and block suspicious domains at perimeter DNS and web filters.

• Post consumer advisories via official channels explaining where to buy merchandise, typical price ranges, and how to verify domains (SSL cert, WHOIS age, official social links).

30 days

• Engage ad platforms (Meta, X, Google) programmatically: request priority takedown for fraudulent creatives and pages; negotiate an incident contact path for paid-ad fraud.

• Implement or extend fraud-detection rules in payment pipelines: unusual discount codes, mismatched geolocation vs. billing, and flags for first-time sellers showing high volume.

90 days

• Set up a brand-protection program: registered domain monitoring, brand-infringement triage playbook, and legal-ready evidence collection to accelerate injunctions and takedowns.

• Coordinate with payments partners and card networks to offer expedited customer remediation reports and chargeback assistance.

365 days

• Run cross-sector tabletop incidents simulating large-scale ad-driven fraud to test joint responses with ad platforms, payment processors, and law enforcement.

What CISOs should tell their boards (short memo)

• Attackers are using legitimate ad infrastructures to scale fraud — this increases the blast radius and introduces a new persistent financial loss vector.

• Recommend funding: short-term (ad monitoring tools + legal takedown budget) and long-term (brand protection program + public communication plan).

• Board ask: approve an aggressive consumer-protection communication campaign and a budget to subsidize chargebacks/refunds in case of large-scale incidents.

2) Applying cybersecurity tax policies: can fiscal incentives nudge better security?

Headline summary: Thought pieces and policy analyses are increasingly discussing whether tax policies — credits, accelerated deductions, or conditional incentives — could be used to encourage firms to invest in cybersecurity. Proposals vary from direct R&D credits for secure product engineering to tax credits for purchasing certified security products or funding workforce training. Advocates argue that fiscal incentives can correct underinvestment in resilience; skeptics warn about gaming, regulatory complexity, and the need for measurable baselines. (Help Net Security summarized policy research and proposals.)

Source: Source: Help Net Security (summary/discussion of cybersecurity tax policy proposals).

The logic for tax policy interventions

• Market failure & positive externalities: Cybersecurity investments generate public goods — reducing systemic risk benefits other firms and citizens. Private firms underinvest relative to social optimum because they cannot capture all benefits. Targeted tax incentives can help internalize externalities.

• Skill and SME support angle: Credits for training or tax relief for small-and-medium enterprises adopting baseline security controls can reduce barriers for smaller suppliers who otherwise cannot afford up-front costs.

Proposed incentive structures (typical models)

1. R&D-style tax credits for secure-by-design engineering: Expand R&D credits to include time spent designing and testing secure software components and threat modeling.

2. Capital cost deductions for security tooling: Allow immediate expensing (or an enhanced deduction) for purchases of qualified security solutions that meet certification standards.

3. Workforce development credits: Tax credits for companies that provide cybersecurity training (CPEs, bootcamps) or hire certified security personnel.

4. Conditional credits tied to baseline compliance: Credits granted only if the firm attests and passes an independent assessment of baseline controls (e.g., multi-factor authentication, vulnerability management program).

Trade-offs and policy risks

• Gaming and verification: Credits tied to purchase rather than outcomes are easier to game. Without robust verification, funds could be wasted on low-quality or ineffective solutions.

• Administrative burden: Tax code changes can be slow to implement and require alignment between tax authorities and cybersecurity standards bodies.

• Equity vs. universality: Universal deductions may disproportionately benefit large firms with high tax liabilities; targeted credits for SMEs require more administrative targeting.

Implementation best practices (policy design)

• Outcome-oriented metrics: Prefer credits tied to demonstrable improvements (e.g., reduced time to patch, regular external pen tests) rather than mere purchases.

• Third-party verification ecosystem: Pair fiscal incentives with accredited assessors (e.g., independent test labs) to verify claims and reduce gaming.

• Sunset and audit clauses: Implement trial periods with mandatory audits and sunsets to evaluate effectiveness and cost-efficiency.

Tactical playbook for governments and corporate advocates

For policymakers (7/30/90 days)

• 7 days: Convene a cross-ministry task force (finance, commerce, cybersecurity) to draft a policy framework and pilot plan.

• 30 days: Design a small pilot: e.g., a regional tax credit for SMEs tied to passing a simplified cybersecurity assessment, with randomized controls for evaluation.

• 90 days: Launch pilot, accompanied by an independent evaluation partner to quantify impacts on investment and incident reduction.

For corporate lobbyists and CISOs

• Articulate measurable asks: define the baseline controls, list eligible expenditures, and propose verification partners.

• Offer to co-sponsor pilot programs to test whether tax incentives change behavior (and share anonymized outcomes).

My take (op-ed)

Tax policy can be a useful, underutilized lever to crowd in cybersecurity investments — particularly for SMEs and workforce training. But the devil is in design: incentives must be structured to reward outcomes (improved security posture, lower breach likelihood) rather than simply subsidizing spending on ineffective tools. Governments should run pilots, evaluate, iterate, and scale what demonstrably lowers systemic risk.

3) New U.S. defense-industry cybersecurity rules: a rising bar and a narrowing supplier pool

Headline summary: New cybersecurity requirements imposed on the U.S. defense and aerospace supply chain — intended to safeguard sensitive systems and data — are making compliance more onerous for smaller suppliers. The rules mandate stricter security baselines, continuous monitoring, reporting obligations, and certifications for suppliers working on classified or sensitive programs; some small vendors fear being priced out of defense work due to the cost and operational load of compliance. Reuters reported on the implications and supplier reactions.

Source: Source: Reuters (report on new U.S. defense cybersecurity rules and industry impact).

What the new rules typically require

• Baseline controls & frameworks: Many rules require adherence to standards such as NIST SP 800-171 or Cybersecurity Maturity Model Certification (CMMC)-like frameworks with defined maturity levels.

• Continuous monitoring & incident reporting: Suppliers must implement logging, endpoint detection, identity management, and automated reporting pipelines to defense agencies for certain incident classes.

• Supply-chain transparency and subcontractor oversight: Prime contractors must vet subcontractors and ensure flow-down clauses enforce cybersecurity controls throughout the chain.

• Certification and audit obligations: Regular third-party audits or self-attestations subject to spot checks, with penalties for non-compliance.

Systemic implications

1. Barrier to entry vs. trust assurance: These rules strengthen national security by reducing attack surfaces. But they also raise compliance costs, shifting supplier dynamics toward larger firms or those with consulting budgets to get certified.

2. Concentration risk: If small, specialized suppliers are pushed out, primes may have fewer niche vendors to choose from — concentrating risk and potentially increasing costs and delays in defense programs.

3. Market for compliance services grows: There is commercial opportunity for managed security providers, certification consultants, and secure cloud offerings tailored to defense suppliers.

Practical responses for small suppliers & primes

Small suppliers

• Joint compliance consortia: Small vendors can pool resources to fund shared SOC-as-a-service or certification co-operatives to amortize certification costs.

• Prioritized control adoption: Start with high-impact, low-cost controls (MFA, endpoint management, logging) and build toward full certification.

• Leverage secure managed services: Use FedRAMP-authorized or DoD-approved cloud providers and MSSPs to avoid building complex systems in-house.

Prime contractors

• Supplier uplift programs: Build funding and technical assistance into prime contracts to help small suppliers meet compliance requirements.

• Flexible flow-downs: Where possible, negotiate pragmatic flow-down clauses that align with supplier capabilities while preserving security outcomes.

Policymakers

• Consider transitional or grant funding to help critical small suppliers achieve compliance; otherwise, risk hollowing-out specialty suppliers.

Tactical checklist (for defense primes & suppliers)

7 days

• Map all contracts and identify which suppliers and subcontractors will be impacted by new compliance thresholds.

• Prioritize immediate, low-cost controls across supply chain: MFA for all privileged accounts, endpoint protection, and basic logging.

30 days

• Launch supplier readiness surveys and begin creating prioritized uplift roadmaps, paired with estimated costs and timelines.

• Select accredited assessors or MSSPs to run gap assessments for high-impact suppliers.

90 days

• Implement supplier assistance consortia (cost-sharing models) or negotiate contract amendments to fund compliance remediation.

My take (op-ed)

Security for national programs is non-negotiable, yet policy should avoid unintended harm to a healthy supplier ecosystem. The sensible path combines higher security expectations with transitional support for small suppliers — grants, shared services, and enforceable timelines. Otherwise, we will trade short-term security for long-term concentration risk and supply fragility.

4) UWF launches Center for Cybersecurity and AI — academic muscle for workforce, research, and public-private work

Headline summary: The University of West Florida announced the expansion of its nationally recognized Center for Cybersecurity into the UWF Center for Cybersecurity and AI — a strategic move intended to expand training programs, research capacity and public-private partnerships focused on secure, responsible, and workforce-ready artificial intelligence and cybersecurity. The Center will offer industry certification prep, technical courses, and exercises, and aims to accelerate national and regional impact through training and collaboration.

Source: Source: UWF Newsroom / UWF Center pages.

Why academic centers matter now

• Workforce shortage: The U.S. and many other countries face hundreds of thousands of unfilled cybersecurity positions. Academic centers produce credentials, run certification prep (e.g., CISSP, CompTIA), and help pipeline workers into government and industry roles.

• Research & testbeds: Universities offer neutral venues for adversarial testing, secure-by-design research, and evaluation of new defensive tools in controlled environments — invaluable for evaluating responses to new threats like ad-based fraud or supply-chain compromises.

• Public-private collaboration: Centers can be conveners for multi-stakeholder collaboration: state and local agencies, DoD/DoE programs, industry partners, and NGOs can coordinate training, exercises and research.

Practical opportunities

• Regional upskilling programs: UWF’s Center runs Florida-wide training programs, often free for public-sector employees — a scalable model for other states and regions to expand their cyber capacity.

• AI and security integration: By combining AI research and cybersecurity, the Center can explore both defensive AI (anomaly detection, threat hunting) and AI-specific risks (model poisoning, data leakage), producing tools and curriculum that reflect modern threats.

• Workforce pathways: Internships, cooperative education, and grant-funded certificates make transitions smoother for non-traditional entrants to cybersecurity careers.

Tactical playbook — how organizations should engage

For industry partners

• Sponsor scholarship and apprenticeship programs tied to measurable placement outcomes.

• Fund joint research projects that produce defensible, deployable artifacts (detection models, telemetry standards).

For government

• Expand grant programs that fund state university cyber centers to run free/reskilling programs for public-sector employees.

• Use academic centers as standardized testbeds for procurement pilots before buying commercial solutions.

For CISOs / hiring teams

• Build formal relationships with local university centers: guest lectures, capstone projects, structured internship-to-hire pipelines.

My take (op-ed)

Centers like UWF’s are essential infrastructure — they reduce friction in hiring, provide neutral testbeds for critical tools, and create trusted partnerships for regional resilience. Policymakers should treat investments in such centers as capacity-building, not charity: robust, distributed academic capacity is foundational to national cyber resilience.

Cross-cutting analysis — how the stories fit together

1. Attackers innovate on trust vectors while defenders build governance & capacity scaffolding. The Milano Cortina scam is an instant, market-facing threat exploiting consumer trust and advertising platforms. By contrast, tax incentives, defense compliance rules, and university center expansions are structural responses that operate on different timeframes: immediate technical defenses and long-term resilience building.

2. Policy and procurement shape markets and supplier behavior. Defense cybersecurity rules create compliance demand; tax incentives could shift ROI calculations for security investments; both influence the market for MSSPs, certified tooling, and managed compliance services.

3. Supply-chain and small-supplier fragility is the persistent weak link. If compliance drives small suppliers out of defense markets, we create concentration risks. The sensible path pairs higher standards with uplift funding and shared services.

4. Education centers enable both defense and economic growth. University centers are the bridge: they create trained personnel capable of operating the new security tooling required by defense and industry, and they run research that informs tax policy efficacy and compliance standards.

Priority playbook — what to do now (7/30/90/365 days)

For CISOs & security ops teams

7 days

• Block known lookalike domains and configure web filters to warn on likely clone shops; coordinate with communications to publish consumer advisories related to event-specific fraud.

• Run a rapid supply-chain mapping exercise to identify small suppliers with privileged access or critical roles.

30 days

• Implement ad-platform monitoring: sign up for brand protection APIs or outsource to a vendor that monitors paid-ad placements; set up takedown escalation channels with ad platforms.

• Conduct supplier readiness assessments for new defense cyber rules; prioritize vendors that require immediate remediation.

90 days

• Run tabletop exercises covering ad-driven fraud at scale and supply-chain compromise under new defense rules.

• Develop incident playbooks including liaison points with ad platforms, card networks, and law enforcement.

365 days

• Operationalize a continuous brand-protection program with legal, marketing, and security integration; track metrics on takedown speed and victim remediation.

For policymakers

7 days

• Consider a pilot tax-incentive working group with industry, academics, and fiscal authorities to design an experimental framework.

30 days

• Allocate seed funding to help small defense suppliers upgrade baseline security controls (MFA, logging, endpoint protection).

90 days

• Run pilot tax-incentive experiments linked to measurable security outcomes; publish interim evaluations.

365 days

• Scale effective incentive models; institute supplier assistance programs for defense-critical niches to avoid concentration.

For universities & workforce planners

7 days

• Reach out to local defense primes and industry partners to define high-impact certificate programs aligned with compliance needs.

30 days

• Launch short-term bootcamps for supplier security readiness (for SMEs in defense supply chain).

90 days

• Publish joint research with industry on efficacy of tax incentives and supplier uplift programs.

Technical appendix: detection & mitigation patterns

Detecting ad-driven clone shops

• Ad creative monitoring: Index ad creatives for brand logos and suspicious discount levels; flag creatives promoting extreme discounts (e.g., >50%) for manual review.

• Landing page inspection: On click, inspect landing pages for inconsistent domain history, missing contact info, or lack of HTTPS certificate transparency. Automate scoring.

• Payment friction signals: Monitor payment processor data for unusually high first-time buyer conversion rates on new merchant accounts.

Supply-chain & supplier maturity checks

• Baseline checklist (fast): MFA, EDR/HIPS, centralized logging, vulnerability scanning, patching cadence, access control for privileged APIs.

• Supplier profiling: Tag suppliers by access scope (data sensitivity, privileged APIs) and require higher levels of attestation for higher access tiers.

Tax-incentive verification models (prototype)

• Eligibility: Only firms below a threshold (e.g., SMEs) or that perform qualifying training or control upgrades.

• Verification: Independent assessor reports; sample-based audits.

• Outcome measurement: Track reduction in time-to-detect, reduction in unpatched critical vulnerabilities, or incident-frequency change over 12 months.

Playbooks and templates (copyable)

Incident response checklist for paid-ad fraud

1. Immediate takedown request: Contact ad platform with campaign ID and suspected violation; request emergency pause and evidence preservation.

2. Payment partner freeze: Notify payment gateway/processor to flag merchant ID for refunds/chargebacks and to initiate a freeze pending investigation.

3. Victim communication: Issue a public advisory with explicit verification steps, refund procedures, and a dedicated support channel.

4. Law enforcement referral: Package evidence (ad creatives, server logs, payment trails) for cybercrime units or national reporting portals.

Supplier uplift program template (for primes)

• Phase 1 (assessment): 0–30 days: baseline scans, gap analysis.

• Phase 2 (remediation): 30–90 days: prioritized controls (MFA, EDR, logging).

• Phase 3 (certification): 90–180 days: attestation, audit, continuous monitoring integration.

• Funding model: Prime funds initial remediation; supplier amortizes via contract payments or grant offsets.

What success looks like: metrics for evaluation

• Ad-takedown time: median time from report to ad removal — target < 24 hours for paid-ad fraud.

• Supplier readiness rate: percentage of critical suppliers meeting baseline controls — target 90% within 12 months.

• Tax-incentive impact: pilots should show increased security spend among recipients and measurable improvements in patching and detection metrics vs. control group.

• Workforce throughput: number of certified/retrained personnel produced by academic centers with placement rates — target 60% placement into cyber roles within 6 months.

Honest trade-offs & risks

• Speed vs. verification: Faster incentives (e.g., immediate tax deductions) risk being gamed; slow, heavily verified incentives may not move the needle quickly enough. Pilot testing helps find the balance.

• Centralization vs. resilience: Moving small suppliers to consolidated MSSPs reduces per-supplier cost but can concentrate risk in a few providers — require diversity or circuit breakers in procurement.

• Privacy vs. actionability: Brand protection systems that share user data with law enforcement need privacy safeguards to avoid abuse.

Conclusion — the posture for 2026

These four stories — Milano Cortina ad-fraud, tax policy debates, tougher defense supply-chain rules, and university capacity building — capture a larger narrative: attackers continue to innovate along trust and supply-chain vectors while defenders and policymakers increasingly operate on multiple time horizons. Defensive maturity requires both quick tactical responses (ad monitoring, incident playbooks) and sustained structural investments (tax incentives, supplier uplift, academic centers). The best strategy is layered: harden immediate attack surfaces; build finance and policy instruments that incentivize shared investment in security; and grow the human and institutional capacity to sustain resilience.

If you take nothing else from this briefing, remember these three priorities:

1. Treat ad platforms as part of your threat surface now. If your brand could be impersonated or your customers targeted by event-related scams, allocate resources to monitor and quickly request takedowns from ad providers.

2. Pair higher compliance expectations with uplift funding. Policy and procurement should raise the bar for supplier security while enabling small, critical suppliers to meet those standards through grants, cooperative services, or prime-funded remediation.

3. Invest in talent and research strategically. Academic centers that combine cybersecurity and AI are not luxuries — they are national levers for workforce readiness and neutral evaluation of defensive tools.

Sources

• Source: Reuters — “Fake Milano Cortina sites target thousands with discount scams, cybersecurity firm says.”
• Source: Help Net Security — “Applying cybersecurity tax policies” (policy analysis and proposals).
• Source: Reuters — “New cybersecurity rules for US defense industry create barrier for some small suppliers.”
• Source: University of West Florida Newsroom / UWF Center pages — “UWF Launches Center for Cybersecurity and AI to Advance National and Global Impact.”