At a glance.
- FCC chair announces plans to restore net neutrality.
- The UK adopts a hunt-forward approach to cyber war.
- The effect of the SEC’s new rules on CISOs.
- The UK and US reach a deal on data transfers.
- FTC official says data brokers need to be curbed.
- Poland investigates OpenAI.
- Election security: the Ohio model.
- CISA issues framework for hardware ingredients labels.
- CISA works to Secure Our World.
- Cybercriminal teens on the rise.
- EU official warns about the threat of election disinformation.
- NSTAC report offers guidance on combating abuse of domestic infrastructure.
FCC chair announces plans to restore net neutrality.
Jessica Rosenworcel, chair of the US Federal Communications Commission (FCC), announced plans this week to restore net neutrality rules that were established in 2015 but rescinded during the Trump Administration. Net neutrality would, the FCC said in a factsheet, accomplish four overarching goals:
- "Openness – Establish basic rules for Internet Service Providers that prevent them from blocking legal content, throttling your speeds, and creating fast lanes that favor those who can pay for access."
- "Security – Reclassify broadband internet access to give the FCC and its national security partners the tools needed to defend our networks from potential security threats."
- "Safety – Allow the FCC to enhance the resiliency of broadband networks and bolster efforts to require providers to notify the FCC and consumers of internet outages."
- "Nationwide Standard – Establish a uniform national standard rather than a patchwork of state-by-state approaches, benefiting consumers and Internet Service Providers."
The UK adopts a hunt-forward approach to cyber war.
Lieutenant General Tom Copinger-Symes, deputy commander of the United Kingdom’s Strategic Command, where he holds responsibility for the Ministry of Defence’s offensive and defensive cyber capabilities, told the Record in a long interview that his command has, on the strength of lessons learned from Russia's hybrid war against Ukraine, decided to adopt a hunt-forward strategy similar to that followed by US Cyber Command.
The effect of the SEC’s new rules on CISOs.
Legal Dive offers a closer look at how the US Securities and Exchange Commission’s (SEC) newly instated cyber incident reporting rules will impact corporate executives. With the new rules, determining materiality is key, as publicly traded companies are required to disclose cyber incidents within four business days of determining the incident is material to the company’s bottom line. CISOs are responsible for this disclosure, which means they’re also responsible for deciding whether the incident is material, a task that can be challenging to complete in a timely fashion.
CISOs will also be held accountable for ensuring that the C-suite and board are in the know about any cyber incidents. Failure to do so could result in conviction, as seen earlier this year in the Uber ransomware attack cover-up. As a recent survey from Proofpoint shows, the majority (62%) of CISOs are already concerned about liability when it comes to incident response and governance compliance, and the new rules aren’t making things any simpler. For more on the implications of SEC cyber reporting rules, see CyberWire Pro.
The UK and US reach a deal on data transfers.
On Thursday US and UK officials reached an agreement regarding online data flows between the two countries. The handling of data transfers from the UK and EU to the US has been a point of contention for years, with several EU courts determining that the US does not have adequate protections in place to safeguard the data of Europeans. As CyberScoop recounts, an executive order issued by US President Joe Biden last year outlined a slate of surveillance reforms aimed at bringing the US’s data transfer policies more in line with those of the UK and EU, and in July the European Commission reached a data flow agreement with the US.
This UK agreement, while similar to the agreement with the EU, is less stringent, due in part to UK-US partnerships regarding intelligence sharing and surveillance. This is good news for tech companies, alleviating their concerns that their operations would be negatively impacted by their inability to access data from other countries. Joe Jones, director of research and insights for the International Association of Privacy Professionals, states, “It’s a big injection of confidence in the market.”
That said, there are still hurdles ahead. A court challenge to the EU-US agreement has already been issued, and if successful, it could make UK lawmakers reconsider the new pact. As well, later this year US officials will be making a decision on whether or not to renew Section 702 of the Foreign Intelligence Surveillance Act, which has drawn criticism from EU lawmakers for potential privacy violations.
FTC official says data brokers need to be curbed.
The US Federal Trade Commission (FTC) is signaling plans to crack down on the data brokerage market, the Washington Post reports. FTC consumer protection chief Sam Levine was scheduled to speak last Thursday at a data summit conference, and in his planned remarks he expressed concerns over some data brokers’ attempts to create “detailed digital dossiers on almost every American.” While regulators and legislators are calling for companies to focus on data minimization, data brokerage firms are doing the exact opposite.
Levine calls on companies to be cautious about brokers with which they partner and to strengthen their data privacy policies. “As your industry faces increased scrutiny from consumer protection agencies, from the Intelligence Community, from Congress, and from the Supreme Court, implementing these steps could go a long way toward addressing serious concerns that are emerging across the government and across the political spectrum,” the planned remarks read. The FTC has already initiated a slate of initiatives aimed at restraining the activities of data brokers, including developing new privacy rules around commercial surveillance and strengthening enforcement of the Children's Online Privacy Protection Act.
Poland investigates OpenAI.
American artificial intelligence research laboratory OpenAI, maker of popular chatbot ChatGPT, is being scrutinized by Polish regulators after a complaint that the platform violates the EU’s General Data Protection Regulation (GDPR). Jan Nowak, President of Poland's Personal Data Protection Office (UODO), explains, "The case concerns the violation of many provisions on the protection of personal data, so we will ask Open AI to answer a number of questions.” The complainant claims that ChatGPT generated false data about them, which OpenAI failed to correct, and when they contacted the company they received only evasive and misleading responses. Reuters notes that OpenAI has not yet commented on the validity of the claims.
What would Ohio do?
The US state of Ohio is setting an example when it comes to election security, and the Messenger offers a closer look at these efforts. Over the past four years, the state’s highest election official, Secretary of State Frank LaRose, has issued a series of aggressive directives to county election administrators focused on better protecting the voting process. Historically, state governments have stayed out of the way when it comes to local governments’ election protocols, but given warnings from US intelligence officials regarding voting interference from Russia and other threat actors, the need for greater state-level oversight has become apparent.
Experts have applauded LaRose’s efforts to answer that call. “Ohio is definitely at the forefront of states that have recognized the need for statewide leadership on uniform security practices,” said Lawrence Norden, senior director of the Elections and Government Program at New York University’s Brennan Center for Justice. Among his many actions, LaRose has directed local governments to secure their election websites and email systems against intrusion, proactively prepare response plans, sign up for free assessments from the federal Cybersecurity and Infrastructure Security Agency (CISA), and train staff on physical security procedures. And it’s likely other states will follow in Ohio’s footsteps.
CISA issues framework for hardware ingredients labels.
On Monday the US Cybersecurity and Infrastructure Security Agency (CISA) released its Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management. Created by the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, the document provides guidelines by which tech manufacturers can clearly communicate with buyers about the hardware components of their products. The goal is akin to a nutrition label found on a package of food, giving the consumer – in this case, tech purchasers – a clearer idea of the ingredients the product contains, and in turn the inherent risks of using it.
CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington stated in a press release, “With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience. By enhancing transparency and traceability through HBOM, stakeholders can identify and address potential risks within the supply chain, ensuring that the digital landscape remains robust and secure against emerging threats and challenges.” The framework offers a set of potential use cases that purchasers may have for HBOMs, a format that should be used to create consistency across HBOMs, and a taxonomy of component/input attributes that should be included in the HBOM.
As NextGov notes, adherence to the framework is voluntary, but in the absence of mandatory guidance, the task force hopes the document will lead to a more consistent approach. For more on the Hardware Bill of Materials Framework, see CyberWire Pro.
CISA works to Secure Our World.
This week CISA also announced the start of its “Secure Our World” program, a national campaign aimed at spreading cybersecurity awareness. A nationwide public service announcement, digital content, and a toolkit are among the resources that will be offered to help Americans learn more about digital safety. CISA Director Jen Easterly stated, “I’m incredibly excited to launch our nationwide Public Service Announcement campaign, which includes resources and tools every individual and organization can use to stay safe online by practicing good cyber hygiene. As cyber threats continue to evolve, we encourage everyone to do their part to stay cyber-safe.” Some of those parts include using strong passwords, implementing multifactor authentication, learning how to recognize and report phishing scams, and updating software to ensure all necessary patches are installed.
Cybercriminal teens on the rise.
Well, this is taking teen angst to a whole new level. At a Washington Post event on Tuesday, cyber experts and officials warned about the growing number of teenagers turning to cybercrime. Adolescent hackers have been behind several recent cyberattacks, including the casino incidents and the activities of the Lapsus$ gang, and some experts compare the way they’re indoctrinated online to the radicalization of terrorists.
“What we’re seeing is a phenomenon where quite literally juveniles and others here and abroad, have kind of limitless access to an online for-profit criminal ecosystem,” Deputy Attorney General Lisa Monaco stated. “This juvenile hacking phenomenon is not unlike what we saw in the terrorism landscape, individuals radicalized online.” She’s calling on the federal government to support state and local partners to address the issue, but a recent report from the Cyber Safety Review Board highlights the challenges. “Few (and no U.S.-based) cyber-specific intervention programs exist that can help divert potential offenders to legitimate cybersecurity-related activities,” the report states.
Monaco offered at least one possible tactic: cracking down on the web forums where hacking tools are bought and sold. “We see ransomware tools being sold on the dark web,” she said, “and we have been very successful in the last year taking down criminal, illicit marketplaces where access to victims’ networks are being sold by criminal groups.” Other topics discussed at the event include the shifting motivations of threat actors, CISA’s security-by-design guidance, and ransomware awareness.
EU official warns about the threat of election disinformation.
At a press conference on Tuesday, European Commission Vice President Vera Jourova urged tech giants to crack down on the spread of disinformation as elections in Europe approach. As Reuters explains, major online platforms were recently asked to submit data on their activities focused on cracking down on fake news. But that hasn’t been enough to stifle a recent wave of disinformation focused on the parliamentary elections in Slovakia, scheduled for the end of this month, Poland’s October elections, and European Parliament elections next year. "The Russian state has engaged in the war of ideas to pollute our information space with half-truth and lies to create a false image that democracy is no better than autocracy," Jourova stated. "Today, this is a multi-million euro weapon of mass manipulation…The 'very large platforms' must address this risk. Especially as we have to expect that the Kremlin and others will be active before elections.”
Jourova particularly called out X, the Elon Musk-owned social media platform formerly known as Twitter, which left the EU's voluntary code in May. "Mr (Elon) Musk knows that he is not off the hook by leaving the code of practice because now we have the Digital Services Act fully enforced. So my message for Twitter is you have to comply with the hard law and we will be watching what you are doing," she stated. A recent study from the European Commission showed that X has the biggest proportion of disinformation when compared to fellow social media giants Facebook, Instagram, LinkedIn, TikTok, and YouTube. For more on election security and the threat of malign influence, see CyberWire Pro.
NSTAC report offers guidance on combating abuse of domestic infrastructure.
Also on Tuesday, the US National Security Telecommunications Advisory Committee (NSTAC) approved a slate of recommendations focused on fighting cyberattacks targeting domestic infrastructure, Nextgov reports. Among other initiatives, the guidance tasks the federal government with standing up a public-private task force focused on creating a framework of best practices for combatting the foreign abuse of domestic infrastructure (ADI).
The report also calls for the government to work with developers of commercial products and emerging tech to test privacy-enhancing technologies and bolster data-sharing initiatives. NSTAC’s guidance recommends that the strategy be led by the Office of the National Cyber Director and supported by public-private partnerships. "While many facets to combat ADI are currently in place or under development, a strategic, coordinated approach is essential to help unify these efforts," the report states. For more on ADI, see CyberWire Pro.