At a glance.
- UN creates advisory board focused on AI governance.
- UK Prime Minister hosts AI Safety Summit.
- White House issues Executive Order on artificial intelligence.
- International Counter Ransomware Initiative promises to refuse extortion demands.
- FTC modifies breach reporting requirements of the Safeguards Rule.
- Hundreds of millions impacted in massive Indian data breach.
- SEC hits SolarWinds with lawsuit for 2020 data breach.
UN creates advisory board focused on AI governance.
On Thursday the United Nations announced it’s establishing an advisory body centered on the regulation of artificial intelligence tech, Reuters reports. The group’s thirty-nine members will hail from six continents and include international government officials, experts from diverse academic and professional backgrounds, and executives from tech companies like Sony, OpenAI, and Microsoft.
UN Secretary-General António Guterres released a statement explaining, “The transformative potential of AI for good is difficult even to grasp. And without entering into a host of doomsday scenarios, it is already clear that the malicious use of AI could undermine trust in institutions, weaken social cohesion, and threaten democracy itself.” The first items on the advisory board’s docket include establishing a global scientific consensus on the risks and challenges posed by AI, and bolstering international cooperation in governing AI-supported tech. The group’s first meeting was held last week, and the board is expected to issue preliminary recommendations for global collaboration in addressing the risks associated with AI by the end of 2023, with final recommendations scheduled for summer 2024.
UK Prime Minister hosts AI Safety Summit.
Meanwhile, in the UK, Prime Minister Rishi Sunak is hosting an AI Safety Summit, gathering approximately one hundred world leaders, tech execs, and academic experts. During the two-day meeting, they’ll deliberate on how to take advantage of the benefits of AI tech while minimizing risks like bio-terrorism, cyberattacks, and deepfakes. The BBC explains that Prime Minister Sunak’s plan is to make the UK a global leader in AI safety, and US Vice President Kamala Harris will be in attendance, as will European Commission president Ursula von der Leyen. China has also been invited, despite its strained relationship with the West.
Many in the private sector have expressed support for the summit, with Emad Mostaque, head of British company Stability AI, stating, “We will encourage the government and other policymakers to commit to supporting AI safety right across the ecosystem, from corporate labs to everyday researchers and from long-term threats to short-term risks to keep Britain safe and competitive.” However, some critics say the summit will focus too much on far-fetched threats – like the unlikely possibility that AI could become so powerful it could control itself – and not enough on more realistic risks like job loss and the strain on energy. AI expert Professor Yoshua Bengio stated, “We're going to need to start with small steps that can be implemented quickly. International treaties and agreements take a lot more time... but we should start small and not wait to have built a very complicated global governance system before we start doing things.”
The Guardian notes that over one hundred signatories submitted an open letter to Sunak on Monday, expressing their disappointment that the summit is lacking in civil society representatives, making it unlikely that actual legislation will be discussed. The Washington Post notes that some experts worry Sunak’s hesitation to rush into regulation is a strategy to attract the support of influential tech companies, and that his focus on the unlikely scenario of super-intelligence is a means of distracting lawmakers from more pressing governance. Marietje Schaake, a former member of the European Parliament and the special adviser to the European Commission implementing the Digital Services Act, stated, “AI is not a topic of the future, but is already causing problems in the present. We need democratic regulation and independent oversight.”
White House issues Executive Order on artificial intelligence.
Across the pond in the states, US President Joe Biden on Monday signed an executive order focused on the secure usage of AI technology, signaling a much more aggressive approach to AI regulation. As the White House explains, the EO aims to make the US a leader in “seizing the promise and managing the risks of artificial intelligence” and “establishes new standards for AI safety and security, protects Americans’ privacy, advances equity and civil rights, stands up for consumers and workers, promotes innovation and competition, advances American leadership around the world, and more.”
AP News notes that the ambitious document offers guidelines on privacy, civil rights, consumer protections, scientific research, and worker rights. Politico reports that the guidelines prioritize the immigration of highly skilled individuals with expertise in critical areas to the US, and also call for the creation of new government offices and task forces focused on harnessing the powers of AI for uses in areas like healthcare, housing, trade, and education. Simultaneously, President Biden directs federal agencies to set standards to ensure the data privacy and cybersecurity of AI tech, as well as to prevent discrimination and monitor competition in the AI industry.
Furthermore, the EO invokes the emergency federal powers of the Defense Production Act (created during the Korean War), which would require major AI companies to notify the government when developing any system that poses a “serious risk to national security, national economic security or national public health and safety.” The New York Times adds that the US president is calling for the developers of the most advanced AI products to submit test results to the government ensuring the tech cannot be used to manufacture biological or nuclear weapons.
Some members of the tech industry worry the order is overstepping when it comes to government oversight and could hamper innovation. Trade group NetChoice says the order is “dangerous for our global standing as the leading technological innovators” and is “ripe for legal action.” But in general, the order received a positive response from tech interest groups, cybersecurity experts, and Democratic lawmakers. (Republicans, the Wall Street Journal notes, largely declined to comment.) Senate Majority Leader Chuck Schumer, a Democrat from New York, says a bipartisan group of lawmakers will meet with President Biden at the White House this week to discuss possible legislation, and the guidance within the order is to be implemented over the course of ninety days to one year. For more reaction to the Executive Order, see CyberWire Pro.
International Counter Ransomware Initiative promises to refuse extortion demands.
This week during the third annual meeting of the International Counter Ransomware Initiative (CRI), dozens of world governments pledged never to pay ransom demands levied by ransomware gangs in cyberattacks. Established by the US in 2021, the CRI, which includes forty-eight countries as well as the European Union and Interpol, is considered the largest cyber partnership in the world, TechCrunch explains.
Governments and cybersecurity experts have long warned that ransom payments not only motivate future attacks but also offer no guarantee that stolen data will be returned. While the agreement does not ban companies from making ransom payments (a move that could inadvertently give ransomware groups increased leverage for extortion), US Deputy National Security Advisor Anne Neuberger says the goal of the pledge is to “counter the illicit finance that underpins the ransomware ecosystem.”
Not all members of the coalition have agreed to the pledge, but Neuberger says “we’re in the final throes of getting every last member to sign.” Details of the pledge have not yet been disclosed, and it’s unclear how member states will be held accountable or if there will be penalties for giving in to ransomware attackers.
As CyberScoop notes, this year’s CRI meeting also focused on using AI and blockchain analysis to fight ransomware, as well as plans to share a list of blacklisted cryptocurrency wallets associated with ransomware operations. The Register adds that CRI members are also working to bolster their information-sharing capabilities, and two dedicated platforms – one developed by Lithuania and the other a joint effort from Israel and the United Arab Emirates – will allow countries to quickly share threat indicators after ransomware attacks. For more on the CRI agreement, including security industry reactions, see CyberWire Pro.
FTC modifies breach reporting requirements of the Safeguards Rule.
The US Federal Trade Commission (FTC) has announced an amendment to the Safeguards Rule that will require non-banking financial institutions to report data breaches impacting more than five hundred individuals, and other security events, to the agency. Affected organizations include mortgage brokers, motor vehicle dealers, and payday lenders, and under the amendments these institutions will also be required to develop, implement, and maintain a comprehensive cybersecurity program to safeguard customer data. A breach notification must be submitted to the FTC as soon as possible, and no later than thirty days after detection, and must include certain details such as the number of consumers potentially impacted by the incident.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, explained, “Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised. The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”
Hundreds of millions impacted in massive Indian data breach.
The Hindustan Times reports that the data of 81.5 crore (or 815 million) individuals has been exposed in what is being called the largest breach in India’s history. A hacker who goes by the name of pwn001 has published the data, allegedly stolen from the Indian Council of Medical Research (ICMR), on leak site Breach Forums, where it was discovered by American cybersecurity and intelligence firm Resecurity. The trove includes details from passports and India’s Aadhaar identification card system, including names, phone numbers, and street addresses, which pwn001 says were extracted from the Covid-19 test details stored in ICMR’s systems.
Pwn001 was selling the database for a mere $80,000, and analysts say the Aadhaar card IDs included in the sample data he offered appear to be valid. Mint adds that the Central Bureau of Investigation (CBI) has launched an investigation. It’s worth noting that in June another hacker claimed to have stolen the personal data and Aadhaar numbers of over 80 crore Indians from CoWIN, the Indian government’s web portal for COVID-19 vaccination registration. As Mint explains, in April the hacking group Hacktivist Indonesia published a list of 12,000 websites they planned to target, including thousands of Indian government websites.
SEC hits SolarWinds with lawsuit for 2020 data breach.
AP News reports that the US Securities and Exchange Commission (SEC) is suing software firm SolarWinds, the target of the now infamous 2020 cyberattack that impacted thousands of the company’s customers, including high-profile private companies and federal agencies. The lawsuit alleges that the firm committed fraud by failing to disclose its cybersecurity deficiencies prior to the attack. Reuters notes that the suit sets a precedent as the first time the SEC has sued a company (rather than merely charging and settling) that was targeted by a cyberattack.
Tim Brown, the company’s then-vice president of security, is also named in the suit, accused of defrauding clients “through misstatements, omissions and schemes” that concealed both the company’s “poor cybersecurity practices and its heightened — and increasing — cybersecurity risks.” SecurityWeek reports that key evidence includes a SolarWinds staffer’s internal presentation, shared with Brown, that indicated that the company’s remote access setup was “not very secure” and that exploitation could lead to “major reputation and financial loss” for SolarWinds. The SEC also alleges that Brown himself gave company presentations in 2018 and 2019 in which he acknowledged that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”
SolarWinds released a statement saying that the charges are unfounded, and that the company is “deeply concerned this action will put our national security at risk.” TechCrunch adds that the head of the SEC’s enforcement unit, Gurbir Grewal, said of the case, “Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
Cybersecurity expert Jake Williams agreed with the SEC’s sentiments, posting on X, “The SEC litigation against SolarWinds is going to do more to advance security than another decade of breaches would.” However, as SecurityWeek notes, some experts argue that the suit could make CISOs even more hesitant to report security incidents to the proper authorities. SolarWinds President and Chief Executive Officer Sudhakar Ramakrishna wrote in a blog post that the SEC risks “disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines.” Certainly, the suit underscores the need for CISOs to better communicate with executives and regulators about their companies’ cybersecurity standings.
Jake Williams, faculty member at IANS Research, draws a lesson from the complaint itself. “The headline here is in paragraph 10 of the legal complaint: the commissions and false statements about security would have violated securities laws even if SolarWinds hadn't been targeted,” he writes. “That they were targeted only served to highlight the issues. CISOs, especially those at publicly traded companies, should take stock of their security programs and ensure that what's being communicated to the public is rooted in reality rather than spin and wishful thinking. For those in privately held organizations, the SEC is setting a new standard for security disclosures with this lawsuit. Don't be surprised to see that standard used in litigation if you make false, incomplete, or misleading statements about security to customers or business partners.”