At a glance.
- When it comes to AI, are we playing with fire?
- Tech professionals urge EU to scale back CRA.
- Industry response to the SEC’s charges against SolarWinds.
- Sam Bankman-Fried's trial is over. What happens now?
- Blackhat-turned-whitehat arrested for cyber extortion.
- Russian disinformation campaign seeks to influence Latin America against Ukraine and NATO.
- Could X’s new CEO be cracking down on hate speech?
When it comes to AI, are we playing with fire?
As artificial intelligence increasingly becomes a part of our everyday lives, experts continue to debate whether the risks outweigh the rewards. One concern is that AI could intentionally deceive humans, and a presentation at the UK AI Safety Summit last week demonstrated that, even with the best intentions, an AI bot could use its powers for evil. Computing recounts how researchers from Apollo Research convinced a GPT-4 model to knowingly engage in illegal insider stock trading in order to save a company from bankruptcy, then watched as the bot lied to cover its tracks. "AIs that deceive human overseers could lead to loss of human control," the researchers stated. Bots that engage in "strategic deception and deceptive alignment…could allow AIs that don't have our best interest in mind to get into positions of significant power," they concluded.
On the other side of the debate, Dr. Patricia Gestoso pointed out last week at the UK’s Women in Tech Festival that all innovation comes with risks, and it’s up to humans to find ways to reduce that risk without impeding progress. She compared AI to the discovery of fire, stating, “Seven thousand years ago, we decided that we wouldn't let fire do whatever it wanted to… So, you know, we are happy to have fire in an oven and cook a pizza, but if it goes to the curtains or the floor, we give ourselves permission to put it out. We can do the same with AI."
As Computing reports, Gestoso also addressed myths about AI’s negative impact on the workforce, particularly recent studies showing that the technology has pushed women out of the tech field. "Women were the original programmers. We were at Bletchley Park, we were at the ENIAC, we were at NASA… What really pushed women out of technology was patriarchy." She also asserts that AI has hurt UK employment only because it’s being abused by its controllers, not because AI is pushing workers out of the market. She explained, “when you look into the data, it tells us that we as a country are less productive because of the sectors the UK has decided to prioritise; and because we have one of the lowest investments in R&D.” The key, she says, is to ensure that – much like with fire – humans maintain the upper hand when it comes to AI. "We make the decisions," said Gestoso. "This is how we regain power."
Tech professionals urge EU to scale back CRA.
As European lawmakers are scheduled to continue negotiations on the EU’s Cyber Resilience Act (CRA) this week, tech industry leaders are warning that the legislation’s restrictions could stifle innovation, damage the market, and actually weaken cybersecurity. The Information Technology Industry Council (ITI), a global tech trade association based in Washington DC, offers recommendations to ensure the new legislative framework is not so broad that it causes more harm than good. ITI is asking EU legislators to narrow the scope of CRA and more clearly define terms like “remote data processing solutions” and “commercial activity.”
ITI also recommends that lawmakers take a more proportionate approach when assigning risk levels to digital products and determining which are deemed “critical.” ITI also takes issue with the CRA’s proposed mandated reporting requirements for actively exploited vulnerabilities. “Such reporting would unintentionally create a more serious security risk by bringing into scope a broad set of sensitive information instead of mitigating harm,” ITI explains. And finally, ITI asks lawmakers to ensure the CRA doesn’t overlap with other legislation like the NIS 2 Directive and the EU’s Delegated Regulation, causing tedious duplicate efforts.
On Monday electronics makers like Siemens, Ericsson, and Schneider Electric, along with industry group DigitalEurope, issued a joint letter to EU industry chief Thierry Breton and digital chief Vera Jourova warning that the CRA’s restrictions could lead to supply chain disruptions. The letter reads, "The law as it stands risks creating bottlenecks that will disrupt the single market." As Reuters explains, the CRA calls for the manufacturers of smart products to assess the cybersecurity risks and take measures to fix any issues over the lifetime of the products, and industry professionals say the resulting red tape could lead to supply delays on par with those experienced during the height of the pandemic. With the increase in smart components in products in recent years, the disruptions could impact everything from washing machines to toys to critical components for high-tech manufacturing.
Like ITI, the letter’s signatories recommend that the products deemed higher-risk by the CRA should be significantly scaled back, and that tech makers should be given the opportunity to self-assess security risks and remedy known vulnerability risks before being required to conduct time-consuming assessments.
Industry response to the SEC’s charges against SolarWinds.
As we discussed last week, the US Securities and Exchange Commission (SEC) has announced it’s suing IT service management firm SolarWinds, as well as its CISO Tim Brown, for alleged fraud and internal control failures related to the massive 2020 cyberattack that spread like wildfire through the company’s thousands of customers. The lawsuit has the CISO community on high alert as they try to determine how to avoid personal liability for company security failures.
Security Week spoke with industry professionals for their reactions. Igor Volovich, VP of Compliance Strategy at Qmulos, says the SolarWinds incident was less about intentional malfeasance and more about the dangers of divorcing cybersecurity from corporate risk, compliance, and regulatory functions. Volovich states, “Despite the fact that the SEC is presenting the CISO’s internal reporting of security deficiencies, juxtaposed with SolarWinds’ contradictory regulatory filings disclaiming any knowledge of material deficiencies, as ‘evidence of malfeasance’ and ‘shareholder fraud,’ the more likely scenario is that none of the people responsible for corporate regulatory filings either understood or recognized the significance of reported security issues within the context of ‘reportable material deficiencies’ as defined by the SEC.”
Volovich also notes corporate whistleblowers can be granted special protections under the Department of Justice’s Civil Cyber-Fraud Initiative and the False Claims Act, giving them increased incentive to come forward and leaving CISOs in a vulnerable position. Jason Zuckerman and Matthew Stock of Zuckerman Law agreed, stating, “In our practice representing cybersecurity whistleblowers, we find that all too often, chief information security officers and other information security professionals encounter indifference or retaliation when they raise concerns about vulnerabilities. The SEC whistleblower program offers a powerful incentive for cybersecurity whistleblowers to report violations to the SEC and assist the SEC in taking decisive enforcement actions that will encourage registrants to provide accurate disclosures about cybersecurity and maintain appropriate cybersecurity controls.”
Other insiders say the CISO role has been made less desirable than ever, as the lawsuit demonstrates just how much more pressure CISOs are under compared to other members of the C-suite. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens, stated, “After this, the CISO role will perpetually be in ill repute…Unless one is on your toes, it is easy to suddenly find oneself at the mercy of external forces at a scale no other CXO is exposed to.” Francesco Trama, CEO and Founder of PacketViper, agreed, stating, “It’s high time that Boards and CEOs step up to the plate. They need to be educated about the intricacies of cybersecurity and should be held equally accountable for failures. Cybersecurity is not an IT issue; it’s a business issue that affects the bottom line, brand reputation, and customer trust.”
As the Stack notes, EY Cybersecurity Consulting’s Brian Levine penned a LinkedIn post warning CISOs to be especially cautious when it comes to discussing their companies’ cybersecurity issues. With broad recommendations like, “Do not say anything that could even arguably be considered a false statement or omission,” and “Do not state anything that is subjective and avoid adjectives,” his advice demonstrates just how narrow the path is for a CISO who wants to avoid liability. He also recommends that CISOs thoroughly explain their risk disclosure program “so that readers (and the SEC) understand that you are (a) regularly identifying and considering improvements to your controls; and (b) constantly finding and attempting to handle significant vulnerabilities and weaknesses.”
We note, concerning the SEC’s action with respect to SolarWinds, that it’s a complicated case and, above all, a civil and not a criminal matter.
(Added, 11:45 AM ET, November 11th, 2023.) Craig Clymer, CISO at Inversion6, thinks the SEC enforcement action may well be intended more to deter future avoidable breaches than to deliver clarity about materiality:
“This latest SEC charge against SolarWinds CISO comes on the heels of two other highly related pieces of news. The first is the SEC’s recent guidance requiring strong board oversight of security and rapid disclosure of breaches. The second is the at-the-time unprecedented charging of Uber’s CISO over their own breach.
“The security community has fixated on the breach disclosure element of the SEC guidance, but I find the governance piece more interesting. Especially because of what the SEC did NOT do: Namely, define exactly what would be “material” enough to require disclosure, or provide any guidance whatsoever into appropriate controls. Similarly, with this SolarWinds news the security community is scratching its collective head trying to understand just what degree of disclosure is needed over everyday vulnerabilities that every company has. In the case of the Uber breach, the CISO actively participated in a cover-up of identified risks, even altering reports of findings to better fit the narrative the company wished to portray to the public. With SolarWinds, it appears from the outside to be very similar to the situation most CISOs face with known vulnerabilities, and only so many resources to address them. Is there a risk rating the SEC wants us to target? A particular CVSS score? I think these details all miss the bigger picture.
“I would argue that the consternation among CISOs and other executives and confusion about where the line lies is exactly what the SEC hoped to see. The message they are sending here has nothing to do with the day-to-day operations of a security program. To me, the message is simple: Don’t let a breach like SolarWinds experienced happen on your watch. If it does, the executive team will be scrutinized and held accountable…and most likely, there will be deficiencies to find. If you want to avoid a debate about what is truly ‘material’ then avoid having a breach…‘simple.’
“While this feels grim and unrealistic to CISOs who all agree that it’s a matter of “when” not “if” a breach happens, it's not unprecedented. Companies who take credit cards have long had to meet the bar of PCI compliance, and undergo regular audits to prove this. And yet, if credit cards are believed to have been breached they undergo a MUCH more aggressive “PCI Forensic Investigation” that proves virtually 100% of the time that the company was actually NOT fully PCI compliant at the time of the breach. This unfair standard has pushed these companies to invest greatly in new technologies like tokenization to greatly diminish the opportunities for credit card exposure…and credit card breaches have dropped dramatically as a result.”
Sam Bankman-Fried's trial is over. What happens now?
In contrast to the SolarWinds matter, this story, about the trial of former FTX CEO Sam Bankman-Fried, describes a criminal case.
After a much-anticipated trial that lasted over a month, Sam Bankman-Fried, former head of the now-defunct cryptocurrency exchange FTX, has been convicted of stealing nearly $10 billion from his customers, the Wall Street Journal reports. A jury in New York found him guilty on all seven counts.
The US Department of Justice released a statement from the US attorney for the Southern District of New York explaining that Sam Bankman-Fried was “charged with a wide-ranging scheme to misappropriate billions of dollars of customer funds deposited with FTX and mislead investors and lenders to FTX and to Alameda Research.” Alameda was FTX’s sister hedge-fund, also owned by Bankman-Fried. After conducting what Attorney Damian Williams called “one of the biggest financial frauds in American history,” the fallen crypto-wunderkind was found guilty on all seven counts brought against him, including wire fraud, conspiracy to commit wire fraud, conspiracy to commit securities fraud, conspiracy to commit commodities fraud, and conspiracy to commit two different types of money laundering. For an overview of the case, see CyberWire Pro.
Blackhat-turned-whitehat arrested for cyber extortion.
A Dutch hacker is facing four years of prison time for attacking and blackmailing over a dozen companies in the Netherlands and abroad. Former cybersecurity professional Pepijn Van der Stap has been charged with extortion and laundering upwards of 2.5 million euros in cryptocurrency, Bleeping Computer reports.
The Dutch Public Prosecution Service found that Van der Stap and his accomplices targeted both domestic and international companies and institutions with a series of cybercrimes between August 2020 and January 2023. After hacking the companies, the cybercriminals blackmailed the victims, threatening to release stolen data unless they forked over hefty sums, and Van der Stap also sold the sensitive data on the dark web. It’s worth noting that many of the impacted organizations have not yet disclosed the attacks or the extent of their financial losses.
The hacker’s CV includes a position at Hadrian Security, as well as a stint volunteering at the Dutch Institute for Vulnerability Disclosure, and he claims he was on the way to cleaning up his act when he was arrested. Van der Stap stated, "For about 16 months before my arrest, I was not engaged in much illegal activity and wanted to get out altogether. But as much as I wanted to get out, it felt impossible at times."
Russian disinformation campaign seeks to influence Latin America against Ukraine and NATO.
The U.S. State Department yesterday accused the Russian government of running a large-scale disinformation effort in Latin America. "The Social Design Agency (SDA), the Institute for Internet Development, and Structura coordinated on the development of an information manipulation campaign targeting Latin America that aims to promote Russia’s strategic interests in the region at the expense of other countries by overtly and covertly coopting local media and influencers to spread disinformation and propaganda. These are 'influence-for-hire' firms with deep technical capability, experience in exploiting open information environments, and a history of proliferating disinformation and propaganda to further Russia’s foreign influence objectives."
The effort begins, the State Department says, with the organization of an editorial staff in the region (probably in Chile), with local agents of influence recruited locally in targeted countries throughout the region. Content is then created in Russia for subsequent transmission to local agents. Editors in Moscow proficient in Spanish play a central role in such content creation. The Spanish-language outlets Pressenza and El Ciudadano are central to dissemination of the content. A broader network is available for amplification of messages.
The campaign seeks "to launder its propaganda and disinformation through local media in a way that feels organic to Latin American audiences." Its goal is "to undermine support for Ukraine and propagate anti-U.S. and anti-NATO sentiment." The content aims generally to misrepresent Russia as a champion against neocolonialism, its war in Ukraine a just struggle against Western imperialism. Argentina, Bolivia, Chile, Colombia, Cuba, Mexico, Venezuela, Brazil, Ecuador, Panama, Paraguay, Peru, and Uruguay are among the countries targeted.
Could X’s new CEO be cracking down on hate speech?
Since Elon Musk’s purchase of X (the social media platform formerly known as Twitter), the self-described “free speech absolutist” has proclaimed speech freedom as a primary tenet of his new rule, even if that means allowing content that other platforms consider disinformation or hate speech.
However, Business Insider reports that this weekend the newly selected CEO Linda Yaccarino made the surprising choice to remove a post that pushed the limits of free speech too far. The Israel-Hamas conflict has stirred a great deal of controversy, and in late October Afnan Ullah Khan, a member of the Senate in Pakistan, published a post declaring his disagreement with the actions of the Israeli Government. The post featured a picture of Adolf Hitler with the caption, “At least now the world know, why he did, what he did.” While staffers struggled with how to react, insiders say advertisers threatened to pull their dollars if the post wasn’t removed. After several hours, during which the post was viewed approximately one million times, Yaccarino directed X's global escalation team to take the post down, not to appease advertisers, she says, but because it violated X’s policies.
In the weeks following Musk’s takeover, the European Commission found that the social media site was both slower at responding to reports of hate speech and was less likely to remove content reported for hate speech, and the New York Times reported that antisemitic tweets rose 61%. It doesn't help that Musk reduced the platform’s trust and safety team from over two hundred employees to just twenty, no doubt making it difficult to stay on top of violations. And in recent weeks X has been cited as a point of origin for misinformation regarding the conflict in Gaza. That said, Yaccarino’s choice to remove the post in question seems to signal that X might be going in a different direction now that she’s in charge. Just a day before the post went up, Yaccarino published a blog post stating that safety is a "critical priority" and that X is working to "combat bad actors and consistently enforce our rules in areas such as hate speech, platform manipulation, child safety, impersonation, civic integrity, and more."