At a Glance.
- New Hampshire House passes new AI election rules.
- Review panel states that Microsoft could have stopped Chinese email hack.
New Hampshire House passes new AI election rules in the wake of Biden deep fakes.
The News.
Last Friday, the New Hampshire House passed new legislation requiring any political ad using artificial intelligence (AI) in a “deceptive” manner to disclose the use of the technology. The bill passed without debate in the House and now moves to the state Senate. With this new bill, organizations must disclose any use of “deceptive” AI in political advertising within ninety days of an election. The bill also specifies that these disclosures would be used to explain that the ad’s images, videos, or audio had been either manipulated or created by AI.
The New Hampshire House created this bill after New Hampshire voters received AI-generated phone calls urging them not to vote in the state’s primary election in January. These calls were originally commissioned by Steve Kramer, a political consultant, who was working for a rival candidate running against President Biden. Kramer claims that he commissioned these deep fake phone calls to draw attention to the dangers of AI in politics. New Hampshire’s attorney general stated that these calls violated the state’s voter suppression law.
The Knowledge.
With this bill entering the New Hampshire state Senate, the state now joins over three dozen other state legislatures that have created new provisions to regulate AI being used to produce election disinformation. While each state is tackling this issue in different ways, many of these new bills will require political advertisers to use disclaimers if AI was used to create the advertisement in any deceptive way. The bills also specify a variety of penalties for violating these laws, including various criminal misdemeanor charges and/or fines.
In Georgia, the state legislature’s House approved a similar bill aimed at cracking down on AI material that was inherently deceptive or would mimic an individual’s speech or actions that did not occur in reality. To illustrate the dangers of the emerging technology, Representative Brad Thomas created an AI-generated audio clip that mimicked the bill's opponents and acted as if these legislators had switched their stance to now support the bill. With state legislatures across the United States (US) passing new legislation to regulate the technology, the federal government has also taken action, with the Federal Communications Commission (FCC) making a move last month to target AI-generated robocalls. With this effort, the FCC officially recognized AI-generated voices as “artificial” under the Telephone Consumer Protection Act to make AI-generated robocalls illegal. With this classification, the FCC also commented on the need to establish more comprehensive AI regulation.
The Impact.
Given the rapid proliferation of AI and the numerous potential misuse cases, it is not surprising that state legislatures and the federal government are looking to increase their regulatory purview over the technology, especially regarding election security. US citizens should take precautionary measures as election season approaches to protect themselves from deceptive AI-generated content by verifying information against official sources and trusted news outlets. Additionally, US citizens should monitor their state legislature to see what new bills are being debated to understand the regulatory impacts associated with each bill.
Lastly, political campaigners should make sure that any AI usage in political advertisements follows relevant state legislation so that standards are followed appropriately and fines and legal punishments are avoided.
Review panel determines that Microsoft could have stopped a Chinese cloud email hack.
The News.
On Tuesday, a Cyber Safety Review Board (CSRB) report found that Microsoft could have stopped Chinese hackers from accessing US government officials’ email accounts. The report found that Microsoft made “avoidable errors” during the attack that occurred last July. The board’s report stated that “Microsoft’s security culture was inadequate and requires an overhaul.” Additionally, the report identified a series of decisions taken by Microsoft that had decreased its enterprise security, risk management, and customer trust. The board recommended that Microsoft develop and make security-focused reforms across all its products.
The report continued by stating that “Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products.” Microsoft responded to this report stating that it appreciated the investigation and that the attack demonstrated the need to “adopt a new culture of engineering security.” The company added that it would continue to harden its systems against attacks and implement more robust security measures to detect and repel attacks.
The Knowledge.
This attack originally occurred in July 2023, when a China-based attacker was able to gain access to email accounts from twenty-five different organizations that resided in a public cloud; some of these organizations were federal agencies. Microsoft attributed the attack to Storm-0558, a group known for conducting cyber espionage. Microsoft also stated that these hackers gained access to these email accounts after they obtained access to a consumer signing key after a crash occurred. These hackers then used the key to forge authentication tokens to access emails. The attackers were able to access emails secretly from May 2023 to July 2023.
From this attack, Storm-0558 is alleged to have stolen hundreds of thousands of emails from twenty-two organizations and over 500 people, including notable US government officials such as Commerce Secretary Gina Raimondo. While no disciplinary action has been taken against Microsoft, the breach drew significant attention to the company’s security practices, and the company is now “actively engaged” with US officials to improve its security posture.
The Impact.
While this recent report has not resulted in any disciplinary action against Microsoft or enacted any new policies, it does point to a problem with cloud networking environments. While cloud networks have proliferated across many business sectors, they also come with significant security concerns. A report found that from 2021 to 2022, attacks against cloud-based networks increased by forty-eight percent. This same report also found that major CVEs have a high impact on cloud-based networks compared to those operating on-premises.
For organizations that utilize cloud networks, policies and procedures should be thoroughly reviewed and implemented to ensure that cloud networks are properly secured and that sensitive information and accounts are not unnecessarily exposed. Additionally, organizations should always thoroughly review their cloud service providers to ensure that their security tools are comprehensive. Lastly, cloud service providers should understand that as cloud networks proliferate, attackers will increasingly target these networks. By understanding how and why attackers are looking to compromise these networks, providers can improve their security efforts and educate their clients to build more secure cloud environments.
Other Noteworthy Stories.
US updates export curbs on AI chips and tools to China.
What: The Biden administration has revised exporting rules to make it harder for China to access AI chips and chip making tools.
Why: On Friday, the Biden administration updated chip exporting rules to disrupt China’s chip making industry and hamper China’s military efforts. With these new exportation rules, the Commerce Department has announced that the administration has plans to continue updating other restrictions related to technology shipments to China. These new rules will go into effect on April 4th.
Thwarted supply-chain hack sets off alarm bells across DC.
What: A potential supply-chain attack was thwarted after a Microsoft software engineer discovered fragments of malicious code hidden inside two versions of an open-source data compression tool within Linux.
Why: The discovery of these malicious code fragments last Friday set off a rapid effort by both governmental agencies and security professionals to prevent the compromised code from being launched against Linux users. As a part of these defense efforts, the Cybersecurity and Infrastructure Security Agency (CISA) also issued a guidance report on how to address these vulnerabilities. Due to these efforts, the fallout of the hack was largely prevented; however, concerns are being raised about how this malicious code got into the software to begin with. While government agencies have not commented on whether this attack was related to a potential nation-state actor, other cybersecurity experts have stated that this connection is very likely. Experts have said that this attack would have been on the same level of severity as the 2020 SolarWinds attack.
FCC to vote on restoring net neutrality rules.
What: The FCC has announced that it will vote on restoring the net neutrality rules later this month.
Why: The net neutrality rules, originally rescinded during the Trump administration, will be debated and voted upon later this month. If the vote passes, the proposal would restore the net neutrality rules, created during the Obama administration, that barred broadband providers from blocking or throttling internet traffic to websites and speeding up access to others that pay premium fees. Additionally, the proposal would give the FCC greater oversight of broadband companies and allow the agency to address outages, security concerns, and consumer harm.
The FCC’s Chairwoman, Jessica Rosenworcel, stated with this announcement that “after the prior administration abdicated authority over broadband services, the FCC has been handcuffed from acting to fully secure broadband networks, protect consumer data, and ensure the internet remains fast, open, and fair.” The vote is set to take place on April 25th.
Apple faces an antitrust challenge.
What: Apple is set to face an antitrust lawsuit as the Department of Justice (DOJ) and sixteen states sue the company for monopolizing the smartphone market.
Why: On Tuesday, the DOJ sued Apple, alleging that the company currently maintains an illegal monopoly over smartphones. The DOJ is joined by sixteen state attorneys general. In this complaint, the DOJ alleges that Apple has continually used anti-competitive measures to keep users buying iPhones by limiting interoperability with devices and services by other companies. Additionally, the lawsuit alleges that Apple has blocked innovative “super apps” and has suppressed cloud-streaming game apps.
Jonathan Kanter, the DOJ’s assistant attorney general of the antitrust division, stated with this lawsuit that “for years, Apple responded to competitive threats by imposing a series of ‘Whac-A-Mole’ contractual rules and restrictions that have allowed Apple to extract higher prices from consumers, impose higher fees on developers and creators, and to throttle competitive alternatives from rival technologies.” Apple responded to this announcement by releasing a statement that said the lawsuit “threatens who we are and the principles that set Apple products apart in fiercely competitive markets.”