At a Glance.
- EU delays cybersecurity label vote to May.
- Experts state that AI is making ransomware easier to use.
Vote on EU cybersecurity label delayed to May.
The News.
On Monday, European Union (EU) national cybersecurity experts delayed a vote that would have passed the current draft of the EU’s cloud cybersecurity labels scheme to the European Commission. The vote was delayed over intense debate surrounding whether strict requirements should be imposed on large technology companies for them to qualify for the highest level of security in this new certification assurance system.
In the current version of this scheme, the system's authors removed the “sovereignty requirement.” This requirement would have obliged international technology companies to set up joint ventures or cooperate with EU-based companies when storing and processing customer data if the company wanted to obtain this new system’s highest cybersecurity assurance label. While large tech companies have welcomed this change, EU businesses have pushed back against this revision. With this delay, large tech companies will be able to continue bidding for highly sensitive EU cloud computing contracts until May.
The Knowledge.
With this new labeling system, the EU is looking to create a framework that organizations could voluntarily take part in. Once an organization opts into the certification scheme, the EU would examine the company and grade it against a set of preexisting cybersecurity requirements. The assurance labels that can be applied are Basic, Substantial, and High. These security labels would be valid for three years, after which companies would be eligible for renewal.
In creating this new certification program, the EU is looking to improve cloud market transparency for both governments and consumers by assigning security assurance levels based on the provider's associated risks. EU experts believe that this labeling system would boost trust in existing cloud providers while also improving the region's general security posture.
The Impact.
While the existing draft of this certification scheme has not yet been signed into law, the scheme has major implications for the cloud market. If the "sovereignty requirement" were reintroduced to the certification system, it would mark a significant change in how tech companies, like Amazon and Alphabet, operate within the EU when bidding for more sensitive cloud service contracts that would most likely require the highest security assurance label.
While this new certification scheme is voluntary, cloud service providers (CSPs) operating within the EU should take time to assess whether these new assurance labels would be relevant to their organization. Additionally, CSPs should review each assurance label's associated security requirements to see whether they currently qualify for any of these certifications, or what steps would be needed to obtain one. For cloud consumers, this new labeling system is expected to bring more clarity when engaging with cloud markets so that users and organizations can be more confident in the CSP they have selected. However, users should take time to understand these new certifications and the risks associated with each level.
AI is contributing to the proliferation of ransomware.
The News.
On Tuesday, the United States (US) House Financial Services subcommittee held a hearing where experts discussed how artificial intelligence (AI) is making ransomware faster and easier to use. During this hearing, Megan Stifel, the chief strategy officer at the Institute for Security and Technology, discussed how malicious actors are using AI to create sophisticated deepfakes, which are commonly used as an entry point to launch ransomware attacks. Stifel continued by highlighting how these threats will only become more problematic as the barrier to deploying ransomware has dropped in recent years.
During this hearing, lawmakers on the subcommittee discussed what measures could be taken to help reduce how attackers can exploit AI. Some of the proposed measures include increasing resources for federal law enforcement, offering tax credits for organizations that take preventative cybersecurity measures, making cybersecurity insurance more accessible, and incentivizing cybersecurity training.
The Knowledge.
With ransomware attacks continuing to rise every year, security experts have begun to raise concerns about how AI could be used to improve the success rate of these attacks. These concerns come after the past several years have shown a consistent rise in ransomware usage, with last year seeing new records in both money stolen and victims impacted. In 2023, a report found that malicious attackers used ransomware to steal more than one billion dollars from US organizations, and that there was a seventy percent increase in the number of impacted victims. This data from 2023 echoes reports from previous years that have shown a consistent climb in the amount of money stolen using ransomware annually. This trend is likely to continue throughout 2024, as there has already been a large ransomware attack that targeted UnitedHealth and is currently expected to cost the organization at least one billion dollars this year.
Coupling the rise in ransomware attacks with AI's ability to create sophisticated deepfakes, as seen with AI being misused to mimic President Biden's voice during the New Hampshire primaries, experts are growing increasingly concerned about how AI could significantly impact ransomware campaigns. While governments have rapidly pivoted their attention to address the emerging technology, AI misuse will most likely continue to grow until comprehensive legislation is passed and enforced.
The Impact.
While the House has not introduced any new legislation with this most recent order, this hearing is representative of the growing pressure that both Congress and the federal government are facing regarding safeguarding the creation and use of AI. With these emerging technologies, the federal government has already turned its attention to regulating AI as several agencies have created guidelines to address the technology and have updated existing regulations.
For consumers and organizations, users should remain vigilant against social engineering attacks as attackers continue to use this technology as an avenue to trick and exploit victims. Organizations should also continue to invest in training for their employees to help educate them and keep them vigilant against social engineering attacks. Lastly, AI developers should continue to implement and update proper safeguards to secure the technology and prevent misuse.
Other Noteworthy Stories.
Biden administration agrees to provide funding to Samsung for chip manufacturing.
What: The Biden administration has announced a new multibillion-dollar agreement with Samsung to manufacture chips in Texas.
Why: On Monday, the Biden administration announced another new multibillion-dollar deal to increase domestic chip manufacturing capabilities. With this new preliminary deal, the Biden administration would provide $6.4 billion to Samsung to build new chip manufacturing facilities in both Taylor and Austin, Texas. This funding will be provided through the CHIPS and Science Act.
With this new deal, the Biden Administration expects roughly 20,000 new jobs to be created through construction and manufacturing positions. Additionally, Samsung will provide $40 billion in funding efforts over the next several years to build these new facilities.
CISA has announced Russian-based hackers gained access to official correspondence in Microsoft hack.
What: In an April 2nd directive, the Cybersecurity and Infrastructure Security Agency (CISA) warned that Russian hackers had been exploiting authentication details to gain access to Microsoft’s customer systems.
Why: Last Thursday, a CISA directive was released that detailed how Russian hackers were able to access Microsoft's customer systems. This directive was released only a week after the US Cyber Safety Review Board published its report on a separate attack, attributed to China, that highlighted how Microsoft's weak security posture and lack of transparency contributed to the attack's severity. While CISA did not name which agencies may have been impacted, Microsoft commented that the company was "working with CISA on an emergency directive to guide government agencies."
Senate Republicans call for investigation into Temu.
What: Republican Senators Tom Cotton and Marco Rubio have called on the Biden administration to investigate Temu.
Why: This week Senators Tom Cotton and Marco Rubio wrote letters to the Biden administration expressing concerns about Temu, an online marketplace. In their letters, the Senators alleged that the site has connections to forced labor and intellectual property theft.
Senator Cotton's letter, originally sent on Monday, urged President Biden to start an investigation to “protect Americans from this dangerous Chinese application.” Senator Rubio followed Senator Cotton by sending his letter to Homeland Security Secretary Alejandro Mayorkas to investigate Temu for “violating [his] Uyghur Forced Labor Prevention Act (UFLPA).” For context, the UFLPA bans the importation of goods produced from the forced labor of the Uyghur ethnic minority in China.
MGM Resorts International sues US Federal Trade Commission.
What: MGM has filed a lawsuit against the Federal Trade Commission (FTC) to block a probe into a cyber attack that occurred last year.
Why: On Monday, MGM filed a lawsuit aiming to stop the FTC's demands for information regarding a cyber attack that occurred last year. For context, this cyber attack left several casinos on the Las Vegas Strip unusable for some time.
MGM's lawsuit states that the FTC's demands for information are not relevant, as MGM is not a financial institution and is not subject to the FTC rules regarding consumer financial data.