At a glance.
- China and the UK address the threat of AI.
- US House Republican speaks out against dual-hatting of NSA and CYBERCOM.
- CISA issues Cybersecurity Strategic Plan.
- Biden administration announces cybersecurity initiatives for K-12 schools.
China and the UK address the threat of AI.
CSO Online reports that UK lawmakers have officially categorized artificial intelligence as a threat to national security. The Cabinet Office’s National Risk Register (NRR), which lists the various threats that have “potential to significantly impact the UK's safety, security, or critical systems at a national level,” now includes AI as a “chronic risk.” The NRR adds that the UK government will be hosting the first global summit on AI Safety, a gathering of international experts focused on monitoring and mitigating the risks posed by AI.
Oliver Dowden, deputy prime minister, stated, "This is the most comprehensive risk assessment we've ever published, so that government and our partners can put robust plans in place and be ready for anything.” Adding AI to the NRR demonstrates that the government is committed to implementing safety measures around the use of AI, and James Ginns, head of risk management policy at The Centre for Long-Term Resilience, stated, "We look forward to supporting their work in identifying and assessing chronic risks and related vulnerabilities, especially in AI and biosecurity, in order to reinforce our resilience."
Meanwhile, in Beijing, the Cyberspace Administration of China (CAC) along with six other government agencies released the final version of the Interim Administrative Measures for Generative Artificial Intelligence Services. Entering into force on August 15, the measures apply to services that use generative AI technologies to produce text, images, audio, video, or other content for the Chinese public. As cyber/data/privacy insights notes, this final version makes several changes to the draft released in April, including the removal of certain prescriptive obligations on service providers and a stronger emphasis on finding a balance between innovation and regulation.
Among other things, service providers will be required to carry out training activities to ensure data and foundational models are from lawful sources that do not infringe on the intellectual property rights of others. As well, if illegal content is discovered, service providers must take immediate action to suspend its generation.
US House Republican speaks out against dual-hatting of NSA and CYBERCOM.
For a decade, the head of the US National Security Agency (NSA) has also served as the leader of US Cyber Command (CYBERCOM), an arrangement that has been the source of debate among lawmakers. The current administration under President Joe Biden has voiced its support for this dual-hat arrangement, but in an interview last week House Intelligence Committee Chairman Mike Turner, a Republican from Ohio, told The Messenger, “I believe that the dual-hat needs to end.” He went on to say that he feels the two roles are too much responsibility for any one person, and that as cyber threats “exponentially grow” CYBERCOM needs to “be independently led.” Turner’s role gives him significant power over the US intelligence community, but current Democratic control of the Senate means the arrangement is unlikely to change in the near future.
CISA issues Cybersecurity Strategic Plan.
On Friday the US Cybersecurity and Infrastructure Security Agency (CISA) released its FY2024-2026 Cybersecurity Strategic Plan, a roadmap for the agency’s cybersecurity mission over the next three years. In alignment with the National Cybersecurity Strategy, the plan highlights three main goals: addressing immediate threats, hardening the terrain, and driving security at scale. As well, CISA explains, the plan aligns “nine objectives to specific enabling measures and measures of effectiveness to drive accountability.” The Executive Summary of the plan states, “As we progress toward these goals, we must embody the hacker spirit, thinking creatively and innovating in every aspect of our work. The ongoing work of CISA’s workforce—our threat hunters, vulnerability analysts, operational planners, regionally deployed cybersecurity advisors, and others—epitomize this collaborative spirit.”
(Added, 3:30 PM ET, August 7th, 2023.) Some industry comment, generally positive, has come in on the plan. Jason Keirstead, Vice President of Collective Threat Defense at Cyware, commented, "CISA is taking a pragmatic and holistic approach to their 2024-2026 strategic plan. Organizations lack the resources to effectively defend against known and emerging threats, and to outpace the adversary, the industry must collaborate more often and more effectively. Even organizations with mature cybersecurity programs often struggle to adequately safeguard every vulnerability. CISA's focus on collaboration, intelligence sharing, and scalability has potential to measurably strengthen our overall security posture."
Roy Akerman, Co-Founder and CEO of Rezonate, likes the potential for improving detection and incident response. "It's commendable to witness CISA advancing the cybersecurity narrative in such a strategic manner. Drawing from my experiences with cyber defense in Israel, this step accentuates the criticality of prompt detection and response," Akerman wrote. "The recognition that adversaries will always seek and often find vulnerabilities underscores the importance of evolving our SecOps and Identity and Access security programs. In essence, it's about being several steps ahead, rather than merely reacting."
(Added, 6:30 PM ET, August 7th, 2023.) Wade Ellery, Field CTO at Radiant Logic, thinks the strategy a step in the right direction. "The recent update to CISA’s comprehensive plan marks a significant stride in the nation’s ongoing efforts to bolster its digital security landscape," Ellery wrote. He sees addressing identity as the strategy's centerpiece. "An identity-focused strategy stands out as an indispensable and highly effective approach to fortifying systems across the U.S. Managing identities has become more complicated for organizations, regardless of industry or size. As the government looks to implement a comprehensive plan, it must take into consideration the types of attacks plaguing the U.S. – identity-related attacks make up the bulk of cyber-attacks, calling into question the way businesses handle their identity data.
"Having clean, unified Identity data has emerged as a central pillar in safeguarding sensitive information, fending off cyber threats and ensuring the integrity of digital environments. This approach centers on verifying and managing the identities of users and allows for full visibility and control over who can access specific resources within a system. This fine-grained access control, integrated into a Zero Trust Architecture, can help minimize the attack surface, limit the risk of unauthorized parties entering the system and detect threats early on."
(Added, 12:15 PM, August 8th, 2023.) Nick Sanna, President of Safe Security, notes the role risk quantification plays in the strategy. “The cybersecurity industry is increasingly highlighting the importance of cyber risk quantification (CRQ), as seen in the new CISA guidelines and the first Forrester’s Wave for CRQ. Cyber risk has emerged as a top business risk, yet too often the CISO and the business are not on the same page when it comes to justifying the security investments needed to reduce risk to an acceptable level. The only true remedy is to use a common language that everybody in the business understands, dollars and cents. A standard CRQ model such as FAIR helps bridge that communication gap and support decisions based on the business impact, measured in financial terms, versus relying on hard-to-understand technical consideration alone.”
Biden administration announces cybersecurity initiatives for K-12 schools.
The White House today announced plans for federal and private industry initiatives focused on bolstering the digital defenses of K-12 learning institutions. The announcement states that in recent years hackers have increasingly targeted schools, and that eight US K-12 school districts were impacted by cyberattacks in the 2022-2023 school year alone, disrupting school operations and leaking sensitive personal and administrative data. Anne Neuberger, the deputy national security adviser for cyber and emerging technology, told The Record the administration is “committed to taking real meaningful steps to ease the minds of parents” by securing digital infrastructure to “make it harder for bad actors” to infiltrate school networks. In an effort to find better ways to prevent such incidents, the White House is hosting the Cybersecurity Summit for K-12 Schools, a gathering of school administrators, educators, and education tech providers.
The White House also plans to devote resources to several new initiatives, including a Federal Communications Commission-led pilot program providing up to $200 million in cybersecurity funding to schools and libraries, the establishment of a Government Coordinating Council in the Department of Education, and updated cyberincident resource guides from the Federal Bureau of Investigation and the National Guard Bureau for education officials.
Palo Alto Networks' Field CTO, Fadi Fadhil, likes the timing. These back-to-school weeks are a good time to turn attention to cybersecurity for schools. "As we approach a new school year, there is no better or more important time to ensure that schools nationwide are equipped to protect their students and educators, their digital assets, and sensitive data on their networks. Palo Alto Networks applauds the administration’s recognition of the critical role that both public and private partners play in enabling secure learning environments. With our comprehensive cybersecurity solutions tailored specifically for K-12 schools and free cybersecurity education resources, we stand at the forefront of safeguarding our nation's K-12 education institutions against the rising tide of cyber threats.”
(Added, 8:15 PM ET, August 7th, 2023.) Allen Drennan, Co-Founder & Principal at Cordoniq, wrote to suggest steps that school districts might consider taking. "As part of an overall strategy for cyber defense for K-12 schools, districts need to consider taking control over their implementation of both their LMS (learning management systems) and their virtual meeting solution," Drennan said. "This is a necessity for controlling availability, uptime and scale, for handling issues related to recovery management, and for providing higher security standards and data privacy protection for students and teachers. Solutions that rely solely on cloud-based providers outside the control of the school district are subject to outages, availability concerns and malicious cyber threats."
(Added, 9:45 PM ET, August 8th, 2023.) Emily Phelps, Director at Cyware, is encouraged by the support for building resilient schools. “Since adopting digital technologies to adapt to a post-Covid world, securing public schools has become more challenging and more critical. We're encouraged by the Department of Education's announcement around strengthening cybersecurity resilience for K-12 entities. Working with CISA to develop practical, actionable guidelines and partnerships with private entities that can bolster K-12 public education's defenses reinforces the commitment this administration has made to cybersecurity at federal and local levels. Collaboration and collective defense strategies are increasingly important to our public entities and citizenry, and as private-public partnerships garner attention and success, we hope these examples will motivate similar action.”
Carol Volk, EVP of BullWall, argues that Big Tech has a responsibility to support this effort. “Google and the social media giants should be pumping money into K-12 cyber defenses and education, as they are as much the cause of this firestorm of malicious hacking as they are the beneficiaries of the younger generation's embrace of 24-7 connectivity. With Congress tightly focused on the responsibility these companies bear from social media fallout, we can expect these giants to be paying attention to this problem area.”