At a glance.
- US state lawmakers find ways to monitor the impact of AI.
- The challenges of securing open source software.
- Preparing for the SEC’s new incident reporting rules.
- DHS plans $375 million in cyber resilience grants for state and local governments.
US state lawmakers find ways to monitor the impact of AI.
As innovation in artificial intelligence advances at breakneck speed, US states are trying to keep pace with the risks the technology presents. Arkansas Online reports that officials in Connecticut plan to inventory all state government systems that use AI by the end of 2023 and post the inventory online. Starting in 2024, officials will review those systems regularly for signs of misuse or unlawful discrimination.
State Senator James Maroney says he plans to work with lawmakers in states including Colorado, New York, Virginia, and Minnesota to draft model legislation that would also address AI use in the private sector. Connecticut joins at least twenty-five states, Puerto Rico, and the District of Columbia that have introduced artificial intelligence bills in the past year. Texas, North Dakota, West Virginia, and Puerto Rico have established advisory bodies to monitor AI systems used by state agencies, and a new technology and cybersecurity committee in Louisiana is studying the impact of AI on state operations, procurement, and policy.
Heather Morton, a legislative analyst at the National Conference of State Legislatures, commented, "'Who's using it? How are you using it?' Just gathering that data to figure out what's out there, who's doing what. That is something that the states are trying to figure out within their own state borders."
The challenges of securing open source software.
Organizations that sell software to the US federal government must self-attest that their development practices conform to the National Institute of Standards and Technology's Secure Software Development Framework (SSDF). The attestation covers not only the vendor's own code but also any open-source components the product incorporates. That open-source element will be extremely challenging, given that researchers have found that more than 90% of applications contain open-source components. Further complicating matters, many open-source maintainers are unpaid volunteers, so asking them to validate their security practices is a tall order.
Dark Reading posits one possible solution: companies should ensure that the maintainers of the open-source components they use are paid to bring those components into compliance. Corporate benefactors, foundations, or commercial efforts would likely be needed to fund this, and in some cases the best option may be for the company itself to sponsor the maintainers' work.
Preparing for the SEC’s new incident reporting rules.
The US Securities and Exchange Commission's new cyber incident disclosure rules have many organizations up in arms, and VentureBeat offers a primer on some of the stickier challenges of compliance. Public companies will now be required to disclose "material" incidents within four business days of determining that an incident is material, but there is uncertainty about exactly what "material" means. Tom Guarente, VP of external and government affairs at cybersecurity company Armis, says, "If the SEC is saying this will be law, they need to be very specific with what they define as 'material impact.' Otherwise, it is open to interpretation." Companies will have to be vigilant in determining what constitutes materiality, which depends on the nature of the incident and the firm's operations. Alisa Chestler, chair of the data protection, privacy, and cybersecurity team at national law firm Baker Donelson, also notes, "It's very important to realize that while this law is directed at public companies, it's really going to trickle down to all companies of all sizes."
Many public firms rely on private firms in their supply chains, so a cyber incident at one firm can have a domino effect. To address this, Chestler recommends establishing vendor management programs rather than relying solely on vendor procurement programs and standard contract terms. To meet the four-day reporting window, organizations should streamline their reporting processes so that it is clear exactly who is responsible for reporting, and to whom. To pull this off, CISOs will need to keep boards informed so that executives see the importance of making security a business priority; the SEC's new rules also require disclosure of how the board oversees cybersecurity risk. David Homovich, solutions consultant in the office of the CISO at Google Cloud, explains, "A board's understanding of cybersecurity is more critical than ever…We predict that boards will play an important role in how organizations respond to these trends and should prepare now for the future."
Nick Sanna, president of Safe Security, sees a role for real-time predictive monitoring in keeping up with disclosure requirements. "The requirements by the new SEC rule on material cyber risk and incident disclosures and by the Jordanian National Cyber Security Framework to adopt cyber risk quantification are a sign that governments across the world are getting serious about asking organizations to manage cyber risk from the business impact perspective, not just the technical perspective. Jordan is the first government to explicitly mandate cyber risk quantification, as it recognizes that for cyber risk management programs to be effective, organizations must be capable of prioritizing what matters. Many organizations currently do not have the capabilities in place to measure the materiality of a cyber event. Real-time predictive monitoring is needed to gain visibility for successful data-driven conversations. Plus, to ensure a complete understanding of their cyber risk, organizations can utilize the FAIR cyber risk quantification model to help to assess their risk."
DHS plans $375 million in cyber resilience grants for state and local governments.
Yesterday the US Department of Homeland Security (DHS) announced that it will allocate $375 million to state and local governments through the State and Local Cybersecurity Grant Program (SLCGP). The $1 billion program is in the second year of its four-year run and is focused on helping state, local, and territorial governments bolster their cyber resilience in the face of increasing ransomware attacks. Cybernews reports that last year all but two states and territories requested funding; this year, governments have until October 6 to apply.
In a statement accompanying the announcement, DHS Secretary Alejandro N. Mayorkas said, "In today's threat environment, any locality is vulnerable to a devastating cyber attack targeted at a hospital, school, water, or other system. The Department of Homeland Security is helping to ensure that every community, regardless of size, funding, or resources, can meet these threats and keep their residents and their critical infrastructure safe and secure. These cybersecurity grants will help state, local, and territorial governments do just that, and I strongly urge communities across the country to submit an application." The announcement says funding can be used for "planning and exercising" as well as for recruiting and paying cyber personnel. The Record notes that a number of local governments have suffered cyberattacks in recent months, including Spartanburg, South Carolina; George County, Mississippi; and Dallas, Texas.