At a glance.
- White House unveils executive order on tech investments.
- New York reveals new cybersecurity coordination strategy.
- Investigating potential cyber war crimes.
- DARPA-led AI cybersecurity challenge.
White House unveils executive order on tech investments.
US President Joe Biden yesterday issued an executive order establishing a new national security program regulating tech investments in “countries of concern,” and an accompanying annex to the order identifies the People’s Republic of China as one such country. The EO focuses on products critical for military, intelligence, surveillance, or cyber-enabled capabilities and covers three tech sectors: semiconductors and microelectronics, quantum information technologies, and artificial intelligence. The press release states, “This program will seek to prevent foreign countries of concern from exploiting U.S. investment in this narrow set of technologies that are critical to support their development of military, intelligence, surveillance, and cyber-enabled capabilities that risk U.S. national security.”
Overseen by the Department of the Treasury, the program will regulate how citizens notify the department of financial transactions and further prohibit citizens from engaging in financial activity in the aforementioned areas of emerging tech. A senior administration official told NextGov, “This program will complement our existing export control and inbound investment screening tools, with a ‘small yard, high sense’ approach to address the national security threat posed by countries of concern to advancing such sensitive technologies.”
As AP News reports, the Chinese Ministry of Commerce issued a statement in response to the EO, expressing “serious concern” and reserving the “right to take measures.” China also accused the US of “using the cover of ‘risk reduction’ to carry out ‘decoupling and chain-breaking.’” Tensions between the US and China have heightened recently as the White House has limited the export of advanced computer chips and maintained increased tariffs established during ex-President Donald Trump’s tenure, but the Biden administration insists the US has no intention of decoupling from the PRC.
In conjunction with the EO, the Treasury Department has issued an advance notice of proposed rulemaking for the new program in an effort to increase transparency and obtain feedback from stakeholders. As a press release explains, the ANPRM offers an overview of the proposed framework for the EO, including specific categories of covered transactions, possible exceptions, and initial details on the subsets of technologies and products that will be included. The release states, “The Biden-Harris Administration also engaged with industry stakeholders regarding the initiative and its goals, and we look forward to continuing to receive and consider public input through the rulemaking process.” Public comment will be accepted for the next forty-five days.
New York reveals new cybersecurity coordination strategy.
The US state of New York has announced its first-ever cybersecurity coordination plan. As the Office of Governor Kathy Hochul explains, “New York State’s cybersecurity strategy provides public and private stakeholders with a roadmap for cyber risk mitigation and outlines a plan to protect critical infrastructure, networks, data, and technology systems.” The plan offers high-level cybersecurity and resilience objectives and clarifies the roles and responsibilities of state agencies. As well, the state is allocating $600 million to address threats to state and local governments, the private sector, and individuals.
WAMC reports that at a press conference, Governor Hochul emphasized the plan’s focus on unifying the state’s cybersecurity strategies. “Unification means very simple, relining whole of state government against this problem. I have a lot of agencies, a lot of points of entry, a lot of vulnerabilities, we're boosting our cybersecurity information, tools, and information services across the state,” she said. “And it's going to be sophisticated. It’s sophisticated, it’s not just being attacked to then try and how to figure out cleaning up, I am always whether it's crime on the streets, crime on our subways, I'd rather be preventing crimes than solving crimes. The same goes with cybersecurity.” The Daily News notes that last year Hochul’s administration set up the Joint Security Operations Centers, a statewide office focused on enhancing coordination between local cybersecurity offices and providing real-time advice when attacks occur.
Tim Mackey, Head of Software Supply Chain Risk Strategy at Synopsys Software Integrity Group, commented on New York's strategy in an email. “Software is the new target for criminals, and disrupting business – whether private or public – has quickly become a priority for cyber criminals. It is heartening to see NY State tackling the complex issues associated with our modern connected world and the threats that come from inconsistent application of cybersecurity management resources. As NY prioritizes investment to meet the objectives of this Cybersecurity Strategy, I hope that lawmakers will focus more on how consistent usage of existing cybersecurity guidance from NIST and CISA might apply to the needs of NY rather than enacting laws or proposing regulations that differ from. Consistent usage of known and proven best practices that are applied in a risk based manner is a key way to avoid the weakest link syndrome and protect against business risk.”
Investigating potential cyber war crimes.
Victor Zhora, deputy chairman and chief digital transformation officer at Ukraine's State Service of Special Communication and Information Protection (SSSCIP), discussed aspects of Russia's hybrid war at Black Hat this week. Cyberscoop recounts Zhora's thoughts on prosecuting Russian operators for war crimes in cyberspace. The concept of a cyber war crime is not fully developed, and international norms of armed conflict have so far seen only tentative extension to cyber operations. But it seems reasonable to think that the same criteria that make kinetic activity criminal would find application to cyberwar. Those would be military necessity (harm must serve a legitimate military purpose, and not simply be gratuitous), discrimination (non-combatants must be protected, and not made the direct objects of attack), and proportionality (damage done must be proportionate to the military goal served).
Zhora explained how such considerations are informing Ukraine's collection of information about possible cyber war crimes. "So in the case of Russian occupants committing war crimes with prisoners, with civilians on occupied territories and this is achieved through cyber operations, aiming to get available information on them that causes basically the following consequences that can be a part of this war crime," he said. "For instance, when there is a huge attack, cruise missile strike, and then the following attack on the media, for instance, or on critical infrastructure, on the energy sector, which can cause deaths in hospitals or other consequences. Again, this can be considered in my opinion, but we should have this discussion and clearly classify these incidents and these attacks to actually be a cyberwar crime."
DARPA-led AI cybersecurity challenge.
The AI Cyber Challenge, AIxCC for short, will be led by the Defense Advanced Research Projects Agency (DARPA). The goal of the challenge is to “leverage advances in AI to invent the next generation of cybersecurity defenses for today’s digital society.” It’s a public-private partnership. DARPA will be working with Anthropic, Google, Microsoft, OpenAI, the Linux Foundation, the Open Source Security Foundation, Black Hat USA, and DefCon to run the challenge. The first round of applications is due next month. The White House issued its own announcement of the challenge as well, lending the program high-level support.
Chloé Messdaghi, Head of Threat Research, Protect AI, strongly approved of the challenge. "We applaud the administration for its recognition of the crucial role the hacker community can play in identifying, codifying and closing the major security gaps that AI and ML platforms embody, foster or at the least, don’t address," she wrote. “Protect AI has just launched the Huntr platform to pay security researchers for discovering vulnerabilities in open-source software, focusing exclusively on AI/ML threat research. We launched Huntr specifically because we noticed two things.
“First, people in security aren’t aware of all of the vulnerabilities inherent in AI & ML or that improper usage can create and amplify. A platform that helps bug bounty hunters find vulns is critically important to helping drive new generations of safe, secure and effective AI-driven technologies and systems.
“Also, we are offering educational content for security professionals to help them learn and grow as a community through our MLSecOps community platform.
“Again, it’s great to see the Administration, the cybersecurity community and the hacker community come together to help ensure a safe future. The hacker community has been committed to and contributing to exactly this type of future for the last two decades.”
Jon France, CISO of ISC2, also sent a note of approval. "It’s great to see emergent technology being used in a positive way to address the pressing problem of software security. AI offers many promising use cases, and this “AI Cyber Challenge” marks a practical application, where solving a collective problem of making software more secure is the target." He offered a note of caution as well: AI will not prove a panacea. "However, the problem of security within software is well-known and the solution will be a mix of regulation, tooling and techniques, and a skilled workforce. We must ensure that security is part of the development process of software and services, rather than as a treatment and this extends across the complete lifecycle.
"When used appropriately AI can improve our defenses against cyberattacks by suggesting ways to educate, develop policy, potentially review configurations/code, and generally draw on a large body of knowledge. Given increasing pressures on security teams, there is higher demand for fully autonomous operations and a rise in the adoption of AI technology to automate mundane and time-consuming data-related tasks. However, this does pose risks for cybersecurity teams that require visibility over technology systems, data usage and traffic levels to effectively defend against attacks. Implementing these technologies is not a replacement for hiring skilled cyber talent.”