At a glance.
- US officials testify against TikTok before the House.
- Should the US follow in Australia’s cybersecurity footsteps?
- CISA director warns about the dangers of AI.
- CMMC-like program in the works for civilian contractors.
US officials testify against TikTok before the House.
The US government continues to warn about the imminent threats of TikTok, the US Department of Defense reports. John F. Plumb, US Assistant Secretary of Defense for Space Policy and Principal Cyber Advisor to the Secretary of Defense, says TikTok is a “potential threat vector” to America. Plumb and General Paul M. Nakasone – commander of US Cyber Command, director of the National Security Agency, and chief of the Central Security Service – testified before Members of the House Armed Services Committee’s subcommittee on cyber, information technologies, and innovation yesterday to discuss the risks posed by the popular video-streaming service. Nakasone noted that the app’s unprecedented reach is what makes it particularly dangerous, stating, “If you consider one-third of the adult population receives their news from this app, one-sixth of our children are saying they’re constantly on this app, if you consider that there’s 150 million people every single day that are obviously touching this app, this provides a foreign nation a platform for information operations, a platform for surveillance, and a concern we have with regards to who controls that data.” He went on to urge policymakers to establish rules that can rein in the power of TikTok, noting that TikTok’s ties to China make it more dangerous than American platforms. TikTok is owned by Chinese company ByteDance, and Nakasone pointed out that Chinese officials said they would “touch the data at any time they want to touch this data. This concerns me.”
Should the US follow in Australia’s cybersecurity footsteps?
As we’ve had occasion to note, Australia has seen a recent surge in cyberattacks targeting high-profile companies like telecom leader Optus and health insurance giant Medibank. In response, Australian lawmakers say they’re launching offensive efforts to prevent attacks before they happen, and Dark Reading posits that the US should do the same. Some experts say the US is too focused on defense and should instead proactively seek out potential threat actors to stop them before they attack. On top of this, the writer interjects, recent attacks like the December breach of the Federal Bureau of Investigation’s InfraGard program demonstrate that the government’s defensive efforts and response protocols are falling short. Adopting Australia’s approach of hunting down cybercriminals and disrupting their operations could prevent such incidents from occurring in the first place. The joint cyber-policing task force between the Australian Federal Police and the Australian Signals Directorate has already identified the attackers responsible for the Medibank attack, and it serves as a warning to would-be hackers that there will be consequences for their actions. At the industry level, organizations would need to take proactive steps like automating regular password resets, enabling two-factor authentication, and establishing an incident response team. Congress is also considering cybersecurity policies for the healthcare sector and has discussed launching a Cyber Defense National Guard.
CISA director warns about the dangers of AI.
The debate over the potential security threats posed by recent advancements in artificial intelligence continues, and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly spoke on the topic at the Atlantic Council earlier this week. Easterly called popular AI platforms like the powerful chatbot ChatGPT "the biggest issue that we're going to deal with this century,” and highlighted the various ways such tech can be abused by cybercriminals to conduct phishing scams or spread disinformation. Easterly went on to say, in the same way that nuclear weapons were the biggest threat of the last century, AI could be the greatest peril facing humanity in the 2000s. She stated, “[AI is] the most powerful technology capability and maybe weapon of this century. We do not have the legal regimes or the regulatory regimes to be able to implement them safely and effectively. And we need to figure that out in the very near term.” She called on policymakers to take a more serious approach to AI regulation, and said that she’s already thinking of ways CISA can “implement certain controls around how this technology starts to proliferate in a very accelerated way.” The Record notes that Easterly’s comments come on the heels of Italy's temporary ban of ChatGPT, and earlier this week Germany’s data protection commissioner said they’re contemplating a similar move.
CMMC-like program in the works for civilian contractors.
As FedScoop explains, American officials recently implemented the US Cybersecurity Maturity Model Certification program (CMMC) in order to ensure that federal defense contractors meet cybersecurity standards to protect sensitive government data. Stacy Bostjanick, the head of CMMC at the Department of Defense, says a similar program is being developed for civilian contractors. Speaking at a virtual event hosted by cloud encryption company PreVail, Bostjanick said a Federal Acquisition Regulation (FAR) rule is in the works that will implement a CMMC-style program across all of the federal government. Currently the FAR requires federal contractors to meet fifteen basic cybersecurity requirements to protect government data; by adopting the National Institute of Standards and Technology guidelines, the new rule would raise the number of requirements to 110. Acknowledging that these requirements could seem overwhelming to contractors, Bostjanick says the Department of Defense is “working with the federal CISO Council today to try to make sure that we’re consistent across all of the federal government, how we view those 110 controls, so we’re not going to be onerous on the industry partners.”