At a glance.
- NSA official discusses fears surrounding abuse of AI tech.
- CISA Director highlights importance of "secure by design" principles.
- Will telecoms fight the FCC's new breach reporting rules?
NSA official discusses fears surrounding abuse of AI tech.
Rob Joyce, head of the US National Security Agency’s (NSA) Cybersecurity Directorate, spoke at CrowdStrike's Government Summit yesterday, and during his address he emphasized the dangers of artificial intelligence. While he acknowledged that AI cannot yet single-handedly carry out cyberattacks, the tech can make human-led attacks faster and more destructive. He said that machine learning and chatbots are "the tools that are going to flow and increase the pace of the threat. It's not going to generate the threat itself." As the Register notes, ML tech can be used to create more convincing phishing messaging, scan massive amounts of data to find the most valuable info, gather intel on targets, and generate code for malware. However, Joyce notes, AI tech can also be used in much the same way by the good guys to defend against attacks. Alluding to NSA’s plans to capitalize on the positive aspects of AI, he stated, "So for the next year we are going to be very focused: what tools come out that will … give us the advantage as defensive folks."
CISA Director highlights importance of “secure by design” principles.
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), also spoke at the CrowdStrike Government Summit yesterday, and she announced that the agency plans to release its secure by design principles this week. CyberScoop notes that an important tenet of the US’s recently released national cybersecurity strategy is placing more responsibility on larger tech companies by urging them to incorporate cybersecurity principles into their products at the design stage. Easterly stated that CISA’s document will be an important first step toward “shifting the burden to software companies from individual users and small businesses.” During her speech, Easterly also reiterated her three “core principles” for technology manufacturers, which include taking responsibility for security outcomes for their customers, providing “radical transparency” to their customers, and improving product design quality by focusing on safety. She stated, “It’s incredibly important that we now focus on ensuring that the software that powers our lives is secure by design and secure by default.” She also stated that going forward CISA will take a closer look at how open source software is being used within industrial control systems and will work on the High-Risk Community Protection initiative, which was announced last month.
Will telecoms fight the FCC’s new breach reporting rules?
The US Federal Communications Commission has announced it will update its data breach reporting rules for telecoms, and CSO Online predicts the changes could be met with pushback from telecom carriers. When the FCC released a notice of proposed rulemaking for its reporting rules back in January, FCC Chairwoman Jessica Rosenworcel stated, "The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements. This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches." The FCC aims to increase transparency about telecom breaches by expanding the definition of what qualifies as a breach and increasing the amount of info carriers must include in customer notifications. However, telecom companies say this expansion will lead to unnecessary action for incidents that actually cause no harm to customers. Verizon told the FCC, "Treating the inadvertent access or disclosure of CPNI as a 'breach' would unnecessarily increase the scope of reporting obligations and require notification when there has been no harm (or even risk of harm) to a customer's privacy interests." The Commission is also proposing the elimination of the current mandatory waiting period before notification, instead calling on carriers to inform customers "without unreasonable delay" after the discovery of a breach. In general, carriers are in favor of this change because it allows more flexibility and is consistent with most state regulations.