The CyberWire Daily Podcast 5.15.24
Ep 2068 | 5.15.24

A bipartisan blueprint for American leadership.

Transcript

U.S. Senators look to enhance American leadership in AI. Federal Agencies Warn of Rising Cyberattacks on Civil Society. The Pentagon says they’re satisfied with Microsoft’s post-breach security pivots. Patch Tuesday updates. A Mississippi health system alerts users of a post-ransomware data breach. The FTC cautions automakers over data collection. CISOs feel pressure to understate cyber risks. On the Learning Layer, Sam and Joe continue their certification journey. Guest Sarah Powazek of UC Berkeley's Center for Long-Term Cybersecurity (CLTC) speaks with N2K’s Brandon Karpf about cyber civil defense clinics. A crypto mixing service developer finds himself behind bars.

U.S. Senators look to enhance American leadership in AI. 

A bipartisan group of U.S. senators has introduced a legislative plan focused on enhancing American leadership in artificial intelligence (AI), proposing $32 billion annually by 2026 for government and private-sector research and development. While advocating for a federal data privacy law and anti-deepfake measures in election campaigns, the plan largely delegates the responsibility of regulating AI, including its potential to cause job loss, health and financial discrimination, and copyright issues, to congressional committees and agencies. The initiative, led by Senate leader Chuck Schumer along with senators Mike Rounds, Todd Young, and Martin Heinrich, follows a yearlong tour gathering insights on generative AI technologies. The proposed legislative approach emphasizes incremental bills rather than comprehensive packages, reflecting the rapid evolution of AI and a preference for fostering innovation over stringent regulation.

Federal Agencies Warn of Rising Cyberattacks on Civil Society 

U.S. cybersecurity agencies, including the FBI, CISA, and DHS, have issued a warning that Russia, China, Iran, and North Korea are increasingly targeting civil society organizations such as NGOs, think tanks, human rights activists, and journalists worldwide. These organizations are considered high-threat targets due to their role in promoting democratic values and often have inadequate cybersecurity defenses. The advisory, supported by cybersecurity insights from multiple countries, identifies specific state-backed groups engaging in intimidation, harassment, and surveillance by installing spyware for more extensive tracking and data access. The advisory suggests that these civil society entities typically lack the necessary resources to fend off sophisticated cyber threats and calls for enhanced cybersecurity measures and support to protect these vital institutions.

The Pentagon says they’re satisfied with Microsoft’s post-breach security pivots. 

Pentagon CIO John Sherman expressed satisfaction with Microsoft's security adjustments following a significant data breach in early 2023 that exposed the personal details of over 20,000 people. In a recent interview at the GEOINT Symposium, Sherman commended Microsoft for conducting a thorough after-action review and making necessary procedural changes to prevent future breaches. He emphasized the ongoing partnership with Microsoft in addressing the incident, which involved sensitive information from various Defense Department components, including U.S. Special Operations Command. Despite the corrective measures, Sherman noted that the full details of the affected DOD entities and the original cause of the data spill remain undisclosed.

Patch Tuesday updates. 

Microsoft has patched 61 new security vulnerabilities, including two zero-day exploits, as part of its latest Patch Tuesday update. One of these zero-days, CVE-2024-30051, discovered by Kaspersky, could allow attackers to gain system privileges and has been observed in conjunction with malware like QakBot. The second zero-day, CVE-2024-30040, potentially allows hackers to bypass OLE mitigations in Microsoft 365 and execute arbitrary code. Additional vulnerabilities addressed include those in Windows Mobile Broadband Driver, Windows RRAS, and others affecting various Microsoft and Adobe software, with potential impacts ranging from remote code execution to privilege escalation and information disclosure.

Adobe has released a security update fixing 35 vulnerabilities across several products, including Adobe Acrobat and Reader, Illustrator, Substance 3D Painter and Designer, Aero, Animate, FrameMaker, and Dreamweaver. The update corrects nine critical vulnerabilities in Acrobat and Reader that could enable code execution attacks. Other products affected include Illustrator with two critical flaws, Substance 3D Painter with critical code execution and memory leak issues, and critical vulnerabilities in Aero, Animate, FrameMaker, and Dreamweaver. Adobe emphasizes the importance of updating these applications to prevent potential exploits, although no current exploits are known.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued advisories on four Industrial Control Systems (ICS) vulnerabilities affecting hardware from Rockwell Automation, SUBNET, Johnson Controls, and Mitsubishi Electric. These vulnerabilities, located in systems critical to infrastructure sectors like manufacturing and energy, could allow attackers to execute code remotely or escalate privileges. CISA's alert includes detailed information on the nature of the vulnerabilities and the recommended updates or mitigations. 

A Mississippi health system alerts users of a post-ransomware data breach. 

Mississippi's Singing River Health System (SRHS) has begun notifying approximately 900,000 individuals that their personal information was compromised during a ransomware attack in August 2023. The breach, first noticed on August 16, allowed unauthorized access to data including names, addresses, Social Security numbers, and medical information. Initially, SRHS reported to the Maine Attorney General's Office that 252,890 individuals were affected; this number was later revised to 895,204. SRHS is now sending notification letters, offering 12 months of free credit monitoring, and providing guidance on protecting against identity theft. The healthcare provider has also enhanced security measures and employee training to prevent future breaches.

The FTC cautions automakers over data collection. 

The Federal Trade Commission (FTC) has issued a warning to auto manufacturers about their practices of collecting and sharing sensitive car data, such as geolocation information, with advertisers. Highlighting the potential illegalities of such practices, the FTC's recent blog post stresses the importance of protecting consumer data and adhering to privacy laws. The post references recent enforcement actions and settlements involving the misuse of geolocation data, indicating a focused regulatory scrutiny on the auto industry's data privacy practices. The FTC underscores the need for companies to ensure that collected data is used solely for legitimate purposes and advocates for data minimization to protect consumer privacy. This warning follows a period of increased legislative pressure on the agency to address privacy violations by automakers.

CISOs feel pressure to understate cyber risks. 

A survey from Trend Micro reveals that senior cybersecurity professionals report feeling pressured by their boards to understate cyber risks, with 79% experiencing such pressure. This 'credibility gap' makes it challenging for Chief Information Security Officers (CISOs) to secure necessary funding for enhancing cyber resilience. Many board members view cybersecurity concerns as repetitive or overly negative, leading to dismissal of the risks. About half of the CISOs feel their C-suite does not fully understand the cyber threats, and many believe only a major breach would change this perception. To bridge this gap, it's suggested that CISOs frame cybersecurity issues in terms of business value and involve themselves more in strategic decision-making, thereby enhancing their credibility and influence within the organization.

Coming up, N2K’s Brandon Karpf caught up with Sarah Powazek of UC Berkeley's Center for Long-Term Cybersecurity (aka the CLTC) at the 2024 RSA Conference. They talked about cyber civil defense clinics and the CLTC.

You can find information in our show notes about the CLTC’s upcoming Cyber Civil Defense Summit being held next month at the International Spy Museum in Washington DC. 

Next up on our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey. They discuss how to use the midterm exam and Test Day Strategy video. 

Welcome back. You can find links for the things Sam and Joe talked about in our show notes. 

A crypto mixing service developer finds himself behind bars. 

And finally, the developer behind Tornado Cash, a cryptocurrency mixing service, has been handed a prison sentence of over five years. His crime? Crafting a digital laundromat that washed a whopping $2.2 billion worth of Ether through its ‘pools,’ making dirty money sparkle with anonymity. The court wasn't buying the "I just made it for privacy" defense, especially when the service ended up scrubbing funds from 36 different thefts, including a notorious heist by the Lazarus Group. Along with a stint behind bars, the developer's flashy Porsche and a treasure trove of cryptocurrencies were seized.

Looks like Tornado Cash stirred up a perfect storm... of legal troubles.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.