Cyber Policy in the News
Car companies are collecting “too much personal data” from drivers, who have little freedom to opt out, researchers wrote in a report assessing the data privacy policies of 25 automobile brands.
All carmakers received “Privacy Not Included” warnings from the Mozilla Foundation, which developed the Firefox browser and advocates for better online privacy and internet safety. This means that the report’s authors have determined the companies’ products to “have the most problems when it comes to protecting a [user’s] privacy.” …
The question of who is accountable for the proliferation of antisemitism, hate, and extremism online has been hotly debated for years. Are our digital feeds really a reflection of society, or do social media platforms and tech companies actually exacerbate virulent content themselves? The companies argue that users are primarily responsible for the corrosive content soaring to the top of news feeds and reverberating between platforms. This argument serves to absolve these multi-billion-dollar companies from responsibility for any role their own products play in exacerbating hate.
Read Full Article: https://www.adl.org/resources/report/bad-worse-amplification-and-auto-generation-hate?fbclid=IwAR2omOLIR07AaTTEuoqrnSg17cSDTx3jwap2dVrbVHuEFWgdw0pg4YYcOQM
Rep. Don Bacon said he was told of the hacking Monday; he pledged to ‘work overtime’ to win passage of an aid package for Taiwan
Read full article: https://www.washingtonpost.com/technology/2023/08/14/microsoft-china-hack-congress/
LAS VEGAS — China’s hackers have been positioning themselves to conduct destructive cyberattacks on U.S. critical infrastructure, a top U.S. cyber official warned Saturday.
Speaking at a panel at the Def Con hacker conference in Las Vegas, Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency, said, “I hope that people are taking seriously a pretty stark warning about the potential for China to use their very formidable capabilities in the event of a conflict in the Taiwan straits to go after our critical infrastructure.”
The White House hosted the “Cybersecurity Summit for K-12 Schools” this afternoon:
As part of the effort, resources committed to strengthening the cybersecurity of the nation’s K-12 school systems include the following:
Additionally, several education technology providers are committing to providing free and low-cost resources to school districts. A few include:
Policy Insights:
Allen Drennan, Co-Founder & Principal, Cordoniq:
“As part of an overall strategy for cyber defense for K-12 schools, districts need to consider taking control over their implementation of both their LMS (learning management systems) and their virtual meeting solution. This is a necessity for controlling availability, uptime and scale, for handling issues related to recovery management, and for providing higher security standards and data privacy protection for students and teachers. Solutions that rely solely on cloud-based providers outside of the control of the school district are subject to outages, availability concerns and malicious cyber threats.”
Emily Phelps, Director, Cyware:
“Since adopting digital technologies to adapt to a post-Covid world, securing public schools has become more challenging and more critical. We’re encouraged by the Department of Education’s announcement around strengthening cybersecurity resilience for K-12 entities. Working with CISA to develop practical, actionable guidelines and partnerships with private entities that can bolster K-12 public education’s defenses reinforces the commitment this administration has made to cybersecurity at federal and local levels. Collaboration and collective defense strategies are increasingly important to our public entities and citizenry, and as private-public partnerships garner attention and success, we hope these examples will motivate similar action.”
Carol Volk (she/her), EVP, BullWall:
“Google and the social media giants should be pumping money into K-12 cyber defenses and education, as they are as much the cause of this firestorm of malicious hacking as they are the beneficiaries of the younger generations’ embrace of 24-7 connectivity. With Congress tightly focused on the responsibility these companies bear from social media fallout, we can expect these giants to be paying attention to this problem area.”
Ani Chaudhuri, CEO, Dasera:
“The recent initiative by the Biden-Harris Administration to bolster cybersecurity in our K-12 schools is a commendable and urgently needed step. The surge in cyberattacks targeting the institutions that shape our future leaders has highlighted an alarming vulnerability. Imagine a nation where school districts are routinely disrupted, and the sensitive data of our children is compromised and auctioned off to the highest bidder.
In the 2022-23 academic year alone, we’ve seen significant cyberattacks on K-12 school districts that have compromised the personal data of students and employees. This isn’t just about data; it’s about our children’s future, their privacy, and the trust they place in the education system.
It’s heartening to see the federal government respond with vigor. The proposed pilot program, the collaboration between different governmental bodies, and the available resources to strengthen cybersecurity infrastructure are steps in the right direction. And while the involvement of education technology giants such as AWS, Google, and others is promising, it’s crucial to ask ourselves if it’s enough.
The real challenge is ensuring these policies and programs aren’t just reactive. We must be proactive, looking ahead to anticipate and thwart future cyber threats. Collaboration between public and private sectors should be constant, not just when disaster strikes. We must understand that the next generation’s education is now intrinsically linked with cybersecurity, and there is no room for complacency.
The increased attention to cybersecurity in our education system is a clear signal of our times. We need to instill a culture of cybersecurity from the classroom to the boardroom. Let’s not wait for another breach to shake us into action. The safety of our nation’s future is at stake.”
The New York Times is reporting that American intelligence officials believe Chinese malware could give China the power to disrupt or slow American deployments or resupply operations, including during a Chinese move against Taiwan.
News Insight:
According to Joe Saunders, CEO, RunSafe Security, “The threat of a ticking time bomb like this malware means we need to double-down our efforts to achieve not just memory safety in software in the long term, but memory protection in software immediately. Otherwise we take the risk of losing our ability to support our warfighters and maintain a normal sense of operation in society.”
The Securities and Exchange Commission has adopted NEW rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.
Policy Insights:
According to Lenny Zeltser, a SANS Institute faculty fellow who has specialized in information security and cybersecurity practices for over 20 years and is the current CISO of cyber firm Axonius:
“The CISO community was excited to see that the SEC considered requiring boards of directors to disclose the extent of their cybersecurity expertise. This would have motivated boards to develop an understanding of cybersecurity.
The final rule doesn’t have this requirement. It’s natural to feel disappointed because it feels like a loss of what we could have had. Thus some proclaim that ‘the SEC basically let the boardroom largely slip off the hook for cybersecurity governance accountability.’ However, since that proposed requirement was never enacted, we didn’t actually experience a loss. We’re just disappointed that our thought experiment didn’t turn into reality.
Fortunately, in reality, we gained several cybersecurity-reinforcing requirements included in the final SEC rule. It requires public companies to document “the board’s oversight of risks from cybersecurity threats.” Such disclosures will allow investors to understand the extent of the board’s involvement in cybersecurity. This creates a similar incentive to pay attention to cybersecurity that we hoped to get in the proposed rule. Moreover, the final rule includes the need to promptly report material cybersecurity incidents, increasing the incentive to minimize the occurrence of such incidents. Moreover, the rule requires companies to disclose their cybersecurity risk management process, which offers another lever for cybersecurity leaders.
It’s natural to review the final rule from the perspective of what could have been and not notice the benefits it offers. Cybersecurity professionals in public companies are better off today than before the final rule’s passing, and that’s worth celebrating.
I’m seeing some cybersecurity professionals saying that the new rule requires public companies to disclose material security incidents within 4 days. This isn’t quite right. The rule says that the company needs to file the incident-disclosing form ‘within four business days of determining an incident was material,’ a determination the company must make ‘without unreasonable delay.’
The reference to ‘business’ days gives companies some time. Moreover, the timer starts not after the company detected the incident, but after it determined that the incident was material. This sounds reasonable to me. An important note regarding this, though: The determination of what constitutes a material security incident and what’s considered undue delay should be made by legal professionals, not cybersecurity leaders.”
Ani Chaudhuri, CEO, Dasera said:
“The new rules implemented by the SEC are a notable stride towards transparency in a world where cybersecurity incidents are increasingly common. With digital assets becoming increasingly critical to businesses, timely and comprehensive disclosure of such incidents to shareholders is pivotal.
Material incidents are those that have a significant impact on a company’s financials, operations, or reputation – elements which shareholders would indeed consider crucial in making an investment decision. The same principles apply whether we’re talking about a physical asset like a factory, or digital data. Cybersecurity is no longer a domain exclusive to IT professionals; it’s a concern for everyone.
While the SEC’s approach is admirable, it does bring a set of new challenges to the table. The reporting timeline may indeed seem tight, especially for complex incidents where an understanding of the scope and impact may take longer than four days. Given the technical and complex nature of cyber incidents, it’s important to strike a balance between providing timely information and ensuring that information is accurate and complete.
The additional 180 days granted to smaller companies is also a thoughtful concession, acknowledging that not all entities have the same resources to manage and report cyber incidents.
However, it is the clause about the potential postponement of disclosure in instances where it might pose a significant risk to national security or public safety that can be more contentious. While the intent is certainly valid, the execution must be handled carefully. Defining ‘significant risk’ might be a potential gray area, and companies should not misuse it as a loophole to delay disclosure.
Furthermore, while the rules require companies to provide a concise description of the incident, its impact, and the data compromised, they do not require companies to disclose specifics of their incident response plans or details about potential vulnerabilities. In this sense, the rules are a missed opportunity to push companies towards better preparedness and proactive planning. The more information available, the more we can learn and improve our defenses.
Lastly, let’s not forget that this rule is reactive. Disclosing an incident after it has happened does not prevent the incident in the first place. The real need of the hour is to invest more resources in proactive measures that would make our systems more resilient and reduce the chances of such incidents happening in the first place.
The SEC’s new rules are a positive step towards more transparency in handling cybersecurity incidents. Still, valid concerns and potential challenges must be addressed in implementing these rules. As we continue to rely more heavily on digital assets, the onus is on us to evolve our approach towards cybersecurity, making it a key part of strategic decision-making.”
French President Emmanuel Macron’s suggestion that the government might need the ability to block social media access during riots has sparked a backlash in the country, with some arguing that France is going the way of authoritarian regimes.
Read Full Article: https://www.washingtonpost.com/world/2023/07/06/france-macron-social-media-block-riots/
Gigabyte shipped millions of motherboards with a dangerous firmware backdoor
According to cybersecurity experts from Eclypsium, computer hardware manufacturer Gigabyte installed a backdoor in the firmware of its motherboards, putting 271 motherboard models at risk of being hacked. The lengthy list of affected models features nearly every motherboard Gigabyte has put out in recent years, including the latest Z790 and X670 units.
As Eclypsium’s blog explains, Gigabyte embedded a Windows executable into the firmware of its motherboards that runs when the computer boots up. In other words, every time you reboot your computer, code in the motherboard’s firmware initiates Gigabyte’s app center, which downloads and runs an executable payload from the internet.