TOP OF THE DAY - How the New EU Regulatory Landscape Will Impact Software Security
The new European Union (EU) cybersecurity regulatory landscape has arrived. Organizations are now being faced with more demanding, challenging and fine-tuned cyber resilience requirements across their entire ecosystem. This is now especially true for a long-awaited area: secure development and the end-to-end product security lifecycle. The EU has introduced three critical legislative frameworks – the Digital Operational Resilience Act (DORA), the Network and Information Security Directive 2 (NIS2), and the Cyber Resilience Act (CRA) – to strengthen cybersecurity and operational resilience.
(Pierluigi Paganini – Security Affairs – 7 October 2024)
What if someone is harmed by their own government, but the technology used against them was created by a company based in the United States? Should that person be able to hold the American company responsible? The United States may soon have an answer, as this very question continues to wind its way through the American court system. Europe may have one soon too, though as an unintended result of recent legislative decisions, rather than through deliberations in the courts.
(Iain Nash, Pier Giorgio Chiara – Lawfare – 13 September 2024)
Governance & Geostrategies
Social media giant Meta is resuming its controversial plans to use Facebook and Instagram user posts to train generative AI (GenAI). The practice is effectively banned in the EU at present after the Irish Data Protection Commission (DPC) requested the firm pause its project, in a move Meta branded as “a step backwards for European innovation.”
(Phil Muncaster – Infosecurity Magazine – 16 September 2024)
The following Beijing Municipal industrial policy describes how the city government plans to integrate AI into a wide variety of industries in 2024 and 2025. These industries and sectors include robotics, education, healthcare, scientific research, spatial computing, digital marketing, Party propaganda, the power grid, surveillance, and censorship, among others.
(Center for Security and Emerging Technology – 13 September 2024)
China’s Cyberspace Administration and its Ministry of Public Security have mooted an initiative to create internet identification for netizens in China. Plans are afoot to issue digital identification that will be used by netizens instead of their real identities when opening online profiles. The justification for this move is to safeguard users from sharing personal data, which may be retained by private digital platforms. While the authorities have maintained that applying for internet identification is voluntary, there is apprehension that the Communist Party of China (CPC) will exercise greater oversight over the Net in future. These developments point to Chinese President Xi Jinping tightening his grip on civil society. The exercise is not limited to public life but seems to encompass the education sector and the military as well. The Party leadership met in mid-July for its yearly plenary session, which determined the direction of important policy initiatives. The resolution of the session announced plans to work on a unified national population management system.
(Kalpit A Mankikar – Observer Research Foundation – 13 September 2024)
Agreed strategic priorities and concrete activities demonstrate that the UK–Japan Cyber Partnership has momentum. They also reflect the commitment of each country to cyber as an international policy area.
(Joseph Jarnecki, Philip Shetler-Jones and Pia Hüsch – RUSI – 12 September 2024)
The RansomHub ransomware group has released 487 gigabytes of data it allegedly stole from motorcycle manufacturer Kawasaki Motors Europe (KME). The company disclosed the incident last week, informing customers that it was recovering from an early-September cyberattack that was not successful.
(Ionut Arghire – SecurityWeek – 16 September 2024)
Access Sports Medicine & Orthopaedics is informing more than 88,000 individuals that their information has been compromised as a result of a cyberattack. The New Hampshire-based orthopedics services provider said it discovered suspicious activity on its network on May 10, 2024. An investigation showed that there had been unauthorized access to files storing personal and health information.
(Eduard Kovacs – SecurityWeek)
The Port of Seattle, which operates the Seattle-Tacoma International Airport (SEA Airport), has confirmed that ransomware was used in an August cyberattack that caused days-long outages. The incident was disclosed on August 24, when the Port announced on X (formerly Twitter) that various services were down after critical systems were isolated in response to a cyberattack.
(Ionut Arghire – SecurityWeek – 16 September 2024)
Apple has filed a motion to drop its lawsuit against Israeli company NSO Group, developer of the Pegasus spyware, citing significant risks to Apple’s threat intelligence program. Developments in the case have resulted in the tech behemoth fearing that sensitive information relating to its cyber defensive measures could be publicly revealed and used by other spyware vendors.
(Kevin Poireault – Infosecurity Magazine – 16 September 2024)
Biotech firm 23andMe has agreed to pay tens of millions of dollars to the victims of a major data breach in 2023. Over six million individuals’ information was accessed via the data breach, including a significant number of files containing info about users’ ancestry.
(Phil Muncaster – Infosecurity Magazine – 16 September 2024)
Malicious actors are spreading false claims that US voter registration databases have been breached, according to a new alert issued by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). The agencies said the claims are designed to manipulate public opinion and undermine confidence in US democratic institutions in the run-up to the US Presidential Elections in November.
(James Coker – Infosecurity Magazine – 13 September 2024)
A case involving a medical record hack affecting hundreds of patients and employees at a Pennsylvania healthcare company has been settled for a record-breaking $65m. Filed in March 2023, the case involved nearly 135,000 patients and employees of Lehigh Valley Health Network (LVHN), an independent healthcare network based in Pennsylvania. The plaintiffs, represented by class-action attorneys at Saltz Mongeluzzi Bendesky, sued LVHN after the company suffered a data breach that exposed 600 patients’ and employees’ medical records and personally identifiable information (PII).
(Kevin Poireault – Infosecurity Magazine – 13 September 2024)
Defense, Intelligence, and War
“Can chatbots help you build a bioweapon?” a headline in Foreign Policy asked. “ChatGPT could make bioterrorism horrifyingly easy,” a Vox article warned. “A.I. may save us or construct viruses to kill us,” a New York Times opinion piece argued. A glance at many headlines around artificial intelligence (AI) and bioweapons leaves the impression of a technology that is putting sophisticated biological weapons within the reach of any malicious actor intent on causing such harm with disease.
(Filippa Lentzos, Jez Littlewood, Hailey Wingo, Alberto Muti – Bulletin of the Atomic Scientists – 12 September 2024)
Legislation
(Chiraag Bains – Brookings – 13 September 2024)