TOP OF THE DAY – Strengthening resilience in the East. How the EU can empower countries against foreign interference
(Nad’a Kovalčíková, Leonardo De Agostini, Beatrice Catena – European Union Institute for Security Studies – 25 September 2024) Hybrid threats in the Eastern Neighbourhood have contributed to the EU adopting a coordinated approach to foreign information manipulation and interference (FIMI) with its strategic partners. This has led to two key developments. – Strengthening resilience in the East | European Union Institute for Security Studies (europa.eu)
Governance
(Varg Folkman – The Parliament – 26 September 2024) To avoid European AI being dominated by American tech firms, policymakers need to strictly enforce competition rules while tearing away the red tape that hampers innovation at home. – Op-ed: The EU’s AI sector needs both more and less regulation (theparliamentmagazine.eu)
(Bryan H. Choi – Lawfare – 26 September 2024) To date, most popular approaches to AI safety and accountability have focused on the technological characteristics and risks of AI systems, while averting attention from the workers behind the curtain responsible for designing, implementing, testing, and maintaining such systems. Efforts like the EU AI Act epitomize this approach, in that they condition regulatory oversight based on technical attributes such as the amount of compute used for training or tuning an AI model. Likewise, the products liability framework for AI points the finger at unsafe product features and minimizes the conduct of human decision-makers. Other proposals such as strict liability or analogies of “sentient” AI to children or wild animals are similarly avoidant of engaging with the human processes by which AI is made. This technological focus allows AI engineers to dissociate themselves from the harms they impose on others. – Negligence Liability for AI Developers | Lawfare (lawfaremedia.org)
(Anastasia Dodd, Megan Shahi – Center for American Progress – 25 September 2024) The February 2024 Center for American Progress report “Generative AI Should Be Developed and Deployed Responsibly at Every Level for Everyone” directed a spotlight onto the “significant disparity between the still minimal safety measures taken by developers in their first-party deployments and the almost nonexistent safety requirements for third parties deploying the models via API.” It recommended a series of commonsense changes for generative artificial intelligence (AI) developers to make, touching on enforcement of existing policies, abuse prevention, data and tooling, reporting, and transparency. Six months after the original report’s publication, this report re-reviews the external-facing policies of six major AI developers—OpenAI, Anthropic, Microsoft, Amazon, Google, and Meta—and finds that none have made the changes recommended by CAP. While some developers have safety requirements in limited areas of third-party deployments, no developer has the comprehensive safety measures recommended in the original report. CAP has emphasized the importance of a focus on these third-party safety requirements in comments to the National Institute of Standards and Technology (NIST) and elsewhere. While the earlier report lists all of CAP’s recommendations for a comprehensive approach to safety in third-party AI deployments, this report urgently highlights four priority policies that should be implemented immediately: end-user reporting, content safety tooling, standardized transparency reporting, and comprehensive documentation to assist deployer compliance. – To Implement AI Responsibly, Third-Party Deployments Must Require Safeguards – Center for American Progress
(Allison Pytlak, Shreya Lad – Stimson Center – 24 September 2024) As one of the first successful examples of global multilateral cooperation on international telecommunications, the International Telecommunications Union (ITU) is an exemplary mechanism for accountability through security. This case study inspects the history and scope of the ITU with a focus on its national training activities, threat incident response programs, and the Global Cybersecurity Index. These programs have helped the ITU promote a culture of resilience-building and cybersecurity internationally, while working with industry and civil society stakeholders. At the same time, it is not immune to geopolitical tensions around digital governance and the future of an open and secure Internet. Yet it is a relevant platform whose activities should be better leveraged in order to promote transparency, cooperation, and cybersecurity. – The International Telecommunications Union (ITU) and Cyber Accountability • Stimson Center
Geostrategies
(Harsh V. Pant, Kartik Bommakanti – Observer Research Foundation – 26 September 2024) In a significant milestone, the United States and India reached an agreement to establish a semiconductor plant in India that will cater to national security and defence. As a Quad member whose interests largely align with the US, India makes for a compelling partner in the face of China’s emergence as a major geostrategic threat and technological challenge. More specifically, this latest agreement is the result of an initiative between Bharat Semi, 3rdiTech, and the United States Space Force (USSF). Critical materials essential for semiconductor development and manufacturing—such as infrared, gallium nitride, and silicon carbide—are central to the agreement. What makes this agreement stand out is its unique collaborative nature, involving a key branch of the US military, the USSF, and Indian industry. – Fab pact: A harbinger of good things ahead (orfonline.org)
(John Villasenor – Brookings – 24 September 2024) Over the past few years, the Bureau of Industry and Security (BIS) of the Department of Commerce has released a series of export control rules aimed at limiting access by China to the most advanced chips used for artificial intelligence (AI) computations. Loopholes based on the use of cloud computing limit the effectiveness of such controls. However, expanding AI export control rules to encompass cloud computing risks collateral damage to AI research at U.S. universities, which would undermine the vitality of the AI innovation ecosystem in the United States. – The tension between AI export control and U.S. AI innovation (brookings.edu)
Security
(Alessandro Mascellino – Infosecurity Magazine – 27 September 2024) A massive data leak exposing the personal information of over 100 million US citizens has been reportedly uncovered by security researchers. The breach, discovered by Cybernews and attributed to a misconfigured database at background check firm MC2 Data, allegedly left 2.2TB of sensitive data accessible online without password protection. – Data Breach at MC2 Data Leaves 100 Million at Risk of Fraud – Infosecurity Magazine (infosecurity-magazine.com)
(Brian McElyea – NextGov – 26 September 2024) This summer’s CrowdStrike outage has been widely discussed across government agencies, boardrooms, CIO/CISO offices, media, professional organizations and in academic settings. The circumstances around the faulty software update provide a rare case study for those focused on continuity of operations. The software update issue hit nearly 8.5 million Windows operating systems and impacted a broad range of Microsoft users, but government agencies and businesses suffered the brunt of the effects. Disruptions to both internal and external operations were so great that companies such as Delta Airlines said the outage cost the company about $550 million and that they are pursuing damages against both Microsoft and CrowdStrike. – Lessons from the CrowdStrike outage – Nextgov/FCW
(Eduard Kovacs – SecurityWeek – 26 September 2024) The US cybersecurity agency CISA on Wednesday reiterated a warning that unsophisticated methods can be used to hack industrial control systems (ICS) and other operational technology (OT). Even so, some threat actors appear to be making exaggerated claims when it comes to attacks on such systems. A pro-Israel hacktivist group known as Red Evil and We Red Evils — known to target Hamas, Lebanon and Iran — this week claimed to have compromised water systems used by Hezbollah, the Lebanese political party and paramilitary group. – Israeli Group Claims Lebanon Water Hack as CISA Reiterates Warning on Simple ICS Attacks – SecurityWeek
(Ionut Arghire – SecurityWeek – 26 September 2024) Threat actors are compromising email accounts at transportation and shipping organizations in North America to deliver various malware families, Proofpoint reports. Starting May 2024, threat actors have been observed injecting malicious content into existing conversations within the compromised inboxes, to deliver malware such as Arechclient2, DanaBot, Lumma Stealer, NetSupport, and StealC. – US Transportation and Logistics Firms Targeted With Infostealers, Backdoors – SecurityWeek
(James Coker – Infosecurity Magazine – 26 September 2024) More than a third (38%) of employees share sensitive work information with AI tools without their employer’s permission, according to new research by CybSafe and the National Cybersecurity Alliance (NCA). The report found that this behavior was particularly prominent among younger generations. Around half (46%) of Gen Z and 43% of millennials surveyed admitted sharing sensitive work information with such tools without their employer’s knowledge. – Over a Third of Employees Secretly Sharing Work Info with AI – Infosecurity Magazine (infosecurity-magazine.com)
(Alessandro Mascellino – Infosecurity Magazine – 26 September 2024) Several major UK train stations, including London Euston, Manchester Piccadilly and Liverpool Lime Street, have been targeted in a cyber-attack, in which Islamophobic messages have been displayed to passengers attempting to connect to public Wi-Fi. In total, 19 railway stations managed by Network Rail have been impacted by the incident which began on September 25. – Cybercriminals Hack UK Rail Network Wi-Fi – Infosecurity Magazine (infosecurity-magazine.com)
(Phil Muncaster – Infosecurity Magazine – 26 September 2024) Security researchers have for the first time found crypto drainer malware exclusively targeting mobile users, after discovering it hidden in an app on Google Play. Check Point Research (CPR) said the app in question, WalletConnect, accrued over 10,000 downloads and stole around $70,000 in cryptocurrency from victims, until it was removed by Google. – First Mobile Crypto Drainer Found on Google Play – Infosecurity Magazine (infosecurity-magazine.com)
(Phil Muncaster – Infosecurity Magazine – 26 September 2024) Security researchers have discovered a new phishing campaign that capitalizes on excitement around the start of the League of Legends (LoL) World Championship this week to spread info-stealing malware. Bitdefender explained in a blog post that it’s spotted malicious social media ads promoting a free download of League of Legends, a popular PC-only game that is in fact already free of charge. – Malicious Ads Hide Infostealer in League of Legends ‘Download’ – Infosecurity Magazine (infosecurity-magazine.com)
(James Babbage – RUSI – 25 September 2024) (UK) Last month the National Crime Agency (NCA) published its National Strategic Assessment of Serious and Organised Crime (SOC). It highlights each of the threats the Agency is focused on tackling, from firearms and drugs to child sexual abuse, modern slavery, human trafficking and economic crime. For the first time ever, the top headline this year is not about criminal behaviour; rather, it is about how much more vulnerable we all are to becoming victims. Changes in organised crime are being driven, more than anything else, by our routine dependence – in our personal and working lives – on online services. Indeed, the majority of crime now occurs online or is enabled by online resources. We have all become more vulnerable to organised crime as a result of living more of our lives online. – Charting the Future of Organised Crime – and the UK’s Response | Royal United Services Institute (rusi.org)
(Newsweek/Center for a New American Security – 24 September 2024) The integrity of U.S. election systems has been a focal point of concern since foreign interference was uncovered in the 2016 presidential election. Synack, a cyber security company founded by former members of the National Security Agency, has hired 1,600 ethical hackers to test the security of government institutions and corporations. – Army of ‘Ethical Hackers’ Defends Election Voting Systems Against Russia | Center for a New American Security (en-US) (cnas.org)
Defense, Intelligence, and War
(Brianna Rosen, Tess Bridgeman – Just Security – 26 September 2024) On Sept. 9-10, 2024, Just Security’s Co-Editor-in-Chief Dr. Tess Bridgeman and Senior Fellow Dr. Brianna Rosen spoke at the second global summit on Responsible AI in the Military Domain (REAIM) in Seoul, South Korea. Brianna Rosen also spoke on a U.K. government panel on the strategic security risks of AI. – Rethinking Responsible Use of Military AI: From Principles to Practice (justsecurity.org)
(Johanna Mohring – French Institute of International Relations – 25 September 2024) In Europe, with Russia’s war of aggression against Ukraine showing little sign of abating, a persistent gap remains between security needs and defense spending. According to a 2006 commitment enshrined at the 2014 Wales NATO summit, the North Atlantic Treaty Organization (NATO) members should disburse no less than 2% of their national gross domestic product (GDP) on defense, out of which 20% is to be spent on equipment and research and development. In 2024, only 23 Allies out of 32 are expected to meet or exceed this target, though a significant improvement from only three in 2014. This total includes the United States (US) devoting 3.38% of its GDP to defense, constituting almost 70% of all NATO member defense spending combined. – EUDIS, HEDI, DIANA: What’s behind Three Defense Innovation Acronyms? | Ifri
(Center for a New American Security – 25 September 2024) The Center for a New American Security released a new report, Integration for Innovation: A Report of the CNAS Defense Technology Task Force, by Michael Brown, former director of the Defense Innovation Unit; the Honorable Ellen Lord, former under secretary of defense for acquisition and sustainment; Andrew Metrick, former CNAS defense fellow; and the Honorable Robert O. Work, former deputy secretary of defense. – Top Former Defense Officials Release New Report on Accelerating DoD Innovation | Center for a New American Security (en-US) (cnas.org)
Legislation
(David DiMolfetta – NextGov – 26 September 2024) A measure introduced Thursday would direct the Department of Health and Human Services to craft a new set of minimum cybersecurity standards for the healthcare sector and require the agency to conduct yearly audits of health entities overseen by those new rules. The Health Infrastructure Security and Accountability Act — led by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va. — amends the Health Insurance Portability and Accountability Act requirements and directs HHS to build new “mandatory minimum cybersecurity standards for health care providers, health plans, clearinghouses and business associates” with a special focus on healthcare operations important to national security. – New bill seeks to mandate healthcare cybersecurity standards – Nextgov/FCW