Stockpiling zero-days, training AI. Board-of-directors liability for cyber attacks. CISA advice on ransomware. Rewards for Justice offers million-dollar rewards for cyberattack tips.
At a glance.
- Stockpiling zero-days.
- Data privacy and AI training.
- Australia considers directors’ liability for cyber attacks.
- CISA offers advice to MSPs and small and medium-sized businesses on protecting themselves from ransomware.
- The US State Department is offering a million-dollar reward for tips on cyber attacks.
Private disclosure and the potential for zero-day stockpiling.
The Record summarizes the Cyberspace Administration of China’s new Network Product Security Vulnerability Management Policy, which C4ISRNet says requires Chinese citizens to report any vulnerabilities they discover to the CCP, and not to anyone “overseas” other than the affected vendor.
SecurityWeek sees an opportunity for zero-day stockpiling, giving Beijing’s APTs an advantage and endangering Western organizations. One consequence could be fewer participants in hacking tournaments, patching efforts, and bug bounty programs; another could be the emigration of Chinese cyber talent to greener pastures. Luta Security CEO Katie Moussouris points to a third possibility: continuing to allow Chinese participants in US Vulnerability Disclosure Programs (VDPs) could “actually introduce a backdoor directly to the Chinese government.”
In addition to the ban on “collect[ing], sell[ing], or publish[ing]” vulnerabilities, the rules require the implementation of VDPs and impose penalties on companies that fail to produce or apply patches.
And the value of data privacy in AI training (or in restricting that training).
Defense One explains the position of US National Security Advisor Jake Sullivan that Western partners must keep data privacy at the forefront of all efforts to set global cybersecurity norms. Although the US and the EU have clashed in recent years over data protection standards, the allies should find common ground in the alternative worldview they can offer the international community: one in which absolute government control over data is not the norm.
This does not mean staying out of the big data and artificial intelligence race. Rather, the bloc can develop and promote emerging approaches such as “privacy-preserving machine learning”, which protect personal information throughout processing. (Prioritizing data privacy could, of course, also help keep PII out of the hands of the CCP.)
Australia is considering imposing liability for incidents on corporate directors.
Information Age comments on Canberra’s options for getting business leaders to take a more active role in cybersecurity. Despite the consensus that cyber risks are only growing and that big companies need to do better, only 6% of CEOs in the Asia-Pacific region meet with their CSOs, according to a Ponemon Institute survey, and uninformed board members continue to dodge difficult conversations.
The government has proposed a number of fixes, ranging from mandatory disclosure to reviews of insurance policies and, more recently, voluntary or mandatory cybersecurity “governance standards”, alternatives that would place direct responsibility on leadership. Observers are concerned about the cost of implementation and the impact on international investment.
Commenters are also invited to weigh in on topics such as labeling and standards regimes for smart devices and the legal rights of victims.
CISA publishes advice on mitigation and hardening.
As Managed Service Providers (MSPs) and small and medium-sized businesses increasingly emerge as targets of cyber threats, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance for these organizations in its role as “risk advisor to the nation”.
The US State Department announces an award for information on foreign threats to US infrastructure.
The US State Department’s Diplomatic Security Service this morning announced a reward of up to $10 million for “information that can identify or locate any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act.” The announcement specifically calls out both cyber espionage (though not by that name) and the related ransomware threat. The offer was made under the State Department’s Rewards for Justice program, which the department has administered since 1984.
Mike Hamilton, founder and CISO of Critical Insight and former DHS vice-chair of the State, Local, Tribal and Territorial Government Coordinating Council, sees a significant nuance in the announcement:
“This is an interesting (and not unexpected) application of the Rewards for Justice program. The key phrase here is ‘acting under the direction or control of a foreign government’, which means that the target is not organized criminals at large; they are those who are supported (openly or tacitly) by a government. This appears to be an attempt to shorten the detailed attribution process that is necessary to implicate a foreign government in collusion or cooperation with organized crime. If the US government can get someone to provide proof of it, paying $10 million is probably a good deal given the resources we are bringing to bear in the intelligence community for the same result.”
Austin Berglas, global head of professional services at BlueVoyant and former deputy special agent in charge of the cyber branch of the FBI’s New York office, wrote in to point out that reward programs have potential drawbacks as well as benefits:
“Reward programs will undoubtedly increase the number of leads, but it is possible to turn the reporting mechanism into a public pay phone. The difficulty lies in the amount of resources that will be required to separate the ‘signal’ from the ‘noise’ and identify legitimate clues. Other considerations include attribution to the tipster and the information provided by the tipster. If there has been an arrest and prosecution (based on an anonymous lead), investigators will need to be able to provide evidence of the crimes alleged by the anonymous party. This may or may not be possible without the cooperation of the anonymous primary source. Additionally, OFAC should be considered when making anonymous payments: how will due diligence be performed before making a payment to a foreign national? Is this an opening for rival malicious hacking groups to make money and reduce competition in the market? Finally, we still have to overcome the safe harbor provided by Russia and others; there are many instances where warrants are obtained and Red Notices are issued for criminals residing in these countries.”