Welcome to The Cybersecurity 202! "AI is no laughing matter" is an alternative headline for today's newsletter. Also, literally. Below: Apple patches iPhone software flaws used in hacks against Russians, and a China-linked group is tied to hacks against foreign ministries in the Americas. First: | Schumer, Fick join the calls for AI regulation, with election distortion and cyber among the reasons | Senate Majority Leader Chuck Schumer (D-N.Y.) cited AI-enabled security risks and election threats. (Jahi Chikwendiu/The Washington Post) | | Two prominent voices on Wednesday joined calls to swiftly regulate artificial intelligence. They both had cyber-related reasons in mind. Senate Majority Leader Charles E. Schumer (D-N.Y.) unveiled a plan for developing rules for AI, citing issues including security risks and threats to elections. "AI could be used to jaundice and even totally discredit our elections as early as next year," he said at the Center for Strategic and International Studies think tank. "We could soon live in a world where political campaigns regularly deploy fabricated, yet totally believable and convincing, images and footage of Democratic or Republican candidates, distorting their statements, greatly harming their election chances." In the executive branch, Nathaniel Fick, the State Department's ambassador at large for cyberspace and digital policy, cited AI-empowered misinformation and cyberattacks as a reason to act quickly on the technology. | - Right now, the four top companies involved in AI large language models like OpenAI's ChatGPT are American, but he predicted a "less trustworthy" company might develop something similar within a year.
- "We don't have a lot of time," Fick said at the Hudson Institute think tank, "to put together some kind of regulatory or governance structure."
| Both men add to the voices expressing mounting worry about AI's potential for cyber-related malfeasance. | Prominent cyber officials in recent months have expressed fears about AI's possible harms. | - Cybersecurity and Infrastructure Security Director Jen Easterly has called it, along with China, one of this era's defining threats.
- Rob Joyce, director of cybersecurity for the National Security Agency, said at the RSA Conference this spring that he expected to have evidence of adversaries exploiting AI for cyber purposes by that same time next year.
| My colleague Joseph Menn wrote last month about how concerns related to AI dominated conversations at RSA among cyber professionals. The technology could enable criminals to get around technical barriers to conducting attacks. "You will be able to say, 'just tell me how to break into a system,' and it will say, 'here's 10 paths in,'" Robert Hansen, deputy chief technology officer at security firm Tenable, said at the conference. "They are just going to get in. It'll be a very different world." Even before Schumer advanced his plan, cyber-focused lawmakers have been proposing legislation to address AI issues. | - Senate Homeland Security and Governmental Affairs Chairman Gary Peters (D-Mich.) introduced legislation this month with Republican Sens. Mike Braun (Ind.) and James Lankford (Okla.) focused on government transparency about the use of AI.
- Sens. Michael F. Bennet (D-Colo.), Todd C. Young (R-Ind.), and Intelligence Chairman Mark R. Warner (D-Va.) also introduced legislation this month establishing an office to review how the United States is competing on emerging technologies like AI.
- And this week, Reps. Ted Lieu (D-Calif.) and Ken Buck (R-Colo.) proposed a bill to establish a commission on AI.
- That's just a smattering of the frenzy of lawmaker activity on AI, which my colleagues Cat Zakrzewski and Cristiano Lima recently wrote about.
| ChatGPT catapulted AI into the public consciousness, but anyone who was paying attention noticed AI's development was well on its way, Fick said. "This is a long, exponential curve," he said. "We're nowhere near the end of the curve." | There have been some doubts about AI's capabilities today for writing malicious code, and questions about how any threat might materialize. Fick noted that things thought impossible months ago are now commonplace, and things currently thought impossible would become commonplace in the future. In the near term, Fick said he's most worried about use of AI to produce misinformation and disinformation. "The most likely course of action is we embark on a political campaign season where it is harder than it ever has been to separate fact from fiction," he said. That could be "corrosive," but also could be "galvanizing" in making people realize the severity of the danger, he said. In the long term, the risks include threats to cybersecurity, Fick said. On the other hand, there is positive potential, too, such as using AI to write software code with fewer bugs, he said. Schumer, too, cited the risks to elections. "What if foreign adversaries embrace this technology to interfere in our elections? This is not about imposing one viewpoint, but it's about ensuring people can engage in democracy without outside interference," he said. "This is one of the reasons we must move quickly. We should develop the guardrails that align with democracy and encourage the nations of the world to use them. Without taking steps to make sure AI preserves our country's foundations, we risk the survival of our democracy." And he pointed out that the first part of his plan was focused on security. "The dangers of AI could be extreme," he said. "We need to do everything we can to instill guardrails that make sure these groups cannot use our advances in AI for illicit and bad purpose." 
| | | The keys | | Apple patches iPhone software flaws used in hacks against Russians | The attacks unveiled about three weeks ago worked by sending a malicious iMessage attachment that allowed hackers to run code without the message needing to be opened. (Mark Lennihan/AP) | | Apple on Wednesday announced that it fixed two flaws in its operating system that recently allowed hackers to infiltrate thousands of devices in Russia, our colleague Joseph Menn reports. "Apple credited the discovery of the flaws to researchers from Russian security software maker Kaspersky Lab, which said three weeks ago that its senior employees were among those targeted," Joseph writes. | - Russia's Federal Security Service (FSB) at the time accused the United States of colluding with Apple to carry out the attack and did not provide evidence as to how it made that determination.
- The National Security Agency did not respond to a request for comment.
| The attacks unveiled about three weeks ago worked by sending a malicious iMessage attachment that allowed hackers to run code without the message needing to be opened. | - "On Wednesday, Kaspersky gave more detail, saying that the malicious code installed after infection had 24 commands, including extracting passwords from Apple's Keychain, monitoring locations, and modifying or exporting files," Joseph writes. The patch aims to protect devices running iOS 15.7 or earlier.
| For years, Kaspersky has come under U.S. scrutiny for its Russia ties. The Federal Communications Commission last March added the company to its national security threat list. The company's software has also been banned from the networks of civilian federal agencies in the United States. | China-linked hacking group attacked foreign ministries in Americas, research finds | The group has been in operation since at least 2004, according to the report. (Kiichiro Sato/AP) | | Broadcom's Symantec says that a China-linked hacking group it calls Flea was responsible for a recent campaign against foreign ministries in the Americas, Jesse Levine reports for Bloomberg News. "The hacking group, also known as APT15 and Nickel, focused on foreign affairs ministries in the Americas, but also targeted a government finance department and a corporation that sells products in Central and South America," Levine writes, adding that "Symantec didn't identify the ministries that were hit." | - The group has been in operation since at least 2004, according to the report.
- "In December 2021, Microsoft Corp. obtained a court order allowing the company to seize websites that it said Flea was using to attack organizations in the US and 28 other countries," Levine writes.
- Cybersecurity firm Lookout last year linked the group to a campaign targeting Uyghur-language websites and social media, the Bloomberg report adds.
| The U.S.-China Economic and Security Review Commission in a report last year said the group is "potentially associated with Chinese defense contractor Xi'an Tianhe Defense Technology." Its attacks have included spear phishing — a targeted phishing email — as well as watering hole attacks which target users that commonly visit a site and Android malware distribution, the report says. The Symantec report did not directly tie the group to China, but "Microsoft described it as a China-based hacking group, and the cybersecurity firm Mandiant, now part of Google Cloud, says the group is likely associated with China," according to Bloomberg. | Child predators using Discord for sextortion and abduction | Discord, a popular messaging tool among gamers, has been used by predators to groom children before abducting them, records say. (Jeff Chiu/AP) | | Discord, a popular messaging tool among gamers, has been used by predators to groom children before abducting them, extort them or trade child sexual abuse materials (CSAM), Ben Goggin reports for NBC News. "In a review of international, national and local criminal complaints, news articles and law enforcement communications published since Discord was founded, NBC News identified 35 cases over the past six years in which adults were prosecuted on charges of kidnapping, grooming or sexual assault that allegedly involved communications on Discord," Goggin writes, adding that 22 cases occurred during or after the coronavirus pandemic. | - Those numbers only represent reported cases, the NBC report notes.
- "What we see is only the tip of the iceberg," Canadian Centre for Child Protection (C3P) tip line director Stephen Sauer said.
| Other platforms like Twitter and Instagram have faced scrutiny for facilitating CSAM, including material that is AI-generated. But "experts have suggested that Discord's young user base, decentralized structure and multimedia communication tools, along with its recent growth in popularity, have made it a particularly attractive location for people looking to exploit children," Goggin writes. Lawmakers have long tried to curb CSAM online by removing liability protections for tech companies if they knowingly let their users share CSAM. But cybersecurity experts say that bill, known as the EARN IT Act, could prompt tech companies to stop offering end-to-end encryption for users. | | | On the move | | - Jenner & Block partner Aaron Cooper joined the White House as deputy legal adviser to the National Security Council. He previously served as co-chair of the firm's privacy and cybersecurity practice.
| | | Daybook | | - Anne Neuberger, Kiersten Todt and other cyber officials speak at the Financial Times Cyber Resilience Summit beginning at 9 a.m.
- The House Homeland Security Committee convenes a hearing on the cybersecurity workforce pipeline at 10 a.m.
- The House Oversight Committee holds a hearing on how cutting-edge technologies can keep America safe at 1 p.m.
- CISA strategic technologist Garfield Jones speaks at an ATARC discussion on protecting critical infrastructure with quantum technology at 1:30 p.m.
| | | Secure log off | | Thanks for reading. See you tomorrow. | | |