Friday Five: The Updated NIST Framework, Surging Cyberattacks, Red-Teaming AI, & More
With an uptick of cyberattacks against government agencies comes a wave of new cyber frameworks, guidance, and regulations. Catch up on all the latest in this week’s Friday Five!
REPORT REVEALS 'SUDDEN SURGE' IN CYBERATTACKS TARGETING GOVERNMENT AGENCIES BY CHRIS RIOTTA
BlackBerry’s most recent quarterly Global Threat Intelligence Report revealed a 40% surge in cyberattacks on government agencies and the public sector between March and May. Novel malware campaigns hit finance, healthcare, and critical infrastructure, with a 13% rise in new malware samples. Limited resources and immature defenses leave these targets exposed to both nation-state and cybercriminal threats. State-sponsored actors from Russia and North Korea, focusing on the US, Europe, and South Korea, are increasingly active, and some notable intrusions, including China-based espionage, have reportedly hit US agencies. Energy infrastructure faces growing cybersecurity risk, while healthcare and financial institutions remain among the most lucrative targets.
UPDATED NIST CYBER FRAMEWORK FOCUSES ON GOVERNANCE BY ALEXANDRA KELLEY
The National Institute of Standards and Technology (NIST) introduced a draft of Cybersecurity Framework 2.0, featuring notable changes to its scope and guidance. A new "Govern" function, the sixth core function alongside Identify, Protect, Detect, Respond, and Recover, emphasizes flexible implementation and clear roles and responsibilities in cybersecurity risk management. The update aims to broaden the framework's applicability beyond critical infrastructure sectors, aligning with the Cybersecurity and Infrastructure Security Agency's strategic plan. NIST's framework, which remains voluntary, promotes integration with related guidance such as the AI Risk Management Framework and the Secure Software Development Framework, and now includes more tailored Framework Profiles. Comments are open until November 4, 2023, with a final version expected in early 2024 after a forthcoming workshop.
HACKER VS. MACHINE AT DEF CON: THOUSANDS OF SECURITY RESEARCHERS VIE TO OUTSMART AI IN LAS VEGAS BY ELIAS GROLL
DEF CON, an annual hacking conference, is currently hosting a red-teaming exercise in which hackers probe major AI systems, aiming to uncover vulnerabilities and biases. The exercise, backed by the White House, targets language models from prominent labs such as Google, OpenAI, and NVIDIA. Although the understanding of AI safety is still developing, the red-teaming exercise seeks to surface new risks and promote broader involvement in AI security discussions as AI policy evolves. By merging cybersecurity and AI safety practice, experts aim to build more robust and secure AI systems.
CISA’S STRATEGIC PLAN ADHERES TO OVERALL BIDEN ADMINISTRATION DIRECTION ON CYBERSECURITY BY CHRISTIAN VASQUEZ
The Cybersecurity and Infrastructure Security Agency (CISA) unveiled its strategic plan for fiscal years 2024-2026 which, in line with the White House's National Cybersecurity Strategy, aims to strengthen national cybersecurity preparedness. Internally, it guides CISA's resource allocation and operational planning; externally, it encourages stakeholder engagement. The plan centers on three goals: addressing immediate threats, hardening defenses, and driving security at scale. Each goal includes three specific objectives, outlining CISA's focus for the next three years. The release follows related initiatives, such as the National Cyber Workforce and Education Strategy and the National Cybersecurity Strategy, reflecting a comprehensive approach to bolstering cybersecurity.
INDIA DATA PROTECTION BILL APPROVED, DESPITE PRIVACY CONCERNS BY DAN RAYWOOD
India's Digital Personal Data Protection (DPDP) bill, approved by the lower house of the country's bicameral Parliament, proposes penalties for data breaches and requires data fiduciaries to process personal data on the basis of consent, aiming to give individuals control over their information. Facing opposition from privacy groups and the opposition INDIA bloc, concerns center on the bill's relaxation compared with earlier drafts, which potentially grants more latitude to data fiduciaries, and on the central government's authority over the composition of the Data Protection Board. Critics worry about government access to data, content takedowns, and potential conflicts with existing laws. The bill's purely digital focus and its potential impact on the Right To Information Act also raise concerns about privacy and citizens' access to information.