TOP OF THE DAY
Governance and Legislation
Drivers of Disharmony in U.S. Cyber Regulations
(Jason Healey, Samuel Dab – Lawfare – 18 December 2024) If a large U.S. company suffers a data breach, losing a substantial amount of sensitive or personal data, to whom must it report and when? The answer is anything but straightforward. Most individual states require reports within 60 days, but others range from 90 days to a single day. Some federal agencies require reports in three days, others four. There are 13 separate forms and 10 websites in use by the federal government for incident reporting, according to the federal Cyber Incident Reporting Council, and “of the 22 Federal agencies with current cyber incident reporting requirements, only three recognize or accept another agency’s form.” If the company is a bank, it turns out “eight Federal agencies currently have reporting requirements applicable to the financial services sector.” – https://www.lawfaremedia.org/article/drivers-of-disharmony-in-u.s.-cyber-regulations
US Government Issues Cloud Security Requirements for Federal Agencies
(James Coker – Infosecurity Magazine – 18 December 2024) US federal agencies and departments have been mandated to implement new cybersecurity practices for cloud services. The Cybersecurity and Infrastructure Security Agency (CISA) published Binding Operational Directive 25-01: Implementing Secure Practices for Cloud Services on December 17, which sets out actions federal agencies must take to identify and secure all production or operational cloud tenants in their environments. – https://www.infosecurity-magazine.com/news/cloud-security-federal-agencies/
Developing a Framework for Collective Data Rights
(Jeni Tennison – Centre for International Governance Innovation – 17 December 2024) Are collective data rights really necessary? Or, do people and communities already have sufficient rights to address harms through equality, public administration or consumer law? Might collective data rights even be harmful by undermining individual data rights or creating unjust collectivities? If we did have collective data rights, what should they look like? And how could they be introduced into legislation? Data protection law and policy are founded on the notion of individual notice and consent, originating from the handling of personal data gathered for medical and scientific research. However, recent work on data governance has highlighted shortcomings with the notice-and-consent approach, especially in an age of big data and artificial intelligence. This special report considers the need for collective data rights by examining legal remedies currently available in the United Kingdom in three scenarios where the people affected by algorithmic decision making are not data subjects and therefore do not have individual data protection rights. – https://www.cigionline.org/publications/developing-a-framework-for-collective-data-rights/
The AI Presidency: What “America First” Means for Global AI Governance
(Brianna Rosen – Just Security – 16 December 2024) President-elect Donald Trump’s imminent return to the White House is set to transform the global AI landscape with Silicon Valley’s tech titans at the helm. In the past week alone, Trump reportedly has met with a procession of industry leaders, receiving $1 million donations to his inaugural fund from Meta, Amazon, and OpenAI CEO Sam Altman. “President Trump will lead our country into the age of AI,” said Altman, capturing the zeitgeist of the moment. “I am eager to support his efforts to ensure America stays ahead.” – https://www.justsecurity.org/105752/ai-presidency/
Security
Phishing Attacks Double in 2024
(Alessandro Mascellino – Infosecurity Magazine – 18 December 2024) A sharp increase in phishing attacks, including a 202% rise in overall phishing messages in the second half of 2024, has been identified by cybersecurity experts. According to SlashNext’s 2024 Phishing Intelligence Report, a substantial 703% surge in credential phishing attacks was also observed in the same period. – https://www.infosecurity-magazine.com/news/2024-phishing-attacks-double/
New Attacks Exploit VSCode Extensions and npm Packages
(Alessandro Mascellino – Infosecurity Magazine – 18 December 2024) A recent investigation by security researchers has revealed a troubling surge in malicious campaigns exploiting popular development tools, including VSCode extensions and npm packages. These campaigns compromise local development environments and pose risks to broader software supply chains. – https://www.infosecurity-magazine.com/news/threat-actors-exploit-vscode/
Attacker Distributes DarkGate Using MS Teams Vishing Technique
(James Coker – Infosecurity Magazine – 18 December 2024) A threat actor has been observed using vishing via Microsoft Teams to deploy DarkGate malware and gain remote control over the victim’s computer network. Trend Micro reported that the attacker posed as an employee of a known client on an MS Teams call, enabling them to dupe the target user into downloading the remote desktop application AnyDesk, which then facilitated the deployment of DarkGate malware. – https://www.infosecurity-magazine.com/news/attacker-darkgate-teams-vishing/
Nigeria Cracks Down on Cryptocurrency Investment Fraud and Romance Scams
(Kevin Poireault – Infosecurity Magazine – 18 December 2024) A network of 792 people has been arrested in Lagos, Nigeria’s most populated city, for their alleged involvement in a large-scale cryptocurrency fraud scheme and romance scam activity. The arrest was made public on December 16 by Ola Olukoyede, the Executive Chairman of Nigeria’s Economic and Financial Crimes Commission (EFCC). – https://www.infosecurity-magazine.com/news/nigeria-cracks-down-cryptocurrency/
Meta Hit with Massive $263m GDPR Fine
(Phil Muncaster – Infosecurity Magazine – 18 December 2024) Meta has been fined €251m ($263m) by the Irish Data Protection Commission (DPC) for a massive 2018 data breach which impacted around 29 million Facebook accounts. The incident in question arose between September 14-28, 2018, when unauthorized individuals exploited a vulnerability in the social media platform’s “View As” feature, enabling them to log on as the account holder. – https://www.infosecurity-magazine.com/news/meta-hit-with-massive-263m-gdpr/
A lightweight app comes with some heavy consequences, researchers say
(Joe Warminsky – The Record – 18 December 2024) An app supposedly built for calculating a person’s body mass index (BMI) is actually information-stealing malware, according to researchers. “BMI CalculationVsn” is the latest example of malicious software sneaked into an app store under the guise of being a simple tool for consumers. Spotted on the Amazon Appstore by researchers at antivirus company McAfee, the app was actually an infostealer with the ability to record screen activity, steal text messages and survey the list of the other apps on the device. – https://therecord.media/a-lightweight-app-comes-with-some-heavy-consequences-mcafee
Dutch regulator fines Netflix $5 million for data privacy violations
(Suzanne Smalley – The Record – 18 December 2024) A Dutch privacy regulator on Wednesday fined Netflix €4.75 million ($5 million) for not telling consumers enough about how the streaming service uses their data. The fine stems from Netflix’s failure to give customers “sufficient” information about how it handled customer personal data from 2018 to 2020, the Dutch Data Protection Authority (DPA) said in a press release. The regulator also said the information Netflix did provide was unclear. – https://therecord.media/dutch-fines-millions-regulator-netflix
CISA orders federal agencies to secure Microsoft cloud systems after ‘recent’ intrusions
(Jonathan Greig – The Record – 18 December 2024) Federal civilian agencies were ordered to secure their Microsoft cloud systems after several recent cyber incidents. The Cybersecurity and Infrastructure Security Agency (CISA) issued a binding directive on Tuesday giving federal agencies a series of deadlines to identify cloud systems, implement assessment tools and abide by the agency’s Secure Cloud Business Applications (SCuBA) secure configuration baselines. – https://therecord.media/cisa-orders-federal-agencies-to-secure-microsoft-cloud-systems
Frontiers
AI and Constitutional Interpretation: The Law of Conservation of Judgment
(Andrew Coan, Harry Surden – Lawfare – 16 December 2024) Modern artificial intelligence systems like OpenAI’s ChatGPT have improved at a dizzying pace, leading some judges, lawyers, and scholars to ask whether AI could finally deliver on a centuries-old dream: a machine capable of interpreting the Constitution objectively, without the messy human bias and subjectivity that has long bedeviled constitutional law. The allure of such an “interpretation machine” is apparent. Rather than relying on ideologically divided human judges to resolve our most contentious constitutional disputes, we might instead turn to neutral, data-driven AI systems that simply analyze the text, history, and precedent to reach the correct legal answer. – https://www.lawfaremedia.org/article/ai-and-constitutional-interpretation–the-law-of-conservation-of-judgment