Top of the Day
Building International Partnerships to Combat Foreign Cyberattacks
(Julia Dickson, Emily Harding – Lawfare – 9 February 2025) Cyberattacks by adversary states and criminal organizations cost Americans more than $12.5 billion in 2023 alone. Most malicious cyber activity, however, is conducted by actors operating outside the United States using foreign infrastructure, making it challenging for U.S. law enforcement to address. The incoming Trump administration must expand international collaboration to stop this crime wave. A good place to start is by building regional, collaborative law enforcement hubs to combat malicious cyber activity. These hubs should be locally organized and run, but seed funded by the United States and its allies. The hubs should be virtual for the first year and then evolve into brick-and-mortar collaborative spaces to build community and trust for deeper information sharing. Over time, seamless, up-to-the minute collaboration will reduce the dark corners of internet infrastructure where criminals like to hide, and these hubs will prove a low-cost, high-impact way to shore up U.S. alliances in areas of the globe poised for dramatic growth. Initial hubs could be established in key partner-states in East Africa, Latin America, and Southeast Asia, with more regional partners brought on board as the program develops. – https://www.lawfaremedia.org/article/building-international-partnerships-to-combat-foreign-cyberattacks
OECD launches global framework to monitor application of G7 Hiroshima AI Code of Conduct
(OECD.AI – 7 February 2025) The Organisation for Economic Co-operation and Development (OECD) launched the first global framework for companies to report on their efforts to promote safe, secure, and trustworthy AI. This initiative monitors the application of the Hiroshima Process International Code of Conduct for Organisations Developing Advanced AI Systems, a central component of the Hiroshima AI Process launched during Japan’s G7 Presidency. – https://www.oecd.org/en/about/news/press-releases/2025/02/oecd-launches-global-framework-to-monitor-application-of-g7-hiroshima-ai-code-of-conduct.html
The Changing Landscape of European Privacy Enforcement
(Kenneth Propp – Lawfare . 7 February 2025) The European Union’s agenda, like the old Soviet Union’s economic planning, operates in five-year increments. During European Commission President Ursula von der Leyen’s first five-year term from 2019 to 2024, implementing the European Union’s 2018 General Data Protection Regulation (GDPR) was an initial digital policy priority. Safeguarding transatlantic data transfers became another, after 2020, when the Court of Justice of the European Union (CJEU) struck down a transatlantic agreement for personal data transfer (the Privacy Shield). By 2023, a successor (the EU-U.S. Data Privacy Framework) was in place. As risk to transatlantic data transfers thereafter receded, U.S. digital policymakers shifted their attention to three major new EU digital legislative initiatives—the 2022 Digital Services Act (DSA) and Digital Markets Act (DMA), and the 2024 Artificial Intelligence Act (AIA). Von der Leyen’s just-begun second term, which started at the end of 2024, will emphasize implementation of these new landmark laws, as her mission letter to Henna Virkkunen, the responsible commissioner, emphasized. Several ongoing DMA investigations are scrutinizing advertising-related practices of U.S. technology giants. Privacy litigation involving data transfers to the United States has not gone away, however, and indeed seems destined to expand. One privacy activist’s challenge to the DPF is due to be taken up by an EU court soon, and rumors of a second case are becoming more concrete. In addition, European privacy nongovernmental organizations are poised to take advantage of new procedural possibilities for class-action-style litigation and for enhanced damages recovery, as detailed in the sections below. Europe’s changing privacy enforcement landscape could thus emerge as a significant policy issue during Trump’s and von der Leyen’s second terms. – https://www.lawfaremedia.org/article/the-changing-landscape-of-european-privacy-enforcement
A Multistakeholder Model of Cyber Peace
(Jean-Marie Guéhenno, Olivia Grinberg, Jason Healey – Lawfare – 7 February 2025) The Russian NotPetya cyberattack of 2017 not only wiped 10 percent of all computers in Ukraine—where it was targeted—but also indiscriminately cascaded around the world, causing approximately $10 billion in damage. Another Russian attack, just one hour before their troops rolled across the Ukrainian border in 2022, disrupted the Viasat satellite communication network, taking offline “more than 5,800 wind turbines belonging to the German energy company Enercon” and internet service in France, the Czech Republic, and the United Kingdom. These cases illustrate that disruptive cyber campaigns are spilling out of conflict zones to affect everyone, even those far from the fighting. Would-be cyber peacekeepers have no effective way to protect civilians in these situations, unlike in traditional conflict. To deal with the nature of cyber conflict, the world needs a new, multistakeholder model for cyber peace. – https://www.lawfaremedia.org/article/a-multistakeholder-model-of-cyber-peace
The crisis in Western AI is real
(Charles Ferguson – ASPI The Strategist – 7 January 2025) The release of the Chinese DeepSeek-R1 large language model, with its impressive capabilities and low development cost, shocked financial markets and led to claims of a ‘Sputnik moment’ in artificial intelligence. But a powerful, innovative Chinese model achieving parity with US products should come as no surprise. It is the predictable result of a major US and Western policy failure, for which the AI industry itself bears much of the blame. – https://www.aspistrategist.org.au/the-crisis-in-western-ai-is-real/
Will the Paris artificial intelligence summit set a unified approach to AI governance—or just be another conference?
(Mia Hoffmann, Mina Narayanan, Owen J. Daniels – Bulletin of the Atomic Scientists – 6 February 2025) Paris will host the French Artificial Intelligence Action Summit, yet another global convening focused on harnessing the power of AI for a beneficial future. One of the conference’s key themes is devising structures to employ AI for good, with the primary aim being “to clarify and design a shared and effective governance framework with all relevant actors.” – https://thebulletin.org/2025/02/will-the-paris-artificial-intelligence-summit-set-a-unified-approach-to-ai-governance-or-just-be-another-conference/#post-heading
DeepSeek’s Lesson: America Needs Smarter Export Controls
(Ashley Lin, Lennart Heim – RAND Corporation – 5 February 2025) Last December, the Chinese AI firm DeepSeek reported training a GPT-4-level model for just $5.6 million, challenging assumptions about the resources needed for frontier AI development. This perceived cost reduction, and DeepSeek’s cut-rate pricing for its advanced reasoning model R1, have left tech stocks plunging and sparked a debate on the effectiveness of U.S. export controls on AI chips. – https://www.rand.org/pubs/commentary/2025/02/deepseeks-lesson-america-needs-smarter-export-controls.html
Defense, Intelligence, and Warfare
DARPA taps Microsoft, PsiQuantum for scalable quantum computer research
(Alexandra Kelley – NextGov – 7 February 2025) The Defense Advanced Research Projects Agency announced a new partnership Thursday working within the agency’s Underexplored Systems for Utility-Scale Quantum Computing program within the Quantum Benchmarking Initiative, a program centered around identifying the technology that could bring a fault-tolerant — meaning that it arrives at its calculations without unexpected mistakes — quantum computer to life within the next few years. DARPA selected Microsoft and PsiQuantum, a startup focused on leveraging photonics and semiconductors to build a fault-tolerant quantum computer, to move into the validation and co-design phase of that program to verify their proposed concepts. – https://www.nextgov.com/emerging-tech/2025/02/darpa-taps-microsoft-psiquantum-scalable-quantum-computer-research/402845/?oref=ng-homepage-river
What Google’s return to defense AI means
(Patrick Tucker – Defense One – 6 February 2025) Google has discarded its self-imposed ban on using AI in weapons, a step that simultaneously drew praise and criticism, marked a new entrant in a hot field, and underscored how the Pentagon—not any single company—must act as the primary regulator on how the U.S. military uses AI in combat. Google defended its decision to strip its AI-ethics principles of a 2018 prohibition against using AI in ways that might cause harm. “There’s a global competition taking place for AI leadership within an increasingly complex geopolitical landscape. We believe democracies should lead in AI development, guided by core values like freedom, equality, and respect for human rights,” it reads. – https://www.defenseone.com/business/2025/02/what-googles-return-defense-ai-means/402816/?oref=d1-featured-river-secondary
Security
UK reportedly demands secret ‘back door’ to Apple users’ iCloud accounts
(Alexander Martin – The Record – 7 February 2025) The British government has reportedly issued a secret legal demand to Apple to provide it with access to encrypted iCloud accounts, according to The Washington Post. The demand, known as a Technical Capability Notice (TCN), is a controversial provision included in the country’s Investigatory Powers Act. It is not illegal to report on the existence of a TCN, however the individual target of a notice is instructed not to disclose it and can face criminal proceedings if they do so. – https://therecord.media/uk-government-reportedly-demands-backdoor-apple-icloud
Phones, email, classes disrupted in University of The Bahamas ransomware attack
(Jonathan Greig – The Record – 7 February 2025) A ransomware gang has shut down the internet and telephone systems used by the University of The Bahamas, forcing changes on administrators, professors and students. The school, which serves 5,000 students across three campuses, said the attack began on February 2 and impacted all online applications including email platforms and systems used for classwork. All online classes were cancelled. – https://therecord.media/bahamas-university-ransomware-attack
Label maker Avery says ransomware investigation also found credit-card scraper
(Jonathan Greig – The Record – 7 February 2025) The world’s largest supplier of labels said a ransomware attack in December prompted an investigation that led to the discovery of a data breach impacting the information of about 67,000 customers. In breach notification letters, Avery Products said a ransomware attack was discovered on December 9 and prompted an in-depth investigation led by forensic experts. – https://therecord.media/avery-products-ransomware-data-breach-notification
Malicious AI Models on Hugging Face Exploit Novel Attack Technique
(Kevin Poireault – Infosecurity Magazine – 7 February 2025) Researchers at Reversing Labs have discovered two malicious machine learning (ML) models available on Hugging Face, the leading hub for sharing AI models and applications. While these models contain malicious code, they were not flagged as “unsafe” by Hugging Face’s security scanning mechanisms. The Reversing Labs researchers saw that these malicious models exploit a novel malware distribution technique by abusing Pickle file serialization. – https://www.infosecurity-magazine.com/news/malicious-ai-models-hugging-face/
Third-Party Risk Management Failures Expose UK Finance Sector
(James Coker – Infosecurity Magazine – 7 February 2025) Over half (58%) of large UK financial services firms suffered at least one third-party supply chain attack in 2024, according to a study by Orange Cyberdefense. Nearly a quarter (23%) of these companies were hit three or more times by third-party attacks. – https://www.infosecurity-magazine.com/news/third-party-risk-failures-uk/
Cybercriminals Weaponize Graphics Files in Phishing Attacks
(James Coker – Infosecurity Magazine – 7 January 2025) Cybercriminals have ramped up their use of graphics files to spread malicious links and malware during email phishing attacks, according to new research by Sophos. The tactic is designed to bypass conventional endpoint or mail protection tools. – https://www.infosecurity-magazine.com/news/cybercriminals-graphics-files/