Cyber Week in Review: April 14, 2023

International group of agencies release secure by design software guidance 

Three U.S. agencies, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and FBI, alongside cybersecurity agencies from six other countries, released new guidance on developing secure-by-design products. The guidance [PDF], which is not mandatory, lays out a series of measures manufacturers should take to build security into their products, including using memory safe programming languages, providing a software bill of materials (SBOM) so users know what software is included in products, ensuring that products are free of common vulnerabilities and exposures (CVEs), and implementing single sign-on for their products, among other recommendations. The document also includes a number of organizational principles for technology manufacturers, including increasing transparency and building organizational structures to ensure security is considered in all phases of product development. The guidance is part of a push within the Biden administration to improve cybersecurity, as seen in the National Cyber Strategy [PDF] released last month, which called for the United States to “continue to lead the world in the innovation of secure and resilient next-generation technologies and infrastructure.” 

United States weighs action against Kaspersky 

The U.S. Commerce Department is considering using its Information and Communications Technology and Services (ICT) rules to clamp down on the use of products made by cybersecurity firm Kaspersky Lab, according to a report by the Wall Street Journal. The Russian company has previously faced accusations that it has ties with the Russian government and that its antivirus software has been used to spy on the United States. ICT rules allow Commerce to ban or restrict products based on the risk they pose to the security of telecommunications equipment, information technology, or critical infrastructure, although the department has previously been criticized [PDF] by Republicans for failing to adequately use the rules. Following Russia’s invasion of Ukraine last year, Kaspersky was blacklisted by the Federal Communications Commission, meaning its software could no longer be used on federal networks. Applying the ICT rules against Kaspersky would allow the Commerce Department to ban the sale of Kaspersky products nationwide. 

Alibaba launches integrated AI chatbot 

On Tuesday, Chinese e-commerce company, Alibaba Group, debuted its ChatGPT-style AI language model, Tongyi Qianwen. At a summit hosted by Alibaba Cloud, Alibaba CEO Daniel Zhang announced that the company's model, which roughly translates to "truth from a thousand questions," will be integrated into all of Alibaba's products in the near future. According to Zhang, Alibaba’s new AI model will initially be added to the company’s Slack-like DingTalk app and smart speaker, Tmall Genie. Tongyi Qianwen will offer services in English and Chinese, and the company is working on adding image recognition and text-to-image conversion features. Also on Tuesday, the Cyberspace Administration of China released draft guidelines that require security reviews for all generative AI-related services intending to operate in China. These rules would apply to Alibaba, as well as recent chatbot introductions from SenseTime Group and Baidu. 

Leaked documents claim Russian hacktivists breached a Canadian gas pipeline company 

Recently leaked classified U.S. intelligence files suggest that a pro-Russia hacktivist group may have breached the network of a Canadian gas pipeline company in February. The group, known as Zarya, is reported to be an offshoot of Killnet, a well-known hacktivist group that has previously targeted websites and organizations in the United States. The briefing, which is part of a larger set of leaked documents that reveals U.S. intelligence gathering on its key partners, adversaries and competitors, details intercepted communications between Zarya and an agent of the FSB, Russia’s main intelligence agency, including an FSB agent giving hackers instructions on how to manipulate controls to trigger an emergency pipeline shutdown. The FSB officer noted that “a successful operation would cause an explosion,” but that the goal was “not to cause loss of life” only “loss of income for Canadians.” Some experts were skeptical of Zarya’s ability to cause an explosion, saying that physical safety controls likely would have prevented such an outcome. 

 Commerce Department considering new rules for AI chatbots 

The U.S. Commerce Department put out a public request for comment as part of the process of drafting new rules for artificial intelligence (AI) models earlier this week. The rules, which would likely be applied to AI products like OpenAI’s ChatGPT, would “support the development of AI audits, assessments, certifications and other mechanisms to create earned trust in AI systems.” Microsoft, which owns OpenAI, expressed support for the creation of new rules. Other countries have rolled out new AI rules in recent months, including China, which passed new rules that require companies to go through a government security review before releasing AI chat models or integrating them into their products and obligates companies to ensure their products do not subvert state security. The European Union is also expected to pass its own AI Act in the coming months, which would classify sectors that AI tools are used in based on their perceived risk, with the amount of regulation dependent on the risk level.