Cyber Week in Review: December 15, 2023

EU negotiators come to agreement on EU AI Act 

EU negotiators reached an agreement on a framework for the EU AI Act, as last-minute negotiations yielded breakthroughs on several controversial portions of the act, including exceptions for law enforcement use of AI for biometric categorization. The Act also clarifies thresholds for “foundation models,” general purpose models which can be used for various applications, like OpenAI’s GPT-4. The new regulations would separate general purpose models into two categories, high and low impact, with makers of high impact models required to conduct model evaluations, assess and mitigate systemic risks, conduct adversarial testing, report to the European Commission on serious incidents, ensure cybersecurity around model data, and report on models’ energy efficiency. Experts have said that under the current framework only OpenAI’s GPT-4 model would meet these standards, with Google’s newly released Gemini model likely also included in the high impact standard. Despite the agreement, the AI Act still faces headwinds before it can be passed into law. French President Emmanuel Macron attacked the act after the deal was reached, saying that the EU “will regulate things that we no longer produce or invent” if the act is passed in its current form. Enforcement of the AI Act will not begin until 2026, two years after the act is passed.  

SEC cyber incident disclosure rules take effect today 

Securities and Exchange Commission (SEC) rules requiring companies to disclose “material cybersecurity incidents” go into effect today, with smaller businesses given 180 extra days to comply. Under the new policy, companies will have to report a cybersecurity incident’s nature, scope, and timing within four days of detecting the incident and determining that it will have a “material impact.” Under the rule, a cybersecurity incident is defined as material by the FBI if “there is substantial likelihood that a reasonable shareholder would consider it important when making an investment decision.” The rules also allow the Justice Department to delay or exempt some disclosures in cases posing a risk to national security or public safety; the Justice Department issued guidelines for how it will make decisions on exemptions and delays on Tuesday. Republicans have attacked the SEC rules, with Representative Andrew Garbarino (R-NY) and Senator Thom Tillis (R-NC) releasing a joint resolution [PDF], which did not pass, to eliminate the regulations earlier this year. 

Ukraine’s largest mobile phone network hit by major cyberattack 

Kyivstar, a mobile phone network that serves over twenty four million people in Ukraine, was hit by a cyberattack that knocked its entire network offline earlier this week. Kyvistar CEO Oleksandr Komarov said that the attack was “well-planned and professional” and that Kyivstar’s infrastructure took an “enormous hit.” Two different Russian groups, Killnet and Solntsepek, claimed responsibility for the attack. Solntsepek has previously been tied to the GRU’s Sandworm group, which is responsible for some of the most prominent cyberattacks against Ukraine, including the 2017 NotPetya attack which caused more than $10 billion worth of damage worldwide. Experts said that taking the network offline would have knock-on effects for Ukraine, rendering some air raid siren systems inoperable and disrupting communications within the Ukrainian military itself, which has come to rely on smartphones for communication and intelligence gathering. 

Harry Coker confirmed as White House cyber director 

Harry Coker was confirmed as the head of the Office of the National Cyber Director (ONCD) earlier this week in a 59-40 vote in the Senate. Coker will be tasked with following through on ONCD’s National Cybersecurity Strategy [PDF] and the implementation plan [PDF] for the strategy. Coker previously served as executive director of the NSA, and has spent much of his career at both the CIA and NSA. His nomination was endorsed by several senior intelligence officials, including Director of National Intelligence Avril Haines, who issued a statement congratulating Coker after his confirmation. Coker was originally nominated for the position in July, as the Biden administration passed over then-acting director, Kemba Walden. 

Interpol says trafficking for cyber scams is expanding globally 

Interpol announced it had completed its first ever operation designed explicitly to counter human trafficking-fueled online fraud between October 16 and 20, conducting over 270,000 inspections at 450 human and migrant trafficking hotspots over those four days. In recent years, human trafficking victims have been lured to foreign countries with offers of high-paying jobs, and are then held against their will by traffickers and forced to run online scams. These scams, and the trafficked workers they rely on, have been a recurring issue in southeast Asia, as Chinese crime bosses have expanded into parts of Cambodia and Myanmar and used a combination of corruption and violence to create the space to operate their scams outside the reach of law enforcement. However, Interpol said that during its most recent operation it observed the spread of human trafficking for the purpose of staffing online scam centers beyond southeast Asia, including to Peru, where it said over forty Malaysian human-trafficking victims had been freed after being forced to commit online fraud.  

Eva Schwartz is the intern for the CFR Independent Task Force Program.