Cyber Week in Review: January 19, 2024

OpenAI and TikTok announce steps to prepare for 2024 election cycle

OpenAI, developers of the popular generative AI tool ChatGPT, published a writeup on their approach to the 2024 global election cycle. The company emphasizes several approaches to securing elections, including adding policies that prevent users from creating chatbots that lobby for political causes or pretend to be real people or institutions, stepping up its investments in watermarking AI-generated images, and having ChatGPT provide users with election resources created by the National Association of Secretaries of State in response to certain queries. TikTok said it would partner with Democracy Works to launch a U.S. elections center, launch a tool to allow users to label AI-generated content, and introduce dedicated reporting on influence operations on the platform. AI’s ability to generate convincing fake text, imagery and video, and its distribution on social media platforms like TikTok, has been a major cause for concern, especially as over eighty national elections are scheduled to take place in 2024, making it one of the busiest election years in decades. The risks of AI-enabled disinformation are already real; in October 2023, two days before the Slovakian election, an unknown group released a fake audio recording of presidential candidate Michal Šimečka discussing how to rig the election.

Turkey secretly blocking virtual private networks ahead of 2024 elections

Turkey secretly forced internet service providers to block access to at least sixteen virtual private network (VPN) services over the past month, according to a report from the Financial Times. The restrictions are expected to remain in place until at least March, when Turkey holds local elections. VPNs let users bypass website blocks and government-imposed firewalls and encrypt personal data. The Turkish government has previously blocked access to VPNs in the country, including after an attempted coup in 2016, but the new restrictions appear far more widespread than previous ones, and may persist far longer. Internet freedom in Turkey has trended downward over the past decade, according to Freedom House, but the new regulations represent a significant step in curtailing access to the free flow of information in the country.

Google plans to make changes to browser, data, and search products in Europe

Google announced that it is planning a raft of changes to its products in Europe to comply with the EU Digital Markets Act. The new policies allow users to unlink their data between disparate Google products, meaning that Google will no longer allow user data gathered during the use of one product to be used to personalize the recommendations and ads on another product. The changes will apply to seven major products: Google Search, YouTube, ad services, the Play Store, Chrome, Shopping, and Maps. Google will also make several changes to its Search results, including linking to comparison sites when individuals search for something to buy and directing some suppliers to show more detailed results on their respective products. The EU designated Google as a gatekeeper under the Digital Markets Act in September 2023, which means the company has six months to ensure it is not prioritizing its own services and to increase third-party interoperability with its products, allow increased access to data on its services, and stop tracking users operating outside the company’s products.

U.S. government agencies release new cybersecurity best practices for water and sanitation sector

The Environmental Protection Agency (EPA), FBI, and Cybersecurity and Infrastructure Security Agency (CISA) released a joint manual on best practices for the water and sanitation sector on Thursday. The manual lays out the four stages of the incident response lifecycle in the industry: preparation, detection and analysis, containment, eradication, and recovery, and post-incident recovery. The manual provides an overview of establishing an incident response plan, available technical resources and support, and information sharing avenues with federal, state, and local governments. The principles outlined in the manual are voluntary, and cybersecurity regulation in the water sector has been fraught with political difficulties over the past year. The EPA had required states to include cybersecurity in its audits of public water systems in March 2023, but the rules led several Republican attorneys general to sue to prevent the regulations from taking effect, and the regulations were eventually dropped in October 2023.

Chinese hackers used two zero days against Ivanti VPN appliances

Chinese hackers, known as UTA0178 and UNC5521, used at least two zero-day exploits in Ivanti Connect Secure VPN, which allows employees to connect to their employers’ systems from outside the office, to break into internal and external-facing servers. After the vulnerability was reported on January 10, the threat actors rapidly pivoted from stealthily exploiting the vulnerability to compromising and retaining access to any system with the vulnerability. The attackers appear to have compromised at least 1,500 devices worldwide, and once the vulnerability was reported it was adopted by other cyberespionage groups. This pivot away from stealth upon detection has marked several Chinese campaigns that were detected in recent years, including a 2021 breach of Microsoft Exchange servers, which rapidly expanded after it was first revealed.