Cyber Week in Review: November 3, 2023
from Net Politics and Digital and Cyberspace Policy Program

Biden signs executive order on AI; SEC sues SolarWinds over 2020 hack; UK hosts AI Safety Summit; Forty-nine countries pledge to not pay ransomware gangs; Indian opposition members targeted with spyware.
British Prime Minister Rishi Sunak attends the second day of the UK AI Safety Summit at Bletchley Park on November 2, 2023 Leon Neal/Reuters

Biden signs executive order on AI

President Biden signed a new executive order on regulating artificial intelligence on Monday. The order will impact a range of departments and targets what policymakers see as the short- and long-term risks of AI. The Biden administration has previously laid out a number of initiatives on AI, including the AI Bill of Rights and the National Institute of Standards and Technology AI Risk Framework, and the newly released executive order builds on and expands the administration’s previous work. The order takes a number of steps to address AI across numerous sectors of society. It implements the Defense Production Act to force developers of frontier models to conduct safety tests and share those tests with the government. It will also direct departments to develop new methods of mitigating algorithmic discrimination across a number of different areas, including housing, federal benefits programs, and the criminal justice system, and will create a reporting system for the unsafe use of AI in healthcare and the development of drugs. The administration will create the National AI Research Resource, which will be used to provide researchers and students data on AI development and will provide grants for cross-cutting research on AI and other issues, such as climate change and healthcare. The order doesn’t only deal with AI risk, but also directs agencies and departments to find ways to use AI to create positive change. Agencies are instructed to find ways to use AI to make software more secure and to provide small businesses, developers, and entrepreneurs with access to technical assistance and resources to further their use and development of AI.

SEC sues SolarWinds over 2020 hack, invoking expanded cybersecurity regulations

On Monday, the U.S. Securities and Exchange Commission (SEC) announced that it is suing software company SolarWinds and its chief information security officer (CISO), Tim Brown, for misleading investors and the public over cybersecurity failures surrounding a 2020 hack of SolarWinds. The suit appears to mark the first time the SEC has sued a company or individual for misleading statements on their cybersecurity practices. The hack in question occurred three years ago, when a Russia-affiliated hacker group, known as The Dukes, compromised SolarWinds’ Orion platform systems and embedded malicious code in Orion updates. This allowed The Dukes to access the systems of a wide range of organizations, including the U.S. State Department, Homeland Security Department, cybersecurity company FireEye, and Microsoft, among others. The SEC’s allegations against SolarWinds claim that the firm misled investors for years, touting strong cybersecurity policies while failing to follow those policies internally. SolarWinds said it “maintained appropriate cybersecurity controls” before the attack and that it would fight the lawsuit. Alec Koch, Tim Brown’s attorney, said his client “worked tirelessly and responsibly to continuously improve the company’s cybersecurity posture throughout his time at SolarWinds.” The SEC recently released stricter cybersecurity regulations due to the impact of hacks on investor support, and Monday’s suit represents the first action taken by the Commission regarding stricter cybersecurity practices.

United Kingdom AI Safety Summit hosts global leaders, business owners in regulatory discussions

Throughout this week, the United Kingdom hosted the AI Safety Summit at Bletchley Park. The event was attended by many global officials and business leaders, including U.S. Vice President Kamala Harris, European Commission President Ursula von der Leyen, and China’s Vice Minister of Science and Technology Wu Zhaohui. The primary goal for the summit was to improve international coordination on principles of frontier AI development and regulation, which comes as calls for regulation on artificial intelligence have increased throughout the past year. Critics of the event argue that the summit’s focus on frontier AI models is too limited and that it did not adequately include independent AI researchers. UK Prime Minister Rishi Sunak hopes that the summit will foster collaboration and allow the UK to act as an intermediary between the United States, the EU, and China on AI regulation. Despite this approach, the UK Deputy Prime Minister Oliver Dowden said that it wasn’t appropriate for China to attend all the sessions at the event, although it was unclear which sessions Dowden was referring to. Participants appeared to agree on a number of steps toward regulation. Both the United States and UK said they would launch AI safety institutes, and participants agreed that AI-driven disinformation remained one of the most important and immediate threats posed by AI.  

Forty-nine countries pledge to not pay ransoms in ransomware attacks

On Monday, the United States and forty-eight other countries, along with the European Union and Interpol, signed a pledge to no longer pay ransoms for ransomware attacks after the third annual International Counter Ransomware Initiative. The United States had reportedly been leading the charge to release such a measure in the months leading up to the summit. However, not everyone agrees with the pledge, and an FBI official came forward on Tuesday to note that banning ransom payments may create worse alternative opportunities for extortion and ransom. Participants also agreed to create an information-sharing platform to blacklist cryptocurrency wallets associated with ransomware gangs and plan to create a mechanism for members to request assistance after a ransomware incident takes place. Law enforcement has made some notable progress against criminal hacking groups in 2023, gaining access to the network of the Hive ransomware group and providing decryption keys to its victims, and seizing the Genesis Market, where hackers had often gone to sell stolen personal data.

Indian opposition politicians among those targeted with Pegasus spyware

On Monday and Tuesday, Apple warned at least twenty prominent Indians, including journalists and several members of Parliament, that they had been targeted with Pegasus spyware. Those targeted include politicians from several opposition parties, including the Indian National Congress (INC), and journalists from the Wire and the Organized Crime and Corruption Reporting Project; both outlets have been critical of the ruling Bharatiya Janata Party (BJP) in the past. Apple did not attribute the breaches to any actor, but opposition politicians in India, including INC leader Rahul Gandhi, quickly blamed the BJP for the hacks, while IT Minister Ashwini Vaishnaw, a BJP member, called the notifications “vague and non-specific.” The Indian government had previously purchased the spyware from NSO Group, but reportedly began looking for new spyware vendors earlier this year, after the U.S. Commerce Department added NSO Group to its Entity List.

 

Eva Schwartz is the intern for the CFR Independent Task Force Program

More on:

Artificial Intelligence (AI)

Technology and Innovation

Cybersecurity

Creative Commons: Some rights reserved.
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.