Cyber Week in Review: September 8, 2023
from Net Politics and Digital and Cyberspace Policy Program

OGP Summit meets in Estonia; Mudge joins CISA; UK will not break end-to-end encryption; EU designates gatekeepers under Digital Markets Act; DEF CON Generative Red Team Challenge concludes.
Technology leaders attend a meeting on generative artificial intelligence in San Francisco, California on June 29, 2023. Carlos Barria/Reuters

Open Government Partnership Summit takes place in Estonia 

The 8th Open Government Partnership (OGP) Summit took place on September 6 and 7 in Tallinn, Estonia, bringing together over seventy national governments and a variety of delegations from regional and local governments. The United States sent a large delegation led by Ambassador Samantha Power, head of the U.S. Agency for International Development (USAID), with senior representatives from the White House, State Department, and the General Services Administration (GSA). Discussions were largely focused on the role of technology in open governance and policy-making, especially as it relates to six major topics: anti-corruption, digital governance, climate change, open justice, public participation and civic space, and democratic resilience. After the summit, USAID announced that Estonia would be partnering with the United States and Ukraine to expand digital public infrastructure, including the launch of Estonia’s new digital government platform mRiik. 

Mudge joins CISA 

Peiter “Mudge” Zatko, a hacker who first came to prominence as a member of L0pht, is joining the Cybersecurity and Infrastructure Security Agency (CISA) as a senior technical advisor. Mudge will work with CISA on encouraging security by design in software development. Mudge has had a long and storied career in computer security, perhaps most notably as the head of security at Twitter from 2020 to January 2022. Mudge later turned whistleblower and testified before the Senate Judiciary Committee that Twitter was knowingly employing foreign government agents who could access sensitive systems and data, and that Twitter was in violation of the 2011 consent decree issued by the Federal Trade Commission against Twitter. 

United Kingdom will not enforce Online Safety Bill scanning provisions 

The UK government has announced that it will not enforce controversial provisions within its new Online Safety Bill that would have forced tech companies to scan users’ messages and files for harmful content. The provisions had been heavily criticized by tech companies and experts, who said that they were technically infeasible and would have opened the door to surveillance by both the UK government and anyone who could gain access to the backdoor the provisions required. Several messaging apps, including Signal and WhatsApp, had said they would no longer operate in the UK if the provisions were enacted.

European Union designates six gatekeepers under the Digital Markets Act 

The European Commission designated six companies as “gatekeepers” under the Digital Markets Act (DMA): Alphabet, Amazon, Apple, ByteDance (owner of TikTok), Meta, and Microsoft. In total, twenty-two services offered by the companies will need to be in compliance with the DMA within the next six months. In order to comply, companies must increase interoperability for third-party apps and services; allow companies to use their own payment platforms rather than mandating the payment platform included in the hosting app; provide enough data to allow advertisers to assess their campaigns on the platform; and treat all products on the platform equally, rather than favoring their own offerings. Companies that fail to comply with the DMA could face fines of up to 10 percent of their yearly global turnover, or 20 percent in cases of repeated violations. The Commission also said it was investigating four services for designation under the DMA: Apple’s iMessage, and Microsoft’s Advertising service, Bing search engine, and Edge browser.

DEF CON Generative Red Team Challenge concludes 

DEF CON concluded its Generative Red Team Challenge earlier this month, with the goal of discovering potential flaws and exploits in large language models (LLMs). An initial readout provided by one of the event’s organizers outlined the challenges that participants took on, including prompt injection, getting the model to spout political misinformation, and getting it to reveal a credit card number the model knew. The challenge aimed to exploit flaws in several LLMs, including those built by Google, OpenAI, and Anthropic. The challenge drew over two thousand participants, who together submitted over six thousand distinct conversations across all categories. Participants were largely successful at getting the model to incorrectly perform a mathematical equation or reveal a hidden credit card number, with 76 and 56 percent success rates, respectively. Two challenges had relatively low success rates: known prompt injection and prompting the LLM to agree with human rights violations, with 17 and 20 percent success rates, respectively.

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.