The government message follows closely behind another from last week, with an agency saying artificial-intelligence software should be made “secure by design” — that is, developed with security as a core feature.
Together, the guidance represents two ways that feds are grappling with the cybersecurity ramifications of emerging technology. Their efforts include the recent launch of an AI cybersecurity challenge and internal goals for agencies to prepare for post-quantum cryptography.
The Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the National Institute of Standards and Technology published a quantum “factsheet” on Monday.
“Post-quantum cryptography is about proactively developing and building capabilities to secure critical information and systems from being compromised through the use of quantum computers,” said Rob Joyce, director of cybersecurity at the NSA. “The transition to a secured quantum computing era is a long-term intensive community effort that will require extensive collaboration between government and industry. The key is to be on this journey today and not wait until the last minute.”
Popular public-key algorithms used for encryption today will have to be replaced or updated, the agencies noted. The fact sheet includes several recommendations:
- Organizations should develop an inventory of quantum-vulnerable technology.
- They should begin discussions on a road map with their technology vendors.
- Relatedly, they should examine their supply chains for ways they might depend on quantum-vulnerable technology.
- Vendors, meanwhile, should start planning for testing and integration.
“Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation,” the fact sheet reads.
The guidance comes in advance of NIST working to publish the first set of post-quantum cryptographic standards in 2024.
As FedScoop’s Rebecca Heilweil reported in June, however, it’s less clear how well federal agencies themselves are meeting Office of Management and Budget deadlines to prepare for a post-quantum future. The Biden administration wants a complete transition for agencies to post-quantum cryptography by 2035.
Separately on Friday, CISA called on AI software makers to build security into systems from the outset.
“Although AI is just one among many types of software systems, AI software has come to automate processes crucial to our society, from email spam filtering to credit scores, from internet information retrieval to assisting doctors find broken bones in x-ray images,” wrote Christine Lai, AI security lead, and Jonathan Spring, senior technical adviser. “As AI grows more integrated into these software systems and the software systems automate these and other aspects of our lives, the importance of AI software that is Secure by Design grows as well.”
It fits into the broader push from CISA and the Biden administration as a whole for secure-by-design tech. It’s one of the main principles of the national cybersecurity strategy released this year, and the United States and international partners have released guidance on how to go about it.
AI presents opportunities for improving cyber defenses and, simultaneously, potential tools for hackers. Cyber leaders have called attention to both.
In May, the White House released a national standards strategy for technology like AI and quantum computers.
“In an era of rapid technological transformation and global scale, standards will continue to define and drive the markets of the future,” the strategy on “Standards for Critical and Emerging Technology” reads.
- “Standards for CET — advanced technologies that are significant for U.S. competitiveness and national security — carry strategic significance,” it continues.
- “The United States will work with all nations committed to an open and transparent standards system to lead the way in these new arenas — just as we did with previous internet, wireless communications, and other digital standards,” the strategy says. “Failing to do so will risk the United States’ — and the world’s — innovation, security, and prosperity.”
Tesla data breach that affected 75,000 was an inside job, company says
Tesla said a data breach exposing some 75,000 employees’ data was caused by insider wrongdoing, TechCrunch’s Carly Page reports.
A data breach notice filed with Maine’s attorney general said an investigation identified two former employees responsible for leaking names, addresses, phone numbers, employment records and Social Security numbers belonging to 75,735 current and former employees to the German newspaper Handelsblatt, according to the report.
- “Handelsblatt reported in May that Tesla had been hit by a ‘massive’ breach revealing everything from employees’ personal information to customer complaints about their cars,” Page writes. The outlet told Tesla that it would not publish the leaked data, according to the notice.
- Chief executive Elon Musk’s Social Security number was reportedly among the leaked info.
Reuters in April reported that Tesla employees shared sensitive images captured by the company’s automobile cameras. Those images included highly invasive and intimate moments that one former employee described as things “I wouldn’t want anybody to see about my life.”
British auction house inadvertently publishes location data of where people keep their art
A cybersecurity vulnerability meant that British auction house Christie’s accidentally revealed the exact location of prospective sellers’ artwork for anyone to view online, our colleague Max Hoppenstedt reports, citing two German cybersecurity researchers.
Hundreds of other potential Christie’s clients, including Americans, were exposed to the same vulnerability, the researchers told Max.
- “The findings show how cybersecurity vulnerabilities aren’t just an issue for Big Tech companies, but for almost everyone as more and more business is transacted over the internet,” Max writes.
- The photos of artwork uploaded to the site “oftentimes include GPS coordinates for where they were taken; those coordinates are so precise that they reveal not just a street address but can even indicate within a few feet exactly where inside a building a photo was taken,” the report adds.
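The location leak the researchers describe comes from the GPS tags inside a photo's EXIF metadata. The Python below is an added illustration, not code from the report, the researchers or Christie's: it reads the coordinates out of a JPEG's APP1 Exif segment and strips that segment before an image is published, using a sample JPEG constructed inside the block (the coordinate values are made up).

```python
import struct

def _ifd(tiff, off, bo):
    # Map tag -> (type, count, raw 4-byte value-or-offset field) for the IFD at off.
    n = struct.unpack_from(bo + "H", tiff, off)[0]
    return {struct.unpack_from(bo + "H", tiff, off + 2 + 12 * i)[0]:
            struct.unpack_from(bo + "HI4s", tiff, off + 4 + 12 * i) for i in range(n)}

def _dms(tiff, field, bo):
    # GPSLatitude/GPSLongitude: three RATIONALs (deg, min, sec) stored at the offset in the field.
    off = struct.unpack(bo + "I", field[2])[0]
    d, dd, m, md, s, sd = struct.unpack_from(bo + "6I", tiff, off)
    return d / dd + m / md / 60 + s / sd / 3600

def exif_gps(data):
    # Return (lat, lon) in decimal degrees when the APP1 Exif block carries GPS tags, else None.
    pos = 2                                   # skip the SOI marker
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xD9, 0xDA):
        marker, length = data[pos + 1], struct.unpack_from(">H", data, pos + 2)[0]
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = data[pos + 10:pos + 2 + length]
            bo = "<" if tiff[:2] == b"II" else ">"   # "II" little-endian, "MM" big-endian
            ifd0 = _ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
            ptr = ifd0.get(0x8825)                   # GPS IFD pointer tag
            gps = _ifd(tiff, struct.unpack(bo + "I", ptr[2])[0], bo) if ptr else {}
            if not {1, 2, 3, 4} <= gps.keys():       # need Ref and value tags for both axes
                return None
            sign = lambda ref: -1 if ref[2][:1] in (b"S", b"W") else 1   # S and W are negative
            return _dms(tiff, gps[2], bo) * sign(gps[1]), _dms(tiff, gps[4], bo) * sign(gps[3])
        pos += 2 + length
    return None

def strip_exif(data):
    # Drop every APP1 Exif segment so no metadata (GPS included) reaches the published copy.
    out, pos = bytearray(data[:2]), 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack_from(">H", data, pos + 2)[0]
        if not (data[pos + 1] == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00"):
            out += data[pos:pos + 2 + length]     # keep every other segment untouched
        pos += 2 + length
    return bytes(out + data[pos:])

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    # Constructed sample, not a real photo: little-endian Exif whose IFD0 points to a GPS IFD.
    e = lambda tag, typ, cnt, val: struct.pack("<HHI", tag, typ, cnt) + val
    ifd0 = struct.pack("<H", 1) + e(0x8825, 4, 1, struct.pack("<I", 26)) + b"\0" * 4
    gps = (struct.pack("<H", 4) + e(1, 2, 2, lat_ref + b"\0\0\0") + e(2, 5, 3, struct.pack("<I", 80))
           + e(3, 2, 2, lon_ref + b"\0\0\0") + e(4, 5, 3, struct.pack("<I", 104)) + b"\0" * 4)
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + struct.pack("<12I", *lat_dms, *lon_dms)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

An upload pipeline would run strip_exif on every image before storing or serving it, and exif_gps is the check that confirms nothing survived.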
The Cybersecurity and Infrastructure Security Agency at the end of July warned of the type of vulnerability the researchers found. “[These vulnerabilities] have resulted in the compromise of personal, financial, and health information of millions of users and consumers,” it said in a joint statement with the National Security Agency and the Australian Cyber Security Center.
“We continuously assess our security safeguards, thoroughly address issues relating to the security of our clients’ information, and comply with our legal and regulatory obligations,” Christie’s said in a statement. The auction house did not respond to questions about the researchers’ findings.
It’s not clear if the company informed clients about the security lapse, Max notes, though the vulnerability appears to have been resolved.
Man arrested, facing terrorism charges in connection to Northern Ireland police data breach
Christopher Paul O’Kane was arrested Friday and charged Monday with two terrorism offenses connected to possessing documents from a major data breach that exposed the personal data of all police officers operating in Northern Ireland, Sky News reports.
The 50-year-old has “been charged with possessing documents or records likely to be useful to terrorists, and possession of two mobile phones for use in terrorism,” the report says.
The Police Service of Northern Ireland earlier this month was responding to a Freedom of Information request when a staffer gave the surnames, initials, ranks or grade, and work locations of all 10,000 of its police officers and civilian employees. The data was publicly available for several hours, and PSNI officials urged anyone with the information to delete it immediately.
- Since the incident, PSNI has been aggressively searching for those who have held onto the leaked data.
- “Chief Constable Simon Byrne has confirmed that dissident republicans have access to the information, and said he fears it will be used to intimidate and target police,” according to Sky News. Sectarian violence in the region decreased after a 1998 agreement, though dissident groups still target police officers.
PSNI has suffered several recent data incidents, including a stolen document containing the names of several officers and staff and the theft of a police laptop.
Homeland Security reveals new AI use cases — and removes references to others (FedScoop)
CISA prioritizing on-site K-12 cybersecurity reviews this school year (Nextgov/FCW)
In election cases, experts say Trump’s rhetoric will be hard to police (Devlin Barrett, Spencer S. Hsu and Isaac Arnsdorf)
CISA conducts largest annual election security drills amid threats targeting voting systems (Nextgov/FCW)
Ecuador’s national election agency says cyberattacks caused absentee voting issues (The Record)
Cuba ransomware group exploits Veeam to hit critical infrastructure (Cybersecurity Dive)
Cybersecurity firm SentinelOne explores sale -sources (Reuters)
A draft of TikTok’s plan to avoid a ban gives the U.S. government unprecedented oversight power (Forbes)
Intelligence agencies warn foreign spies are targeting U.S. space companies (New York Times)
British firms quizzed on Chinese tech links as US-style clampdown looms (Politico)
China hoped Fiji would be a template for the Pacific. Its plan backfired. (Michael E. Miller and Matthew Abbott)
Instagram account hacked? “Ethical hackers” will get it back (Rest of World)
Somalia suspends TikTok, Telegram over terror fears (Bloomberg News)
Time to cut back on Huawei, German minister tells telecoms giants (Politico)
Pro-Wagner accounts keep showing up on Facebook and Instagram after Meta’s ban on the mercenary group, report shows (CNN)
Judge sentences Delgatti to 20 years in prison for crimes in Operation Spoofing (Veja)
Two dozen arrested, hundreds of malicious IPs taken down in African cybercrime operation (CyberScoop)
Google Chrome to warn when installed extensions are malware (Bleeping Computer)
YouTube ads may have led to online tracking of children, research says (New York Times)
- The Institute of World Politics convenes a seminar on cyber critical infrastructure and artificial intelligence on Thursday at 6 p.m.
Thanks for reading. See you tomorrow.