ELTENI’S CYBER SCOOP

Latest News

In this newsletter, we highlight the addition of a Chief Artificial Intelligence Officer at CISA and the importance of cybersecurity incident disclosure. We also include additional commentary on the CrowdStrike incident.

REGULATORY CORNER

CISA Names First Chief Artificial Intelligence Officer

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced its first CISA Chief Artificial Intelligence Officer, Lisa Einstein. This selection reflects CISA’s commitment to responsibly use AI to advance its cyber defense mission and to support critical infrastructure owners and operators across the United States in the safe and secure development and adoption of AI. Einstein has led CISA’s AI efforts since 2023 as CISA’s Senior Advisor for AI. Since 2022, Einstein also served as the Executive Director of the CISA Cybersecurity Advisory Committee.

Strong cybersecurity is foundational to trustworthy AI, and the responsible use of AI is increasingly relevant for the security of critical infrastructure. CISA has established this new position to institutionalize our ongoing efforts to responsibly govern our own uses of AI and to ensure critical infrastructure partners develop and adopt AI in ways that are safe and secure.

Notes

Artificial Intelligence (AI) has become increasingly pivotal in cybersecurity for its ability to enhance threat detection and response. This is important as cyberattacks grow in sophistication, requiring advanced solutions that can adapt and respond at machine speed. However, reliance on this technology brings the need for a careful and strategic approach to integrating AI into cybersecurity frameworks. By naming a chief artificial intelligence officer, CISA is taking notable steps to ensure cybersecurity governance keeps up with the ever-changing landscape of the industry.

CISA Names First Chief Artificial Intelligence Officer | CISA

ENFORCEMENT NEWS

SEC Remains Focused on Disclosure of Cybersecurity Incidents

Recent Securities and Exchange Commission (SEC) enforcement action and statements by SEC officials show that the Commission remains focused on disclosures regarding cybersecurity incidents. On May 21, 2024, Erik Gerding, director of the SEC’s Division of Corporate Finance, issued a statement to clarify that public companies are only required to disclose a cybersecurity incident under Item 1.05 of Form 8-K if the incident is “determined by the registrant to be material.” The next day, on May 22, 2024, the SEC announced that it has settled charges with The Intercontinental Exchange (ICE) relating to ICE’s alleged failure to timely inform the SEC of a cyber intrusion under Regulation Systems Compliance and Integrity (SCI). While Regulation SCI only applies to a small number of key market participants, the SEC’s enforcement order and recent statements signal that the SEC will not hesitate to enforce regulations that require disclosures of cybersecurity incidents.

Notes

The enforcement against the Intercontinental Exchange (ICE) underscores the SEC’s strict enforcement of cybersecurity disclosure requirements, emphasizing the importance of key market participants reporting any cyber incident immediately if they have a reasonable basis to believe an event occurred. This incident highlights the importance of prompt and accurate reporting, regardless of the incident’s immediate impact or materiality. Overall, it reinforces the need for thorough and timely reporting to ensure transparency and integrity. In essence, the SEC is signaling that cybersecurity is a critical aspect of corporate governance. Companies must be proactive and transparent in their cybersecurity practices, as the consequences of non-compliance can be severe.

SEC Remains Focused on Disclosure of Cybersecurity Incidents | harvard.edu

CYBER NEWS

Security Firm Accidentally Hires North Korean Hacker, Did Not KnowBe4 | darkreading.com

A security firm recently hired a software engineer for its internal AI team who turned out to be a North Korean threat actor, and who immediately began loading malware onto his company-issued workstation.

Cybersecurity regulations face ‘uphill battle’ after Chevron ruling | CyberScoop

President Joe Biden’s executive branch has distinguished itself on cybersecurity policy from previous administrations with its willingness to embrace regulations — often with a bit of creative lawyering involved. But a landmark ruling by the Supreme Court last week that overturned the so-called Chevron doctrine — which holds that courts should defer to federal agencies when interpreting parts of federal law not specified by Congress — threatens to make it much more difficult for the Biden administration to put in place more stringent cybersecurity rules.

But really, what cybersecurity requirements and standards does my company need to follow and why? | Reuters

Cybersecurity is at the top of everyone’s mind and budget, but the legal and regulatory compliance landscape is often unclear. As a result, the following questions are usually, “What does it mean practically to be compliant, and what laws require that compliance?” “What are companies required to do?” “What best practices should a company follow even if not required?”

A computer scientist’s take on the CrowdStrike crash | Stanford Report

On July 19, millions of Windows users encountered the dreaded “blue screen of death.” A bug in a critical piece of cybersecurity software, called CrowdStrike, was causing the operating system to crash. For some people and companies, the issue is ongoing, and costs are projected to be in the billions. There’s little we can do to protect against bugs in the software we’re using, says Zakir Durumeric, who is an assistant professor of computer science. “In general though, one of the best things that people can do to protect themselves against attacks is to regularly update their computers and phones.” He shares his insights on the outage.

DECODE THE TERMS

BIA – (Business Impact Analysis) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations because of a disaster, accident, or emergency.

MTD – (Mobile Threat Defense) is a set of tools and processes used by organizations to protect mobile devices against various threats.

XDR – (Extended Detection and Response) is a comprehensive cybersecurity approach that integrates multiple security tools and unifies security operations across various layers, including endpoints, networks, cloud environments, and applications.

SOC – (Security Operations Center) is a centralized unit within an organization dedicated to monitoring, detecting, analyzing, and responding to cybersecurity incidents.