CyberWire Daily - A high-stakes swap.
Episode Date: August 2, 2024Notorious Russian cybercriminals head home after an historic prisoner exchange. An Israeli hacktivist group claims responsibility for a cyberattack that disrupted internet access in Iran. The U.S. Cop...yright Office calls for federal legislation to combat deep fakes. Cybercriminals are using a Cloudflare testing service for malware campaigns. The GAO instructs the EPA to address rising cyber threats to water and wastewater systems. Claroty reports a vulnerability in Rockwell Automation’s ControlLogix devices. Apple has open-sourced its homomorphic encryption (HE) library. CISA warns of a high severity vulnerability in Avtech Security cameras, and the agency appoints its first Chief AI Officer. We welcome Tim Starks of CyberScoop back to the show today to discuss President Biden's cybersecurity legacy. Can an AI chatbot recognize its own reflection? Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guests Welcoming Tim Starks of CyberScoop back to the show today to discuss Biden's cybersecurity legacy. For more information, you can check out Tim’s article “Biden’s cybersecurity legacy: ‘a big shift’ to private sector responsibility.” The National Cybersecurity Strategy can be found here. Dave also sits down with Errol Weiss, CSO of Health-ISAC, sharing their reaction to the ransomware attacks against healthcare. Health-ISAC and the American Hospital Association (AHA) have issued an advisory to raise awareness of the potential cascading impacts of cyberattacks on healthcare suppliers and the importance of mitigating single points of failure in supply chains. Recent ransomware attacks on OneBlood, Synnovis, and Octapharma by Russian cybercrime gangs have caused significant disruptions to patient care, emphasizing the need for healthcare organizations to incorporate mission-critical third-party suppliers into their risk and emergency management plans. Selected Reading Jailed cybercriminals returned to Russia in historic prisoner swap (CyberScoop) American Hospital Association and Health-ISAC Joint Threat Bulletin - TLP White (American Hospital Association and Health-ISAC) Iranian Internet Attacked by Israeli Hacktivist Group: Reports (Security Boulevard) Copyright and Artificial Intelligence, Part 1 Digital Replicas Report (US Copyright Office) Hackers abuse free TryCloudflare to deliver remote access malware (Bleeping Computer) EPA Told to Address Cyber Risks to Water Systems (Infosecurity Magazine) Security Bypass Vulnerability Found in Rockwell Automation Logix Controllers (SecurityWeek) Apple open-sources its Homomorphic Encryption library (The Stack) CISA Warns of Avtech Camera Vulnerability Exploited in Wild (SecurityWeek) Lisa Einstein Appointed as CISA’s First Chief AI Officer (Homeland Security Today) Can a Large Language Model Recognize Itself? (IEEE Spectrum) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Notorious Russian cybercriminals head home after an historic prisoner exchange.
An Israeli hacktivist group claims responsibility for a cyberattack that disrupted Internet access in Iran.
The U.S. Copyright Office calls for federal legislation to combat deepfakes.
Cybercriminals are using a CloudFlare testing service for malware campaigns.
The GAO instructs the EPA to address rising cyber threats to water
and wastewater systems. Clarity reports a vulnerability in Rockwell Automation's control
logic devices. Apple has open sourced its homomorphic encryption library. CISA warns
of a high severity vulnerability in Avtech security cameras, and the agency appoints its first chief AI officer.
We welcome Tim Starks of CyberScoop back to the show today
to discuss President Biden's cybersecurity legacy.
And can an AI chatbot recognize its own reflection? It's Friday, August 2nd, 2024.
I'm Dave Bittner, and this is thank you for joining us here today.
A significant prisoner exchange took place between the United States, Russia, and Germany,
exchange took place between the United States, Russia, and Germany, involving the release of prominent cybercriminals and others. This exchange included Wall Street Journal reporter Evan
Gershkovich and former U.S. Marine Paul Whelan from Russia. The U.S. released Russian cybercriminals
Roman Seleznev and Vyacheslav Klyushin. Seleznev, a notorious hacker, was sentenced in 2017
to 27 years for his role in major credit card fraud. Known by aliases like Track 2,
he operated large-scale cybercrime operations and sold stolen credit card data online.
Klyushin was extradited to the U.S. for a hack-to-trade scheme
that earned $93 million by trading on confidential information. Convicted in February 2023,
he was sentenced to nine years. President Biden described the swap, which involves several
countries, as a diplomatic achievement. Experts consider it the largest such exchange since the Cold War.
Both Seleznev and Kyushin are now returning home
as part of this extensive diplomatic effort.
On yesterday's CyberWire podcast,
we covered the story of the U.S. blood supply being under pressure
from a recent ransomware attack.
It's one of many ransomware attacks
targeting the healthcare sector. And for expert commentary on that, we reached out to Errol Weiss,
Chief Security Officer of the Health ISAC, for his take on these ongoing ransomware attacks.
Errol, welcome back. Great, Dave. Thanks for having me.
So what's your reaction to this? I mean, yesterday we report on the U.S. having pressure on our blood supply.
This follows a similar incident that happened in the U.K. not long ago.
Where do we stand here and where do we need to go?
Yeah, and one not too long before that, another case in the U.S. with the blood supply and plasma supply as well back in June. So three months, three separate ransomware incidents,
Russian-based ransomware gangs targeting very specific pieces
of the critical supply chain in healthcare.
So I used to say that a lot of these ransomware attacks,
malware attacks seem like they were shotgun approaches, right?
The bad guys would send out millions of emails and try to find a victim.
This doesn't seem like that anymore.
So maybe that's not the case anymore.
And maybe they are doing their homework and trying to figure out where are the critical spots in the ecosystem that they can go after that impact many, as we've seen in these last three incidents.
What's the potential diplomatic angle on this?
I mean, is it possible for the U.S. to reach out to Russia
and say, you know, hey, knock it off.
You know, look, healthcare is off limits.
I think we've been trying to do that for years to no avail.
Yeah.
What other possible responses do we have?
I think the longer-term issue is to try to apply more pressure when it comes to these international norms and trying to figure out how can we encourage countries like Russia and others that if they want to play in the international space, in the international economy,
in the international space, in the international economy, they've got to show that they're actively prosecuting and punishing cyber criminals when they're caught or captured. And it's just not
the case these days. And of course, we see these individuals operating with impunity.
They keep going at it. They say they're not going to attack healthcare, but we know that that is
just a smokescreen. There is absolutely no evidence to
show that they're actually doing that. What about coming at it from the other
side of things? I mean, looking at things like resilience and prevention at the outset.
Yeah, I think that's the real crux of the matter here. When we sat back and saw the two incidents
a few weeks ago, and now we see three happening. I think the bigger issue was when we were collaborating with the American Hospital Association on this
and really looking at these incidents as a whole and realizing that the bad guys are continuing to identify weak spots in the infrastructure.
We need to encourage our organizations to look for those kinds of weak spots themselves,
encourage our organizations to look for those kinds of weak spots themselves, try to identify those concentration risks. Where are these points of failure that they can help identify
and either try to identify additional sources so they're not just so single-sourced or encourage
the development of other suppliers as well so that they can have a backup in case primary goes down.
suppliers as well so that they can have a backup in case primary goes down.
Yeah, I mean, in my mind, it really speaks to the utility of the ISACs themselves to be able to be a clearinghouse for this information for the folks who are in this particular vertical.
Yeah, I think, you know, here's a good case where there's a great amount of public and private collaboration happening.
We're able to operate very nimbly, so we can be out there very quick recognizing when these new trends, these new threats, and these new vulnerabilities pop up.
We can put together an analysis like this very fast and get it out to the community so that they can better protect themselves.
very fast and get it out to the community so that they can better protect themselves.
So we've been trying to work with HHS and other parts of the federal government as well,
trying to raise the alarm there. So hopefully we'll get some support here soon for them as well.
Errol Weiss is Chief Security Officer with the Health ISAC.
Errol, thanks so much for joining us.
Dave, thanks for having me.
An Israeli hacktivist group called We Red Evils claimed responsibility for a cyber attack that disrupted Internet access in parts of Iran, including Tehran.
The group announced the attack on Telegram, warning of imminent disruptions to Iranian Internet services.
Reports confirmed Internet outages in Iran, though the extent is unclear. We Read Evils stated they accessed Iran's
communication system and shared information with Israeli security forces. The group has
launched multiple attacks since the October 2023 Hamas attack on Israel, escalating tensions with
Iran. Their actions coincide with increased hostilities following the Israeli assassination of Ismail Haniyeh, Hamas's political leader, in Tehran.
The Biden administration is preparing for potential Iranian retaliation with expectations of involvement from Hezbollah.
previously claimed responsibility for hacking Iran's oil infrastructure and disabling Tehran's electrical grid, highlighting their ongoing cyber warfare efforts. The U.S. Copyright Office has
released the first part of a comprehensive report examining the impact of artificial intelligence,
focusing initially on the issue of digital replicas or deepfakes.
The report highlights the rapid advancements in AI that enable the creation of sophisticated deepfakes,
which can include AI-generated music, impersonations of political figures, and pornographic videos.
It stresses the urgent need for federal legislation to address the challenges posed by these technologies.
The No Fakes Act, recently introduced in the Senate, aims to provide individuals the right to control the use of their likeness in digital replicas. The report supports the bill,
emphasizing the importance of protecting artists, individuals' dignity, and public security from
fraud. Future reports from the Copyright Office will explore other AI-related issues,
including copyrightability and liability.
U.S. Register of Copyright's Shira Perlmutter underscores the transformative impact of AI on creativity,
raising questions about the role of human authorship
and the balance between technological innovation and copyright protection.
The report acknowledges AI's potential to amplify creativity
while also presenting existential challenges to copyright law and policy.
Researchers at Proofpoint have identified a rise in cybercriminals
using Cloudflare Tunnel's TriCloudFlare service
for malware campaigns delivering remote-access Trojans like AsyncRat and RemcosRat.
Detected since February, these campaigns exploit TriCloudFlare's ability to create temporary encrypted tunnels
which mask IP addresses and avoid detection.
tunnels, which mask IP addresses and avoid detection. Threat actors target sectors like law and finance, distributing malware via tax-themed emails. Proofpoint observed over
1,500 malicious emails sent since July 11, highlighting the service's exploitation for
large-scale operations due to its free and reliable infrastructure.
due to its free and reliable infrastructure.
The U.S. Government Accountability Office reports that the Environmental Protection Agency must address rising cyber threats to water and wastewater systems.
These systems face increased risks from nation-state actors,
including Iran's Islamic Revolutionary Guard Corps and Chinese group Volt Typhoon.
The EPA has not conducted a comprehensive risk assessment or developed a risk-informed strategy,
limiting its ability to tackle the most significant risks.
Challenges include aging technology, increased automation, and workforce skills gaps. Many operators underestimate their vulnerability, especially
in smaller or rural areas. The GAO recommends that the EPA conduct a sector-wide risk assessment,
develop a cybersecurity strategy, evaluate its legal authorities, and revise the vulnerability
self-assessment tool. The EPA has accepted these recommendations, with plans to implement them by
2025. On August 1, Clarity reported a vulnerability in Rockwell Automation's ControlLogix 1756 devices,
affecting GuardLogix and other controllers. This flaw allows attackers to bypass the trusted slot feature, enabling them
to execute CIP commands that could alter user projects or device configurations. Clarity found
that attackers could exploit this by jumping between slots in the 1756 chassis via CIP routing,
bypassing security barriers. Rockwell and CISA have issued advisories, and patches are available.
Exploitation requires network access to the device.
Apple has open-sourced its homomorphic encryption library under the Apache 2.0 license,
providing Swift libraries and executables for developers.
Homomorphic encryption allows computations on encrypted data
without revealing the underlying information,
enhancing privacy across various applications.
Historically, homomorphic encryption implementations were complex and resource-intensive,
but recent advancements have made them more practical for production use.
but recent advancements have made them more practical for production use.
Apple's implementation in iOS 18 for Live Caller ID Lookup enables encrypted queries for caller ID and spam blocking without exposing user data.
The library uses a quantum-resistant scheme.
Homomorphic encryption, a key privacy-enhancing technology,
holds potential for securely leveraging data across jurisdictions.
While companies like Microsoft and IBM offer homomorphic encryption libraries,
Apple's open-source initiative is a notable step
in expanding homomorphic encryption's practical applications.
Experts like Envail CEO Ellison Ann Williams emphasize the transformative power
of homomorphic encryption for secure data utilization and its role in the privacy-enhancing
technology ecosystem. The U.S. Cybersecurity and Infrastructure Security Agency has issued
an advisory regarding a high-severity vulnerability found in Avtek security cameras.
This flaw affects Avtek AVM1203 IP cameras with specific firmware versions, allowing remote
unauthenticated command injection. CESA reports active exploitation but notes Avtek's lack of
response to address the issue, leaving the vulnerability unpatched.
Discovered by Akamai and confirmed by a third party,
the vulnerability could impact various sectors, including healthcare and finance.
Despite the critical nature, CISA has not yet included it in its known exploited vulnerabilities catalog.
Avtek cameras have previously been targeted by IoT botnets like Hide and Seek and
Mirai. Unrelated, CISA has appointed Lisa Einstein as its first chief artificial intelligence officer.
Einstein, previously CISA's senior advisor for AI and executive director of the Cybersecurity
Advisory Committee, has been instrumental in shaping CISA's AI initiatives.
Her appointment aims to strengthen the agency's AI expertise and ensure safe AI adoption for
critical infrastructure. CISA Director Jen Easterly praised Einstein's leadership and
vision in advancing AI efforts. Einstein emphasized her commitment to enhancing cybersecurity and infrastructure reliability through AI.
Her achievements include developing CISA's AI roadmap and leading a pilot program for testing AI cybersecurity tools,
with findings recently shared with the White House.
Coming up after the break, Tim Starks from CyberScoop joins us to discuss President Biden's cybersecurity legacy.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
It is my pleasure to welcome back to the show Tim Starks.
He is a senior reporter at CyberScoop.
Previous to that, he was at the Washington Post.
And Tim, that's when you and I got started doing these little segments together.
But happy to have you back now that you are comfortably settled into your new role at CyberScoop.
For some reason, I was just predicting you were definitely going to say ensconced.
You know, if I'd had the wherewithal and the mental energy, I definitely would have.
It was a word I was reaching for.
Yeah.
Well, it's good to be back.
Have a good day.
No, it's great to have you back.
I want to dig into this article that you recently published over on CyberScoop.
This is covering President Biden's cybersecurity legacy.
Can we start off just with what prompted you to write this up?
Yeah.
You know, the way it started was I was thinking it's the end of Biden's term, regardless of whether he is elected or not reelected or whatever the case may be,
it's a good time to look at what we got with the four years we elected him to.
And I've always been fascinated, you and I, when we did talk, we talked about this fairly regularly,
I've always been fascinated by the degree to which this administration has embraced regulation
and embraced the idea that the private sector needs to be doing more.
Now, obviously, the story came out after he announced his decision to leave,
sorry, or to not seek re-election,
but that didn't change what we were going to do.
It really didn't matter who was going to be up next.
It was always about, okay, four years have happened, what did we get?
And this issue of the regulation has always been fascinating to me, like I said,
and it was worth just me taking stock and giving readers a sense of what have you gotten out of the four years you elected
Biden to. Well, let's start off with the beginning of the timeline here. I mean, how would you
describe the state of things as left by former President Trump. In this one regard, President Trump was like
almost every other president before him,
which was very light touch regulation.
You know, the idea of being a regulatory,
taking a regulatory approach to cybersecurity
had been anathema to every president,
no matter their party,
because the idea was
if you create rules in cybersecurity,
if you create these regulations,
then you might lock yourself into
an accidental technology approach or the rules might be outdated by the time they're actually
published. I mean, we've been waiting on the cyber incident reporting law to become a rule
for a while now. It was passed years ago. So the idea was that regulation wasn't the appropriate
policy solution to what happens in
cyberspace. That was every president before this one. And there were early signs that this
administration was wanting to do it differently when they published an executive order in the
summer of 2021, or maybe it was early, maybe more spring. But that order, hearing the people talk
about it who were the architects of it, were saying, this covers what the federal government does.
These are rules for federal agencies to do things.
But it also, if you're a contractor and you're working with those agencies, you're going to have to subscribe to these rules too.
And with the billions and billions of dollars that the federal government spends, the idea was, well, any company that wants to do business with the federal government is going to have to change their approach.
So the idea was to use the purchasing power of the federal government to leverage and
sort of indirectly impose rules on companies.
That summer was a big one because you'll recall that that was Colonial Pipeline.
That was a JBS meat processing company getting hacked.
And suddenly, this was a big watermark moment of,
oh, people are realizing that this can affect their lives
in ways that they had not previously thought of.
I mean, obviously, cyber has been a way for people to steal money,
but this was something else.
This was a new way of looking at the way the market could be disrupted.
And as it happened, Ann Neuberger, who I interviewed for the article,
I also interviewed Harry Coker and Jenny Straley.
Those are arguably the three top policymaking cyber officials in the U.S. government.
Ann Neuberger talked about how that got the attention of people inside the administration in a way that had them going further than they had previously in terms of putting rules in place.
We saw TSA put in place the rules for pipelines. And it's kind of been a cascade ever
since. You talk about CISA's Secure by Design initiative, which certainly folks in cybersecurity
know all about. At this point, are we at a point where we can evaluate whether or not that
is going to be a success or has been a success? No, I don't think so. And I think even Janice really would tell you that it's too early.
The other part of this shift, there's an embrace of the regulations and rules,
but it's also that general shift of we want the private sector to be taking on more responsibility for protecting people.
Right now, cyber attacks happen because somebody clicks on a link that
they shouldn't have clicked on, and suddenly they're in trouble, or they are using a device
that's vulnerable through no fault of their own. And so this secure by design is one answer,
yet another answer to this approach of saying, we want you, industry, private sector, critical
infrastructure, software makers, we want you to be doing more and while they do have a
significant number of pledges i think they're up to 168 to say a company saying we want we're
committed to doing this it is voluntary and that doesn't that means that people might say they're
committed to it doesn't necessarily mean they are and then you know to use the metaphor uh jen used
you know ralph nader was talking about seatbelts in the 1960s, and it was decades before
we started getting airbags and seatbelts as a default thing. That's the situation that we're
in now. She's talked about this being at the very beginning of the process of shifting this
responsibility. And I think that, you know, if you go back to the rules thing too, if you're
trying to measure that, we're still seeing a lot of hacks. And Anne had said in the story that,
you know, the threat is high.
Our preparations were low.
We're trying to get the preparation part
to a medium, at least.
There's a lot more that they have to do, they say.
Yeah, I really found that seatbelt comparison
pretty compelling.
You know, someone who grew up during that era
when suddenly, you know, seatbelts became
kind of the law of the land.
I remember there were plenty of people out there who really thought it was a good plan
that rather than wearing seatbelts, they would be thrown from the car, thrown clear of the
accident, which of course seems absurd now, but that was a sensible line of thinking back
in the day.
But growing up in the 80s, it was almost like people would talk about seatbelts like they weren't cool.
Like if you put on a seatbelt, people might make fun of you.
Like, what are you doing, nerd?
Right.
And it's hard to imagine.
Like, I don't feel comfortable in a car without a seatbelt anymore.
Absolutely.
Yeah.
But you're right.
It took decades.
Can we look at some of the things that have happened here recently, you know, through the lens of Biden administration?
I mean, for me, one that you touched on in the article, which is the Supreme Court ruling on Chevron deference.
How do we suppose that could play out in regards to how these folks are looking to regulate?
That is such a fascinating question that nobody knows the answer to right now.
And I think it certainly affects things going forward more than it does looking back, as I understand the application of the rule.
It may open things up to lawsuits, things that are existing.
But as much as I've asked around, I'm not hearing a lot of planning going on around that from people.
In affected industries, you would think that if they did not like these rules and Chevron gave them an opening, they would go for it.
But that's not been their approach yet.
I'm not saying it's going to stay that way,
but right now there's little to no evidence that that is happening.
So I think it more affects how they might make decisions going forward.
If you look at some of the interpretations of rules here
that have let the administration decide that they have these authorities
to make new rules. Then a little, to quote a line from an article from my colleague Derek Johnson,
creative lawyering. It said, you know, we think we have this authority because of this law that
existed that wasn't necessarily geared towards cyber, but it can apply to cyber. And you saw
a setback with this approach when the EPA put its water sector rules forward.
It seemed to be on the outer periphery of arguable authority to me that they had.
I'm not a legal mind, but just my interpretation of things was some of this is clear and some of it's less clear.
And that was on the less clear side.
When the states sued, they essentially dropped that rule.
I don't know if they were convinced that it just wasn't going to happen or that it wasn't worth the time and money they'd spend to defend it.
But there's already evidence that if they get too creative, they will face resistance.
And so I think it's more if they're talking about doing something new, that Chevron will come into play more than in the past.
But really, nobody knows in the administration and specifically said we're
still analyzing that. So as far as what they might do, it's up in the air.
Well, before I let you go, how about the CrowdStrike event? Certainly lots of chatter
about the potential liabilities that CrowdStrike could face here. We hear Delta Airlines is lawyering up
with a real high-profile lawyer
who once went after Microsoft.
What's the buzz you're hearing when it comes to that?
I mean, yeah, we were talking about that lawsuit
in a team meeting at Cyberscoop this morning.
The software liability picture is a big part
of what the administration is doing here.
It's actually probably the piece that's the farthest behind.
This is one of those situations where if you have the software and someone uses it and they sign a form,
they're basically signing away their legal rights to pursue anything if things go wrong.
And there's not a good way to go after these things right now.
You do see every time there's a breach of some kind, there's a lawsuit that pops up.
And I don't know that there have been that many that have been terribly, terribly successful on the breach side.
There have been some, certainly.
But it's certainly not a one-to-one ratio of there's a breach and there's a lawsuit and the lawsuit happens and it's successful.
That's another open question that's really interesting to see to what degree you can go after someone who was
responsible for a software flaw. It's something that the policymakers are trying to address and
it'd be interesting to see how it plays out in the court and how that might have a ripple effect
there. Yeah. Tim Starks is a senior reporter at CyberScoop. The article is titled Biden's
cybersecurity legacy, a big shift to Private Sector Responsibility.
We will have a link in the show notes. Tim Starks, thanks so much for joining us.
Thanks, Dave.
Thank you. suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, our HAL 9000 appreciation desk
tells us of a team of Swiss researchers
delving into a question straight out of a sci-fi movie.
Could chatbots become self-aware?
While this sounds like the setup for a blockbuster thriller,
the researchers are taking it seriously, given the potential security implications.
They devised a clever test to see if AI models can recognize their own outputs,
akin to finding their reflection in a sea of digital doppelgangers.
Historically, the notion of AI self-awareness was dismissed by experts.
Despite the skepticism, recent chatter around Anthropic's Clawed 3 opus
being able to detect trick questions has reignited the debate.
A majority of chat GPT users even believe in some form of chatbot consciousness.
even believe in some form of chatbot consciousness. The research team, led by Tim Davison from the École Polytechnique Fédérale de Lausanne, discovered that some AI models can identify
their own responses from a lineup with more than 50% accuracy. This might suggest some
self-recognition, but the reality is a tad more mundane. The models, it turns out, are merely
selecting what they perceive as the best answer, not necessarily their own. It's like asking a dog
to find its reflection and having it pick the shiniest bowl instead. Despite the model's
penchant for vanity, Davidson highlights the importance of this line of inquiry. If AI models eventually become capable of true self-recognition,
it could lead to intriguing scenarios.
Imagine AI-powered lawyers negotiating with one another.
If one model recognizes it's sparring with a twin,
it could gain an unfair advantage by predicting its counterpart's moves.
While this may seem like a far-off dystopian tale,
Davidson advises cautious optimism. After all, as he puts it, you start fireproofing your house
before there's a fire. Keeping an eye on these developments ensures we're prepared for whatever
AI's digital evolution brings, even if it's just making sure our chatbots don't outsmart us at
their own game. And that's The Cyber Wire. For links to all of today's stories, check out our
daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Jason
Baker, Senior Threat Consultant at GuidePoint Security. We're discussing their work, World Wide
Web, an analysis of tactics and techniques attributed to scattered spider. That's Research
Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures
we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's
preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies
to optimize your biggest investment, your people.
We make you smarter about your teams
while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester, with
original music and sound design by
Elliot Peltzman. Our executive
producer is Jennifer Iben. Our executive
editor is Brandon Carff. Simone
Petrella is our president. Peter Kilpie
is our publisher, and I'm Dave
Bittner. Thanks for listening. We'll
see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.