CyberWire Daily - Out with the old, in with the new.
Episode Date: February 27, 2024NIST’s Cybersecurity Framework gets an upgrade. ONCD makes a case against memory-related software bugs. A recent cyberattack targets Canada's Royal Canadian Mounted Police. US dethrones Russia as to...p target in cyber breaches. Caveat podcast cohost Ben Yelin discusses remedies in the generative AI copyright cases.And, Reggaeton Be Gone, a creative way to deal with your neighbors’ music choices. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Ben Yelin, cohost of Caveat podcast and Program Director, Public Policy & External Affairs at University of Maryland Center for Health and Homeland Security, thinking about remedies in the generative AI copyright cases. You can find the Lawfare article Ben references here.  Selected Reading NIST Releases Version 2.0 of Landmark Cybersecurity Framework (NIST) After decades of memory-related software bugs, White House calls on industry to act (The Record) Canada's RCMP, Global Affairs Hit by Cyberattacks (SecurityWeek) A cyber attack hit the Royal Canadian Mounted Police (Security Affairs) UK email mistake put ‘lives at risk’ for Afghans who had worked with British military (The Record) Russia and Belarus targeted by at least 14 nation-state hacker groups, researchers say (The Record) Number of data breaches falls globally, triples in the US (TechSpot) Steel giant ThyssenKrupp confirms cyberattack on automotive division (Bleeping Computer) The Change Healthcare cyberattack is still impacting pharmacies. It's a bigger deal than you think (Fast Company) US Pharmacy Outage Triggered by 'Blackcat' Ransomware at UnitedHealth Unit, Sources Say (US News and World Report) Getting Ahead of Cybersecurity Materiality Mayhem (Security Boulevard) Raspberry Pi maker builds device to hack neighbor's Bluetooth speakers that were streaming annoying music (TechSpot) Reggaeton Be Gone (Hackster.io) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
NIST Cybersecurity Framework gets an upgrade.
ONCD makes a case against memory-related software bugs.
A recent cyber attack targets Canada's Royal Canadian Mounted Police.
U.S. dethrones Russia as top target in cyber breaches.
Dave Bittner sits down with Caveat Podcast co-host Ben Yellen
to discuss remedies in generative AI copyright cases
and a creative way to deal with your neighbor's music.
Today is February 27th, 2024. I'm Trey Hester filling in for Dave Bittner, and this is your CyberWire Intel Briefing. Intel briefing. The National Institute for Standards and Technology released a version 2.0
of its cybersecurity framework, marking a significant milestone in the ongoing battle
against cyber threats.
The framework is a collaborative effort involving government agencies,
private sector organizations, and academia. The CSF 2.0 supports implementation of the National Cybersecurity Strategy with an expanded scope that goes beyond protecting critical
infrastructure to all organizations in any sector. The release includes a focus on adaptation to
evolving threats,
integration and flexibility, risk management, collaboration, and embracing global cybersecurity
trends. In a recent report, the Office of the National Cyber Director highlighted the alarming
prevalence of memory-related software bugs, shedding light on a critical vulnerability
in digital infrastructure. These bugs, often lurking unnoticed in software code,
pose significant security risks,
potentially enabling cyber attackers to exploit sensitive data
or compromise system integrity.
Prioritizing vulnerability awareness,
implementing robust risk mitigation strategies,
fostering collaboration, and maintaining continuous vigilance,
the White House hopes a greater use of memory-safe programming languages
will help to make products more secure from the outset. Cue the Dudley Do-Right theme song.
A recent cyber attack targeted Canada's Royal Canadian Mounted Police.
The RCMP did not share details on the nature and extent of the attack,
saying that it was working with partner Canadian government agencies to
The RCMP notes that the attack did not impact operations or the safety and security of Canadians.
Over the weekend, however, RCMP's website was briefly unavailable.
Over the weekend, however, RCMP's website was briefly unavailable.
The UK Ministry of Defence faced a significant fine of $443,000 due to an email error exposing Afghan interpreters' identities.
The email could have enabled the identification of individuals contacting the British government
and seeking to be relocated from the country as the Taliban regained control in 2021.
This data was exposed
when the Ministry of Defense sent bulk emails using the TO field rather than the BCC field,
according to the ICO. Researchers report that at least 14 state-sponsored hacker groups from
around the world have targeted Russia and some former Soviet Union members, such as Azerbaijan,
Belarus, Kyrgyzstan, and Kazakhstan, with
destructive or espionage campaigns over the last year. Some of the groups were likely linked to
Ukraine, and others acted in the interest of their own countries, like North Korea and China,
according to the Russian company Fax Report. A recent study investigating data breaches
throughout 2023 reveals a total of 299.8 million accounts were compromised.
While that does seem like a very large number, it in fact represents an 18% decrease from 2022.
Despite this global reduction in breaches, the situation in the United States has increased,
with the number of breaches tripling, giving it the title of the world's most frequently
targeted country overtaking Russia.
Bleeping Computer reports steel giant ThyssenKrupp confirmed that hackers breached systems in its automotive division last week, forcing them to shut down IT systems as part of its response
and containment effort. ThyssenKrupp AG is one of the world's largest steel producers
and a crucial component in the global supply chain of products that use it in their industries.
At this time of publication, no major ransomware groups or threat actors had assumed responsibility.
In a follow-up to our coverage of the healthcare cyberattack last week, we have a few updates.
More than 100 health-related services were impacted by the attack,
and there's still no word as to when things will be back to normal.
Hackers working for the Black Cat ransomware gang are behind the outage at UnitedHealth's technology unit that has snarled prescription deliveries. A number of pharmacy
chains, including CVS Health and Walgreens, have said the outage had knock-on effects on their
businesses, as pharmacies could not transmit insurance claims for patients. And another
friend of the Cyber Wire, Steve Winterfeld, member of our Hashtable and frequent contributor to our
CSO Perspectives podcast with Rick Howard, recently wrote about getting ahead of cybersecurity materiality mayhem.
In it, Steve addresses the growing concern of cybersecurity risks and their impact on financial materiality.
The article emphasizes the need for organizations to proactively assess and manage cybersecurity risks to avoid potential financial and reputational damage.
It underscores the importance of integrating cybersecurity into all risk management strategies
and aligning with regulatory requirements. You can find a link to Steve's article in our show notes.
Coming up after the break, we have Ben Yellen, our Caveat podcast co-host and program director
at the University of Maryland Center for Health and Homeland Security.
Ben discusses remedies in the generative AI copyright cases. Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. cybercriminals to bypass your company's defenses is by targeting your executives and their families
at home. Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Ben Yellen.
He is from the University of Maryland Center for Health and Homeland Security
and also my co-host on the Caveat podcast.
Ben, welcome back.
Good to be with you, Dave.
So interesting discussion here from the folks over at Lawfare.
And they're taking a look at some of the lawsuits against open AI and generative AI in general
and looking at some of the remedies that are proposed or possible or
being considered here. Can you unpack this for us? What's going on here?
Sure. So we're still in the relative infancy of generative AI, and we've just started to see
a variety of claims against the big players here. So ChatGPT, Microsoft, etc., these claims are based on copyright violations.
So it's the use of in-copyright works for training these generative AI models.
And there's been a lot of commentary on this about whether this constitutes fair use,
which means it would not be subject to copyright violations, or if this is a per se copyright
infringement.
I don't think there's been any sort of developed legal consensus around this.
What the Lawfare blog gets at is if companies can be held liable for using copyrighted work in their generative AI inputs, what will settlement or damages look like in those scenarios?
So this article brought up three notable potential remedy claims,
statutory damages, destruction of models trained on infringing works, and the establishment of
regulatory oversight. And they gave a little bit more detail on each of those three claims.
So for statutory damages, there could be damages based on violation of copyright management information rules and general copyright infringement.
The damages range from $2,500 to $25,000 per violation, which for these big guys, you know, it might start out as kind of a paltry sum of money.
But that adds up when you're talking about everything that a generative AI puts together.
Model destructions.
AI puts together.
Model destructions.
So there are some complaints that are seeking court orders to destroy models trained on these infringing works altogether.
There are practical concerns with that, whether you can destroy the model once it's been set
up, and just kind of disturbing legal implications about it, especially when we're talking about
open source training data.
Do we really want
models destroyed if they're using open source information, for example? And then there are
claims for regulatory relief. So one lawsuit has asked for the establishment of an independent body
to approve AI product uses, accountability protocols, and cybersecurity safeguards, and to establish a monetary fund for
compensating past misconduct. So these are three really interesting potential avenues for remedies
for those who feel they have suffered copyright claims. It's good that Lawfare laid these out.
The issue is time, really. Resolution of all these lawsuits is years away. These suits take time.
There's going to be a lot
that goes into discovery.
But it will have,
when these lawsuits
finally do resolve,
it's going to have a major impact
on the entire AI field.
And not just on AI,
but this is going to be
a revolutionary development
in intellectual property law.
Yeah.
What do you say to folks who are saying that this is the opportunity that we need to reconsider copyright law writ large?
I think it's possible that this does serve as that opportunity.
It's such a unique case, especially when we're talking about the use of potentially open source data
or where you're unable to determine whether the generative AI spit out something
based on copyright infringed material or open source data.
So I think this is a ripe area to review copyright restrictions.
Now, there are a lot of elements of copyright law
that are so ingrained in our legal system.
They've been principles at common law for hundreds of
years that I don't think generative AI is necessarily going to reopen all of those
doctrines. The length of copyrights, for example, is something I know we've talked about before,
and it can be frustrating for people in the industry who are subject to these
copyright claims from 50, 60 years ago. So I don't know if any of that is going to change,
but I do think this poses an opportunity.
It's kind of putting everything under reconsideration
once these cases make it into court.
One of the things that I'm still trying to wrap my head around,
and I've seen different opinions when it comes to this,
is whether or not a copyright infringement happens
at the point of ingest or at the point of synthesis. So,
is ingesting someone else's work a copyright violation itself, or do you have to wait until
one of these models spits out something that is similar enough to the original piece of work,
that that then is the infringing thing. Any insights? Under our established principles of copyright laws, you're only held viable once you publish
that information. So it's kind of the difference between reading a book and retaining it for your
own knowledge or trying to pass off that book or that piece of intellectual property as your own
by publishing something and trying to make money off of it. So I think that's a difficult question in the context of generative AI,
because in a certain sense, when it takes that input, when it takes that potential piece of
copyright-infringed data, I think the people who own that intellectual property might be insecure,
thinking that the cat's already out of the bag.
This is going to be part of some input that spits out information that violates my intellectual
property rights. But I think at least under our traditional understanding of copyright law,
it really will take until that information is published. And I think that's going to be
part of the litigation here. When you're trying to establish damages is, was this information, copyright infringed information, widely disseminated?
How widely disseminated was it? I think those are all going to be important factors at play
when we finally see some litigation here. I've seen some folks say that perhaps the
quickest thing that could happen here, the thing that could work for
all parties, is if we had some kind of centralized licensing organization. It's similar to how the
music industry works. They have like BMI and ASCAP and these organizations that they're the
ones you pay if you want to use music in your production, use copyrighted music
in your production, you pay them and then they distribute it to the original owners.
Do you think that's a possibility here? Sure, it's a possibility. I'll just note,
and I know I've said this before, like we're so early in the world of these claims.
Yeah. The first time the U.S. Copyright Office even took notice of this as an issue was, at least to my knowledge, was August 2023, where they issued a notice of inquiry asking for comments on whether Congress should create a collective licensing regime for generative AI training and development.
So in other words, it's certainly possible.
We're just so early in the development of this field that it's hard to say for certain either way.
Yeah, I guess I'm trying to understand like the slow movement of going through the legal system and for the sake of getting something that people could be happy with more quickly and the sake of there being a need to have some reassurance here, some clarity here.
Might we see something like that just because
everybody comes to the table and says, look, we got to figure this out? Yeah, I mean, I think
that's what it would take is the industry, members of Congress, and some of the regulatory agencies
saying we could all wait, you know, four or five years down the line for this litigation to ripen
and we can get 40 separate decisions on 40 different claims in all different jurisdictions
and have to wait for appeals courts or the Supreme Court to weigh in, or we can create
something that's workable. I'm never an optimist on this stuff because Congress has had trouble
even forming an AI work group, which I believe they just did as of this week. So that's a start.
But to come up with a whole licensing regime, it's an ambitious task, I'll be honest.
Yeah.
All right.
Well, as always, thank you for your insights.
Ben Yellen, thanks so much for joining us.
Thank you.
Thank you. trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant. The 1%. Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31st, 2025.
Visit td.com slash dioffer to learn more.
And finally, when Roni Bandini's neighbor started blasting reggaeton music every morning at 9 a.m.,
he took the non-confrontational route of addressing the issue with a raspberry pie
and created Reggaeton Be Gone.
The name was selected as an homage to the TV Be Gone device.
It monitors room audio and identifies the reggaeton genre with machine learning.
Once identified, it triggers comm requests and packets to the Bluetooth speaker to disable it,
or at least disturb the sound so much that the neighbor will be forced to turn it off.
Bandini does add this disclaimer, stating that Reggaeton Be Gone is an experimental project.
Before deploying it, check your local laws and regulations.
And only use it with your own Bluetooth speakers for educational purposes. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
This episode was produced by Liz Stokes.
Our mixer is me with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilpie.
And I'm Trey Hester filling in for Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Thank you. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.