DarkReading.com reported “Most security teams can benefit from integrating artificial intelligence (AI) and machine learning (ML) into their daily workflow. These teams are often understaffed and overwhelmed by false positives and noisy alerts, which can drown out the signal of genuine threats.” The September 28, 2023 article entitled “Looking Beyond the Hype Cycle of AI/ML in Cybersecurity” (https://www.darkreading.com/vulnerabilities-threats/looking-beyond-hype-cycle-ai-ml-cybersecurity) included these comments:

AI and ML are often confused, but cybersecurity leaders and practitioners need to understand the difference. AI is a broader term that refers to machines mimicking human intelligence. ML is a subset of AI that uses algorithms to analyze data, learn from it, and make informed decisions without explicit programming.

When faced with bold promises from new technologies like AI/ML, it can be challenging to determine what is commercially viable, what is just hype, and when, if ever, these claims will deliver results. The Gartner Hype Cycle offers a visual representation of the maturity and adoption of technologies and applications. It helps reveal how innovative technologies can be relevant in solving real business problems and exploring new opportunities.

But there’s a problem when people begin to talk about AI and ML. “AI suffers from an unrelenting, incurable case of vagueness — it is a catch-all term of art that does not consistently refer to any particular method or value proposition,” writes UVA Professor Eric Siegel in the Harvard Business Review. “Calling ML tools ‘AI’ oversells what most ML business deployments actually do,” Siegel says. “As a result, most ML projects fail to deliver value. In contrast, ML projects that keep their concrete operational objective front and center stand a good chance of achieving that objective.”

While AI and ML have undoubtedly made significant strides in enhancing cybersecurity systems, they remain nascent technologies. When their capabilities are overhyped, users will eventually grow disillusioned and begin to question ML’s value in cybersecurity altogether.

What do you think?

First published at https://www.vogelitlaw.com/blog/maybe-ai-amp-ml-are-not-really-working-in-cybersecurity

GovInfoSecurity.com reported that “Cybersecurity experts urged Congress to avoid a government shutdown on Oct. 1 – the start of the new federal fiscal year – telling a House panel that a lapse would damage efforts to keep the nation secure.” The September 19, 2023 article entitled “Cyber Experts Urge House Committee to Avoid Federal Shutdown” (https://tinyurl.com/dw6aetwr) included these comments:

Congress has yet to approve any of the dozen funding bills that expire annually and are necessary to keep most federal agencies operational. The legislature has 12 days before the current federal fiscal year ends, along with the funding Congress appropriated for it.

A shutdown would cause delays of critical work by the U.S. Cybersecurity and Infrastructure Security Agency, and some projects would come to a halt, testified Brian Gumbel, president of security firm Armis, in a Tuesday hearing before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection.

The longer the funding delay, “the more time adversaries will have to get in front of us,” Gumbel said. “The delays are just terrible for this nation and this is going to cause some major impact.”

What do you think?

First published at https://www.vogelitlaw.com/blog/nbspcyberattack-imminent-with-a-federal-shutdown

BankInfoSecurity.com reported that “The U.S. Department of Homeland Security said it will eschew biased artificial intelligence decision-making and facial recognition systems as part of an ongoing federal effort to promote ‘trustworthy AI.’” The September 18, 2023 article entitled “US DHS Announces New AI Guardrails” (https://www.bankinfosecurity.com/us-dhs-announces-new-ai-guardrails-a-23106) included these comments:

U.S. Secretary of Homeland Security Alejandro Mayorkas also announced that departmental CIO Eric Hysen will serve as the “chief AI officer” while staying on in his original position.

Fighting biased outcomes can be more difficult than might appear since AI systems may be used to discriminate even without the use of obviously biased inquiries. Eliminating close proxies for characteristics such as ethnicity by closing off obvious prompts based on ZIP code and income allows for the possibility that the same intentionally biased results could be obtained with inquiries based on other factors. AI is effective because it draws on vast pools of data, allowing computers to make connections between seemingly unrelated data points. With enough data, there’s no need for a close proxy such as ZIP code.

Critics of facial recognition have also questioned whether human review will be sufficient to prevent wrongful arrests based on facial recognition matches. The New York Times reported in August that six individuals have reported being falsely accused of a crime as a result of a facial recognition search matching the photo of an unknown offender’s face to a photo in a database. “You’ve got a very powerful tool that, if it searches enough faces, will always yield people who look like the person on the surveillance image,” a psychology professor told the Times.

What do you think?

First published at https://www.vogelitlaw.com/blog/will-new-ai-guardrails-work-for-us-dhs

GovInfoSecurity.com reported that “A Norway court sided with the country’s data protection authority in a battle against Facebook over surveillance-based ads, ruling that the agency has the authority to tell the social media giant to temporarily halt behavioral tracking without explicit consent or face daily fines.” The September 8, 2023 report entitled “Norway Court Upholds Temporary Ban of Behavioral Ads on Meta” (https://tinyurl.com/55he9x8p) included these comments:

In July, the agency known as Datatilsynet imposed a temporary ban on compulsory behavioral advertising on Facebook and Instagram. It imposed fines on parent company Meta of nearly $100,000 per day starting on Aug. 14 for noncompliance – and Facebook went to court to halt those fines.

Oslo District Court on Wednesday ruled for the privacy watchdog, writing that the agency had not acted disproportionately on behalf of Norwegians’ privacy interests.

Meta must now halt behavioral tracking for Facebook and Instagram in Norway, said Tobias Judin, head of the international section for Datatilsynet. “We understand that they are looking into how they can comply with data protection law in the long term, but in the meanwhile and until they have carried out the necessary changes, the illegal activity needs to stop,” Judin told Information Security Media Group.

What do you think?

First published at https://www.vogelitlaw.com/blog/facebook-in-trouble-with-norway-courts-for-surveillance-based-ads

The Securities and Exchange Commission (SEC) issued a press release announcing that it had “adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.” The July 26, 2023 press release entitled “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies” (https://www.sec.gov/news/press-release/2023-139) included these comments:

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.

The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.

The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.

Do you think these new Rules will help?

First published at https://www.vogelitlaw.com/blog/the-sec-adopts-new-cybersecurity-rules

DarkReading.com reported that “One trend we’ve seen in recent years is a rise of ‘as-a-service’ offerings. Early hackers were tinkerers and mischief-makers, tricking phone systems or causing chaos mostly as an exercise in fun. This has fundamentally changed. Threat actors are professional and often sell their products for others to use.” The July 5, 2023 article entitled “A Golden Age of AI … or Security Threats?” (https://www.darkreading.com/vulnerabilities-threats/a-golden-age-of-ai-or-security-threats-) included these comments:

AI will fit very nicely into this way of working. Able to create code to tackle specific problems, AI can amend code to target vulnerabilities or take existing code and change it, so it’s not so easily detected by security measures looking for specific patterns.

But the possibilities for AI’s misuse don’t stop there. Many phishing emails are detected by effective filtering tools and end up in junk folders. Those that do make it to the inbox are often very obviously scams, written so badly they’re borderline incomprehensible. But AI could break this pattern, creating thousands of plausible emails that can evade detection and be well-written enough to fool both filters and end users.

Spear-phishing, the more targeted form of this attack, could also be revolutionized by this tech. Sure, it’s easy to ignore an email from your boss asking you to wire cash or urgently buy gift cards — cybersecurity training helps employees avoid this sort of scam. But what about a deep-fake phone call or video chat? AI has the potential to take broadcast appearances and podcasts and turn them into a convincing simulacrum, something far harder to ignore.

Interesting times, so watch out!

The New York Times reported that “Legal scholars, patent authorities and even Congress have been pondering that question. The people who answer “yes,” a small but growing number, are fighting a decidedly uphill battle in challenging the deep-seated belief that only a human can invent. Invention evokes images of giants like Thomas Edison and eureka moments — “the flash of creative genius,” as the Supreme Court justice William O. Douglas once put it.” The July 15, 2023 article entitled “Can A.I. Invent?” (https://www.nytimes.com/2023/07/15/technology/ai-inventor-patents.html?referringSource=articleShare) included these comments:

The U.S. Patent and Trademark Office has hosted two public meetings this year billed as A.I. Inventorship Listening Sessions.

Last month, the Senate held a hearing on A.I. and patents. The witnesses included representatives of big technology and pharmaceutical companies. Next to them at the witness table was Dr. Ryan Abbott, a professor at the University of Surrey School of Law in England, who founded the Artificial Inventor Project, a group of intellectual property lawyers and an A.I. scientist.

The project has filed pro bono test cases in the United States and more than a dozen other countries seeking legal protection for A.I.-generated inventions.

“This is about getting the incentives right for a new technological era,” said Dr. Abbott, who is also a physician and teaches at the David Geffen School of Medicine at the University of California, Los Angeles.

Rapidly advancing A.I., Dr. Abbott contends, is very different from a traditional tool used in inventions — say, a pencil or a microscope. Generative A.I. is also a new breed of computer program. It is not confined to doing things it is specifically programmed to do, he said, but produces unscripted results, as if creatively “stepping into the shoes of a person.”

A central goal of Dr. Abbott’s project is to provoke and promote discussion about artificial intelligence and invention. Without patent protection, he said, A.I. innovations will be hidden in the murky realm of trade secrets rather than disclosed in a public filing, slowing progress in the field.

The Artificial Inventor Project, said Mark Lemley, a professor at the Stanford Law School, “has made us confront this hard problem and exposed the cracks in the system.”

What do you think?

First published at https://www.vogelitlaw.com/blog/can-ai-get-patents

Computerworld reported that “Stock content provider and creative suite Shutterstock is the latest company in its field to offer customers a legal indemnity against suits related to AI-generated images created and licensed on its platform. In its announcement, issued Thursday, Shutterstock said that the aim is to provide a level of assurance to users of its services who want to leverage the ability to use AI-generated imagery but are concerned about legal risks that could arise under US intellectual property laws.” The July 6, 2023 article entitled “Shutterstock offers customers legal indemnity for AI-created image use” (https://www.computerworld.com/article/3701932/shutterstock-offers-customers-legal-indemnity-for-ai-created-image-use.html) included these comments:

The indemnity mostly relates to one recently launched product from Shutterstock, namely its AI Design Assistant (an image generator that allows users to select a particular style and type of content for generated images), which is powered by the DALL-E generative AI image creator from Microsoft-backed OpenAI, the maker of ChatGPT. Shutterstock said that its contributor fund funnels monetary compensation to the artists who created images that the AI Design Assistant was trained on.

Shutterstock’s indemnity program is similar to the one announced last month by Adobe, which unveiled its own program alongside the release of Firefly, a generative-AI-powered image creation tool. Firefly, Adobe said, works through training on both images owned by the company, and those in the public domain or other material not subject to copyright rules. Like Shutterstock, Adobe said that its indemnification for AI-generated images is meant to be as similar as possible to the one that covers the company’s other assets.

Great news, but let’s see what happens at the courthouse!

First published at https://www.vogelitlaw.com/blog/great-news-you-may-have-ip-indemnification-to-protect-for-ai-copyright-amp-trademark-infringement

BankInfoSecurity.com reported that “The latest development comes on the heels of a European Commission proposal Wednesday for a single currency, called the Digital Euro, that will be accepted across the EU. The new currency, issued by the European Central Bank, would ‘work like a digital wallet,’ the commission said, but members did not clarify if the currency would be integrated with the EU’s proposed digital wallet app.” The June 30, 2023 article entitled “EU Is Set to Finalize Digital Wallet, Proposes Digital Euro” (https://tinyurl.com/2k6sfa9w) included these comments about the European Digital Identity framework (https://data.consilium.europa.eu/doc/document/ST-14959-2022-INIT/en/pdf):

Both initiatives have faced criticism from lawmakers, and privacy experts fear the proposals would put citizens’ digital security at risk.

Lawmakers removed unique identifiers from the digital wallet, citing snooping risks, but using the wallet for identity confirmation could displace the anonymity online users now have on the internet, said Patrick Breyer, a German politician and member of the Pirate Party.

What do you think?

First published at https://www.vogelitlaw.com/blog/are-you-ready-for-digital-wallets-in-the-eu

DarkReading.com reported these comments from Check Point researchers: “The research also highlights the ‘alarming’ role USB drives play in spreading malware quickly and often unbeknown to users — even across air-gapped systems. ‘These malicious programs possess the ability to self-propagate through USB drives, making them potent carriers of infection, even beyond their intended targets,…’” The July 22, 2023 article entitled “USB Drives Spread Spyware as China’s Mustang Panda APT Goes Global” (https://tinyurl.com/3wpzsypn) included these comments:

Researchers at Check Point Research discovered the backdoor, which they’ve dubbed WispRider. The campaign is the work of the Chinese-state-sponsored APT that Check Point tracks as “Camaro Dragon,” but which is probably better known as Mustang Panda (aka Luminous Moth and Bronze President).

Check Point first discovered the malware when an employee who had participated in a conference held in Asia came home with an infected USB drive, researchers revealed in a blog post published June 22. Apparently, the employee — dubbed “Patient Zero” by the researchers — had shared his presentation with fellow attendees using his USB drive, and one of his colleagues there passed on the infection from his computer, they said.

Pretty scary news, what do you think?

First published at https://www.vogelitlaw.com/blog/new-usb-drive-malware-spreading-across-the-world