One thing I wish I could have expanded upon in my story is how the Biden admin's secure-by-design strategy has left the USG unprepared to wield any sort of influence over Microsoft, even as the company doesn't meet SBD expectations. (cont'd)
As one cyber expert told me, "There are good regulators and good enforcement mechanisms around [federal] IT procurement on security ... and the fact that CISA and the SBD team have chosen not to connect that work to those other entities has left it in a very limited position."
This expert, who requested anonymity to speak candidly, bemoaned the fact that the Biden White House isn't framing secure-by-design as a set of actual requirements for selling tech to govt. "Instead, they've chosen to pursue a principled public-interest approach."
Market dominance, inertia, and savvy PR have almost completely insulated the hack-plagued company from meaningful oversight, even as Biden officials preach corporate accountability.
I asked cyber experts, lawmakers, fmr govt officials, & employees of Microsoft's competitors why the company has struggled w/ security and why those woes haven't threatened its business.
Their comments and criticisms mirrored the recent findings of the Cyber Safety Review Board.
Why has Microsoft experienced so many high-profile hacks recently?
Because, experts said, MSFT has underinvested in the security improvements needed to protect both its legacy products and cloud services from modern threats.
The House Homeland maritime security subcommittee is holding a hearing on U.S. port cybersecurity:
The hearing, w/ witnesses from DHS, USCG, & Transportation Command, comes a week after a big Biden admin push on port cybersecurity: homeland.house.gov/hearing/subcom…
Subcommittee chair Carlos Gimenez says U.S. ports' use of Chinese-made equipment "introduces significant supply chain vulnerabilities into our maritime transportation system."
Gimenez on Biden's recent port cyber initiatives: "I commend the administration in this initial action, but I know that more must be done."
Biden has signed his AI executive order. As we await its release, here's what the fact sheet says about "the most sweeping actions ever taken to protect Americans from the potential risks of AI systems"... 🧵 whitehouse.gov/briefing-room/…
Developers of any LLMs with the potential to pose serious risks will have to red-team them for safety and security issues—based on standards developed by NIST—and share the results with the government. Biden is using the Defense Production Act for this.
DHS will require critical infrastructure operators to meet these standards, though it's unclear what that means (banning their use of LLMs with bad red-team results?).
There will be a new AI Safety and Security Board and a new focus on AI threats to critical infrastructure.
This week’s #Ahsoka episode was one of the finest episodes of Disney Star Wars TV so far. Sabine emerges as the real main character, Thrawn and Ezra’s long-awaited introductions absolutely deliver, and it’s no coincidence that Ahsoka’s best ep yet barely features Rosario Dawson.
Let's start with Sabine, because she continues to be far and away the best character. Natasha Liu Bordizzo must be exhausted from carrying this show on her shoulders.
NLB continues to nail Sabine's personality. When Baylan encourages her to engage in self-reflection, she quips, “I try to avoid that.” We see how her brashness and constant need to be active are coping mechanisms to suppress her inner turmoil, anxiety, and self-doubt.
.@lilyhnewman is moderating a Black Hat keynote with @CISAJen and @VZhora.
Zhora says Ukraine has observed "a shift" in Russian cyberattacks "from disruptive and chaotic attacks to more focused activity [like] cyber espionage and data collection."
Zhora: "In recent weeks, we discovered activity … in the networks of Ukraine’s armed forces. So, Russian forces targeting our situational awareness system … in order to gain information that, to their opinion, can give them advantage on the battlefield."