San Francisco, Calif. — The amazing digital services we have today wouldn’t have come to fruition without the leading technology and telecom giants investing heavily in R&D.

Related: GenAi empowers business

I had the chance to attend NTT Research’s Upgrade Reality 2024 conference here last week to get a glimpse at some of what’s coming next.

My big takeaway: GenAI is hyper-accelerating advancements in upcoming digital systems – and current ones too. This is about to become very apparent as the software tools and services we’re familiar with become GenAI-enabled in the weeks and months ahead.

And by the same token, GenAI, or more specifically Large Language Models (LLMs), has added a turbo boost to the pet projects that R&D teams across the technology and telecom sectors have in the works.

The ramifications are staggering. The ability for any human to extract value from a large cache of data using conversational language opens up a whole new universe of possibilities.

The power of conversations

One small example is a souped-up Jibo smart home assistant — a prototype — that can do much more than lock the doors, turn out the lights and set the thermostat. Thanks to GenAI, users can engage this prototype in conversations that get steadily richer over time.


NTT Research is testing its Jibo prototype as a chatty, mindful digital companion oriented to assisting the elderly in multifaceted ways. Sensors scattered around a home keep track of motion, temperature, CO2 levels, light levels and sound. A baseline gets established, deviations get analyzed and responses automatically get fine-tuned.

This all gets done leveraging well-established AI algorithms — but GenAI takes it to another level, says Chris Heidbrink, NTT Research senior vice president of AI & Innovation.

By factoring in human language cues, Jibo over time can start to detect sentiment and potentially identify health conditions based on conversations. “What we’re doing is combining traditional AI with quality data — and then bringing in GenAI is like adding polish to it,” Heidbrink told me. “GenAI allows us to plug in many different things, combine them together and have really deep conversations about them.”

Tech giants out front

Jibo is a microcosm of how GenAI is turbo boosting R&D prototypes of all kinds. Meanwhile, the dust storm clouding the tech horizon is being kicked up by enterprises in all sectors racing to deploy GenAI in support of their entrenched business models.

This GenAI gold rush is being led by the marquee tech giants. Like me, you may be beta testing Adobe’s “AI Assistant” prototype for Acrobat that allows you to type conversational commands directly into PDF documents. On my SEA to SFO flight, I sat next to a Meta software engineer and we chatted about how Microsoft’s $10 billion investment in OpenAI/ChatGPT is all about integrating ChatGPT into Windows and Office, while Google’s Gemini service is all about infusing GenAI into Google Search, Google Docs and YouTube.

Likewise, Facebook LLaMA is Meta’s attempt to extract more value from its core asset, Facebook users’ digital footprints. This, of course, raises profound privacy and cybersecurity questions that are just starting to heat up with the rising tide of GenAI-infused deep fake attacks.

Cybersecurity conundrum

Somewhat ironically, the cybersecurity industry itself is scrambling to integrate LLMs into emerging security platforms and frameworks to mitigate deep fakes, as well as to get in a better position to address sure-to-come iterations of cyber attacks enhanced by GenAI. (Stay tuned for Last Watchdog’s RSAC Insights podcasts from RSAC 2024, just around the corner.)

I broached this topic at Upgrade Reality 2024 with Moshe Karako, CTO of NTT Innovation Laboratory in Israel. On a whim, while waiting for a flight to Tokyo, Karako was able to persuade Microsoft’s Copilot chat tool to violate Microsoft policy and solve a captcha to gain him access to a secured website page.


Moshe used tried-and-true social engineering tactics, such as misspelling words and using persuasive language, to lower Copilot’s guard and manipulate the conversation in his favor. “All it took was playing with prompts to convince it to do what I needed,” Karako says. “And there’s no active solution today that can prevent this.”

Here we go again. Remember how email spam evolved into phishing attacks, ransomware and advanced persistent threats? This transpired over the past 20 years as business networks advanced from on-premises data centers to hybrid cloud. Along the way, cyber exposures mushroomed. Now GenAI has set us up for a repeat of that cycle — only at a breakneck pace of change.

The hype over the impact of GenAI is just getting started. I heard Vab Goel, founding partner of NTTVC, declare that GenAI will trigger 100X change 100 times faster than we saw in the Internet revolution. Another executive, Rajeev Shah, founder and CEO of Celona.io, put it best, I thought. Speaking on a panel discussion about the transformative potential of GenAI, Shah said this:


“Actually, I think, as a Silicon Valley (company) founder that it is very rare, and it’s actually the first time in my entire career, that I have been confronted with a technology that neither can I fully understand, nor can I fully grasp the potential. I don’t think any of us have fully internalized yet how transformative AI can be.”

So where will this democratization of AI take us over the next few months and in the next couple of years? That’s the turbo-boosted digital revolution we’re all about to experience. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


San Francisco and Tokyo, Apr. 11, 2024 – At Upgrade 2024, NTT Corporation (NTT) and NTT DATA announced the successful demonstration of All-Photonics Network (APN)-driven hyper low-latency connections between data centers in the United States and United Kingdom.

In the U.K., NTT connected data centers north and east of London via NTT’s Innovative Optical Wireless Network (IOWN) APN, and communication between them was realized with a round-trip delay of less than 1 millisecond. In the U.S., data centers in Northern Virginia achieved similar results. The goal of this initiative is to transform geographically distributed IT infrastructure into the functional equivalent of a single data center.

The data center market is under severe local constraints. Carbon dioxide emission restrictions and land shortages have made it difficult to build data centers in urban areas, forcing operators to turn to the suburbs. Yet with geographically distant data centers, delay of communication, or latency, can be very high, making it difficult to meet customers’ needs for low latency. In separate demonstrations, NTT and NTT DATA connected data centers in the U.K. (HH2 in Hemel Hempstead and LON1 in Dagenham) and in the U.S. (VA1 and VA3 in Ashburn) using APN equipment from NEC.

These U.K. and U.S. data centers are 89 km and 4 km apart, respectively. (See Figure 1.) Measurements in tests conducted over 100 Gbps and 400 Gbps links showed the two APN-connected data centers in the U.K. operated with less than 1 millisecond (approximately 0.9 milliseconds) of latency, and with a delay variation (sometimes called jitter) of less than 0.1 microseconds. (See Figure 2 and Table 1.)

According to cloud connectivity provider Megaport, typical delay between data centers at an equivalent distance exceeds 2,000 microseconds (2 milliseconds). In the U.S. case, delay over the much shorter span was approximately 0.06 milliseconds; and delay variation was less than 0.05 microseconds. By contrast, conventional networks with general Layer 2 switches experience delay variation of several microseconds to tens of microseconds. In other words, the APN cuts latency in half, and jitter by orders of magnitude.

The APN delivered very low latency required by current and emerging use cases. These include distributed, real-time AI analysis, such as industrial IoT and predictive maintenance, smart surveillance systems, smart grid and energy management, natural disaster detection and response and more.

NTT DATA is also conducting demonstrations in the financial sector, where low latency is required for remittances, settlements and transactions. Another advantage of the IOWN APN is that it enables line activation simply by adding wavelengths, without needing to install new dark fiber. As a result, data center operators can respond very quickly to customer demand.

About NTT: NTT contributes to a sustainable society through the power of innovation. We are a leading global technology company providing services to consumers and businesses as a mobile operator, infrastructure, networks, applications, and consulting provider. Our offerings include digital business consulting, managed application services, workplace and cloud solutions, data center and edge computing, all supported by our deep global industry expertise. We are over $97B in revenue and 330,000 employees, with $3.6B in annual R&D investments. Our operations span across 80+ countries and regions, allowing us to serve clients in over 190 of them. We serve over 75% of Fortune Global 100 companies, thousands of other enterprise and government clients and millions of consumers.

Media contact, Nick Gibiser,  Wireside Communications for NTT Corporation, Email: gibiser@wireside.com, Phone: +1-804-500-6660

Mountain View, Calif. – April 11, 2024 – Simbian today emerged from stealth mode with oversubscribed $10M seed funding to deliver on fully autonomous security.

As a first step towards that goal, the company is introducing the industry’s first GenAI-powered security co-pilot that integrates secure and intelligent AI solutions into diverse IT environments to maximize coverage and expedite resolutions to security teams’ ever-changing needs.

The co-pilot continuously observes user actions and environments, and learns to autonomously perform increasingly sophisticated tasks on its own with time. Simbian is committed to making security fully autonomous by delegating all tactical tasks to its trusted AI platform, allowing users to focus on strategic security goals.

Simbian, the name derived from the symbiotic relationship between humans and AI, has received initial investment from security and AI-focused investors Cota Capital, Icon Ventures, Firebolt and Rain Capital. Its founding team comprises leading AI researchers and security veterans who have created security products in broad use across enterprises today, and have 150+ patents across large language models, cloud computing, encryption, scalable architecture, transistors, and hardware design.

“Traditional approaches to security automation no longer suffice in today’s dynamic environments,” said Cota Capital Partner Aditya Singh. “Talent is getting scarce, and at the same time threat vectors are getting more complex. A fully autonomous security platform presents a big opportunity in the global cybersecurity market which, according to a cybersecurity market report, is to grow to $298.5 billion by 2028. Simbian is a leader in the field, using a deep understanding of the nuance and context of security automation that learns with AI and gets smarter and deeper over time.

Simbian’s founding team has a uniquely proven background, having built NVIDIA GPUs, confidential computing, and leading cloud security solutions. We are thrilled to join Simbian in the journey to fully autonomous security.”

In addition, 15 of today’s most successful business leaders back the company, including Olivier Pomel, Co-founder and CEO at Datadog; Pankaj Patel, Co-founder and CEO at Nile; Diogo Monica, Co-founder and CEO at Anchorage Digital; Joe Sullivan, former CSO at Facebook, Uber and CloudFlare; Bharat Shah, former CVP of Microsoft Security; Suresh Batchu, Co-founder and COO at Seraphic; Paul Albright, Operating Partner at Goldman Sachs; Pierre Lamond, legendary Silicon Valley investor; and Gokul Rajaram, board member at Coinbase and Pinterest.

Simbian’s GenAI-powered platform is the industry’s first security co-pilot that adapts to diverse IT environments and covers the entire gamut of security functions. Most businesses have a mix of software from multiple vendors and in-house software. Each business and each member of a security team have unique, ever-changing security needs.

Simbian helps every member of the security team from the CISO to the frontline practitioner solve their unique security needs in real-time. Users provide their goal in natural language, and Simbian’s patent-pending LLM-powered platform provides personalized recommendations and generates automated actions across heterogeneous environments – delivering better security outcomes, higher agility to evolving business needs and threats, and lower costs.

“Security is a domain of ever-increasing complexity,” said Sergey Gorbunov, Co-founder at Axelar. “Every day security incidents bring new variables. Simbian is taking a big step forward towards the mission of a fully autonomous security platform. We are excited to partner with them as it allows us to be strategic in our security goals, leaving the mechanics of security to Simbian.”

While security vendors are increasingly using GenAI, off-the-shelf GenAI models come with many security risks, including hallucinations, prompt injection risks, and exposure of PII and confidential data. Simbian minimizes these risks by leveraging a patent-pending hardened LLM system called TrustedLLM™ that utilizes multiple layers of security controls between the user and the GenAI models it uses under the hood.

“AI-driven security solutions can greatly improve threat detection, speeding remediation, and reducing complexity,” said Dave Gruber, Principal Analyst at Enterprise Strategy Group. “Simbian is bringing this vision to a reality, as they leverage AI to automate many of the more challenging, frequent security tasks performed by all levels of security analysts throughout their day.”

Simbian’s Co-founder and CEO Ambuj Kumar was most recently the Co-founder and CEO at Fortanix, a successful data security company, where he raised $135M+ and established the Confidential Computing security category. Mr. Kumar previously served as Lead Designer of NVIDIA GPUs and as Chief Architect at Cryptography Research Inc. Simbian’s Co-founder and CTO Alankrit Chona has extensive background in high scale platforms and data engineering from Twitter, and was a founding member of successful startups Afterpay and Spotnana.


“Security teams cannot keep up with the operational tasks they must do each day, despite years of investment in in-house automation and tools to make them more effective – which is why we founded Simbian,” said Ambuj Kumar, Simbian Co-Founder and CEO. “Early feedback and traction in the industry have been extremely positive, and we are excited to launch the company today.

A first in the industry, Simbian puts the security operator firmly in charge of security decisions, and we enable the user to interact with products across vendors to get things done. We stand unique in the industry with our ability to generate commands in code using LLM and based on a natural language user interface, and we enable users to craft permutations of the actions we support, all on the fly.”

About Simbian: Using GenAI, Simbian is the industry’s first company to integrate secure and intelligent AI solutions into business operations across diverse IT environments to maximize security coverage and speed resolutions to security teams’ most pressing ever-changing needs. Simbian, with its hardened TrustedLLM™ system, is the first to accelerate security by empowering every member of a security team, from the C-Suite to frontline practitioners, to craft tailored insights and workflows for their unique security needs – ranging from complex investigation and response to governance and reporting. The company is venture backed and headquartered in Mountain View, Calif. For more information, visit www.simbian.ai, or follow Simbian on https://www.linkedin.com/company/simbian/ and https://twitter.com/simbianai.

Media contact: Liz Youngs, Spalding Communications, 843-412-6327, liz@spaldingcomm.com

CISOs can sometimes be their own worst enemy, especially when it comes to communicating with the board of directors.

Related: The ‘cyber’ case for D&O insurance

Vanessa Pegueros knows this all too well. She serves on the board of several technology companies and also happens to be steeped in cyber risk governance.

I recently attended an IoActive-sponsored event in Seattle at which Pegueros gave a presentation titled “Merging Cybersecurity, the Board & Executive Team.”

Pegueros shed light on the land mines that enshroud cybersecurity presentations made at the board level. She noted that most board members are non-technical, especially when it comes to the intricate nuances of cybersecurity, and that their decision-making is primarily driven by concerns about revenue and costs.

Thus, presenting a sky-is-falling scenario to justify a fatter security budget, “does not resonate at the board level,” she said in her talk. “Board members must be very optimistic; they have to believe in the vision for the company. And to some extent, they don’t always deal with the reality of what the situation really is.

“So when a CISO or anybody comes into a board room and says, ‘if we don’t do this, this is going to happen,’ it makes them all feel anxious and they start to close down their thought processes around it.”

This suggests that CISOs must take a strategic approach, Pegueros observed, which includes building relationships up the chain of command and mastering the art of framing messages to fit the audience.

Last Watchdog engaged Pegueros after her presentation to drill down on some of the notions she highlighted in her talk. Here’s that exchange, edited for clarity and length.

LW: Why do so many CISOs still not get it that FUD and doom-and-gloom don’t work?

Pegueros: I think this is the case where CISOs understand the true gravity and risk of the situation and they feel a sense of urgency to drive action by senior management and the board. When that action does not materialize as they think it should, they start to use worst case scenarios to drive action.


In the end, the CISOs are just trying to do the right thing and resolve the issues threatening the organization. What they fail to realize is that the Board does not truly understand the risk of the situation and since nothing has happened up until that point, why would it happen now?

LW: What are fundamental steps CISOs can take to start to think and act strategically and communicate more effectively?

Pegueros: First, they need to understand the business including financials, customer concerns, product deficiencies and any macro level issues and how they are impacting the business. Next, they need to understand the priorities of the business and frame all the security priorities in the context of the business priorities.

If the CISO wants to drive better compliance, then they talk about how compliance is key to enabling sales and how the customers are demanding compliance to do business with the company. If they want better patching, then the CISOs should talk about how patched systems will improve availability of the product and therefore service to the customers.

If they want improved visibility around security logs, they can talk about the benefits of better visibility to the overall troubleshooting and improved efficiencies in operations. Boards won’t argue with more revenue, better availability (which drives revenue) or greater efficiencies (which save money).

LW: Is compliance an ace in the hole, in a sense, for CISOs? How do the SEC’s stricter rules come into play, for instance?

Pegueros: Compliance is not going to fix all the security risks. Many companies who are compliant with various regulations or frameworks have had breaches. I believe compliance sets a minimum bar and a CISO must leverage compliance initiatives to drive overall better security, but it is not sufficient in and of itself.

Compliance brings visibility to a topic. For example, with the SEC Cybersecurity Rules, Boards are now much more aware of the importance of cyber and are having more robust conversations relative to cybersecurity.

LW: Is it overly optimistic to suggest that companies will soon start viewing security as a business enabler instead of a cost center?

Pegueros: Sound cybersecurity practices and risk management are a differentiator for many non-regulated companies and are table stakes for highly regulated organizations. Enterprise customers are demanding and driving the conversation around cybersecurity.

They are demanding to understand how their vendors could potentially impact their customers and their reputation. The evolving and interrelated ecosystem that most companies exist in has the entrance fee of sound cybersecurity practices. In time, organizations who do not pay this entrance fee will be kicked out.

LW: Massively interconnected, highly interoperable digital systems of the near future hold great promise. Don’t we have to solve security to get there?

Pegueros: Understanding digital connectedness, the benefits, and risks of that relationship and how it enables strategic objectives is key for the board to understand. Security is just one risk element of this reality.

Boards need to dig in and understand all the key connection points and how they could enable or potentially hinder growth for the organization. We have a long way to go relative to boards because technology is disrupting the established norms and modes of operations relative to governance. Boards must evolve or their organizations will fail.


It’s a digital swindle as old as the internet itself, and yet, as the data tells us, the vast majority of security incidents are still rooted in the low-tech art of social engineering.

Related: AI makes scam email look real

Fresh evidence comes from Mimecast’s “The State of Email and Collaboration Security” 2024 report.

The London-based supplier of email security technology surveyed 1,100 information technology and cybersecurity professionals worldwide and found:

• Human risk remains a massive exposure. Some 74 percent of cyber breaches are caused by human factors, including errors, stolen credentials, misuse of access privileges, or social engineering.

• New AI risks have lit a fire under IT teams. Eight out of 10 of those polled expressed concern about the threats posed by AI, and 67 percent said AI-driven attacks will soon become the norm.

• Email remains the primary attack vector. The newest wrinkle: Generative AI tools, like ChatGPT, are giving rise to new attack paths, compounding the pressure from old standby threats, i.e., phishing, spoofing and ransomware.


“Emerging tools and technologies like AI and deepfakes, along with the proliferation of collaboration platforms are changing the way threat actors work; but people remain the biggest barrier to protecting companies from cyber threats,” observes Marc van Zadelhoff, Mimecast CEO.

One type of email-borne exposure that continues to gut-punch companies large and small is Business Email Compromise (BEC) fraud. A study issued last August by Gartner analysts Satarupa Patnaik and Franz Hinner drills down on how legacy endpoint protections are falling short in the post-Covid, GenAI operating environment.

BEC = big losses

Attackers finagle their way into corporate communications, mimicking or outright hijacking legitimate email accounts. They no longer bother with malware or links, instead focusing more so than ever on human failings. And it’s paying off to the tune of $2.7 billion in losses in just one year, according to the FBI.

The Gartner report highlights how BEC fraud often begins with an Account Takeover (ATO). Attackers infiltrate a user’s account to orchestrate their grand larceny, and the collateral damage can be significant: loss of trust from customers and business partners.

Patnaik and Hinner lay out an argument as to why companies need to get on with their due diligence and move towards upgrading to AI-based secure email gateway solutions, equipped with behavioral analysis and imposter detection. Indeed, the technology and best practices to do this are readily available. For enterprises looking to bolster their cyber-defenses, Gartner recommends:

• Leveraging GenAI in what amounts to a counter attack to granularly monitor and apply security policies to every email.

• Tapping proven controls such as DMARC, MSOAR, IAM and MFA to serve as an effective layered defense.

• Updating antiquated email protocols for financial transactions. Email alone should never be the gatekeeper for moving money or sensitive data.

• Implementing effective training to teach users and partners how to spot and sidestep BEC traps.
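The layered-defense recommendation above leans on DMARC, which is only as strong as the policy a domain actually publishes. The following is an added example, not code from the Gartner report, Mimecast or the author: a small Python checker that parses a DMARC TXT record (RFC 7489 tag syntax) and flags the settings that leave a domain open to spoofing, with a constructed weak record shown beside a hardened one. The record strings and the `example.invalid` mailbox are constructed sample data; the tag defaults (`pct=100`, `sp` inheriting `p`, relaxed alignment) follow RFC 7489.

```python
import re

# Constructed sample records (not taken from the page). The first is the
# "monitor only" starting point many domains never move past; the second
# is what a hardened policy looks like.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
HARDENED_DMARC = (
    "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
    "rua=mailto:dmarc@example.invalid; ruf=mailto:dmarc@example.invalid"
)

TAG_RE = re.compile(r"^\s*([a-z]+)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lowercase tag -> value pairs.

    Raises ValueError for records that are not DMARC1 or contain a
    malformed tag, so callers never assess a record that was not parsed.
    """
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        match = TAG_RE.match(part)
        if match is None:
            raise ValueError(f"malformed DMARC tag: {part.strip()!r}")
        tags[match.group(1).lower()] = match.group(2)
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means no weak setting found."""
    tags = parse_dmarc(record)
    findings = []

    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")

    # pct defaults to 100; anything lower leaves a slice of failing mail unenforced.
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")

    # sp defaults to the apex policy; an explicit sp=none leaves subdomains open.
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are unprotected even if the apex domain is")

    # Relaxed alignment (the default) lets any subdomain of the organizational
    # domain satisfy alignment; strict ('s') requires an exact domain match.
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed alignment: consider adkim=s and aspf=s for an exact-domain match")

    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected, so abuse goes unnoticed")

    return findings


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_DMARC), ("hardened", HARDENED_DMARC)):
        print(f"{label}: {rec}")
        for finding in assess_dmarc(rec) or ["no weak settings found"]:
            print("  -", finding)
```

In practice the record comes from the `_dmarc.<domain>` TXT lookup, and DMARC only has effect when SPF and DKIM are also published and aligned; the checker is meant to be run over the records a team already controls, so that a "p=none" left over from the initial monitoring phase is noticed and tightened.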

We now know what the post-Covid-19/GenAI threat landscape looks like, folks. One crucial layer to button down is human factors, which means advanced security for the most ubiquitous communication tool: email. I’ll keep watch and keep reporting.

The technology and best practices for treating cybersecurity as a business enabler, instead of an onerous cost-center, have long been readily available.

Related: Data privacy vs data security

However, this remains a novel concept at most companies. Now comes a Forrester Research report that vividly highlights why attaining and sustaining a robust cybersecurity posture translates into a competitive edge.

The report, titled “Embed Cybersecurity And Privacy Everywhere To Secure Your Brand And Business,” argues for a paradigm shift. It’s logical that robust cybersecurity and privacy practices need to become intrinsic in order to tap the full potential of massively interconnected, highly interoperable digital systems.

Forrester’s report lays out a roadmap for CIOs, CISOs and privacy directors to drive this transformation – by weaving informed privacy and security practices into every facet of their business; this runs the gamut from physical and information assets to customer experiences and investment strategies.

Last Watchdog engaged Forrester analyst Heidi Shey, the report’s lead author, in a discussion about how this could play out well, and contribute to an overall greater good. Here’s that exchange, edited for clarity and length.

LW: This isn’t an easy shift. Can you frame the barriers and obstacles companies can expect to encounter?

Shey: A common barrier is framing and articulating the value and purpose of the cybersecurity and privacy program. Traditionally it’s been about focusing inward on securing systems and data at the lowest possible cost, driven by compliance requirements.

Compliance matters and is important, but with this shift, we have to recognize that it is a floor not a ceiling when it comes to your approach. Building your program and embedding these capabilities with a customer focus in mind is the difference. You are trying to align business and IT strategies – and brand value – to drive customer value here. This is a key factor for building trust in your organization.

LW: How can companies effectively measure the success of cybersecurity and privacy integration into their operations?


Shey: This is something that calls for a maturity assessment. By understanding the key competencies required for this type of shift, organizations can better gauge their current maturity and identify capabilities they need to shore up to further improve. These key capabilities fall under the four competencies of oversight, process risk management, technology risk management, and human risk management.

For example, process risk management capabilities include how well the organization implements security and privacy in its customer-facing products and services as well as its own internal processes. It also covers the extension of security and privacy requirements to third-party partners and the ability to respond quickly and effectively to external questions from stakeholders such as customers, auditors, and regulators.

Within a maturity assessment like this, you can start to hone in on areas of improvement. If you’re doing a particular activity in an ad-hoc way today, establishing a repeatable process for it helps you push to the next level of maturity.

LW: Cultural change is acutely difficult. What should CIOs and CISOs expect going in; what basic rethinking do they need to do?

Shey: Re-examine their own relationship first, specifically the trust and empathy between CIO and CISO. You need to be partners in driving this. If the CIO and CISO are operating in silos, and do not have shared vision, goals, and values here, it will make broader organizational cultural change difficult.

LW: Some progressive companies are moving down this path, correct? What have we learned from them; what does the payoff look like?

Shey: Yes, and this goes back to a point I made earlier about a key outcome of building customer trust in your organization. Trusted organizations reap rewards. Our research and data on consumer trust have proven this. Customers that trust your firm are more likely to purchase again, share personal data, and engage in other revenue-generating behaviors.

There is also a benefit of stronger business partnerships. We operate in a world today where your business is the risk and how you adapt is the opportunity. Companies view it as a risk to do business with your firm, whether they’re purchasing products and services or sharing data with you. Your ability to comply with partners’ or B2B customers’ security requirements will be critical.

LW: What approach should mid-sized and smaller organizations take? What are some basic first steps?

Shey: Resist the urge to go buy technology as the first step. Emphasize strategy and oversight of your cybersecurity and privacy program, because you can’t embed the foundation for what you have not built yet. Align with a control framework as a starting point.

This will be your common frame of reference for connecting policies, controls, regulations, customer expectations, and business requirements. Recognize that as you mature your program, a Zero Trust approach will help you take your efforts beyond compliance.

Conduct a holistic assessment of technology and information risks to determine what matters most to the business, and identify the appropriate practices and controls to address those risks.

Set clear goals, such as a roadmap of core competencies to build and milestones. Identify clear lines of accountability to help make it transparent as to who is responsible for what, making it clear how each person on the team contributes to the program’s success.


The National Institute of Standards and Technology (NIST) has updated its widely used Cybersecurity Framework (CSF) — a free, widely respected landmark guidance document for reducing cybersecurity risk.

Related: More background on CSF

However, it’s important to note that most of the framework core has remained the same. Here are the core components the security community knows:

•Govern (GV): Sets the organization’s cybersecurity risk management strategy, expectations and policy, and keeps them aligned with business goals and with legal and regulatory obligations. This Function is new in 2.0. Governance was implied in earlier versions; it is now called out explicitly and depicted as informing every other Function.

•Identify (ID): Entails cultivating a comprehensive organizational comprehension of managing cybersecurity risks to systems, assets, data, and capabilities.

•Protect (PR): Concentrates on deploying suitable measures to guarantee the provision of vital services.

•Detect (DE): Specifies the actions for recognizing the onset of a cybersecurity incident.

•Respond (RS): Outlines the actions to take in the event of a cybersecurity incident.

•Recover (RC): Focuses on restoring capabilities or services that were impaired due to a cybersecurity incident.

Noteworthy updates

The new 2.0 edition is structured for all audiences, industry sectors, and organization types, from the smallest startups and nonprofits to the largest corporations and government departments — regardless of their level of cybersecurity preparedness and complexity.

Emphasis is placed on the framework’s expanded scope, extending beyond critical infrastructure to encompass all organizations. Importantly, it better incorporates and expands upon supply chain risk management processes. It also  introduces a new focus on governance, highlighting cybersecurity as a critical enterprise risk with many dependencies. This is critically important with the emergence of artificial intelligence.

To make it easier for a wide variety of organizations to implement the CSF 2.0, NIST has developed quick-start guides customized for various audiences, along with case studies showcasing successful implementations, and a searchable catalog of references, all aimed at facilitating the adoption of CSF 2.0 by diverse organizations.

The CSF 2.0 is aligned with the National Cybersecurity Strategy and ships with a suite of resources meant to keep pace with evolving cybersecurity needs, emphasizing a comprehensive approach to managing cybersecurity risk.


The CSF 2.0 Reference Tool simplifies implementation, enabling users to access, search, and export core guidance data in user-friendly and machine-readable formats. A searchable catalog of references allows organizations to cross-reference their actions with the CSF, linking to over 50 other cybersecurity documents – facilitating comprehensive risk management. The Cybersecurity and Privacy Reference Tool (CPRT) contextualizes NIST resources with other popular references, facilitating communication across all levels of an organization.
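As an added illustration of how a machine-readable core export can be put to work (this is example code, not NIST’s tool or the essayist’s), the script below runs a coverage gap analysis: it takes a Function -> Category -> Subcategory structure and a control inventory that maps each control to the subcategories it satisfies, then reports per-Function coverage, the subcategories nothing maps to, and any control that references an identifier not in the core. Both data sets are constructed for the example; the nesting is my own assumed shape, not the schema of the official Reference Tool export, and the subset of identifiers and category names should be checked against the official export before reuse.

```python
"""Coverage gap analysis of a control inventory against a CSF 2.0 core subset.

Added example, not part of the essay or of NIST's tooling. CSF_CORE is a
constructed subset in an assumed shape (Function -> Category -> Subcategory);
it is not the schema of the official Reference Tool export. Verify identifiers
and names against the official export before relying on them.
"""
from collections import defaultdict

# Constructed subset of the CSF 2.0 core (assumed shape for this example).
CSF_CORE = {
    "GV": {"name": "Govern", "categories": {
        "GV.OC": {"name": "Organizational Context",
                  "subcategories": ["GV.OC-01", "GV.OC-02"]},
        "GV.SC": {"name": "Cybersecurity Supply Chain Risk Management",
                  "subcategories": ["GV.SC-01", "GV.SC-04"]},
    }},
    "ID": {"name": "Identify", "categories": {
        "ID.AM": {"name": "Asset Management",
                  "subcategories": ["ID.AM-01", "ID.AM-02"]},
    }},
    "PR": {"name": "Protect", "categories": {
        "PR.AA": {"name": "Identity Management, Authentication, and Access Control",
                  "subcategories": ["PR.AA-01", "PR.AA-03"]},
    }},
    "DE": {"name": "Detect", "categories": {
        "DE.CM": {"name": "Continuous Monitoring", "subcategories": ["DE.CM-01"]},
    }},
    "RS": {"name": "Respond", "categories": {
        "RS.MA": {"name": "Incident Management", "subcategories": ["RS.MA-01"]},
    }},
    "RC": {"name": "Recover", "categories": {
        "RC.RP": {"name": "Incident Recovery Plan Execution", "subcategories": ["RC.RP-01"]},
    }},
}

# Constructed control inventory: each control lists the subcategories it satisfies.
# CTL-005 deliberately points at a stale identifier to exercise the warning path.
CONTROLS = [
    {"id": "CTL-001", "name": "Quarterly hardware asset inventory", "maps_to": ["ID.AM-01"]},
    {"id": "CTL-002", "name": "SSO with MFA for all staff", "maps_to": ["PR.AA-01", "PR.AA-03"]},
    {"id": "CTL-003", "name": "Network flow monitoring", "maps_to": ["DE.CM-01"]},
    {"id": "CTL-004", "name": "Incident response runbook", "maps_to": ["RS.MA-01", "RC.RP-01"]},
    {"id": "CTL-005", "name": "Legacy access policy", "maps_to": ["PR.XX-99"]},
]


def index_subcategories(core):
    """Return {subcategory_id: function_id} for every subcategory in the core."""
    owner = {}
    for fn_id, fn in core.items():
        for cat in fn["categories"].values():
            for sub_id in cat["subcategories"]:
                owner[sub_id] = fn_id
    return owner


def gap_analysis(core, controls):
    """Compute per-Function coverage, uncovered subcategories and dangling references."""
    owner = index_subcategories(core)
    covered = defaultdict(set)   # function_id -> set of covered subcategory ids
    unknown = []                 # (control_id, subcategory_id) not present in the core
    for ctl in controls:
        for sub_id in ctl["maps_to"]:
            if sub_id in owner:
                covered[owner[sub_id]].add(sub_id)
            else:
                unknown.append((ctl["id"], sub_id))

    report = {}
    for fn_id, fn in core.items():
        all_subs = {s for cat in fn["categories"].values() for s in cat["subcategories"]}
        report[fn_id] = {
            "name": fn["name"],
            "covered": len(covered[fn_id]),
            "total": len(all_subs),
            "uncovered": sorted(all_subs - covered[fn_id]),
        }
    return {"functions": report, "unknown_references": unknown}


def format_report(result):
    """Render the analysis as plain text, one line per Function plus gaps and warnings."""
    lines = []
    for fn_id, r in result["functions"].items():
        lines.append(f"{fn_id} {r['name']}: {r['covered']}/{r['total']} subcategories covered")
        for sub_id in r["uncovered"]:
            lines.append(f"    gap: {sub_id}")
    for ctl_id, sub_id in result["unknown_references"]:
        lines.append(f"WARNING: {ctl_id} references {sub_id}, which is not in the core")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(gap_analysis(CSF_CORE, CONTROLS)))
```

On the constructed data the report shows Govern with no coverage at all, which is exactly the kind of finding the new Function is meant to surface: an organization can have decent technical controls in Protect and Detect while having nothing that maps to governance outcomes. The warning for the dangling identifier matters in practice, since control libraries written against CSF 1.1 will carry subcategory IDs that were renumbered or retired in 2.0.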

NIST aims to continually enhance CSF resources based on community feedback, encouraging users to share their experiences to improve collective understanding and management of cybersecurity risk. The CSF’s international adoption is significant, with translations of previous versions into 13 languages. NIST expects CSF 2.0 to follow suit, further expanding its global reach. NIST’s collaboration with ISO/IEC aligns cybersecurity frameworks internationally, enabling organizations to utilize CSF functions in conjunction with ISO/IEC resources for comprehensive cybersecurity management.

About the essayist: Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant.

Congressional bipartisanship these days seems nigh impossible.

Related: Rising tensions spell need for tighter cybersecurity

Yet by a resounding vote of 352-65, the U.S. House of Representatives recently passed a bill that would ban TikTok unless its China-based owner, ByteDance Ltd., relinquishes its stake.

President Biden has said he will sign the bill into law, so its fate is now in the hands of the U.S. Senate.

I fervently hope the U.S. Senate does not torpedo this long overdue proactive step to protect its citizens and start shoring up America’s global stature.

Weaponizing social media

How did we get here? A big part of the problem is a poorly informed general populace. Mainstream news media gravitate toward chasing the political antics of the moment. This tends to dilute sober analysis of the countless examples of Russia, in particular, weaponizing social media to spread falsehoods, interfere in elections, target infrastructure and even radicalize youth.

Finally, Congress appears to be heeding lessons that have been available since the hacking of John Podesta’s email account, not to mention all of the havoc Russia was able to foment in our 2016 elections, attempting to interfere in 39 states.

One of the most chilling examples of Russia methodically continuing to leverage social media as a strategic weapon has attracted barely any news coverage at all. In 2011, a Russian company launched a meme-sharing app called iFunny aimed at disaffected young men. In short order, iFunny was downloaded 10 million times and became a tool for neo-Nazi terror groups to recruit Gen-Z males.

In the weeks leading up to the 2020 U.S. presidential election, authorities in North Carolina arrested a 19-year-old male with a van full of guns and explosives and charged him with plotting to assassinate then-Democratic presidential nominee Joe Biden. Federal court documents describe how the teenager had posted memes on iFunny questioning whether he should kill Biden, and had also run numerous Google searches for things like Biden’s home address and information about automatic weapons and night-vision goggles.

During this same time frame, investigators at Pixalate, a Palo Alto, Calif.-based supplier of fraud management technology, documented how iFunny distributed data-stealing malware specifically targeting smartphone users in the key swing states of Pennsylvania, Michigan and Wisconsin.

50 upcoming elections

It’s logical to assume China has been and will continue to borrow from Russia’s social media manipulation playbook.


“If the amount of data harvested by TikTok is similar to all other social media platforms then there is a bigger problem to deal with as misinformation and deepfakes are threats that are quickly growing,” observes Antonio Sanchez, principal evangelist at Fortra. “This could impact election outcomes and there are 50 countries having elections this year.”

Senate detractors insist that this bill, or any legislation that puts even a hint of guardrails around social media, will stifle innovation and impinge on civil liberties. Brandon Hart, CTO at Everything Blockchain, argues that this divest-or-be-banned mandate, aimed squarely at China, “could inadvertently infringe upon (civil) liberties, potentially eroding public trust and individual autonomy.”

Safety first

Hart advocates a more laissez-faire approach.


“A more fitting approach would be for the government to focus on identifying and elucidating potential threats, thereby empowering citizens to make informed decisions regarding the technologies they use,” Hart says.

Empowering citizens is all fine and well, but it is also true that the fundamental role of government is to keep the citizenry safe.


“A nation-state must protect its citizens and today, protection extends beyond bodily or physical harm,” observes Daniel Clemens, CEO of ShadowDragon. “The protection of a democratic government’s citizens may mean the protection of citizens’ data, which now justifies the intervention of nations.”

Clemens opines that forcing China to divest would be a “great step in countering the influence and outcomes from TikTok against a free society that does not need to be influenced by a regime that ignores basic human rights.”

Clemens further notes that even if made to divest, China still stands to reap a windfall in profits from the sale of TikTok. “China will continue to break international laws and push the boundaries on digital surveillance to advance its interests,” he says. “There’s no change there.”

Careful calibrations

Proponents also point out that this bill has been carefully calibrated to stop a specific, tangible threat: the likelihood that China will use TikTok strategically against the U.S.


“Consideration needs to be given to determining what kind of data has been and is being collected, and to what extent,” says Chris Strand, vice president, risk and compliance, at Cybersixgill. “Even in the event that no personal data is collected, there can still be reason to take action to prevent the abuse of data that relates to behaviors, emotions, and preferences, that can lead to nefarious outcomes, identity theft, and military operational intelligence.”

Clemens also adds that the West’s private sector has been moving away from China for years due to China’s rampant intellectual property thievery and censorship. “This sets an important precedent that signifies the US Government’s willingness to step in when consumer data is threatened,” Clemens says. “I hope to see more material regulatory actions against China in the future.”

I’d note that the concerted efforts by Chinese officials to downplay the significance of this bill are a sure sign that it has teeth, and, indeed, that it would deter America’s rivals from wielding social media as a strategic weapon against the U.S.

There’s no baseless paranoia here. Quite the opposite. The imperative for legislative intervention couldn’t be any clearer. We’re deep into a digital Pearl Harbor. Which way will the U.S. Senate pivot? We’ll soon find out. I’ll keep watch and keep reporting.



A close friend of mine, Jay Morrow, has just authored a book titled “Hospital Survival.”

Related: Ransomware plagues healthcare

Jay’s book is very personal. He recounts a health crisis he endured that began to manifest at the start of what was supposed to be a rejuvenation cruise.

Jay had to undergo several operations, including one where he died on the operating table and had to be resuscitated. Jay told me he learned about managing work stress, the fragility and preciousness of good health and the importance of family. We also discussed medical technology and how his views about patient privacy evolved. Here are excerpts of our discussion, edited for clarity and length:

LW: Your book is pretty gripping. It starts with you going on a cruise, but then ending up on this harrowing personal journey.

Morrow: That’s right. I was a projects manager working hard at a high-stress job and not necessarily paying any attention to the stress toll that it was taking on me over a number of years. Professionally, my plates were full. I was working 60 to 70 hours a week and that was probably too much.

Finally, my wife, Malia, said, ‘That’s enough!’ and she arranged for us to take a short cruise down the California coast to Mexico and back. By the time we got to the cruise terminal, my leg was hurting a little bit, it was just a little sore and I was limping a bit. Things quickly got a whole lot worse.

LW: It took quite some time to finally discover what was wrong.

Morrow: Initially, I went through a battery of different tests and even a series of operations, and they still weren’t sure. Finally, an orthopedic surgeon figured out that it was a cyst on my colon that would leak when I was under stress. This caused poisons to leak into my hip and infect the bone to the point where I contracted osteomyelitis, an excruciating bone infection.

All through this, I had to have three major operations, including removal of my femur. During one of my surgeries, I died on the operating table. I quit breathing. My heart stopped. There was no pulse or blood pressure and they had to use the paddles to bring me back to life and I was in a coma after that.

LW: How did technology come into play?

Morrow: Probably about every week I’d have to undergo an MRI. You’re inserted into a huge machine, and you’re not allowed to move. Then they spend what seems like hours checking various items. I couldn’t have survived without modern medical technology.

It helped the doctors, but it helped me even more so. The MRIs, the CAT scans and ultrasounds that I endured provided information that helped me understand what was going on. Knowing how things were progressing was very important to me.

LW: You told me your views on patient privacy shifted through the course of all this.

Morrow: It used to be you could just walk into the hospital and see a doctor with minimal fuss. Now, oftentimes, you have to check in through layered technologies that require several levels of proving you are who you say you are. This is because of HIPAA privacy functions but also because of the waves of ransomware attacks against health care facilities.

LW: Were you at any point concerned about your privacy being invaded?

Morrow: What I came to realize is that survival trumps privacy. By default, you give up all your personal privacy to receive medical treatment in a tightly controlled environment. In fact, once you’re in a hospital, you need to be assertive. The hospital staff is overworked and most often will fall back on protocol, and sometimes protocol just does not work; sometimes you need to push back.

LW: What’s the main thing you’d like your book to convey?

Morrow: To survive a hospital, you’re going to need a care advocate other than yourself. I’m assertive by nature. But if I didn’t have my wife, and on occasion my mother or my daughter with me, I would probably not have survived. It took all of us to figure out how the place actually functioned, and how to actually get certain things done.

The nursing staff and orderlies do a good job of taking care of most things, but if you’re not assertive, you’re going to find yourself at the low end of the chain. Someone must make sure you’re not falling through the cracks.



Americans lost a record $10 billion to scams last year — and scams are getting more sophisticated.

Related: Google battles AI fakers

Recently used to impersonate Joe Biden and Taylor Swift, AI voice-cloning scams are gaining momentum, and one in three adults admit they aren’t confident they could tell a cloned voice from the real thing.

Google searches for ‘AI voice scams’ soared by more than 200 percent over the course of a few months. Here are a few tips on how to avoid falling prey to voice-cloning scams.

•Laugh. AI has a hard time recognizing laughter, so crack a joke and gauge the person’s reaction. If their laugh sounds authentic, chances are there’s a human on the other end of the line, at least.

•Test their reactions. Say something a real person wouldn’t expect to hear. For instance, if scammers are using artificial intelligence to imitate an emergency call from your relative, say something out of place, such as “Honey, I love you.” Whereas a real person would react panicked or confused, an AI would simply reply “I love you too.”


•Listen for anomalies. While voice-cloning technology can be convincing, it isn’t yet perfect. Listen for unusual background noises and unexpected changes in tone, which may result from the variety of data used to train the AI model. Unusual pauses and speech that sounds as if it were generated by ChatGPT are also a clear giveaway that you’re talking to a machine.

•Verify their identity. Don’t take a familiar voice as proof that a caller is who they say they are, especially when discussing sensitive subjects or financial transactions. Ask them to provide as many details as possible: the name of their organization, the city they’re calling from, and any information that only you and the real caller would know.

•Don’t overshare. Avoid sharing unnecessary personal information online or over the phone. Scammers often phish for private information they can use to impersonate you by pretending to be from a bank or government agency. If the person on the other end seems to be prying, hang up, find a number on the organization’s official website, and call back to confirm their legitimacy.

•Treat urgency with skepticism. Scammers often use urgency to their advantage, pressuring victims into acting before they have time to spot the red flags. If you’re urged to download a file, send money, or hand over information without carrying out due diligence, proceed with caution. Take your time to verify any claims, even if they insist there’s no time.

About the essayist: Alexander Konovalov is the Co-Founder & Co-CEO of vidby AG, a Swiss SaaS company focused on Technologies of Understanding and AI-powered voice translation solutions. A Ukrainian-born serial tech entrepreneur, and inventor, he holds patents in voice technologies, e-commerce, and security. He is also a co-founder of YouGiver.me, a service that offers easy and secure communication through real gifts, catering to individual users and e-commerce businesses.