Former NSA director joins OpenAI’s Safety and Security Committee

OpenAI has announced the appointment of retired US Army General Paul M. Nakasone, former head of the National Security Agency (NSA), to its board of directors. Nakasone, who led the NSA from 2018 until earlier this year, will join OpenAI’s Safety and Security Committee. The committee, which CEO Sam Altman has made a priority, focuses on deepening the company’s understanding of how AI can be used to improve cybersecurity by identifying and countering threats more quickly.

The addition of Nakasone follows notable departures from OpenAI linked to safety concerns, including those of co-founder Ilya Sutskever and Jan Leike. Sutskever was involved in the controversial firing and reinstatement of Altman, while Leike has publicly criticised the company for prioritising product development over safety.

OpenAI board chair Bret Taylor emphasised the importance of developing and deploying AI securely in order to realise its potential benefits for humanity, and described Nakasone’s extensive cybersecurity experience as a valuable asset in guiding the organisation toward that goal.

The current OpenAI board comprises Nakasone, Altman, Adam D’Angelo, Larry Summers, Bret Taylor, Dr Sue Desmond-Hellmann, Nicole Seligman, and Fidji Simo, with Microsoft’s Dee Templeton holding a non-voting observer position.

US lawmakers press Microsoft president on China links and cyber breaches

At a House of Representatives Homeland Security Committee hearing on Thursday, Microsoft President Brad Smith faced tough questions about the company’s security practices and its connections to China. The scrutiny follows a significant breach last summer in which China-linked hackers accessed about 60,000 US State Department emails after infiltrating Microsoft’s systems. Earlier this year, Russia-linked hackers also read the emails of Microsoft’s senior staff, further intensifying concerns.

Lawmakers criticised Microsoft for failing to prevent these attacks, which exposed federal networks to significant risk. They pointed to a Cyber Safety Review Board (CSRB) report that faulted Microsoft for a lack of transparency about the China hack and called the intrusion preventable. Smith acknowledged the report’s findings and said Microsoft had acted on most of its recommendations. He emphasised the growing threat posed by China, Russia, North Korea and Iran, whose cyberattacks are increasingly sophisticated and aggressive.

During the hearing, Smith defended Microsoft’s role, arguing that the US State Department’s discovery of the hack demonstrated the collaborative nature of cybersecurity. Congressman Bennie Thompson was not satisfied, stressing that it is Microsoft’s responsibility to detect such breaches. Panel members also asked about Microsoft’s operations in China, given its substantial investments there. Smith said the company earns around 1.5% of its revenue from China and is working to reduce its engineering presence in the country.

Although Microsoft has faced significant criticism over the past year, some panel members, including Republican Congresswoman Marjorie Taylor Greene, commended Smith for accepting responsibility. In response to the CSRB’s findings, Microsoft has pledged to prioritise security above all else, having launched a new cybersecurity initiative in November to bolster its defences and ensure greater transparency going forward.

Surge in cyberattacks hits Switzerland ahead of Ukraine peace summit, authorities report

Switzerland is facing a significant rise in cyberattacks and disinformation campaigns ahead of this weekend’s summit, at which representatives from 90 countries will convene to discuss a resolution of the Ukraine conflict. At a press briefing on Monday, Swiss President Viola Amherd mentioned the recent spike in cyber assaults but declined to give specific details. Foreign Minister Ignazio Cassis said there was an evident intention to disrupt the impending peace negotiations.

While refraining from directly attributing the incidents to any particular nation, Swiss officials have hinted at Russia as the probable culprit, given its exclusion from the summit and its vocal criticism of the legitimacy of an event built around President Volodymyr Zelensky’s peace proposals.

The summit will take place near Lucerne and will draw participants from Europe, the Americas, Africa, the Middle East and Asia. In anticipation of potential threats, the Swiss National Cyber Security Centre (NCSC) has urged local organisations to bolster their security measures. Noting that large-scale international events are attractive targets for cyberattacks, the NCSC plans to set up an emergency centre for technical analysis and communication support. Swiss authorities also plan to deploy nearly 4,000 military personnel to secure the event, including air transport and surveillance support.

Despite ongoing tensions, Switzerland has not expelled Russian diplomats, a step taken by other European nations and the US in response to Russia’s actions in Ukraine, even though Swiss intelligence assesses that a significant proportion of Russian diplomats in the country may be engaged in intelligence activities.

Apple refuses bug bounty to Kaspersky researchers despite iPhone spy vulnerabilities disclosure

Apple has declined to award a bug bounty to the cybersecurity company Kaspersky after its researchers disclosed four zero-day vulnerabilities in iPhone software. The vulnerabilities were reportedly exploited to spy on Kaspersky employees and Russian diplomats. A Kaspersky spokesperson said the research team believed the findings were eligible for rewards under Apple’s bug bounty programme, but when they enquired, Apple’s security team declined, citing company policy.

Bug bounties give researchers an incentive to disclose vulnerabilities to vendors rather than sell them to malicious actors. Kaspersky’s disclosure last year revealed a highly sophisticated spying campaign dubbed ‘Operation Triangulation’. Eugene Kaspersky, the company’s CEO, described it as ‘an extremely complex, professionally targeted cyberattack’ affecting several dozen iPhones belonging to top and middle-management employees.

The campaign, suspected to be state-sponsored because of its sophistication and intelligence-focused targeting, relied on a multi-stage attack chain that Kaspersky’s write-up breaks down into 13 separate steps. Around the same time, Russia’s Federal Security Service (FSB) accused the United States and Apple of collaborating to spy on Russian diplomats.

The FSB’s allegations aligned with a claim by Russia’s computer security agency that both campaigns shared the same indicators of compromise. A particular concern was CVE-2023-38606, a vulnerability in an unusual hardware feature that iOS firmware does not use; Kaspersky suggested it may have ended up in the iPhone by mistake or have been left in for debugging purposes. Apple rejected claims that it had collaborated with any government to insert backdoors into its products, emphasising its commitment to user privacy and security.

Dutch authorities reveal extensive Chinese cyber-espionage operation

The Dutch military intelligence and security service (MIVD) has raised the alarm over a global Chinese cyber-espionage campaign that successfully targeted ‘a significant number of victims’, including Western governments, international organisations and the defence industry. The Netherlands’ National Cyber Security Centre (NCSC) detailed the operation in an advisory describing how state-sponsored hackers exploited a vulnerability in FortiGate devices for ‘at least two months before Fortinet announced the vulnerability’.

The vulnerability, identified as CVE-2022-42475, was exploited during this ‘zero-day period’ to compromise around 14,000 devices worldwide. In the Netherlands, the advisory says, the actor breached the internal computer network of the Dutch Ministry of Defence. After gaining access, the hackers deployed a remote access trojan (RAT) named COATHANGER to perform reconnaissance and exfiltrate user account information from the Active Directory server. It remains unclear how many of the compromised systems were infected with the COATHANGER malware. The MIVD warned that identifying and removing these infections is particularly challenging.
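As a practitioner’s check on the FortiGate side of this story, here is an added example (written for this page, not code from the Dutch advisory or from Fortinet) that triages the output of a FortiGate’s `get system status` command against the CVE-2022-42475 affected-version ranges. The ranges and fixed builds are transcribed from Fortinet advisory FG-IR-22-398 as an assumption to be verified against the current advisory text; the sample status outputs, hostnames and build strings are constructed. The caveat the Dutch advisory makes clear is built into the result: a device that is now on a fixed build may still have been compromised during the zero-day window, and the MIVD reports that COATHANGER survives reboots and firmware upgrades, so version triage scopes patching, not incident response.

```python
"""Triage FortiGate 'get system status' output against the CVE-2022-42475
affected-version ranges (FortiOS SSL-VPN heap overflow, Fortinet advisory FG-IR-22-398).
Added example for this page; not code from the Dutch advisory or from Fortinet."""
import re
from typing import Optional

Version = tuple[int, int, int]

# (first affected, last affected, first fixed) per FortiOS branch, inclusive.
# Assumption: transcribed from FG-IR-22-398; confirm against the current advisory.
# FortiOS-6K7K builds have separate ranges and are not covered here.
AFFECTED_RANGES: list[tuple[Version, Version, Version]] = [
    ((7, 2, 0), (7, 2, 2), (7, 2, 3)),
    ((7, 0, 0), (7, 0, 8), (7, 0, 9)),
    ((6, 4, 0), (6, 4, 10), (6, 4, 11)),
    ((6, 2, 0), (6, 2, 11), (6, 2, 12)),
    ((6, 0, 0), (6, 0, 15), (6, 0, 16)),
]

# Matches the 'vX.Y.Z' token on the Version: line, e.g.
#   Version: FortiGate-100F v7.0.8,build0418,221117 (GA.F)
_VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)")


def parse_version(status_output: str) -> Optional[Version]:
    """Return the FortiOS version from the 'Version:' line, or None if absent."""
    for line in status_output.splitlines():
        if line.strip().startswith("Version:"):
            m = _VERSION_RE.search(line)
            if m:
                major, minor, patch = (int(x) for x in m.groups())
                return (major, minor, patch)
    return None


def fixed_version_for(version: Version) -> Optional[Version]:
    """First fixed build if `version` falls in an affected range, else None."""
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return fixed
    return None


def _fmt(version: Optional[Version]) -> Optional[str]:
    return ".".join(map(str, version)) if version else None


def triage(status_output: str) -> dict:
    """Summarise one device: hostname, version, whether it sits in an affected
    range, and the build to upgrade to. 'affected' == False does NOT mean
    'not compromised': exploitation preceded the advisory, and the MIVD reports
    COATHANGER persists across firmware upgrades, so any device that was exposed
    during the zero-day window still needs forensic review."""
    hostname = None
    for line in status_output.splitlines():
        if line.strip().startswith("Hostname:"):
            hostname = line.split(":", 1)[1].strip()
    version = parse_version(status_output)
    fixed = fixed_version_for(version) if version else None
    return {
        "hostname": hostname,
        "version": _fmt(version),
        "affected": fixed is not None,
        "fixed_in": _fmt(fixed),
    }


# Constructed sample outputs (hostnames and build strings are made up).
SAMPLE_STATUS = {
    "fw-edge-01": "Version: FortiGate-100F v7.0.8,build0418,221117 (GA.F)\nHostname: fw-edge-01\n",
    "fw-edge-02": "Version: FortiGate-60F v7.0.9,build0444,230107 (GA.F)\nHostname: fw-edge-02\n",
    "fw-legacy": "Version: FortiGate-100E v6.0.3,build0200,181105 (GA)\nHostname: fw-legacy\n",
}

if __name__ == "__main__":
    for out in SAMPLE_STATUS.values():
        print(triage(out))
```

Feed it the captured `get system status` text from each firewall in an inventory; devices flagged `affected` need the listed build, and every device that was reachable on its SSL-VPN interface before the fix was applied belongs on the incident-response list regardless of the flag.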

“The NCSC and the Dutch intelligence services therefore state that it is likely that the state actor still has access to systems of a significant number of victims,” the report cautioned, emphasizing the ongoing threat posed by this extensive cyber-espionage campaign.

Japanese Prime Minister urges legislation for pre-emptive cyber defense system

Japanese Prime Minister Fumio Kishida has directed his government to expedite the drafting of legislation to establish an active cyber defense system, enabling pre-emptive measures against cyberattacks. Addressing the inaugural meeting of an expert panel convened at the prime minister’s office, Kishida emphasised the pressing need to bolster the country’s cyber response capabilities.

The government of Japan aims to present the proposed legislation during the upcoming extraordinary parliamentary session scheduled for autumn. During the meeting, Digital Transformation Minister Taro Kono outlined three critical areas for discussion – enhancing information sharing between the public and private sectors, identifying servers involved in cyberattacks, and determining the extent of governmental authority.

Kono urged the 17-member panel of cybersecurity specialists, lawyers and other experts to report progress on these issues within the coming months, highlighting the urgency of addressing cybersecurity challenges. He also stressed the importance of establishing a system on a par with those of the United States and European nations, while safeguarding the rights and interests of the public.

Google tests AI anti-theft feature for phones in Brazil

Alphabet’s Google has announced that Brazil will be the first country to test a new anti-theft feature for Android phones that uses AI to detect theft and lock the device. The initial test phase will offer three locking mechanisms. The first uses an on-device AI model to recognise movement patterns typical of theft and lock the screen. The second lets users lock the screen remotely by entering their phone number and completing a security challenge from another device. The third locks the screen automatically if the device stays offline for an extended period.

These features will be available to Brazilian users running Android 10 or higher from July, with a gradual rollout to other countries planned for later this year. Phone theft is a major problem in Brazil: nearly 1 million mobile phones were reported stolen in 2022, a 16.6% increase on the previous year.

In response to the rising theft rates, the Brazilian government launched an app called Celular Seguro in December, allowing users to report a stolen phone and block access to it from a trusted person’s device. As of last month, approximately 2 million people had registered with the app, leading to the blocking of 50,000 phones, according to the Justice Ministry.

US set to expand sanctions on semiconductor sales to Russia

The US government is set to announce expanded sanctions on semiconductor chips and other goods sold to Russia, targeting third-party sellers in China. The move is part of a broader effort by the Biden administration to thwart Russia’s attempts to bypass Western sanctions and sustain its war against Ukraine. The new measures will extend existing export controls to cover US-branded goods even when they are not made in the United States, and will name specific Hong Kong entities involved in shipping goods to Moscow.

These upcoming sanctions come as President Joe Biden prepares to attend a summit with other Group of Seven (G7) leaders in southern Italy, where supporting Ukraine and weakening Russia’s military capabilities are top priorities. US officials have expressed increasing concern over China’s growing trade with Russia, which they believe is enabling Moscow to maintain its military supplies by providing essential manufacturing equipment. The broadened export controls aim to address this issue by encompassing a wider range of US goods.

Additionally, the US plans to impose significant new sanctions on financial institutions and non-banking entities involved in the ‘technology and goods channels’ that supply the Russian military. The decision comes as Ukrainian President Volodymyr Zelensky prepares to use his meetings with G7 leaders to stress the critical situation facing Ukrainian forces in their ongoing struggle against Russia.

LinkedIn disables targeted ads tool to comply with EU regulations

In a move to align with the EU’s technology regulations, LinkedIn, the professional networking platform owned by Microsoft, has disabled a tool that facilitated targeted advertising. The decision was taken in adherence to the Digital Services Act (DSA), which imposes strict rules on tech companies operating within the EU.

LinkedIn’s move followed a complaint to the European Commission by several civil society organisations, including European Digital Rights (EDRi), Gesellschaft für Freiheitsrechte (GFF), Global Witness and Bits of Freedom. These groups raised concerns that the tool could allow advertisers to target users based on sensitive personal data such as racial or ethnic origin, political opinions and other personal characteristics inferred from their membership of LinkedIn groups.

In March, the European Commission had sent a request for information to LinkedIn after these groups highlighted potential violations of the DSA. The DSA requires online intermediaries to give users more control over their data, including an option to turn off personalised content, and to disclose how algorithms shape their online experience. It also prohibits the use of sensitive personal data, such as race, sexual orientation or political opinions, for targeted advertising. In recent years, the EU has been at the forefront of enforcing data privacy and protection laws, notably with the GDPR. The DSA builds on those principles, focusing more explicitly on the accountability of online platforms and their role in shaping public discourse.

A LinkedIn spokesperson emphasised that the platform remains committed to supporting its users and advertisers, even as it navigates these regulatory changes. “We are continually reviewing and updating our processes to ensure compliance with applicable laws and regulations,” the spokesperson said. “Disabling this tool is a proactive step to align with the DSA’s requirements and to maintain the trust of our community.” EU industry chief Thierry Breton commented on LinkedIn’s move, stating, “The Commission will monitor the effective implementation of LinkedIn’s public pledge to ensure full compliance with the DSA.” 

Why does it matter?

The impact of LinkedIn’s decision extends beyond its immediate users and advertisers. Targeted ads have been a lucrative source of income for social media platforms, allowing advertisers to reach niche markets with high precision. By disabling the tool, LinkedIn sets a precedent for other tech companies, underscoring the importance of regulatory compliance and user trust.

Google Play cracks down on AI apps amid deepfake concerns

Google has issued new guidance for developers building AI apps distributed through Google Play in response to growing concerns over the proliferation of AI-powered apps designed to create deepfake nude images. The platform recently announced a crackdown on such applications, signalling a firm stance against the misuse of AI for generating non-consensual and potentially harmful content.

The move comes in the wake of alarming reports highlighting how easily such apps can manipulate photos to create realistic but fabricated nude images of individuals. Reports have surfaced about apps like ‘DeepNude’ and its clones, which can strip clothing from images of women to produce highly realistic nude photos. Another report detailed the widespread availability of apps that can generate deepfake videos, leading to significant privacy invasions and the potential for harassment and blackmail.

Apps offering AI features must be ‘rigorously tested’ to guard against prompts that generate restricted content, and must give users a way to flag such content. Google strongly recommends that developers document the tests they run before launch, as Google may ask to review them later. Developers also may not advertise that their app breaks any of Google Play’s rules, on pain of being banned from the store. The company is also publishing other resources and best practices, such as its People + AI Guidebook, to support developers building AI apps.

Why Does It Matter?

The proliferation of AI-driven deepfake apps on platforms like Google Play undermines personal privacy and consent by allowing anyone to generate highly realistic and often explicit content depicting individuals without their knowledge or consent. Such misuse can lead to severe reputational damage, harassment and even extortion, affecting private individuals and public figures alike.