Microsoft ramps up cybersecurity efforts following critical review

Microsoft has made significant strides in enhancing its security culture following critical feedback from the United States Cyber Safety Review Board. The company launched its Secure Future Initiative (SFI) in late 2023, leading to the involvement of 34,000 engineers dedicated to cybersecurity efforts. CEO Satya Nadella has prioritised security across the organisation, even tying employee performance reviews to security goals in recent months.

Microsoft has implemented several changes to its security processes, including improvements to its Entra ID and Microsoft Account systems, reducing inactive tenants, and enhancing network tracking for better compliance. The company has also introduced stricter controls, such as limiting personal access tokens and eliminating SSH access for internal engineering repositories.

In its push for greater transparency, Microsoft is now publishing CVEs even when customer action is not required. It has also introduced new standards with a ‘Start Right, Stay Right, and Get Right’ approach to ensure that security protocols are integrated throughout its projects.

To oversee its cybersecurity efforts, Microsoft has established a Cybersecurity Governance Council and appointed several new deputy CISOs. The company has also launched a security skilling academy for employee training, reinforcing its long-term commitment to building a robust security culture.

ENISA set to develop cybersecurity certification scheme for EU’s digital ID wallets

The European Commission has tasked the EU Agency for Cybersecurity (ENISA) with developing a cybersecurity certification scheme for the EU Digital Identity (EUDI) wallets. That move aims to standardise and comprehensively secure digital identity wallets across EU member states.

ENISA will create harmonised requirements to support national certification schemes, involving the establishment of reference standards, procedures, and specifications crucial for security and privacy protection. The certification process will align with the Cybersecurity Act and ensure that EUDI Wallets are secure, protecting users’ privacy and personal data while allowing cross-border usability throughout the EU.

The European Digital Identity Framework, effective since May, requires EU member states to start providing EUDI Wallets within two years of adopting their implementing acts. The EC concluded its collection of input on the cybersecurity certification scheme earlier this month, with feedback highlighting the importance of preventing excessive consumer data sharing. ENISA will consider existing certification schemes, such as the European Cybersecurity Certification Scheme on Common Criteria, while developing the new framework.

Why does it matter?

ENISA’s ongoing collaboration with the eIDAS Expert Group and the Certification Subgroup, alongside recommendations from its Digital Identity Standards report and current EUDI Wallet pilot projects, will significantly influence the development of the certification scheme, ensuring a robust and trustworthy digital identification system across Europe.

Quad leaders set principles for Digital Public Infrastructure

The Quad leaders, comprising the United States, India, Japan, and Australia, outlined principles to guide the development and deployment of Digital Public Infrastructure (DPI) during their 6th Quad Leaders’ Summit in Wilmington, Delaware. Recognising the transformative power of digital technologies, they emphasised the need for DPI to foster inclusivity, ensure security, and promote scalability while respecting privacy and human rights.

The principles aim to provide a blueprint for governments and private sectors to collaborate on creating secure, interoperable digital systems. These systems would offer equitable access, support public service delivery, and drive sustainable development by addressing key challenges such as digital divides, privacy concerns, and cybersecurity risks. They focus on creating an inclusive, safe, and transparent digital ecosystem that can adapt to evolving demands, especially in pursuit of the UN 2030 Agenda for Sustainable Development.

Among the core principles are:

Inclusivity: Governments should strive to close digital divides by eliminating barriers that hinder access and ensuring no erroneous biases are embedded in digital systems.

Interoperability: DPI should be based on open standards that ensure compatibility across systems, balancing legal and technical requirements.

Scalability: Infrastructure should be designed to accommodate growing demand without significant disruptions.

Security and Privacy: DPI must integrate privacy-enhancing technologies and cybersecurity features to protect users’ data and ensure system resilience.

Collaboration: A culture of openness is encouraged by involving community actors and innovators throughout the DPI’s lifecycle.

Human Rights and Governance: DPI must respect human rights and be governed transparently to maximise public trust and benefit.

Sustainability: DPI should be built with sustainability in mind, ensuring long-term financial and technological viability.

These principles highlight the Quad’s commitment to ensuring that digitalisation leads to equitable, reliable, and sustainable outcomes for societies, strongly emphasising maintaining democratic values and human rights.

Snapchat’s balance between user safety and growth remains a challenge

Snapchat is positioning itself as a healthier social media alternative for teens, with CEO Evan Spiegel emphasising the platform’s different approach at the company’s annual conference. Recent research from the University of Amsterdam supports this view, showing that while platforms like TikTok and Instagram negatively affect youth mental health, Snapchat use appears to have positive effects on friendships and well-being.

However, critics argue that Snapchat’s disappearing messages feature can facilitate illegal activities. Matthew Bergman, an advocate for social media victims, claimed the platform has been used by drug dealers, citing instances of children dying from fentanyl poisoning after buying drugs via the app. Despite these concerns, Snapchat remains popular, particularly with younger users.

Industry analysts recognise the platform’s efforts but highlight its ongoing challenges. As Snapchat continues to grow its user base, balancing privacy and safety with revenue generation remains a key issue, especially as it struggles to compete with bigger players like TikTok, Meta, and Google for advertising.

Snapchat’s appeal lies in its low-pressure environment, with features like disappearing stories and augmented reality filters. Young users, like 14-year-old Lily, appreciate the casual nature of communication on the platform, while content creators praise its ability to offer more freedom and reduce social pressure compared to other social media platforms.

Canada pauses CBDC project after public disinterest

Canada’s central bank has halted its plans to develop a Central Bank Digital Currency (CBDC), focusing instead on research as other nations like China and Nigeria press ahead. The Bank of Canada initially launched the project in 2017 to explore the potential of a digital Canadian dollar. However, after years of investigation and public consultations, the bank has decided to rethink its approach due to low public interest and security concerns.

A recent survey revealed that 87% of Canadians said they would never use a digital currency, with 92% expressing a preference for traditional payment methods. Major concerns included cybersecurity threats and the privacy of digital transactions. Despite this, the central bank had maintained that the digital dollar would not replace paper currency but serve as a simplified way to make online payments.

While Canada shifts away from its CBDC project, other countries are making progress. China’s digital yuan pilot, for example, has already facilitated nearly $986 billion in transactions, making it the largest initiative worldwide. Global efforts to introduce CBDCs continue to grow, driven in part by geopolitical events and changing payment technologies.

Digital Skills Forum in Bahrain highlights global need for digital education, unveils new toolkit

The International Telecommunication Union (ITU) recently hosted the Digital Skills Forum in Manama, Bahrain, addressing the pressing need for digital skills in today’s technology-driven society. With nearly 700 participants from 44 countries, the forum emphasised urgent calls to action aimed at bridging the digital skills gap that affects billions around the globe.

‘Digital skills have the power to change lives,’ asserted Doreen Bogdan-Martin, ITU Secretary-General, highlighting the union’s dedication to fostering an inclusive digital society. In response to this challenge, ITU introduced the ‘Digital Skills Toolkit 2024,’ a comprehensive resource to support policymakers and stakeholders in crafting effective national strategies to close digital skills gaps.

That toolkit seeks to empower diverse sectors, including private enterprises and academic institutions, by providing essential insights and resources within an ever-evolving technological landscape. Furthermore, the forum underscored the importance of lifelong learning and continuous upskilling, particularly in advanced fields such as AI and cybersecurity. ‘Addressing the digital skills gap requires strong partnerships and a commitment to investing in digital education,’ emphasised Cosmas Luckyson Zavazava, Director of ITU’s Telecommunication Development Bureau.

Bahrain’s leadership in promoting digital skills was prominently featured, reflecting its dedication to international cooperation and innovation. Young entrepreneurs showcased their innovative approaches to digital education, demonstrating the transformative potential of technology in shaping the future.

UK’s National Cyber Security Centre leads international effort against botnet threat

The NCSC has collaborated with cybersecurity agencies from the United States, Australia, Canada, and New Zealand to effectively address the global botnet threat. That joint effort underscores the importance of international cooperation in tackling cyber threats that span multiple countries.

By combining their expertise and resources, these agencies have produced a comprehensive advisory that provides detailed information on the botnet’s operation, its impact, and the types of devices it targets. This collaboration ensures a robust and unified response to the threat, reflecting the global commitment to enhancing cybersecurity.

Moreover, the advisory issued by these agencies details how the botnet, managed by Integrity Technology Group and used by the cyber actor Flax Typhoon, exploits vulnerabilities in internet-connected devices. It includes technical information on the botnet’s activities, such as malware distribution and Distributed Denial of Service (DDoS) attacks, and offers practical mitigation strategies.

The advisory therefore underscores the need to update and secure devices so that they do not become part of the botnet, providing crucial guidance to individuals and organisations seeking to protect their digital infrastructure. This international collaboration also promotes proactive security measures and raises awareness of cybersecurity best practices. The joint advisory encourages users to safeguard their devices immediately so that they do not contribute to malicious activity.

China releases sensitive data guidelines

China’s National Information Security Standardization Technical Committee (TC260) introduced new guidelines titled ‘Cybersecurity Standard Practice Guidelines – Sensitive Personal Information Identification.’ These guidelines establish clear criteria for what constitutes sensitive personal information. Specifically, personal data is deemed sensitive if its unauthorised disclosure or misuse could harm an individual’s dignity, jeopardise their safety, or threaten their property.

In addition, the guidelines outline several key categories of sensitive personal information, such as biometric data, religious beliefs, specific identity details, medical and health information, financial account details, movement tracking data, and personal information of minors. Each category is illustrated with examples to assist organisations in effectively identifying and managing sensitive data.

Furthermore, the TC260 emphasises the necessity of evaluating individual data points and their combined effects when determining the sensitivity of personal information. That comprehensive approach ensures a nuanced understanding of the potential impacts of data breaches or misuse. By considering both isolated pieces of information and their possible cumulative effects, the guidelines provide a robust framework for assessing the risk levels associated with different data types.

Moreover, the TC260 underscores existing laws and regulations in China that may also define sensitive personal information. This reinforces the importance of organisations remaining informed about legal requirements and adhering to all relevant standards for safeguarding sensitive data.

NSA alerts on PRC-linked botnet threat

The National Security Agency (NSA), in conjunction with the Federal Bureau of Investigation (FBI), United States Cyber Command’s Cyber National Mission Force (CNMF), and international allies, has issued a critical cybersecurity advisory. Titled ‘People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations,’ the advisory reveals the extensive activities of cyber actors affiliated with the People’s Republic of China (PRC).

These actors have breached internet-connected devices worldwide, establishing a massive botnet. To address this threat, the NSA has outlined several key mitigations aimed at helping device vendors, owners, and operators secure their devices and networks. These recommendations include regularly applying patches and updates, turning off unused services and ports, replacing default passwords with strong alternatives, and implementing network segmentation to reduce IoT device risks.

Furthermore, the advisory suggests monitoring network traffic for signs of DDoS attacks, planning device reboots to eliminate non-persistent malware, and upgrading outdated equipment with supported models. Moreover, NSA Cybersecurity Director Dave Luber has emphasised the importance of the advisory, noting that it provides crucial and timely insights into the botnet’s infrastructure, the geographical distribution of the compromised devices, and effective mitigation strategies.

According to the advisory, the botnet encompasses thousands of devices across various sectors, with over 260,000 devices compromised in North America, Europe, Africa, and Southeast Asia as of June 2024. Consequently, this extensive network of affected devices highlights the urgent need for enhanced security measures to protect against such pervasive cyber threats.

BlackDice and Bin Omran join forces to boost Qatar’s cybersecurity

BlackDice and Bin Omran Trading and Telecommunication have launched a strategic partnership to significantly enhance Qatar’s cybersecurity infrastructure. The partnership will combine their expertise to deliver state-of-the-art cybersecurity solutions, with BlackDice leveraging its AI-powered security and data intelligence to safeguard critical infrastructure and sensitive information.

Additionally, their collaboration will focus on strengthening the cybersecurity capabilities of major telecom operators in the region, thereby boosting network resilience and protecting extensive personal and financial data. This comprehensive approach supports DA2030’s goal of creating a secure and resilient digital environment essential for Qatar’s economic diversification and social development.

By addressing the evolving needs of the digital landscape in Qatar, BlackDice and Bin Omran Trading and Telecommunication contribute to the nation’s ambition of becoming a global leader in technology and connectivity and ensuring robust protection against emerging cyber threats.