
Welcome to The Cybersecurity 202! This was me trying to watch the NBA Finals and the return of my favorite show “It’s Always Sunny in Philadelphia” while playing D&D with some pals. Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.

Below: Instagram launches a task force to fight against child sexual abuse material, and the FBI warns of AI-generated sexually explicit images being used for extortion. First:

SEC rules changes are the latest battleground over government cybersecurity mandates

Financial services industry groups banded together this week to call on the Securities and Exchange Commission to make significant changes to a proposed suite of cybersecurity rules, saying they are overly burdensome and conflict with one another.


A nonprofit group that pushes for tighter regulation of markets, though, said the rule doesn’t go far enough. And some organizations with cybersecurity expertise weighed in, too.

It’s the latest salvo in the back and forth between the Biden administration, which has advanced more government mandates on cybersecurity than its predecessors, and industry groups that are uneasy with that approach.

The rules

One proposal amends “Regulation S-P,” which is intended to safeguard personal information on customers of brokers, dealers, investment companies and investment advisers.

Covered entities would have to adopt incident response programs. And they’d have to notify customers within 30 days if their sensitive information had been, or was likely to have been, breached.

It would also add transfer agents, who keep track of owners of a publicly traded company’s stocks and bonds, to the list of entities that have to comply with the regulation’s requirements.

“When personal information or assets are stolen, the results can be calamitous,” Commissioner Caroline Crenshaw said at a March commission meeting. “It can lead to identity theft, stolen savings, ruined credit, and other effects that are personally disastrous for those implicated, and that can be systematically significant to the economy.”

Another regulation, known as the “Cybersecurity Risk Management Rule,” would levy new cybersecurity requirements on so-called “market entities” such as broker-dealers and transfer agents.

These covered entities would have to write, maintain and enforce procedures to address their cybersecurity risks.

They also would have to provide an “immediate” notification to the SEC if they suffer a major cybersecurity incident. And they’d have to notify the public on their websites about any incident they endured during the current or previous calendar year.

“The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades,” SEC Chairman Gary Gensler said when the commission announced the rule. “Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age.”

The last of the proposals — and the one that has so far garnered fewer comments related to cybersecurity — makes changes to “Regulation SCI,” a 2014 measure that was intended to increase the reliability and resiliency of technology systems. The idea was to prevent market disruptions like the multiday exchange closure in the wake of 2012’s Hurricane Sandy.


One of the reasons for the update is to “account for heightened cybersecurity risks,” as the proposal explains.

Changes to Regulation SCI would expand the definition of “system intrusion” to include things like “significant attempted” intrusions. It also would expand the definition to not just unauthorized entry, but any “cybersecurity attack that disrupts, or significantly degrades, the normal operation of an SCI system.”

It would require penetration testing to check for cybersecurity weaknesses annually instead of every three years. Covered entities would have to develop programs to prevent unauthorized access and maintain a written inventory of their systems, among other requirements.

Comments were due on Monday for the first two proposals. Groups have until next week to comment on the SCI rules.

The feedback

In a joint letter, the Securities Industry and Financial Markets Association, Bank Policy Institute, Institute of International Bankers and American Bankers Association criticized the Cybersecurity Risk Management Rule.

“A well-designed SEC rule could provide further clarity and guidance on strong cybersecurity practices, collaboration with government agencies, and proper cyber breach reporting,” the groups wrote. “However, the associations recommend that the Commission significantly revise the notice of proposed rulemaking in line with essential cross-government harmonization, greater simplicity and flexibility, appropriate deference to the input of other government agencies, and thoughtful consideration of the burdens, impacts, and justifications for certain of the proposed requirements in the Proposal.”


They were less critical, though, in their joint letter on the amendments to Regulation S-P, which they said “at times is too prescriptive and does not provide enough flexibility to covered institutions in responding to the unique circumstances that can arise during an incident.”

And they said the two regulations need to be harmonized with each other, as well as with proposed and existing rules at other agencies.

On that point, the groups got some backup from Microsoft. Given that the three proposals include notification requirements ranging from “immediate” to “48 hours,” the SEC should adopt 72 hours as the standard across the board, wrote Tom Burt, corporate vice president of customer security and trust at Microsoft.

Legislation signed into law last year would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency when they are hit by a major cyberattack within 72 hours. CISA must provide rules under the law by the fall of 2025.

Burt also took issue with the change to Regulation SCI that called for reporting of significant attempted intrusions.


“Identification of events that qualify as ‘significant attempted’ intrusions will consume considerable resources, result in confusing and inconsistent reporting, and yield little discernible benefit,” he said.

The advocacy group Better Markets contended that the Cybersecurity Risk Management Rule should be strengthened with additional measures.

“It must require stricter board oversight of cybersecurity policies and procedures as well as increased disclosures,” Stephen Hall, the group’s legal director and securities specialist, said in a news release. “That information should include whether a market entity has paid a ransom related to a cybersecurity incident; whether a market entity has a designated Chief Information Security Officer; and whether a market entity has an independent, third-party audit conducted on their cybersecurity policies and procedures.”


Hall said of the Regulation S-P changes: “We urge the SEC to finalize the proposal without weakening any of its elements.”

The keys

Defense Department’s reliance on Microsoft products raises safety, monopoly concerns in Congress

A Democratic member of the House Appropriations Committee, Rep. C.A. Dutch Ruppersberger (D-Md.), expressed concerns to Defense Secretary Lloyd Austin in February that the U.S. government’s heavy reliance on Microsoft for cyber tools and services poses a security risk and shuts out other vendors, Shaun Waterman reports for Newsweek.

The letter obtained by the outlet “asked whether that decision to buy the bundle of software and cybersecurity solutions provided best value for the taxpayer or locked the U.S. military into dependence on a single IT provider that cannot match its competitors' performance and will become more and more expensive over time,” Waterman writes.


“It is critical that DOD pursue a fair and open competition that ensures procurements for cybersecurity solutions are based on technical merits and are not limited to a single one-size-fits-all enterprise solution,” Ruppersberger wrote.

“We share this concern and we’re working towards a long-term balanced strategy,” Defense Department CIO John Sherman wrote in response to the letter.

Microsoft declined to comment on the matter to Newsweek. The company since 2017 has exclusively supplied the Defense Department with its Windows operating system and other applications.

The department’s Deputy CIO David McKeown in an interview with Newsweek rejected the idea of integrating cyber tools from different providers, arguing the agency can easily achieve its cyber goals with Microsoft’s bundles, while IT procurement representative John Weiler told the outlet that “doubling-down on Microsoft might shut out competitors.”

FBI warns of AI tools being used for sexual extortion and harassment

The FBI is warning that AI tools are being used to create sexually explicit materials for intimidation and extortion, Raphael Satter reports for Reuters.

“In an alert circulated this week, the bureau said it had recently observed an uptick in extortion victims saying they had been targeted using doctored versions of innocent images taken from online posts, private messages or video chats,” Satter writes. The bureau said the images have appeared “true-to-life” and in some cases are used against children.


“Once circulated, victims can face significant challenges in preventing the continual sharing of the manipulated content or removal from the internet,” the alert said.

The FBI did not detail what AI image tools were being used in the acts and did not respond to a request from Reuters that asked for additional information.

The agency noted technological advancements were “continuously improving the quality, customizability, and accessibility of artificial intelligence (AI)-enabled content creation.”

AI-generated images have been a flash point for artists and photographers concerned about copyright infringement. Such content has also been used to depict events that haven’t happened, risking panic.

Meta launching task force to fight against child sexual abuse material on Instagram

Meta is launching a task force to study how child sexual abuse material (CSAM) is disseminated and sold on its Instagram platform, our colleague Naomi Nix reports.

“The new effort by the Facebook parent company follows a report from the Stanford Internet Observatory which found large networks of accounts that appeared to be operated by minors openly advertising self-generated child sexual abuse material for sale,” Naomi writes.


Buyers and sellers of the material were able to connect through Instagram’s direct messaging feature and to exploit its recommendation algorithms to advertise the material more effectively, the report found.

The size of the sales network ranged between 500 and 1,000 accounts at a given time.

The company said it has separately dismantled 27 abusive networks between 2020 and 2022, and in January disabled more than 490,000 accounts that violated its child safety policies.

“Child exploitation is a horrific crime,” Meta spokesman Andy Stone said in a statement. “We work aggressively to fight it on and off our platforms, and to support law enforcement in its efforts to arrest and prosecute the criminals behind it.”

Naomi writes that the findings by the researchers “offer more insight on how internet companies have struggled for years to find and prevent sexually explicit images that violate its rules from spreading on its social network.” The company in 2021 paused development of an Instagram app for children amid pushback from some policymakers and child welfare advocates.

This Congress, lawmakers have reintroduced a bill that would remove liability protections for technology companies if they knowingly let users share CSAM. The bill, known as the EARN IT Act, has long been criticized by cybersecurity experts, who say it could undermine end-to-end encryption.

Daybook

The Cato Institute convenes an event on biometrics and privacy at 1 p.m.

Secure log off

Thanks for reading. See you tomorrow.
