Cyber Security Archives - TechInformed
https://techinformed.com/tag/cyber-security/

Black Hat USA 2024: Eight ways to achieve ‘Secure by Design’ AI
https://techinformed.com/black-hat-usa-2024-eight-ways-to-achieve-secure-by-design-ai/
Fri, 06 Sep 2024 09:40:50 +0000
Balancing the need to innovate and develop at speed with the need for security is keeping many cyber folks awake at night, or at least it was preying on the minds of the speakers who addressed Black Hat’s inaugural AI Summit, which took place in Las Vegas last month.

Occurring just a couple of weeks after the global CrowdStrike IT outage, which brought airports to a halt and forced medical facilities to resort to pen and paper, it felt the right time to reflect as firms find themselves under pressure to adopt AI faster and release products before they are properly evaluated.

Lisa Einstein, senior AI advisor at the US Cybersecurity and Infrastructure Security Agency (CISA), compared what she called “the AI gold rush” to previous generations of software vulnerabilities that were shipped to market without security in mind.

[Image: Global IT Outage: BSOD at airports. Caption: CrowdStrike outage: Failure in the design and implementation process had a global impact]

“We see people not being fully clear about how security implications are brought in. With the CrowdStrike incident, no malicious actors were involved, but there was a failure in the design and implementation that impacted people globally.

“We need the developers of these systems to treat safety, security and reliability as a core business priority,” she added.

The Internet Security Alliance’s (ISA) president and CEO, Larry Clinton, put it more bluntly: “Speed kills — today we’re all about getting the product to market quickly — and that’s a recipe for disaster in terms of AI.”

He added: “Fundamentally, we need to reorientate the whole business model of IT, which is ‘Get to market quick and patch’. We need to move to a ‘Secure by Design’ model and to work with government partners so we are competitive and secure.”

Many of the event’s sessions, which featured speakers from WWT, Microsoft, CISA and Nvidia, as well as the CIA’s first chief technology officer, were focussed on how organisations might achieve ‘Secure by Design’ AI, which TechInformed has summarised in eight key takeaways.

1. Do the basics and do them well

“You can’t forget the basics,” stressed veteran CIA agent Bob Flores during one of the event’s panel sessions. “You have to test systems and applications and the connections between the applications, and you have to understand what your environment looks like,” he added.

Flores, who, towards the end of his CIA career, spent three years as the agency’s first enterprise chief technology officer, asked Black Hat’s AI conference delegates: “How many of you out there have machines that are attached to the internet that you don’t know about? Everyone’s got one, right?”

He also warned that, with AI, understanding what’s in your network needs to happen fast “because the bad guys are getting faster. They can overcome everything you put in place.”

And while enterprises might think it’s safer to develop their own LLMs rather than to rely on internet-accessible chatbots such as ChatGPT, Flores is concerned that they might not be building in security from the beginning. “It’s still an afterthought. As you build these LLMs, you must think, every step of the way, like a bad guy and wonder if you can get into this thing and exploit it.”

2. Architect it out

Bartley Richardson, cybersecurity AI lead at GPU giant NVIDIA, advised the Black Hat crowd to look at AI safety from an engineering perspective.

“When you put together an LLM application, don’t just look at every block you’ve architected there; look at the connections between those blocks and ask: ‘Am I doing the best possible security at each of those stages?’ ‘Is my model encrypted at rest?’ ‘Are you putting safeguards in place for your prompt injections?’ This is all Security by Design. When you architect it out, these things become apparent, and you have these feedback loops where you need to put in security,” he explained.

3. Create a safe space to experiment

Matt Martin, founder of US cyber consulting firm Two Candlesticks and an AI Security Council member for Black Hat, advised that creating a controlled sandbox environment within which employees can experiment was important. “A lot of people want to use AI, but they don’t know what they want to do with it just yet – so giving them a safe space to do that can mitigate risk,” he said.

Martin added that it was important to understand the business context and how it was going to be applied. “Ensure someone in the company is in overall control of the projects. Otherwise, you’ll end up with 15 different AI projects that you can’t actually control and don’t have the budget for.”

4. Red team your products

Brandon Dixon, AI partner strategist at Microsoft, explained how the software giant is balancing advances in AI with security. “We’ve done that through the formation of a deployment safety board that looks at every GenAI feature that we’ve deployed and attaching a red teaming process to it before it reaches our customers,” he says.

Red teaming is an authorised, simulated attack used in cybersecurity to test how an organisation’s defences and its people would respond to a genuine cyber-attack.

“We’ve also formed very comprehensive guidance around responsible AI both internally and externally, consulting experts, which has enabled us to balance moving very quickly from the product side in a way that doesn’t surprise customers,” he added.

5. Partnerships are paramount

According to CISA’s Lisa Einstein, ‘Secure by Design’ relies on public and private enterprise partnerships. She added that this is particularly important in terms of sectors that provide critical infrastructure.

To this end, in 2021, CISA established the Joint Cyber Defense Collaborative (JCDC). This public-private partnership aims to reduce cyber risk to the nation by combining the capabilities of the federal government with private sector innovation and insight.

Einstein told conference delegates: “CISA only succeeds through partnerships because more than 80% of critical infrastructure is in the private sector in the US.

“We have a collective and shared responsibility. I’m seeing organisations that didn’t think they were part of this ecosystem, not realising that they have part of the responsibility. Tech providers also need to help these enterprises become more secure and keep everything safe,” she said.

Partnerships with and between vendors were also emphasised at the event. Jim Kavanaugh, longtime CEO and technology guru of $20 billion IT powerhouse World Wide Technology, spoke on the benefits of the firm’s long-term partnership with chipmaker Nvidia, including advances with AI.

In March this year, WWT committed $500 million over the next three years to spur AI development and customer adoption. The investment includes a new AI-proving ground lab environment and a collaboration ecosystem that uses tools from partners, including Nvidia.

While former CIA agent Flores recognised that such partnerships were crucial, he also stressed the need for firms to conduct robust assessments before onboarding.

“Every one of your vendors is a partner for success, but there are also vulnerabilities. They must be able to secure their systems, and you must be able to secure yours. And together, you must secure whatever links them,” he noted.

6. Appoint an AI officer

The conference noted the rise of the chief AI officer, who oversees the safe implementation of AI in organisations. This appointment is now mandatory for some US government agencies following the Biden Administration’s Executive Order on the Safe, Secure and Trustworthy Development and Use of AI.

These execs are required to evaluate different ways to deploy robust processes for evaluating use cases and AI governance.

While it was not a requirement for CISA to appoint a chief AI officer, Lisa Einstein stepped up to the role last month as the organisation recognised that it was important to its mission beyond having an internal AI use case lead.

“CISA wanted someone responsible for coordinating those efforts to ensure we were all going in the same direction with a technically sound perspective and to make sure that the work we’re doing internally and the advice we are giving externally is aligned so that we can adapt and be nimble,” she explained.

While this doesn’t have to be a board-level appointment, Einstein added that the person needs to be in the room with an ever-expanding roster of C-suite players: the CIO, the CSO, the legal and privacy teams, and the data officers when decisions and policies on AI are made.

Einstein added that, within ten years, the position should be redundant if she’s done her job well. “By then, what we do should be so ingrained in us that we won’t need the role anymore. It would be like employing a chief electricity officer. Everyone understands the role they must play and their shared responsibility for securing AI systems and using them responsibly.”

7. Weave AI into your business operations

For ISA chief Larry Clinton, Secure by Design starts with theory. For over a decade, his organisation has collaborated with the US National Association of Corporate Directors (NACD), the US Departments of Homeland Security, and the Board of Direct Justice on an annual handbook for corporate boards to analyse cyber risk.

According to Clinton, ISA is currently developing a version of this handbook specifically for working with AI, which will be released this fall.

Clinton claimed that enterprises need to bring three core issues to the board level.

“AI deployment needs to be done strategically. Organisations underestimate risks associated with AI and overestimate the ability of staff to manage those risks. This comes from an idiosyncratic adaptation of AI, which needs to be woven into the full process of business operations, not just added on independently to various projects,” he says.

The second issue, he said, was education and the need to explain AI impacts to board members rather than explaining the nuts and bolts of how various AI deployments work.

The third issue, he added, was communication. “It’s critical that we move AI out of the IT bubble and make it part of the entire organisation. This is exactly the same advice we give with respect to cybersecurity. AI is an enterprise-wide function, not an IT function.”

8. Limiting functionality mitigates risk

According to Microsoft’s Brandon Dixon, limiting the actions that an AI system is capable of is well within a human’s control and should, at times, be acted upon. The computer giant has done this with many of its first-generation copilot tools, he added.

“What we’ve implemented today is a lot of ‘read-only’ operations. There aren’t a lot of AI systems that are automatically acting on behalf of the user to isolate systems. And I think that’s an important distinction to make — because risk comes in when AI automatically does things that a human might do when it may not be fully informed. If it’s just reading and providing summaries and explaining results, these can be very useful and low-risk functions.”

According to Dixon, the next stage will be to examine “how we go from assertive agency to partial autonomy to high autonomy to full autonomy. At each one of those levels, we need to ask what safety systems and security considerations we need to have to ensure that we don’t introduce unnecessary risk.”

Black Hat USA: What lies beneath?
https://techinformed.com/blackhat-usa-what-lies-beneath/
Mon, 12 Aug 2024 11:35:32 +0000
Arriving in the scorching, 110-degree heat of the Nevada desert last week, throngs of cybersecurity folk descended on Mandalay Bay’s convention centre, located on the Vegas Strip, for Black Hat – one of the largest and most notorious conferences in the industry.

Perhaps because of its name – black hat is the term used for a computer hacker who violates the law for nefarious purposes – the conference still evokes suspicion from the locals in this burgeoning desert metropolis.

Going through security at Harry Reid, a passport official asked whether I was a hacker. I later watched a payment dispute play out between a taxi driver and a passenger. The car’s electronic payment system kept rejecting the passenger’s credit card: “Well what do you expect? The hackers are in town!” decried the passenger, by way of explanation.

And then there are the claims that Black Hat is one of the most hostile networks in the world. That, unless you switch your phone on airplane mode and use pen and paper, there’s a high chance you may get spammed by phishing emails – or worse. This may or may not be an exaggeration, but people may well test out exploits at an event like this, and security experts always advise on exercising caution.

But in truth the event – founded by ethical hacker and US Homeland Security advisor Jeff Moss over 25 years ago – is really all about keeping the bad guys out. While it grew out of Def Con (which takes place at the end of the same week and focuses more on the technical side of hacking), Black Hat aims to give enterprise engineers and software developers, CISOs and IT folk privileged insight into the minds and motivations of their hacker adversaries.

Keynote

This year, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), set the tone during Black Hat’s opening keynote, which focussed on security around the US elections as well as the recent CrowdStrike outage.

In March this year CISA called out China’s attempts to interfere with its electoral system, although Easterly assured that election infrastructure “has never been more secure” and that the community of election stakeholders has “never been stronger.”

[Image: CISA’s director Jen Easterly]

What makes the US election system arguably resilient to attacks is partly its siloed structure: Each city, county and state administers an election differently and, following Russian interference in the 2016 elections, work has been done to secure the electoral system (now designated as ‘critical infrastructure’) and support local state officials.

Nonetheless, Easterly recognised that it was vital not to get complacent and that threat actors continued to be “entrepreneurial”. One recent tactic she highlighted was Russian adversaries hiding behind unwitting US public relations firms to spread disinformation about the US presidential race.

Hostile states such as China, Russia and Iran, Easterly added, are all focussed on the same goal: spreading disinformation (false and incendiary claims) about US democracy to undermine faith in the election.

On US election day this year – due to take place on 5 November – Easterly appears to hold a strong faith in the system, not least because election officials are well-versed in dealing with crises.

“A poll worker will forget their key. There will be a storm, there will be a DDoS attack, but the good news is that they are natural born crisis managers and know how to deal with disruption and know how to respond,” she said.

CrowdStrike outage learnings

The beauty of an election is that you can plan for it, and for things to go wrong, even if, in the case of the UK election, you are only given six weeks’ notice.

However, last month’s CrowdStrike IT outage – which caused global disruption – caught most by surprise and highlighted the ubiquitousness of software in everything from payment systems to medical records.

Easterly – who woke up at 2am on the morning of the outage “to help get mitigation advice out there” – said that one of her first thoughts was: “This is exactly what China wants to do but without rolling back the updates to get services back online.”

[Image: CrowdStrike Windows update glitch. Caption: Vendors were broadly sympathetic towards CrowdStrike following outage]

Earlier this year, the US government exposed Chinese hackers, Volt Typhoon, for infiltrating American critical infrastructure to embed dormant malware, ready to activate in case of conflict, such as a Taiwan attack.

“Volt Typhoon is aimed at exposing our pipelines, derailing our systems to incite panic. And that’s the lesson I took away from the CrowdStrike outage. We need to build that resilience now, so we are prepared for mass disruption – and that includes working with private sector,” she said.

Easterly added that it also reinforced a message that her organisation has been hammering home to tech vendors lately: deploy software that is ‘secure by design’. She added that cyber security vendors should not be immune to this message either.

[Image: Black Hat: ethical hacking summit aimed at educating public & private sectors]

Most vendors I spoke with at the show were broadly sympathetic to CrowdStrike’s role in the outage. Several admitted that this could have happened to them and the majority were using it as an opportunity to ensure they had the right software update and testing processes in place.

The widespread global meltdown – caused by a faulty update in the manufacturer’s endpoint security product Falcon running in Windows – also didn’t stop delegates from flocking to CrowdStrike’s Black Hat booth. The snaking crowd appeared to be lining up for collectable giveaways that celebrated Falcon’s successful attempt to foil ransomware gangs such as Scattered Spider and Fancy Bear.

Security agency heads, however, might not be as easily convinced. For every company saved by Falcon there were arguably many more whose networks went down for days following Blue Screen of Death Friday.

Easterly told attendees at another session that day that delivering major improvements in computer security will require a sea change in how companies – especially big tech companies – approach building software.

“We have a multi-billion-dollar cybersecurity industry because for decades, technology vendors have been allowed to create defective, insecure, flawed software,” she said.

To force companies to devote greater resources to the security of their products, the Biden administration is considering how to carry out software liability reform, which in theory would allow those affected by software flaws to sue the makers of that product.

As it stands, restrictive liability waivers ensure that when technology companies make mistakes, they generally can’t be sued for them. And where they can be, damages are capped. Everyone is watching to see what happens with the lawsuit Delta Air Lines and others are bringing against CrowdStrike for losses caused.

Easterly added: “Congress can have a transformative impact by establishing a software liability regime with an articulable standard of care and safe harbour provisions for those vendors that innovate responsibly, prioritising secure development processes.”

Complex web

What such legislation doesn’t consider, perhaps, is the increasingly complex, interdependent nature of cloud-based environments. This isn’t a get-out-of-jail card for those more focussed on efficiency than resiliency, but the reality of working in agile environments.

As Black Hat founder Moss noted during the Black Hat Locknote wrap-up session, it’s not only getting harder for security leaders to keep an inventory of all the software in their enterprises, but for vendors too, who might not realise what libraries they are dependent on “under the hood”.

[Image: Black Hat founder, Jeff Moss]

Moss’s remarks followed Thursday’s keynote from Moxie Marlinspike, co-founder of encrypted messaging service Signal. According to Marlinspike, agile is not helping innovation but hindering it.

Agile ways of working, he argued, meant that teams end up siloed, working separately from each other, and without much visibility into what other teams are doing.

These teams also tend to lack visibility into some of the fundamentals of what makes their own products work, Thistle Technologies founder and CEO Window Snyder added during the wrap up session.

Moss added: “I worry that at some point you reach a world where we have these completely unknowable systems … you’re building this infrastructure on the cloud on top of a cloud on top of the cloud … and at some point, you completely lose the connection.”

He added that such complex systems can fail in completely unpredictable ways, and he wondered whether security leaders may have to come to terms with these failures and be ok with never being able to fully describe to management why it failed.

Another panel member pointed out that if the rate of such failures was relatively low it might be ok, but for mission-critical use cases with a low tolerance for failure, it might be dangerous.

Windows IT outage blamed on software update; CrowdStrike works on fix
https://techinformed.com/windows-it-outage-blamed-software-update-crowdstrike-works-on-fix/
Fri, 19 Jul 2024 09:32:30 +0000
A global computer outage that first hit Australia and has worked its way around the world as nations woke up this morning is “most likely” to have been caused by a misconfiguration in a cyber security threat checker, rather than malicious activity, according to former CEO of the National Cyber Security Centre Ciaran Martin.

The outage – first reported as Australia woke up – has affected dozens of banks, supermarkets, broadcasters, stock exchanges, airports and train lines around the world. It has also meant that Sky News in the UK could not broadcast live this morning.

Speaking on BBC Radio 4’s Today programme this morning, Martin said that information was emerging that attributed the outage to a misconfiguration in cyber company CrowdStrike’s Falcon sensor software update.

“This is heavily caveated because it’s all happened so quickly. In cyber security terms there’s a very well-known company called CrowdStrike which a lot of companies use for all sorts of corporate network protection, they provide updates.

“They were carrying out a sensor update on one called Falcon which seems to have been misconfigured in such a way that it wrecks Windows.

“So, if a company is using both CrowdStrike and Windows for its OS it seems they get, what people in the trade call a ‘blue screen of death’ [BSOD] and Windows doesn’t work. And that’s why, for time zone reasons, it seems to have emerged first in Australia.”

[Image: Ciaran Martin]

The expert continued: “These complex systems operate interdependently so the cyber security tools must be able to interact with Windows. Companies spend a lot of time, money and effort on both sides of that equation making sure that they are compatible when you are deploying things and making sure you don’t destabilise other parts of the network.

“Most of the time that works, occasionally it doesn’t. It’s very rare for it to be as serious as this.”

According to Martin, while these mistakes were rare, it happened to Facebook a couple of years ago when the social media company accidentally deleted itself from the internet by misconfiguring the domain name routing that the internet depends on.

“These things do happen. So, it’s very plausible that this isn’t an attack until we see evidence to the contrary.”

For its part CrowdStrike has acknowledged “reports of crashes on Windows hosts related to the Falcon Sensor” and is working on a fix to the Falcon sensor update bug.

US airlines United, Delta and American Airlines have issued a global ground stop while Irish carrier Ryanair warned of delays. Dozens of firms and organisations in Australia – where the bug first hit – are reporting ongoing issues.

The glitch has also meant that departure boards have frozen at Edinburgh Airport, and Berlin Airport has reported delays. A series of train companies – Thameslink, Southern, Gatwick Express and Great Northern – also reported “widespread issues” this morning across the entire network.

Google eyes cyber sec startup with $23bn price tag
https://techinformed.com/google-eyes-cyber-sec-startup-with-23bn-price-tag/
Tue, 16 Jul 2024 21:45:08 +0000
Alphabet, the parent company of Google, has entered advanced talks to acquire cyber security startup Wiz for around $23 billion.

According to the Wall Street Journal, a source familiar with the acquisition said it would be funded mostly in cash and would be the biggest acquisition the technology giant has ever made.

Founded in 2020, Wiz is led by former Microsoft exec Assaf Rappaport and has raised roughly $2 billion in funding. It was recently valued at $12 billion and is headquartered in New York.

The startup provides cloud-based cyber security solutions with real-time AI-powered threat detection.

It ingests data from Amazon Web Services, Microsoft Azure, Google Cloud, alongside other cloud platforms and then scans for security risk factors.

There has been speculation that Alphabet views the deal as a means by which to strengthen its Google Cloud business, which grew almost 30% in the first quarter of this year to just over $9.5bn.

Customers of Wiz include technology firms such as Siemens, Slack, and DocuSign, retailer ASOS and car manufacturer BMW.

According to its website, it generated about $250 million in revenue last year, and works with 40% of Fortune 100 companies.

Alphabet and Wiz did not immediately respond to requests for comment.


AT&T admits customer call and text data breached in cloud hack
https://techinformed.com/att-admits-customer-call-and-text-data-breached-in-cloud-hack/
Fri, 12 Jul 2024 19:14:20 +0000
US telco AT&T has revealed that “nearly all” of its customers’ calls and texts could be in the hands of hackers due to a breach of its cloud provider.

Customers affected include those on mobile virtual network operators that use the AT&T network such as Cricket, Boost Mobile, and Consumer Cellular.

Data from between May 1st, 2022, and October 31st, 2022, may have been exposed, as well as records from a “very small number” of customers on January 2nd, 2023.

The attackers obtained the information through the firm’s cloud provider, Snowflake, AT&T’s spokesperson Alex Byers told The Verge.

The telecoms firm knew of the breach in April, but an FBI spokesperson told TechCrunch that the bureau, AT&T and the Department of Justice “agreed to delay notifying the public and customers on two occasions, citing ‘potential risks to national security and/or public safety.’”

According to Byers, the stolen data includes phone numbers customers interacted with, counts of those calls/texts and total call durations for specific days or months.

It does not include the content of the calls or texts, time stamps, or Social Security numbers, dates of birth, or other identifiable information – however, a name can be matched to a phone number by simple actions taken with online tools.

AT&T said in a blog post that it does not “believe that the data is publicly available” and it has “taken steps to close off the illegal access point.”

“We will provide notice to current and former customers whose information was involved along with resources to help protect their information,” AT&T added.

“We sincerely regret this incident occurred and remain committed to protecting the information in our care.”


Hacktivists involved in Project 25 think tank breach disband
https://techinformed.com/hacktivists-involved-in-project-25-think-tank-breach-disband/
Thu, 11 Jul 2024 17:38:29 +0000
Threat group SiegedSec, which earlier this week took responsibility for hacking a think tank closely associated with the Republican Party, has announced that it is disbanding following a mass of publicity that has brought it to the attention of the FBI.

The self-proclaimed ‘gay furry’ hackers claimed to have infiltrated The Heritage Foundation – a US conservative think tank responsible for formulating the Republican Party’s so-called ‘policy wish list’, Project 25.

Chronologising the hack via Telegram and a stream of tech media interviews, the politically motivated hacker collective said that it had infiltrated the Washington DC-based think tank to oppose Project 25’s stance on transgender rights and had subsequently leaked two gigabytes of the foundation’s data.

The data is thought to have contained 72k unique email addresses, primarily used for commenting on articles (along with usernames, IP addresses, comments and stored passwords).

Additionally, the hacking group threatened to leak passwords, email addresses, and full names of every user, including US government employees and the Heritage president, Kevin Roberts.

The hacktivists later told media outlets that they had gained access to the data on July 2 and released it to provide “transparency to the public regarding who exactly is supporting Heritage”.

For its part, Heritage played down the hack, saying the two-year-old archive the group obtained contained incomplete password information and that the data was limited to usernames, names and email addresses of both Heritage and non-Heritage contributors.

The attack was carried out as part of SiegedSec’s “OpTransRights” campaign, which has previously included defacing government websites and stealing data from states either considering or implementing anti-abortion or anti-trans legislation.

However, today on Telegram the group announced its intention to quit cybercrime, largely for the wellbeing of its members. It said: “We planned to disband later today or tomorrow but given the circumstances I believe it’s best we do so now. For our own mental health, the stress of mass publicity, and to avoid the eye of the FBI.”

Random or targeted?

Keen to weigh in, cyber security experts have advised that, regardless of ideological stance, organisations operating in this sector must swiftly determine whether such attacks are random or, as in Heritage’s case, targeted.

Greg Day, VP and global field CISO at Cybereason, said: “With numerous political elections happening worldwide, it’s no surprise that cyber attacks are increasingly targeting this sector.

“Understanding the motive behind the breach and the actions taken during it is crucial. The ability to respond appropriately and promptly determines the commercial impact of the incident.

“In the past, only a few highly skilled incident responders had this knowledge. However, as breaches have become more common, the industry has adapted to enable businesses to manage these situations themselves.

Day claimed that this shift required a new perspective and more technology. “Instead of focusing on individual attack events, businesses need to consider the entire malicious operation.

“Historically, we’ve relied heavily on human analysis to piece together evidence, but today we should embrace data normalisation techniques to empower AI to detect adversaries amidst the overwhelming noise that most security teams face.”
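The normalisation-then-correlation approach Day describes, as an added illustration that is not Cybereason’s product logic or code from the article: three constructed log formats (an sshd syslog line, a JSON web access record and a CEF firewall event) are mapped onto one event schema, and the detection then reads the sequence of events per source address rather than each line on its own. The sample lines (using RFC 5737 test addresses), field names and thresholds are assumptions made for the example.

```python
"""Normalise three log formats into one event schema, then correlate per entity.

Added illustration, not Cybereason's product logic or code from the article. The
log lines are constructed, field names and thresholds are assumptions, and the
detected sequence (password guessing, then a success, then a bulk export from the
same address) stands in for the 'whole operation' view rather than single events.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str      # producing log: sshd, web, firewall
    src_ip: str
    user: str
    action: str      # normalised verb: login, request, download, connect
    outcome: str     # success or failure
    bytes_out: int = 0


# Constructed sample lines: syslog-style sshd, JSON web access, CEF firewall.
SAMPLE_LINES = [
    "2024-07-02T09:00:01Z sshd[100]: Failed password for alice from 203.0.113.9 port 5000",
    "2024-07-02T09:00:04Z sshd[100]: Failed password for alice from 203.0.113.9 port 5001",
    "2024-07-02T09:00:07Z sshd[100]: Failed password for alice from 203.0.113.9 port 5002",
    "2024-07-02T09:00:11Z sshd[100]: Accepted password for alice from 203.0.113.9 port 5003",
    '{"time":"2024-07-02T09:02:30Z","client":"203.0.113.9","user":"alice",'
    '"method":"GET","path":"/export/comments.csv","status":200,"bytes":2147483648}',
    "CEF:0|ExampleFW|FW|1.0|100|Connection allowed|3|rt=2024-07-02T09:05:00Z src=198.51.100.7 suser=bob act=allow out=512",
    '{"time":"2024-07-02T09:06:00Z","client":"198.51.100.7","user":"bob",'
    '"method":"GET","path":"/","status":200,"bytes":1024}',
]

SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_syslog_auth(line: str) -> Optional[Event]:
    m = SSH_RE.match(line)
    if not m:
        return None
    ts, result, user, ip = m.groups()
    return Event(_ts(ts), "sshd", ip, user, "login",
                 "success" if result == "Accepted" else "failure")


def parse_web_json(line: str) -> Event:
    rec = json.loads(line)
    action = "download" if rec["path"].startswith("/export/") else "request"
    return Event(_ts(rec["time"]), "web", rec["client"], rec["user"], action,
                 "success" if rec["status"] < 400 else "failure", rec["bytes"])


def parse_cef(line: str) -> Optional[Event]:
    parts = line.split("|", 7)  # seven pipe-delimited header fields, then key=value extensions
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        return None
    ext = dict(re.findall(r"(\w+)=(\S+)", parts[7]))
    return Event(_ts(ext["rt"]), "firewall", ext["src"], ext.get("suser", ""), "connect",
                 "success" if ext.get("act") == "allow" else "failure", int(ext.get("out", 0)))


def normalise(line: str) -> Optional[Event]:
    """Route a raw line to its parser; an unrecognised line yields None rather than a crash."""
    if line.startswith("{"):
        return parse_web_json(line)
    if line.startswith("CEF:"):
        return parse_cef(line)
    return parse_syslog_auth(line)


def correlate(events: List[Event], failed_threshold: int = 3,
              bulk_bytes: int = 1 << 30) -> List[Tuple[str, str, str]]:
    """Per source IP, in time order: at least failed_threshold failed logins, then a
    successful login, then a download of at least bulk_bytes. Returns (ip, user, summary)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.src_ip].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        failures, authenticated = 0, False
        for ev in sorted(evs, key=lambda e: e.ts):
            if ev.action == "login" and ev.outcome == "failure":
                failures += 1
            elif ev.action == "login" and ev.outcome == "success":
                authenticated = failures >= failed_threshold
            elif authenticated and ev.action == "download" and ev.bytes_out >= bulk_bytes:
                findings.append((ip, ev.user, f"{failures} failed logins, then a successful "
                                 f"login, then {ev.bytes_out} bytes out via {ev.source}"))
                break
    return findings


def run(lines: List[str] = SAMPLE_LINES) -> Tuple[List[Event], List[Tuple[str, str, str]]]:
    """Normalise every line that parses, then correlate; returns (events, findings)."""
    events = [e for e in (normalise(line) for line in lines) if e is not None]
    return events, correlate(events)
```

On the sample input `run()` returns one finding: password guessing from 203.0.113.9, a successful login, then a 2 GB export from the web tier. The thresholds are arbitrary; the point is the shape. Once every source lands in the same schema, the question “what did this address do next” can be asked across sshd, the web tier and the firewall at once, which is what makes the operation visible where any single line looks like noise.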

Labour’s next steps: Cyber security, AI, & Open-Source industry leaders weigh in
https://techinformed.com/labour-promises-tech-insights-cybersecurity-ai-open-source/
Thu, 11 Jul 2024 15:23:32 +0000

Following the recent change in government in the UK and the Labour Party’s landslide victory, a promise of change is on the horizon.

The Labour Party’s manifesto mentioned ‘technology’ and ‘innovation’ more frequently than any other party, suggesting that these will be central to the government’s efforts to enhance public services, boost productivity, and revitalise the UK economy.

We’ve previously discussed the promises made in the Labour manifesto as they pertain to technology in various sectors. But what are the perspectives of industry leaders on the future of UK tech policy and its potential impact on businesses?

TechInformed has gathered insights from Cybersecurity, AI, and Open-Source leaders to provide a comprehensive view of the industry’s positions.

Cybersecurity & Online Safety

The election has been criticised for neglecting cybersecurity, with the industry urging the new government to prioritise cybersecurity through strong legislation, proactive strategies, and securing critical infrastructure. There are also calls to swiftly implement and enforce the Online Safety Act to protect individuals and balance digital protections with free expression and privacy rights.

“With recent high-profile attacks on the NHS and MoD highlighting critical gaps in national security, the new leaders must play their part in ensuring that cybersecurity is a boardroom priority in all organisations with accountable outcomes, given that the UK is at high risk of a ‘catastrophic ransomware attack’.

“Cyber security efforts have remained stagnant even as threats rise, with 43 legacy systems at critical risk levels this year alone. The new government must take decisive action and hold all businesses accountable for improving the UK’s level of cyber preparedness through more robust and comprehensive legislation that ensures cyber security is taken more seriously.

“Government must advocate for building cyber resilience through proactive strategies, secure-by-design principles, and visibility into everything that is coming in and out of an organisation, including encrypted data. They must also lead by example, taking steps to secure the public sector itself, especially critical national infrastructure, as the traditional IT and security strategies underpinning these organisations are no longer sufficient for the extent of today’s sophisticated threats.”

Mark Coates, VP EMEA, Gigamon

“Details from the Labour Party have been minimal. However, what we do know from their manifesto is that they recognise the threat to our safety and security. They specifically call out the growing emergence of hybrid warfare, including cyberattacks and misinformation campaigns which seek to subvert our democracy.

“Labour proposes to tackle this by conducting a Strategic Defence Review. This will happen within Labour’s first year in government, and their manifesto states that it will set out the path to spending 2.5% of GDP on defence.

“I urge Sir Keir and the Labour Party to speak with a broad spectrum of people across the cyber security industry, including those at the front line of law enforcement activities. The reality of the problems and the needs of the UK must be seen and addressed in this review.”

Adam Pilton, cybersecurity consultant, CyberSmart

“For all the election noise, cyber security was absent. In a way, this is understandable; there are many other social and economic issues to focus on when trying to woo voters. But as the dust settles on this election, continuing to overlook cyber security would be a grave mistake.

“The electoral commission: hacked. NHS hospitals: hacked. Countless UK businesses: hacked. How many attacks are too many? With Labour coming into power for the first time in 14 years, a comprehensive strategy to strengthen the UK’s cyber defences is urgently needed.

“The EU is implementing the NIS2 directive. Why does the UK lag in securing its digital infrastructure? It’s time for the government to wake up, smell the coffee and develop a plan to change this.”

Al Lakhani, CEO, IDEE

“With the appointment of Peter Kyle as Secretary of State for Science, Innovation and Technology, it’s a vital time for Labour to reaffirm its commitment to online safety. The Online Safety Act, which Labour supported, has enabled the UK to lead the world in this space and set the direction for online platforms to make concrete changes that keep people safe.

“The new government must ensure that the Act is not only implemented swiftly but also enforced robustly to hold tech companies accountable. Keeping up the pace here will be crucial to tackling some of our biggest societal problems, such as protecting children and other vulnerable people from age-inappropriate, harmful, and illegal content. Child Sexual Abuse Material (CSAM) and fast-developing AI-generated harms like deepfakes and nonconsensual explicit content also demand urgent attention.

“While the focus is often on ‘Big Social’ regarding online safety in the media, we hope to see more focus on other user-to-user platforms, including video games, chat apps, and streaming services. Platforms must be held responsible for the content posted by their users to create safer online communities.”

Andy Lulham, COO, VerifyMy

Open Source

According to leaders in the field, the critical role of open-source technology in driving economic growth, enhancing public sector efficiency, and maintaining technological leadership calls for strategic government support and investment.

“Change must not only start now but must be digital. Only a fundamental shift in our digital policies and practices can impact the lives of every individual across the UK.

“This can be made possible by leading with digital funding the development of the right skills in open-source software. Leveraging a globally visible living CV created by open-source contribution will offer individuals who can currently code but have no employment experience the opportunity to be employed by global tech companies and hired as home workers with a proven track record of contribution.

“We should remember that these are employers who recruit based on skills, not location. In this way rurally based individuals can have international jobs, stemming talent flight, injecting international salaries into the UK economy whilst building our future tech sector.

“With 96% of software codebases having open-source software dependencies today, the public sector must learn how to manage open-source properly. Only this change allows interoperability that can open data flows between systems, unlock efficiency, and break patient and practitioner frustration in the NHS. Our new government owes the NHS this change.”

Amanda Brock, CEO, OpenUK

AI & Regulation

Leaders in the AI space stress the need for AI openness to prevent centralised control, urging the new government to learn from past technological developments. They emphasise tech investment, calling for the appointment of  Chief AI Officers in government departments and creating an AI fund to foster public-private innovation while ensuring privacy through synthetic data.

Industry-specific regulations, especially for healthcare and pharmaceuticals, are highlighted, alongside the need for a dedicated office to ensure diverse policy input. There’s also a strong call for robust AI processes to mitigate risks, ethical AI use, transparent policies, and continuous compliance to protect data and maintain public trust.

“AI will have an impact in the coming months and years like the internet in the last 20. But this time, everyone knows how the game plays out. We know the risk today is that AI ends up controlled by the hands of a few.

“This time, our new leaders must learn from the recent past. History will not be forgiving if they do not. To protect the UK’s AI leadership, Labour must look to open AI wherever possible. But it must do this with a considered understanding of what that means to open each component that makes up, from models to data, and what it means to be partially or fully open.

“It’s complex, yes, but we expect our leaders to be able to understand complex tasks and to cut through the distraction of the noise created by those who can shout loudest. The biggest risk the UK faces from AI today is that our leaders fail to learn the lessons of the last 20 years of tech and do not enable AI openness. Only Labour can bring this change.”

Amanda Brock, CEO, OpenUK

“It is crucial the new government places an emphasis on tech investment, particularly around AI, which will be paramount to streamlining services and enhancing citizens’ lives.

“We expect to see Chief AI Officers hired across government departments to ensure AI underlines the priorities in all the parties’ manifestos, while a foundational data strategy with governance at its core will help meet AI goals.

“An AI fund can also help promote public-private innovations and enable the commercialisation of data and assets globally through synthetic data. This approach would offer a unique opportunity to unlock value from data whilst maintaining robust privacy protections, as synthetic data can mimic real-world information without exposing sensitive personal details.

“Regarding AI regulation, it would be beneficial to establish industry-specific rules, with particular attention paid to sectors like healthcare and pharmaceuticals and their unique needs. For the pharmaceutical industry, in particular, there needs to be more robust agreements established on the use of medical data, with internal investment to manage and protect this data. This could include shared profits or IP rights provisions when companies benefit from UK resources.

“A dedicated office to oversee these initiatives would help to ensure that diverse voices are heard in shaping data and AI policies. These steps will be crucial for the new government to support data-driven industries and ensure they can capitalise on AI, thus positioning the UK as a global innovation powerhouse whilst ensuring sustainable growth and protecting national interests.”

James Hall, VP & country manager UK&I, Snowflake

“Labour’s promise to introduce “binding regulation” for AI safety will create ripple effects across the UK private and public sectors. And while stricter regulation for major AI firms is planned, organisations leaning on these emerging technologies will have to scrutinise their AI strategy here and now.

“With Labour’s wider review on the misuse of AI for harmful purposes, companies need to telegraph they are mitigating risk with AI. Both ‘good AI’ and ‘bad AI’ exist, and combatting threats from bad AI is critical in an increasing risk environment, as over half (59%) of IT leaders say that customer-impacting incidents have increased, growing by an average of 43% in the last 12 months.

“In light of regulation pressures and mounting risk factors, companies need to establish watertight AI processes and mechanisms to ensure the ethical use of AI; how are external AI threats being tackled? How are internal hygiene processes with AI protecting customers? CIOs and DPOs face a big set of tasks involving sticking close to regulators, sharing rigorous policy documentation publicly, and implementing clear and transparent network policies on data collection and information security.

“Compliance is a 24/7 job, and dropping the ball on this, with regards to areas like data protection, could result in hefty fines and loss of trust.”

Eduardo Crespo, VP EMEA, PagerDuty

For more tech-oriented coverage of elections around the world, check out our dedicated hub to the Year of Elections.

Cyber insurance rates fall although attacks are increasing
https://techinformed.com/cyber-insurance-rates-fall-although-attacks-are-increasing/
Mon, 01 Jul 2024 17:40:43 +0000

The cost of cyber insurance is stabilising, according to a recent report from insurance firm Howden, even though the number of ransomware attacks is rising.

Howden’s annual report found that premiums have been falling over the past year, a positive sign that companies are becoming more adept at curbing their losses from cybercrime.

The easing in cost follows a sharp rise in cyber insurance premiums during the Covid-19 pandemic (2021-2022), driven by an increase in cyber incidents.

However, as firms have bolstered their security, for example by adding multifactor authentication, insurance claims have become less frequent, the report says.

“MFA is the most basic thing you can do; it’s like locking the door when you leave the house,” said Sarah Neild, head of UK cyber retail at Howden.

A mix of increased attacks, heightened geopolitical instability and the proliferation of GenAI, alongside easing cyber security costs, is something the market has never experienced before, Neild added.

“The foundations for a mature cyber market, with innovation and exposure-led growth at its core, are now in place,” she said.

According to the report, price decreases are also due to a greater appetite by insurers to offer cyber insurance.

“Cyber insurance is key to strengthening resilience around the world and insurers are now in a strong position to bring about real change,” said Jean Bayon de La Tour, head of cyber, international, at Howden.

“This involves providing more capacity to meet pent-up demand in currently underpenetrated regions, including Europe, Latin America and Asia,” Bayon de La Tour continued.

Leading CISOs reveal how to secure the supply chain
https://techinformed.com/leading-cisos-reveal-how-to-secure-the-supply-chain/
Fri, 28 Jun 2024 09:19:14 +0000

When CISOs from leading organisations gathered at Infosecurity Europe earlier this month, the talk was firmly fixed on securing supply chains following the NHS blood test breach.

Synnovis, which manages tests for London-based NHS trusts and services, became the victim of a cyber attack carried out by the Russian group Qilin on 3 June – the day before Infosecurity Europe’s annual conference kicked off.

Compromised suppliers have been the source of many data breaches over the last couple of years, causing serious financial and reputational damage to the organisations that rely on them.

So it is no surprise that a key discussion across many conference sessions at Infosec this year involved CISOs and CIOs debating how best to achieve a secure supply chain.

According to Tom Mullen, senior operational security director at Motorola, gaining board buy-in for supply chain security investment is the first port of call, and that means conveying the message in terms the business understands.

“I’m competing against people who want money to drive up revenue,” he says, “so if I’m bidding for additional money, I need to get the board to understand how it will impact the business.

“They need to know that we’re going to tighten our controls so that we understand the supply chain risks and that we secure them correctly. They need to know that they are not wasting money and that we’re doing it in the right way,” he adds.

This might involve drawing on recent security incidents such as the one which happened at London’s hospitals, to illustrate the risk and to show what could happen if the right measures aren’t taken or invested in.

Another important step is to categorise suppliers in terms of risk – which, for large organisations and enterprises, is no mean feat.

Take the National Trust, for instance, which has around 24,000 suppliers, ranging from individual fencers to large IT suppliers. The British heritage organisation’s CIO Jon Townsend explains how its suppliers are categorised into tiers according to business criticality.

He explains: “It doesn’t matter about the business functions they are providing, what you need to understand is the business criticality of what they do. What service are we trying to acquire? What are the security concerns and how big are they?

“I’m sure that there are many conversations going on around London hospitals today reflecting on this point. We will look at things like whether they handle personal data; What’s the sensitivity of the data they hold? Are they a public-facing service?…Once you start categorising them, they tend to come together. Ranking them into tiers and then thinking about how you can do a more in-depth analysis and risk assessment on those key suppliers to the organisation is key,” he adds.

Show me the money!


For large multinationals such as Motorola, Mullen advises that firms look at where money is being spent internally, within different departments, and at what it is being spent on. This, he adds, often involves liaising with the finance, legal and procurement departments.

“This information needs to be captured in a central point,” he adds. “For instance, does someone in finance check that what has been bought goes via security? If a manager can spend below £40K without going through a procurement process, what happens if he goes out and buys two servers and plugs them into the network? It’s small things like that.”

He adds that you also need to look at physical contractors who come into close contact with systems, such as cleaners. “There’s so much to do, so many layers, so doing a risk assessment at the start is critical and you need to capture everything.

“And you need to make sure that procurement is engaged, legal is engaged, so that you make your contracts tight and stipulate where work can and can’t be outsourced.”

Mullen also recommends that firms do their due diligence before choosing suppliers: “Have they had any data breaches in the last couple of years? You have financial due diligence; how about security due diligence? You need to look at both.”

CISOs speaking at an Infosecurity Europe panel

Most CISOs agree that it’s one thing stipulating something in a contract and another managing it and auditing regularly. In terms of managing external suppliers Mullen says that Motorola sends out a security schedule audit to ensure that “everything they say they do, they do.”

He adds: “If a contract changes mid-year, does your procurement team run it back through again? Or if someone in IT negotiates or renegotiates a contract with BT or Cisco – has that gone through security?

“You really must work closely and have regular meetings with your procurement team, your finance team and ensure they are working together because if someone works differently, then you’ll miss something,” says Mullen.

Mahbubul Islam, a public sector CISO with 20 years’ experience, and Regina Bluman, a cyber security advisor at law firm Pinsent Masons, both advise that it is worth including penalties in contracts for suppliers who do not fulfil their contractual obligations.

“Rarely do you go down that route,” Islam says. “But if you do, and litigation comes in, then having assurance activities nailed is very important – although it’s best to sort it out before it gets to that point.”

Bluman adds that, from a law firm perspective, she often gets pushback from clients saying they don’t want to include penalties in contracts because they don’t want situations to reach that point.

“But it’s about having it in there so that if it does, then you protect yourself early,” she claims.

Pushback


In terms of pushback, larger firms can always use their buying power to ensure that contractors stick to their obligations.

Says Townsend: “You do get the odd occasion where suppliers are trying to cut costs and they are happy to take a risk from their own business perspective, but that might be impacting you through a supply chain risk.

“If you get the hard facts through an audit that says something doesn’t meet the required standard you’ve got a choice: ultimately you can choose a different supplier. We’ve had to end contracts with organisations because they were not meeting the required standards.”

Mullen adds that there are grey areas, and a degree of flexibility is often needed.

“No one can guarantee 100% security, we all know that. You must be reasonable when you look at a contract. If someone does come back with something and they say ‘we can’t guarantee against that risk, but we can mitigate it in this way…’ then you can agree to go forward.”

Bluman adds that in the UK the new Procurement Act, which comes into force this October, will require all contracts worth over £5m to include three supplier KPIs that must be declared publicly. “I’m waiting for someone to publish their security KPIs,” she adds.

Support for SMEs


The danger with making demands on contractors is that only the bigger suppliers can afford to meet a client’s requirements. How can nonprofits and innovative new start ups ensure that they have all the controls needed to fulfil a contract without blowing their entire funding on security?

It’s a challenge that Cheryl Sims-Hancock, cybersecurity lead at the Alzheimer’s Society also addressed at the conference, as she believes that bigger charities and organisations have a duty to support smaller players.

“In the charity sector we try to support smaller operators, different charities and innovators who are trying to bring things to market. One of the challenges in these small, very dynamic orgs is there is no one – it might be a two- or three-person company; they don’t have human resources.

“The challenge we have to address is what can we and the cyber industry do to help others ensure that third party risk is nailed down, so when we are talking to partners and potential suppliers, we can give them advice and provide them with a route.”

Mullen adds that the government is doing some work with SMEs and charities and helps with free resources, but enterprises should be helping too.

“We want to deal with promising start ups but maybe they haven’t got the security lined up but maybe we can help them. Let’s help them grow secure. We need to do more of that,” he says.

SBOMs


Another important conversation many cyber security heads are having now, is whether to demand a Software Bill of Materials (SBOM) from suppliers.

An SBOM is a formal, machine-readable inventory of the components, libraries and modules that go into a piece of software, typically recording each component’s name, version, supplier and licence. Think of it as the ingredient list for a recipe, but with package names and versions rather than eggs and flour.

Some cyber security experts argue that SBOMs are a crucial tool for tracking vulnerabilities in a system: when a new flaw is disclosed in a library, an SBOM shows which products along the supply chain contain it, and it flags outdated open-source components before they become an incident.
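A first-pass check of the kind described above, as an added example that is not code from the article, from Motorola or from any of the CISOs quoted: it parses a constructed CycloneDX-style SBOM, pulls ecosystem, name and version out of each component’s package URL, and matches them against made-up vulnerability records in the half-open [introduced, fixed) range shape that OSV uses. The package names, vulnerability IDs and the SBOM itself are assumptions for the example.

```python
"""Match an SBOM's components against vulnerability records.

Added illustration, not TechInformed's, Motorola's or any vendor's code. The SBOM
is a constructed CycloneDX-style JSON document and the vulnerability records are
made-up entries in the shape OSV uses (half-open [introduced, fixed) version ranges).
Package names and vulnerability IDs are assumptions for the example.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample SBOM for a hypothetical supplier application.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-json", "version": "2.4.1",
         "purl": "pkg:maven/com.acme/acme-json@2.4.1"},
        {"type": "library", "name": "acme-log", "version": "1.9.3",
         "purl": "pkg:maven/com.acme/acme-log@1.9.3"},
        {"type": "library", "name": "leftpad-ng", "version": "0.3.0",
         "purl": "pkg:npm/leftpad-ng@0.3.0"},
        # No version recorded at all: the bill cannot answer the question for this one.
        {"type": "library", "name": "no-version-lib", "purl": "pkg:npm/no-version-lib"},
    ],
})

# Constructed vulnerability records (made-up IDs, not real advisories).
SAMPLE_VULNS = [
    {"id": "EXAMPLE-2024-0001", "ecosystem": "maven", "package": "com.acme/acme-log",
     "introduced": "1.0.0", "fixed": "1.9.4"},
    {"id": "EXAMPLE-2024-0002", "ecosystem": "maven", "package": "com.acme/acme-json",
     "introduced": "2.0.0", "fixed": "2.4.0"},
    {"id": "EXAMPLE-2024-0003", "ecosystem": "npm", "package": "leftpad-ng",
     "introduced": "0.0.0", "fixed": None},  # no fixed release published yet
]

# pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>; qualifiers and subpath dropped.
PURL_RE = re.compile(r"^pkg:([^/]+)/(.+?)(?:@([^?#]+))?(?:[?#].*)?$")


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    vuln_id: str
    fixed: Optional[str]  # None means no fix is available


def parse_purl(purl: str) -> Tuple[str, str, Optional[str]]:
    """Split a package URL into (ecosystem, name, version); version may be absent."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a package URL: {purl}")
    return m.group(1), m.group(2), m.group(3)


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted-version tuple; stops at the first non-numeric piece (pre-release tags)."""
    parts = []
    for piece in re.split(r"[.\-+]", v):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed, or version >= introduced and no fix exists."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json: str, vulns: list) -> Tuple[List[Finding], List[str]]:
    """Return (findings, names of components the SBOM gives no version for)."""
    sbom = json.loads(sbom_json)
    findings, unversioned = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        ecosystem, name, version = parse_purl(purl)
        version = version or comp.get("version")
        if not version:
            unversioned.append(name)  # a gap to raise with the supplier, not a clean result
            continue
        for vuln in vulns:
            if (vuln["ecosystem"] == ecosystem and vuln["package"] == name
                    and is_affected(version, vuln["introduced"], vuln["fixed"])):
                findings.append(Finding(name, version, vuln["id"], vuln["fixed"]))
    return findings, unversioned


if __name__ == "__main__":
    found, missing = match_sbom(SAMPLE_SBOM, SAMPLE_VULNS)
    for f in found:
        print(f"{f.component}@{f.version}: {f.vuln_id} (fixed in {f.fixed or 'no release yet'})")
    for name in missing:
        print(f"{name}: no version in SBOM, cannot assess")
```

Two caveats the code makes explicit: a component with no version (the last entry) is reported as unassessable rather than silently passing, and a match only says a vulnerable version is present, not that the vulnerable code is reachable in the supplier’s product. That second question is the point at which the work goes back to the supplier rather than being done for them.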

“This is something we’re looking at but we’re in the very early stages,” reveals Townsend.

“SBOMs are a fine balance – how far do you go in doing your supplier’s job for them in assessing their security? Maybe it’s better to simply identify a supplier you can trust and believe in so that when you do have a new concern over a vulnerability you can work together and rapidly engage with your supply chain,” he suggests.

According to Mullen, Motorola’s US colleagues are using SBOMs to combat supply chain vulnerabilities, but he agrees that there’s only so far you can go with your suppliers without doing their work for them.

“Also,” he adds, “that’s just looking at software. I’m also looking at hardware, I’m looking at physical contractors, I’m looking at all sorts –  so if I’m making it more complex in more areas, then that’s going to involve more resources,” he says.

Bluman adds that Pinsent Masons is having “more conversation with clients around SBOMs”.

She expands: “It’s early days but we’re starting to see more people add that to their supply chain intelligence. But it’s also about the maturity of a provider rather than the actual value of the list of components.”

Healthcare sector experienced 4x global average of cyberattacks last year
https://techinformed.com/healthcare-sector-experienced-4x-global-average-of-cyberattacks-last-year/
Mon, 24 Jun 2024 19:37:24 +0000

Amid news of a ransomware attack that saw 400GB of sensitive NHS patient data exposed online, a report has revealed that healthcare firms were hit with four times as many cyber attacks as the global average in 2023.

The report, compiled by cyber security firm KnowBe4, found that in the first three quarters of last year the sector experienced 1,613 cyber attacks per week.

Additionally, the average cost of a breach reached nearly $11 million over the past three years, more than three times the global average – making the healthcare industry the costliest for cyberattacks.

According to KnowBe4, healthcare and pharmaceutical firms are among the most vulnerable to phishing, particularly in large healthcare organisations, where an employee has a 50% likelihood of falling for a phishing email.

In other words, criminals have roughly a coin-flip chance of successfully phishing any given employee in the sector.

“The healthcare sector remains a prime target for cybercriminals looking to capitalise on the life-or-death situations hospitals face,” said Stu Sjouwerman, CEO of KnowBe4.

“With patient data and critical systems held hostage, many hospitals feel like they are left with no choice but to pay exorbitant ransoms. This vicious cycle can be broken by prioritising comprehensive security awareness training,” Sjouwerman advised.

One recently reported breach was the ransomware attack on pathology firm Synnovis, which processes blood tests for NHS hospitals across London.

Speaking to the BBC’s Today programme, former National Cyber Security Centre (NCSC) chief Ciaran Martin said that it was unlikely the gang behind the attack, Qilin, would receive any ransom.

This is because the UK government has a policy of not allowing public sector organisations to pay ransoms, although he acknowledged that Synnovis isn’t under the same restrictions as it is a public/private partnership.

In the second week after the attack, more than 320 planned operations and nearly 1,300 outpatient appointments were postponed at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust.

On top of this, over 1,100 operations were cancelled after the attack.

Reports claim Qilin had demanded up to $50 million in ransom to release the data. Martin added that the gang likely expected a quick pay-off and may not have anticipated such disruption when it attacked Synnovis.

The breach eventually saw patient names, dates of birth, NHS numbers and descriptions of blood tests exposed online. Business account spreadsheets were also uploaded, exposing arrangements between hospitals, GP services, and Synnovis.

“This situation underscores a few critical points that organisations – not just in healthcare, but across all sectors – need to internalise,” said Javvad Malik, security awareness advocate at KnowBe4.

Malik stressed that regular security assessments, prompt patching of vulnerabilities, effective incident response plans and robust data encryption are “just the tip of the iceberg when it comes to securing data.”

“This event should serve as a catalyst for broader conversation on cybersecurity legislation, inter-organisational cooperation, and the sharing of threat intelligence,” he added.

“There’s a pressing need for a unified response to cyber threats and building of a strong security culture facilitated by government agencies, the private sector, and international bodies.”
