
January 12, 2024

It's 5:05, January 12 2024, Point of View Friday

In this Episode:

It’s January 12th, 2024, and time for Point of View Friday, where we cover a single topic from multiple perspectives. Today’s point of discussion is: what does the future look like for AI and cyber legislation? We have perspectives from Edwin Kwan in Sydney, Australia, Trac Bannon in Camp Hill, Pennsylvania, and Olimpiu Pop from Transylvania, Romania. We’ll begin with Shannon Lietz in San Diego, California, on the Win, Lose or Draw when considering cyber legislation.


Point of View Friday: 2024 Predictions for AI and Cyber Legislation


Shannon Lietz
2024 AI Predictions

Shannon Lietz, Contributing Journalist

This is Shannon Lietz reporting on the Win, Lose, or Draw of cybersecurity regulations from San Diego, California.

Adversaries are super overwhelming. They frost my cookies, in fact. But when it comes down to it, cybersecurity regulations being set by governments who themselves are having challenges with adversaries is just the most interesting possibility there is.

Over the last several years, we’ve seen so many more cybersecurity regulations, and don’t they kind of all look the same? I mean, for God’s sake, at this point, if you’ve been compliant with one, you’ve been compliant with most. So when it comes down to it, is compliance really changing the game?

From a win perspective, cybersecurity regulations do nothing more than line the pocketbooks and create a bit of a false sense of security, if you ask me.

From a lose perspective, who’s losing in this equation? Well, every time we see a new cybersecurity regulation that doesn’t go far enough to really help prevent adversary attacks, we see that the ultimate loser in this is the consumer. Because, simply put, who’s gonna take on the responsibility of cybersecurity challenges? It’s all being passed down to the consumer. So if you’re a consumer out there, you’re listening to me, why on earth are you buying bad products, putting up with bad cybersecurity? It’s time to really think about what we need from all these companies producing software and the things that they’re actually doing.

And finally, from a draw perspective, I just kind of think it’s interesting, but cybersecurity regulations and governments that are creating them are really up against a possibility of being at a draw with adversaries. Adversaries know that the current state of cyber regulations are going to be, simply put, more of the same.

And so they’re really good at getting around them. If you look at some of the figures raised by Cybersecurity Ventures about the multi-trillions of dollars that adversaries are gaining, we’re not even making a dent with some of these regulatory activities.

So how do we really change it? The way to change the game is to focus on adversaries, and focus on cyber resilience, and focus on the things that we can all move the needle on.

That means building security metrics that focus more on the actual challenge of reducing adversary risk in our environments, and getting rid of some of the compliance metrics out there that simply draw us down into day-by-day activity that doesn’t move the needle.

This is Shannon Lietz reporting on the Win, Lose, or Draw of cybersecurity regulations. See ya out there.


Edwin Kwan
2024 AI and Cyber Legislation

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Australians suffered a number of significant data breaches in the last two years. In response, the Australian government released its Cyber Security Strategy late last year, and it provides a peek at some of the cyber legislation that is upcoming.

This is Edwin Kwan from Sydney, Australia, providing my predictions on what changes we could potentially be seeing in 2024.

The first is ransomware, which the government is looking to address as part of its focus on strong businesses and citizens. Forget pay and pray when it comes to ransomware. To enhance visibility, the government is planning a no-fault, no-liability ransomware reporting obligation for businesses.

In addition, the government is taking a hard stance against rewarding cybercriminals.

They’re looking to seriously discourage paying ransoms, potentially with financial penalties or public naming and shaming. There’s also a focus on safe technology. Think of your smart fridge, your fitness tracker, that singing teddy bear for your kids, all those internet-connected gizmos. Well, the government’s saying, not so fast, Mr. Gadget. They’re proposing a mandatory cyber security standard for these Internet of Things devices, making sure they’re not flimsy fortresses against digital intruders.

App developers and stores, you’re not off the hook either. A voluntary code of practice is brewing with guidelines for secure app design and responsible data handling.

And finally, we can expect changes to the Commonwealth legislative data requirements. The Australian government will be reviewing how much information businesses are required to retain. They recently completed a review of the Privacy Act and will be exploring options to minimize and simplify data retention requirements.

So what does this all mean? Australia’s raising the cyber security bar, and businesses and techies need to keep up. New obligations, standards, and maybe even a few regulatory nudges are coming, all aiming to build a safer, more trusted digital space. This isn’t just about protecting infrastructure. It’s about protecting people.

And that is a win-win in our online world. That’s it from me. Stay safe, stay savvy, and stay secure.

Resources
– Home Affairs, AU: https://www.homeaffairs.gov.au/cyber-security-subsite/files/2023-cyber-security-strategy.pdf


Tracy (Trac) Bannon
2024 AI and Cyber Legislation

Trac Bannon, Contributing Journalist, It's 5:05 Podcast

In the ever evolving landscape of cybersecurity, the question of regulation becomes increasingly pertinent. Recent developments in this field have shown a dynamic interplay between tech, policy and the nefarious actors who constantly challenge the status quo.

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.

Regulation in the realm of cybersecurity is a complex issue that requires a multifaceted approach. The ideal scenario is a collaborative effort involving government bodies, private sector experts, and academic researchers. Governments, particularly those with robust tech infrastructures like the U.S., should take the lead in formulating policies.

However, and this is a big however, input from private sector experts is crucial. These pros bring practical experience and an understanding of the latest tech advancements. That’s essential for effective regulation. Academic institutions and non-profit groups can provide research-based insights and innovative approaches.

Can we outpace the nefarious actors? Outpacing the bad guys is a continual race. As technology evolves, so do the tactics and the tools used by these guys. The kicker is that we need to stop being reactive. We need to focus on anticipatory measures rather than reactive stopgaps.

This means investing in emerging technologies like AI and ML. We need to harness these tools to predict and counteract cyber threats. However, there’s a caveat. As we develop advanced defensive tools, the same tech can fall into the wrong hands. As I’ve said before, the bad guys are using the same tools as the good guys.

Continuous innovation coupled with stringent security practices is the key to staying ahead in this race.

At the end of the day, do the regulatory activities matter? Absolutely! Regulatory activities play a crucial role in setting standards and guidelines that shape the cybersecurity landscape. These regulations ensure there’s a baseline of security practices that organizations must follow. And that is going to reduce vulnerabilities.

Over-regulation will stifle innovation. Under-regulation will leave systems exposed. Moving forward, the focus should be on developing flexible, adaptive regulations that will evolve with tech advancements or emerging threats. Some of what we’ve seen in 2023 from the EU actually attempts this.

How can we change the game? It takes a paradigm shift in how we approach security. First, there needs to be greater emphasis on cybersecurity education and awareness, starting at the grassroots. Second, embrace a DevSecOps approach in the software development lifecycle to significantly enhance security. We need to integrate security practices at every stage along the way. We need to bake in security rather than bolt it on later.

No prediction would be complete without mentioning generative AI. The use of Gen AI tech in designing systems will be a game changer. These technologies can help in simulating potential threats and developing more robust defense mechanisms. They should be used with a clear understanding of their capabilities and limitations, especially in terms of ethical and security implications.

From my point of view, the future of cybersecurity regulation is not about creating rules, it’s about fostering an ecosystem where security is ingrained in every aspect.

Something to noodle on.


Olimpiu Pop
2024 AI and Cyber Legislation

The European Union made a name for itself in the tech world for stricter regulation. The range is rather broad, from fiscal legislation for big tech companies, to the EU AI Act, the first of its kind, and the CRA, the EU Cyber Resilience Act. The last two were both approved not more than one month ago. The CRA in particular, which generated a lot of fears in the open source ecosystem about its ability to innovate, received many clarifications to avoid that.

The CRA is going after software with commercial activity, as stated by Article 10 of the Act. Quote: ‘This regulation applies to economic operators only in relation to products with digital elements on the Union market in the course of a commercial activity.’ End of quote.

The previous version of the act did not give clear indication of what commercial activity means, leaving a lot of room for interpretation. In the final compromise form, a lot of clarification has been added about what that actually means. Its legislation contains clear points about donations and various models about markets.

My non-professional feeling is that the commission did a better job in describing what it actually meant. The same clarifications were provided for users of open source as well. Those 90-plus percent of existing software are there.

The bottom line is that each and every one of us should do our own due diligence when using open source components.

My non-legal-expert opinion is that many of the confusing points were clarified and we are off to a good start. Like always when talking about EU legislation, the devil is in the implementation. Many things may be lost in translation, especially as the 27 countries of the EU have 3 years to incorporate it into their legislation.

As much as I would like to leave politics behind, it all boils down to that. Most of the EU countries are facing elections in the upcoming period, the EU itself included. The discussion is pro or against the bloc. That actually translates as pro or against the war in Ukraine or better still, pro or against Russia.

So, for me, the next 12 months will show us that the current legislation has the potential of protecting not only EU software, but even its energy, given that it provides clear indication for IoT devices.

What’s certain is that the signing off of this bill is not an end, but just the beginning. Olimpiu Pop stated his opinion from Transylvania, Romania.

More opinions on cyber legislation changes around the globe on 505updates.com.

Resources
– Bert Hubert: https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-for-open-source/
– Euractiv: https://www.euractiv.com/section/cybersecurity/news/eu-institutions-finalise-agreement-on-cybersecurity-law-for-connected-products/
– Digital Strategy: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
