
What’s your CNAPP maturity?

More and more enterprises are opting for cloud-native application protection platforms (CNAPPs) instead of complex and hard-to-manage cloud security point solutions. Find out where your organization is on its CNAPP maturity journey.

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

Shai-hulud 2.0 campaign features a sophisticated variant capable of stealing credentials and secrets from major cloud platforms and developer services, while automating the backdooring of NPM packages maintained by victims. Its advanced tactics enable rapid, stealthy propagation across the software supply chain, putting countless downstream users at risk.

How to Protect from Online Fraud This Holiday Season

Peak e-commerce season hits retailers every year just as the Halloween decorations start to come down. Unsurprisingly, cyber criminals see this time as an opportunity to strike, and criminal activity online spikes alongside sales. Shockingly, 4.6% of attempted e-commerce transactions during the 2024 Black Friday period were suspected to be digital fraud. In the UK..

The post How to Protect from Online Fraud This Holiday Season appeared first on Security Boulevard.

DoD failing to address growing security threats posed by publicly available data

A government watchdog is sounding the alarm about a growing national security threat online. Rather than a traditional cyberattack, however, this one comes from the everyday digital footprints service members and their families leave across the internet. 

A new Government Accountability Office report warns that publicly accessible data — from social media posts and location tracking to Defense Department press releases — can be pieced together by malicious actors to identify military personnel, target their families and disrupt military operations.

According to GAO, while the Pentagon has taken some steps to address the threat, its efforts remain scattered, inconsistent and lack coordination. 

“We found that the department recognized that there were security issues, but they weren’t necessarily well-prepared to respond to them because it was new, because it didn’t necessarily neatly fit into existing organizational structures or policies or doctrines, and that’s a consistent story with the department,” Joe Kirschbaum, director of the defense capabilities and management team at GAO, told Federal News Network. 

To understand the risks posed to DoD personnel and operations that come from the aggregation of publicly accessible digital data, the watchdog conducted its own investigation and built notional threat scenarios showing how that information could be exploited. GAO began by surveying the types of data already available online and also assigned investigators to scour the dark web for information about service members. 

In addition to basic social media posts, investigators found data brokers selling personal and even operational information about DoD personnel and their families — information that can be combined with other publicly available data to build a more complete profile. 

“Once you start putting some of these things together, potentially, you start to see a pattern — whether it’s looking at individuals, whether it’s the individuals linked to military operational units or operations themselves, family members. Nefarious actors can take these things and build them into a profile that could be used for nefarious purposes,” Kirschbaum said. 

One of GAO’s threat scenarios shows how publicly accessible information can expose sensitive military training materials and capabilities. Investigators found that social media posts, online forums and dark-web marketplaces contained everything from military equipment manuals, detailed training materials, and photos of facility and aircraft interiors. When combined, these digital footprints can reveal information about equipment modifications, strategic partnerships or potential vulnerabilities, which can be used to clone products, exploit weaknesses or undermine military operations. 

And while DoD has identified the public accessibility of digital data as a “real and growing threat,” GAO found that DoD’s policies and guidance are narrowly focused on social media and email use rather than the full range of potential risks from aggregated digital footprints. 

For instance, the DoD chief information officer has prohibited the use of personal email or messaging apps for official business involving controlled unclassified information. But that policy doesn’t address the use of personal accounts on personal devices for unofficial tasks involving unclassified information — such as booking travel, accessing military travel orders, or posting on social media — activities that can pose similar risks once aggregated.

In addition, DoD officials acknowledged that current policies and guidance do not fully address the range of risks created by publicly accessible digital information about DoD and its personnel. They said part of the challenge is that the department has limited authority to regulate actions of DoD personnel and contractors outside of an operational environment.

“In general, except for the operation security folks, the answer was they didn’t really consider this kind of publicly available information in their own sphere. It’s not like they didn’t recognize there’s an issue, but it was more like, ‘Oh yeah, that’s a problem. But I think it’s handled in these other areas.’ Almost like passing the buck. They didn’t understand, necessarily, where it was handled. And the answer was, it should probably be handled collectively amidst this entire structure,” Kirschbaum said. 

The officials also said that while they had planned to review current policies and guidance, they “had not collaborated to address digital profile risks because they did not believe the digital profile threat and its associated risks aligned with the Secretary of Defense’s priorities,” including reviving warrior ethos, restoring trust in the military and reestablishing deterrence by defending the homeland. 

“One of our perspectives on this is we know we’re not sure where you would put this topic in terms of those priorities. I mean, this is a pretty clear case where it’s a threat to the stability and efficacy of our military forces. That kind of underlines all priorities — you can’t necessarily defend the homeland with forces that have maybe potential operational security weaknesses. So it would seem to kind of undergird all of those priorities,” Kirschbaum said. 

“We also respect the fact that as the department’s making tough choices, whether it’s concentrations of policy, financial and things of that nature, they do have to figure out the most immediate ways to apply dollars. For example, we’re asking the department to look across all those security disciplines and more thoroughly incorporate these threats in that existing process. The extent they’re going to have to make investments in those, they do have to figure out what needs to be done first and where this fits in,” he added.

GAO issued 12 recommendations to individual components and agency heads, but at its core, Kirschbaum said, is the need for the department to incorporate the threat of publicly available information into its existing structure. 

“In order to do that, we’re asking them to use those existing structures that they do have, like the security enterprise executive committee, as their collaborative mechanism. We want that body to really assess where the department is. And sometimes they’re better able to identify exactly what they need to do, rather than us telling them. We want them to identify what they need to do and conduct those efforts,” he said.

The post DoD failing to address growing security threats posed by publicly available data first appeared on Federal News Network.

[Photo caption] Signal app on a smartphone is seen on a mobile device screen Tuesday, March 25, 2025, in Chicago. (AP Photo/Kiichiro Sato) © The Associated Press

Former U.S. Cyber Chief: Crowdsource Cyber Defense

EXPERT INTERVIEW — Riyadh’s Global Cybersecurity Forum (GCF) in Saudi Arabia kicked off last week under the theme “Scaling Cohesive Advancement in Cyberspace.” The gathering came as researchers are increasingly discovering new malware and hacking campaigns, cybercrime is at an all-time high, and, in the U.S., critical cybersecurity legislation and authorities have been allowed to expire.

We caught up there with Chris Inglis, the first U.S. National Cyber Director, who says he sees reason for optimism. Inglis spoke on a cybercrime panel at the GCF and told us why he’s bullish on the prospect of cooperation and collaborative action to effectively counter cyber threats. Our conversation has been lightly edited for length and clarity.

The Cipher Brief: What is the real focus there right now as all of these cyber experts gather?

Inglis: There is a buzz to be sure, and I think that buzz kind of revolves around the use of the term in their title this year, which is to do “cohesive scaling.” Both of those attributes are important. Cohesive implies the notion not just of concurrent action, but collaborative action. And scale is what lies before us. So we must scale this effort because we're being crowdsourced by a vast array of actors, malign actors, holdings at risk through things like ransomware or insertions or critical infrastructure. So I think the buzz is what do we do together as opposed to the single point solutions that might be offered by the technologist alone.

The Cipher Brief: You're on a panel there talking about cybercrime and the global stakeholders associated with cybercrime. Can you give us a few highlights of some of the things that you're going to talk about in that session?

Inglis: I think that the reality of cybercrime is it's perhaps a more appealing, more transcendent issue to focus collective action on, because every citizen, regardless of what nation he or she might be from, cares about crime and wants to live in a world where they're not going to be thwarted or taken down by somebody that takes advantage of digital infrastructure that's not quite fit for purpose.

And so rather than talk about who those actors are that hold them at risk or talk about coalitions of one form or another that might take on coalitions of malign actors, let's talk about the needs of our citizens and that everyone wants to live in a crime-free world. That might sound like a bit of a panacea, but there's no one that would argue against that.

And I think the other thing about taking on the criminal elements is that there's so many of them, the cost of entry is still so low and the assets they might acquire still so high that we're never going to entirely remove them from the field. That might sound like I'm giving up before I even start, but it's going to focus us on this high-leverage proposition of, what if we just made it too hard for them to succeed? I then don't need to find each and every one of those that's transgressed and succeeded against me. I actually am in a better place because they decided today not to try or they failed in trying in the first place.

And so it focuses us, again, on resilience and robustness, not for its own sake, but so that we might have confidence in digital infrastructure. I think those are the highlights of this collective action and a focus on resilience.

The Cipher Brief: Oftentimes, criminal groups now are being backed by nation states. How is that being tackled at an international forum like this?

Inglis: We're being too kind. Sometimes, criminal enterprises are nation states, thinking about North Korea where it's a money-making proposition. It's an unholy alliance to be sure, and I think it gives them the kind of backing that we do not want to put into the hands of any single adversary. But we have the right on the defensive side to not simply collaborate, but to do so in the light of day. We don't have to skulk about in the dark or to accomplish these crowdsourcing activities on the dark web. We could do it in the light of day in a place like Riyadh, which is what's taking place here.

Talking about what our common aspirations are for our citizens, talking about what the common kind challenges are to those aspirations, and thinking about not just collective action, which might be a concurrent application of all this talent, but collaborative action with a degree of professional intimacy that we actually assist one another in ways that no one of us could succeed alone. So I'm bullish about what the defense can pull off if they follow the same tactics that the offense does, which is let's crowdsource the other side.

The Cipher Brief: While you're talking about collaboration in Riyadh, CISA 2015 expired here in the United States on September 30th, and that really has a lot of indicators in terms of information sharing between government and the private sector. How serious of an issue is this?

Inglis: Of course, I'm worried about the lack of the legal authority and the liability protections that are attendant to that. But if it was truly valuable in the first place, then I hope, imagine and am confident that that degree of sharing still goes on. That form should follow function.

We should get the law back in place as soon as possible. I've heard no one argue against the usefulness of that, and we're just caught in a time and place where we ran out of time. But behind the scenes, hopefully, and I'm more than hopeful, I'm confident there is a degree of collaboration going on. Why? Not because it's mandated, but because it's useful to all sides.

The Cipher Brief: President Trump was just in Saudi Arabia earlier this year where he announced a pretty incredible investment package. AI was a big focus of his trip there, and of those announcements that were made, I'm wondering how concerned you are about autonomous AI-driven cyber weapons escalating conflicts, and if there is a path toward international guardrails or norms here.

Inglis: I don't think anyone's actually talking about the literal kind of creation of autonomous AI driven systems. That term is sometimes not well-defined. Ask it this way, which is do we want weapon systems that can change sides in the middle of a war? Of course not. So we don't want autonomous weapon systems. But do we want highly capable weapon systems that augment human capacity, that can take a line of action from a human being who remains accountable, the human remains accountable, and execute that at scope and scale in ways that a human alone could not? Yes, of course we do, but we need a value scheme to go with that. And there's talk not just on the part of governments, but on the part of the private sector for the necessity of that.

If we went back 50, 60 years to the days of early robotics, Isaac Asimov would be advising us that we should have three rules for robots. One, it should never hurt a human being. Two, it should obey human beings. And three, it should protect itself. In that order. And it turns out there's an equivalent to those three simple rules for generative AI or agentic AI.

I'm not afraid of AI that achieves human-like capacities, but I am very nervous about having it be completely independent of human beings. And no one that I know is talking about having it be independent of human beings. Human accountability must and will remain on the loop, even though the speed of the human's ability to think through the complex problems AI can take on is going to be overmatched in a wondrous way by generative AI. We will remain accountable for it, and therefore the values that Asimov would recommend play through to this day. And I think that there's a version of that in every instance that I've seen of responsible parties talking about let's use this way in some different capacity.


The Cipher Brief: How bullish are you on the idea of norms, particularly when we're seeing so many nation-states using cyber as a national security tool, an espionage tool, and cybercrime? How bullish are you on norms and the effectiveness of norms?

Inglis: I'm bullish on the utility of norms. I'm less bullish on the implementation of those kind of universally and kind of the same across all kind of players in this space. As we talked about earlier in this conversation, clearly there are some actors who are broadly ignoring those norms, and the answer to that is not for ourselves to actually similarly violate those norms. Why? Because our people are then disadvantaged in that regard. They get caught in the churn. Our allies or those who would collaborate with us in this world will not then commit their full time and attention to that in the absence of shared value, shared norms, shared aspirations, and so I think that norms still have their value, and it still tells us how we actually deliver on the human aspirations that ultimately have a foundation in values, not just technology.

The Cipher Brief: What are some of the most interesting conversations that you've had on the sidelines there in Riyadh?

Inglis: I think the most interesting conversations are about those who argue for collaboration as opposed to division of effort. And the pitch that they make is not one that's to their own advantage, it's to the collective advantage. Reminding us that we're not trying to solve similar problems. We're all trying to solve the same problem or deliver the same aspirations to our citizens. Those are the most compelling conversations that I've seen so far.

And the focus by the GCF, the Global Cyber Forum that's convened here by the Saudis, a focus on those things that every parent, every human being could find a noble aspiration for our children: child protection, elimination of ransomware that holds individuals and small businesses at risk. Those are, I think, the most meaningful discussions. The technology can follow, the doctrine can follow, but if we get those aspirations right, we're in a better place at the start.
