Universities and colleges cope silently with ransomware attacks

Although some cybersecurity researchers say that ransomware attacks are on the downswing as cybercriminals face declining payments, a spate of recent ransomware attacks makes it feel like the scourge is continuing at the same, or even an elevated, pace. Nowhere is this more apparent than in the higher education sector, with at least eight colleges and universities in North America reporting ransomware attacks since December 2022.

Among recent incidents are:

  • On December 30, 2022, Bristol Community College in Attleboro, Massachusetts, announced it experienced disrupted internet and networking functions due to a likely ransomware attack.
  • In early January, a likely ransomware attack shut down access to campus network services at Okanagan College in the southern Interior of British Columbia, Canada.
  • Mount St. Mary’s College in Newburgh, New York, confirmed on February 9 that it experienced a ransomware attack in December after the ransomware group Vice Society claimed credit for the incident on its leak site.
  • On February 25, Southeastern Louisiana University in Hammond, Louisiana, reported a data breach and “network issues” widely believed to be a ransomware attack.
  • Tennessee State University in Nashville announced on February 26 that its IT systems were temporarily inaccessible due to a possible ransomware attack.
  • On March 1, College of the Desert, a community college in Palm Desert, California, announced it was alerting around 800 people who might have been affected by a ransomware attack that occurred in July 2022, which took down the school’s phone and online services for nearly a month.
  • On March 3, Gaston College, a community college in Dallas, North Carolina, announced that it was the victim of a ransomware attack by an unknown threat actor.
  • Northern Essex Community College campuses in Haverhill and Lawrence, Massachusetts, were closed in early March due to what is widely believed to be a ransomware attack.

Recent ransomware attacks on higher learning institutions also occurred outside North America. In mid-January, the University of Duisburg-Essen (UDE) in Germany announced it had been hit by a ransomware attack on November 22 after threat group Vice Society claimed credit for the incident. Another German university, the Hamburg University of Applied Sciences (HAW Hamburg), admitted in early March it, too, had been hit by a ransomware incident on December 20, 2022, for which Vice Society also took credit.

Cone of silence surrounding ransomware attacks

It is impossible to know how many higher education institutions have become victims of ransomware attacks or whether these incidents are increasing because the institutions are more reluctant than most organizations to reveal the attacks or discuss any other aspect of cybersecurity. CSO sent interview requests to at least five university CISOs to discuss the challenges they face in managing their institutions’ cybersecurity, and all went unanswered. None of the CISOs CSO contacted are employed at colleges or universities publicly known as victims of ransomware attacks.

“It’s always hard to know when you’re tracking ransomware attacks because most of them are never publicly reported for a variety of reasons,” Allan Liska, threat intelligence analyst at Recorded Future, tells CSO. “However, we know there was at least a 10% increase in publicly reported ransomware attacks against colleges and universities in 2022 versus 2021. We’re starting 2023 with what appears to be that trend of increased attacks continuing.”

Most organizations are reluctant to discuss ransomware attacks unless situations press them into it. “Very few organizations, unless they wind up on an extortion site, want to talk about the fact that they’ve been hit with ransomware,” Liska says. “But when you talk about many colleges and universities, because they’re part of the public sector, a lot of times they have state requirements regarding what they can say and can’t say.”

Beyond that, however, “There seems to be this unwillingness to share this information, I think wrongly, under the perception that if you share that you were hit with a ransomware attack, it’s going to make other people attack you or something like that,” Liska says. “I’m not really sure what the logic is behind that, but it’s definitely a problem. It makes it hard for those of us who are trying to solve the problem because we can’t get a full understanding of what’s happening because we don’t know about most of the ransomware attacks. It makes it hard to develop a good national strategy if people don’t want to talk about it.”

Recorded Future recently issued FOIA requests to learn more about ransomware attacks against colleges and universities in one specific state. “Every time they came back with the same thing, ‘due to the sensitive nature of this, blah blah, blah, we can’t share any information,'” says Liska. “They said it could reveal sensitive networking stuff, which is complete [nonsense]. But that was the tack they took. And I’m like, dude, your data are on an extortion site, so we know what happened. So there seems to be this unwillingness to share information.”

Attacks on education sector not disproportionately high

Some experts think that the number of ransomware incidents affecting educational institutions, including universities, has remained consistent in recent years. “I don’t have the breakdown between local school districts and colleges at hand, but every year since 2019, there have been between 84 and 89 incidents involving US K-12 and post-secondary schools,” Brett Callow, threat analyst at Emsisoft, tells CSO. “If anything, the numbers are surprisingly consistent and vary by five per year. It is as though [threat actors] are working to a quota.”

Adam Meyers, senior VP of intelligence at CrowdStrike, thinks universities and colleges are not more targeted than most organizations. “I don’t know that it’s disproportionately higher than what we’re seeing elsewhere,” he tells CSO. “You might be seeing more mention of it in the media and more stories about it, but I think the ransomware threat actors are constantly shifting targets looking for something that’s going to pay out and be interesting.”

Higher learning a favorite target of Vice Society

Russian threat actors drive most ransomware attacks, including those aimed at colleges and universities. “Most of these attackers, at least the core group, are based in Russia,” Liska says, clarifying that they’re not state actors per se but criminal groups that thrive while the Kremlin turns a blind eye to them. “When we’re talking about ransomware as a service, which I know some of these attacks are part of, the affiliates can actually be spread out worldwide, but still, the core developing group is almost always based in Russia.”

Vice Society is a leading culprit in these attacks and is widely believed to be a Russian group. Last fall, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory warning of Vice Society ransomware attacks that disproportionately target the education sector.

“Vice Society is the one that you really see active going after schools and colleges and universities,” Liska says. “They’ve almost made, for lack of a better term, a career out of it. Vice Society accounts for about five to six percent of overall publicly reported ransomware attacks but accounts for 30% of ransomware attacks against schools.”

Meyers says, “I think that it’s not like there’s one monolithic group of criminal actors. There are so many different affiliates.” But he, too, points to Vice Society as one of the more significant threats to higher education institutions. “They have heavily been targeting academia and deploying the Red Alert Locker since January or February,” he says. Red Alert Locker is one piece of malware developed by a third party that Vice Society deploys in ransomware attacks.

“Talking about which groups are responsible is a little bit misleading,” Callow says. “It’s really which affiliates of those groups are choosing to target the education sector. That said, there is a group called the Vice Society, which for whatever reason targets a very large number of organizations in the education sector.”

Money is the payoff, but data could be more important

In terms of what motivates ransomware attacks on colleges and universities, the primary motive, of course, is money, even when payments are small. “People talk about ransomware gangs being big game hunters, but they’re really not,” Callow says. “They are opportunistic and will take money wherever they can get it. They will pursue even low sums. For example, we’ve seen LockBit try to squeeze ten thousand bucks out of a community hospital in a low-income country.”

But Liska says, “we don’t actually know that they make money from the ransomware attacks. The education sector overall, so, not just colleges and universities, but also grade schools, high schools, is actually one of the sectors that are least likely to pay a ransom.” They are less likely to pay “in part because they generally don’t have the $100,000, $200,000, $500,000 that these ransom actors are asking for but also because they’re generally using state money or student money there.”

“If it’s causing them not to be able to do admissions or enrollment or to service their student body and it’s bringing negative attention to the university, that is the calculus of ransomware,” says Meyers. “They’re trying to create enough downtime or enough of an impact that it’s cheaper to pay the ransom than to try to figure out a way to fight through it.”

Although Callow thinks the data stolen during ransomware attacks on colleges and universities are not of significant value, Liska does. “When you’re talking about a ransomware attack at this point, we’re talking about double extortion,” he says. “So, it’s data theft plus the encryption event. That student data can be very valuable. Social security numbers, names, addresses, all of that has a value on the secondary market to sell for those who engage in identity theft.”

All threat actors are moving to the double extortion model, Meyers says. “They don’t have to deal with the complexity of cryptography and doing all the ransom attacks. I think we’ll see ransomware playing second fiddle to data extortion moving forward. Weaponization is starting to become a favored tool for these threat actors.”

US Maritime Administrator to study port crane cybersecurity concerns

The 2023 National Defense Authorization Act (NDAA) passed by Congress and signed by President Biden in late December 2022 was filled with a host of military-related cybersecurity provisions. One little-noticed provision in the bill called for a study of cybersecurity and national security threats posed by foreign-manufactured cranes at United States ports.

Under this provision, the Maritime Administrator, working with Homeland Security, the Pentagon, and the Cybersecurity and Infrastructure Security Agency (CISA), is required to conduct a study to assess whether foreign manufactured cranes at United States ports pose cybersecurity or national security threats. It must be completed by late December 2023 and submitted to the Senate Commerce and Armed Services committees and House Transportation and Armed Services committees.

Crane security study origins unclear

Little information is available on why this study appeared in the NDAA or why a study of port crane security was deemed critical enough to include in the annual must-pass legislation. However, the study could be a concession to Representative Carlos Gimenez (R-FL), who introduced a bill last year, H.R.6487, the Port Crane Security and Inspection Act of 2022, that died in committee.

Gimenez’s bill limited the operation at US ports of foreign cranes made by US adversaries. It required CISA to inspect foreign cranes before they are placed into operation for potential security vulnerabilities and assess the threat posed by security vulnerabilities on existing or newly constructed foreign cranes. Gimenez’s bill also called for CISA to report to Congress about critical and high-risk security vulnerabilities posed by foreign cranes at US ports. Gimenez’s office did not respond to requests for comments on his bill or the NDAA-mandated study.

FBI boarded Chinese ship in a mysterious incident

Concerns about cybersecurity at the nation’s increasingly digitized ports have been rising for years. As far back as 2013, a Brookings study concluded that the cybersecurity awareness and culture level in US port facilities was low and that basic cybersecurity hygiene measures were missing in most ports. Of the ports studied by the Brookings researchers, only one had conducted a cybersecurity vulnerability assessment, and none had developed a cyber incident response plan.

In 2015, cybersecurity firm CyberKeel, now owned by Improsec, warned that 37% of maritime companies with Windows web servers weren’t adequately installing security patches from Microsoft. Earlier in 2015, US Coast Guard officials reported that interference with GPS signals disrupted operations for seven hours at a significant, unidentified east coast port, affecting four cranes.

In a barely noticed incident on September 15, 2021, FBI counterintelligence agents conducted a search of the Chinese merchant ship Zhen Hua 24 that delivered four “Neo-Panamax” port container cranes to Baltimore harbor. The agents were said by informed sources to have uncovered intelligence-gathering equipment on the ship during the search, but no details are available about what specific equipment they discovered.

Shanghai Zhenhua Heavy Industries Company Limited, or ZPMC, manufactured the four cranes. ZPMC is the most prominent crane maker, boasting an 80% global market share. ZPMC’s US offices did not answer questions about the NDAA study or the FBI incident. Likewise, the FBI declined CSO’s request for an interview regarding the incident.

Cybersecurity concerns center on crane communications

Given the digitized nature of modern cranes, the NDAA study could have its origins in fears that the costly (typically starting at $15 million) and all-important port machines could come equipped with destructive malware or be vulnerable to malicious cyber incidents. But experts say it is more likely that the concern stems from the communications technology that controls the cranes’ operations.

“Without the intent of the client or the asset owner, some of these systems could be communicating outbound to possibly even the internet knowingly or unknowingly,” Marco Ayala, global director, ICS cybersecurity and sector lead, 1898 & Co., tells CSO. “If there is a possibility of ‘E.T. phone home’ or some type of beacon or communication link that could give a command, a control capability, to a foreign adversary, whether that is for financial gain or just to create a logistics nightmare,” that could create incredible bottlenecks at US ports, potentially causing substantial economic damage.
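The “E.T. phone home” concern above is, on the defender’s side, a detection problem: does any asset on the crane network open connections to destinations the asset owner never sanctioned, and do those connections recur on a clockwork schedule? The following is an added example written for this page, not code from the article, from 1898 & Co., or from any crane vendor. It assumes a hypothetical OT subnet (10.50.0.0/24), a hypothetical allowlisted local historian, and a constructed firewall log format of “timestamp src dst dport action”; the sample log lines are invented for illustration. It flags OT-to-external flows and scores their inter-arrival jitter, since a beacon tends to have near-constant spacing while human- or event-driven traffic does not.

```python
"""Flag OT assets (e.g. crane controllers) that talk outbound past the OT
boundary, and score those flows for regular-interval beaconing.

Added example for illustration; hypothetical addresses and log format.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical: the subnet the crane controllers live on, and the only
# off-subnet destination they are expected to reach (a local historian).
OT_NETWORK = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_DESTINATIONS = {ipaddress.ip_address("10.50.0.250")}

# Constructed firewall log lines (not real traffic): "ts src dst dport action".
SAMPLE_LOG = """\
2023-03-01T00:00:00 10.50.0.21 10.50.0.250 502 ALLOW
2023-03-01T00:05:00 10.50.0.21 203.0.113.9 443 ALLOW
2023-03-01T00:10:00 10.50.0.21 10.50.0.250 502 ALLOW
2023-03-01T00:15:00 10.50.0.21 203.0.113.9 443 ALLOW
2023-03-01T00:25:00 10.50.0.21 203.0.113.9 443 ALLOW
2023-03-01T00:35:00 10.50.0.21 203.0.113.9 443 ALLOW
2023-03-01T00:45:01 10.50.0.21 203.0.113.9 443 ALLOW
2023-03-01T00:55:00 10.50.0.21 203.0.113.9 443 ALLOW
2023-03-01T00:07:13 10.50.0.22 198.51.100.7 8883 ALLOW
2023-03-01T02:31:40 10.50.0.22 198.51.100.7 8883 ALLOW
2023-03-01T00:03:00 10.50.0.23 10.50.0.250 502 ALLOW
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = line.split()
        records.append((datetime.fromisoformat(ts),
                        ipaddress.ip_address(src),
                        ipaddress.ip_address(dst),
                        int(port)))
    return records


def unexpected_outbound(records):
    """Group connections from OT assets to destinations that are neither on
    the OT subnet nor explicitly allowlisted, keyed by (src, dst, dport)."""
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        if src in OT_NETWORK and dst not in OT_NETWORK and dst not in ALLOWED_DESTINATIONS:
            flows[(str(src), str(dst), port)].append(ts)
    return flows


def beacon_score(timestamps, min_samples=4):
    """Return (mean_gap_seconds, jitter_ratio) for a flow, or None when there
    are too few connections to judge. jitter_ratio is stdev/mean of the
    inter-arrival gaps; values near 0 mean clockwork spacing."""
    if len(timestamps) < min_samples:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def analyze(text, jitter_threshold=0.1):
    """Run the whole pipeline and return (src, dst, dport, count, verdict) rows."""
    findings = []
    for (src, dst, port), stamps in unexpected_outbound(parse_log(text)).items():
        score = beacon_score(stamps)
        if score is None:
            verdict = "unexpected outbound (too few samples to judge periodicity)"
        elif score[1] <= jitter_threshold:
            verdict = f"periodic beacon ~{score[0]:.0f}s (jitter {score[1]:.3f})"
        else:
            verdict = f"irregular outbound (jitter {score[1]:.3f})"
        findings.append((src, dst, port, len(stamps), verdict))
    return findings


if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        print(*row)
```

On the constructed log, 10.50.0.21 reaches 203.0.113.9 every ten minutes with at most a second of drift, which the script reports as a periodic beacon; 10.50.0.22 has only two off-subnet connections, so it is reported as unexpected but not scored. In practice the allowlist would come from the asset owner’s documented vendor-access design, and the interesting output is anything outbound that nobody on the port side can explain.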

Cameras on cranes could be “surveillance tools”

Steve Gyurindak, CTO of network and operational technology at Armis, tells CSO that Chinese cranes, including the ZPMC cranes, might be under scrutiny because they come equipped with Chinese-made cameras that have “basically been branded surveillance tools” by the US government. Gyurindak was referring to a new rule issued in July 2020 by the Federal Acquisition Regulation Council that federal agencies can’t “enter into a contract (or extend … a contract) with an entity that uses any equipment, system, or services that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”

Among the equipment banned under the new rule are video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, Dahua Technology Company, or any subsidiary or affiliate of these companies. “I would think if anything on the Chinese ship, the FBI was looking at the cameras,” Gyurindak says. “The Chinese have invested a lot of money in using video for intelligence.”

Supply chain disruption fears could be the impetus

Patrick Miller, president and CEO of Ampere Industrial Security, thinks it isn’t “out of the realm of possibility” that China could be using port cranes for surveillance. They could be “trying to gather as much manifest information on what is coming in and out of America as possible,” he tells CSO. “That would fit very well into their standard mode of operations and their motives.”

But, “I honestly think one of the bigger drivers behind [port crane cybersecurity fears] is we rely so much on trade through ports, and people in America freak out when there’s a supply chain issue,” Miller says. “If there were an attack on the ports in any way, shape, or form, that would be yet another reason for a supply chain problem.”

Port operational technology should be part of cybersecurity discussions

Cranes are emblematic of the uneasy mix of information technology (IT) and operational technology (OT) characteristic of most ports. “For us, all this part of the port infrastructure is something that should be considered when conducting a risk assessment and identifying proper mitigation controls,” Athanasios (Thanos) Drougkas, cybersecurity expert at the European Union Agency for Cybersecurity (ENISA), tells CSO. “For us, it’s the starting point and where we see cranes in this whole process

Drougkas is encouraged by the NDAA-mandated study. “I’m very happy to see that operational technology is becoming more and more a part of cybersecurity discussions,” he says. “We’re happy to see that national authorities all over are actually picking up on this.”

US Congress funds cybersecurity initiatives in FY2023 spending bill

On December 23, the House and Senate Appropriations Committees agreed to a $1.7 trillion omnibus spending bill that funds government operations through fiscal year 2023. On December 29, President Biden signed it. The 4,155-page bill reflects an already agreed-upon $858 billion for defense spending and an additional $800 billion for non-defense spending, including several prominent cybersecurity items.

US Senator Chris Murphy (D-CT), chair of the Subcommittee on Homeland Security, said, “This bill is a reasonable compromise, and I’m proud of the investments it would make in the responsible management of our border, the protection of our nation from cyber threats, and the protection of our coastlines and airports.”

On the House side, Homeland Security Subcommittee Chairwoman Lucille Roybal-Allard (D-CA) said, “This year’s appropriations bill for the Department of Homeland Security makes historic investments in America’s domestic, maritime, and border security while also protecting critical cyber and physical infrastructure and supporting disaster relief.”

Key cybersecurity provisions in the bill

Cybersecurity is referenced dozens of times in the bill, highlighting how routine cybersecurity spending has become in the federal government. The following cybersecurity provisions in the spending bill are noteworthy for their prominence, the dollar amounts involved, their first-time appearance in the annual appropriations process, or the emphasis lawmakers place upon them.

  • CISA Funding: The bill allocates $2.9 billion for the Cybersecurity and Infrastructure Security Agency (CISA), $313.5 million or 12% above the fiscal year 2022 levels and $396.4 million above the President’s budget request. Among some of the specific CISA funding flagged by lawmakers are
    • More than $1.7 billion for cybersecurity efforts that include “the protection of civilian federal networks that also benefit state, local, tribal and territorial (SLTT) government networks”
    • $214.2 million to further advance CISA’s Cybersecurity Operations, encompassing, among other things, a $17 million increase for the Joint Cyber Defense Collaborative (JCDC)
    • A $16 million increase for the Multi-State Information Sharing and Analysis Center (MS-ISAC), for a total of $43 million for the center
    • $46 million for “threat hunting and response capabilities” across federal, SLTT, and critical infrastructure networks
    • $17 million for “emergency communications preparedness”
    • An additional $32 million for “increasing regional operations capabilities”
  • Additional Ukraine Supplemental Appropriations Act, 2023. This bill, included as part of the omnibus spending package, allocates $50 million to address cybersecurity threats from Russia and other malicious actors.
  • Office of Personnel Management: The spending package gives $422 million for the Office of Personnel Management to “address cybersecurity and hiring initiatives,” representing an increase of $49.2 million.
  • National Science Foundation: The legislation provides $69 million for the National Science Foundation’s CyberCorps program, a $6 million increase from last year. ​​The program provides students with scholarships if they agree to work for the government in cybersecurity after graduation.
  • Treasury Department: The bill allocates $100 million in supplemental funds for salaries and expenses for enhanced cybersecurity for systems operated by the department.
  • Office of the National Cyber Director: The bill provides $21,926,000 in funding for the Office of the National Cyber Director.
  • Secret Service funding: The bill allocates $23 million for and reauthorizes the Secret Service to continue operating the National Computer Forensics Institute, which serves as a national training center for law enforcement officials to learn methods for investigating and combating cyber and electronic crimes.
  • Commerce Department funding: The legislation allocates $35 million specifically for technology modernization and cybersecurity risk mitigation for the department.
  • Department of Homeland Security (DHS) funding: The bill allocates $3 million for the DHS Intelligence and Cybersecurity Diversity Fellowship Program.

TikTok banned on executive branch phones

Despite ongoing efforts by China’s ByteDance to forge a compromise agreement with the Committee on Foreign Investment in the US (CFIUS) to assuage the national security concerns surrounding its popular TikTok video app, the spending bill prohibits the use of TikTok on executive agency phones. The legislation requires the Office of Management and Budget (OMB), in consultation with the administrator of general services, the director of CISA, the director of national intelligence, and the secretary of defense, to develop within two months standards and guidelines for executive agencies requiring the app’s removal.

Following the bill’s enactment, the chief administrative officer of the US House of Representatives banned TikTok from the phones of House members and staff effective immediately. A TikTok spokesperson said, “We’re disappointed that Congress has moved to ban TikTok on government devices — a political gesture that will do nothing to advance national security interests — rather than encouraging the administration to conclude its national security review. The agreement under review by CFIUS will meaningfully address any security concerns that have been raised at both the federal and state level.”

Limitations on Chinese, North Korean, and Iranian procurement

The bill stipulates that no government agency may use its funds to buy telecom equipment from Chinese tech giants Huawei or ZTE for “high or moderate impact information systems,” as determined by the National Institute of Standards and Technology (NIST).

It further states that agencies cannot use any of their funds for technology, including biotechnology, digital, telecommunications, and cyber, developed by the People’s Republic of China unless the secretary of state, in consultation with the USAID administrator and the heads of other federal agencies, as appropriate, determines that such use does not adversely impact the national security of the United States.

Moreover, no agency can spend funds on entities owned, directed, or subsidized by China, Iran, North Korea, or Russia unless the FBI or other appropriate federal entity has assessed any risk of cyber espionage or sabotage associated with acquisitions from these entities.

Report on ransomware and other cyber-related attacks by foreign parties

The bill incorporates the Ransomware Act, which requires the Federal Trade Commission (FTC) to deliver to Congress in 2025 and 2027 a report that spells out the number and types of ransomware incidents or other cyberattacks from China, North Korea, Iran, or Russia. It also invites the FTC to share information on litigation related to these incidents and recommend new laws and business practices to strengthen the resilience of US organizations against digital threat actors.

Ensuring medical device cybersecurity

Finally, the bill amends the Federal Food, Drug, and Cosmetic Act to make medical device makers meet specific cybersecurity standards. Among the requirements is submitting a plan to the secretary of the Food and Drug Administration to monitor, identify, and address post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.

The manufacturers must also ensure their devices and associated systems are secure and release post-market software and firmware updates and patches. The device makers are further required to provide a software bill of materials (SBOM) to the secretary of the FDA that includes all off-the-shelf, open-source, and critical components used by the devices.

The bill further requires the FDA to provide additional resources and information on improving the cybersecurity of medical devices within 180 days and annually thereafter, including information on identifying and addressing cyber vulnerabilities for healthcare providers, health systems, and device manufacturers. Within one year, the Government Accountability Office (GAO) is required to issue a report that identifies the challenges faced by healthcare providers, health systems, patients, and device manufacturers in addressing vulnerabilities and how federal agencies can strengthen coordination to improve the cybersecurity of devices.

With AI RMF, NIST addresses artificial intelligence risks

Business and government organizations are rapidly embracing an expanding variety of artificial intelligence (AI) applications: automating activities to function more efficiently, reshaping shopping recommendations, credit approval, image processing, predictive policing, and much more.

Like any digital technology, AI can suffer from a range of traditional security weaknesses and other emerging concerns such as privacy, bias, inequality, and safety issues. The National Institute of Standards and Technology (NIST) is developing a voluntary framework to better manage risks associated with AI called the Artificial Intelligence Risk Management Framework (AI RMF). The framework’s goal is to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.

The initial draft of the framework builds on a concept paper released by NIST in December 2021. NIST hopes the AI RMF will describe how the risks from AI-based systems differ from other domains and encourage and equip many different stakeholders in AI to address those risks purposefully. NIST said it can be used to map compliance considerations beyond those addressed in the framework, including existing regulations, laws, or other mandatory guidance.

Although AI is subject to the same risks covered by other NIST frameworks, some risk “gaps” or concerns are unique to AI. Those gaps are what the AI RMF aims to address.

AI stakeholder groups and technical characteristics

NIST has identified four stakeholder groups as intended audiences of the framework: AI system stakeholders; operators and evaluators; external stakeholders; and the general public. NIST uses a three-class taxonomy of characteristics that should be considered in comprehensive approaches for identifying and managing risk related to AI systems: technical characteristics, socio-technical characteristics, and guiding principles.

Technical characteristics refer to factors under the direct control of AI system designers and developers, which may be measured using standard evaluation criteria, such as accuracy, reliability, and resilience. Socio-technical characteristics refer to how AI systems are used and perceived in individual, group, and societal contexts, such as “explainability,” privacy, safety, and managing bias. In the AI RMF taxonomy, guiding principles refer to broader societal norms and values that indicate social priorities such as fairness, accountability, and transparency.

Like other NIST Frameworks, the AI RMF core contains three elements that organize AI risk management activities: functions, categories, and subcategories. The functions are organized to map, measure, manage, and govern AI risks. Although the AI RMF anticipates providing context for specific use cases via profiles, that task, along with a planned practice guide, has been deferred until later drafts.

Following the release of the draft framework in mid-March, NIST held a three-day workshop to discuss all aspects of the AI RMF, including a deeper dive into mitigating harmful bias in AI technologies.

Mapping AI risk: Context matters

When it comes to mapping AI risk, “We still have to figure out the context, the use case, and the deployment scenario,” Rayid Ghani of Carnegie Mellon University said at the workshop. “I think in the ideal world, all of those things should have happened when you were building the system.”

Marilyn Zigmund Luke, vice president of America’s Health Insurance Plans, told attendees that, “Given the variety of the different contexts and constructs, the risk will be different, of course, to the individual and the organization. I think understanding all of that in terms of evaluating the risk, you’ve got to start at the beginning and then build out some different parameters.”

Measuring AI activities: New techniques needed

Measurement of AI-related activities is still in its infancy because of the complexity of the socio-political ethics and mores inherent in AI systems. David Danks of the University of California, San Diego, said, “There’s a lot in the measure function that right now is essentially being delegated to the human to know. What does it mean for something to be biased in this particular context? What are the relevant values? Because of course, risk is fundamentally about threats to the values of the humans or the organizations, and values are difficult to specify formally.”

Jack Clark, co-founder of AI safety and research company Anthropic, said that the advent of AI has created a need for new metrics and measures, ideally baked into the creation of the AI technology itself. “One of the challenging things about some of the modern AI stuff, [we] need to design new measurement techniques in co-development with the technology itself,” Clark said.

Managing AI risk: Training data needs an upgrade

The management function of the AI RMF addresses the risks that have been mapped and measured to maximize benefits and minimize adverse impacts. But data quality issues can hinder the management of AI risks, Jiahao Chen, chief technology officer of Parity AI, said. “The availability of data being put in front of us for training models doesn’t necessarily generalize to the real world because it could be several years out of date. You have to worry about whether or not the training data actually reflects the state of the world as it is today.”

Grace Yee, director of ethical innovation at Adobe, said, “It’s no longer sufficient for us to deliver the world’s best technologies for creating digital experiences. We want to ensure that our technology is designed for inclusiveness and respects our customers, communities, and Adobe values. Specifically, we’re developing new systems and processes to evaluate if our AI is creating harmful bias.”

Vincent Southerland of the New York University School of Law raised the use of predictive policing tools as an object lesson of what can go wrong in managing AI. “They are deployed all across the criminal system,” he said, from identifying the perpetrator of the crime to when offenders should be released from custody. But until recently, “There wasn’t this fundamental recognition that the data that these tools rely upon and how these tools operate actually help to exacerbate racial inequality actually and help to exacerbate the harms in the criminal system itself.”

AI governance: Few organizations do it

When it comes to AI governance policies, few organizations are doing it. Patrick Hall, scientist at bnh.ai, said that outside large consumer finance organizations and just a few other highly regulated spaces, AI is being used without formal governance guidance, so companies are left to sort out these stormy governance issues on their own.

Natasha Crampton, chief responsible AI officer at Microsoft, said, “Failure mode arises when your approach to governance is overly decentralized. This is a situation where teams want to deploy AI models into production, and they’re just adopting their own processes and structures, and there’s little coordination.”

Agus Sudjianto, executive vice president and head of corporate model risk at Wells Fargo, also stressed top-level management in governing AI risk. “It will not work if the head of responsible AI or the head of management doesn’t have the stature, ear, and support from the top of the house.”

Teresa Tung, cloud first chief technologist at Accenture, emphasized that all businesses need to focus on AI. “About half of the Global 2000 companies reported about AI in their earnings call. This is something that every business needs to be aware of.”

As with other risk management frameworks developed by NIST, such as the Cybersecurity Framework, the final AI RMF could have wide-ranging implications for the private and public sectors. NIST is seeking comments on the current draft of the AI RMF by April 29, 2022.

SEC eyes more expansive cybersecurity requirements

Gary Gensler, chair of the Securities and Exchange Commission (SEC), has laid out an ambitious cybersecurity plan for his agency that could give it a far more expansive regulatory footprint than it currently has. Speaking to Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, Gensler said that “the financial sector remains a very real target of cyberattacks” and is becoming “increasingly embedded within society’s critical infrastructure.”

Although the SEC participates in several advisory bodies, such as the Financial Stability Oversight Council (FSOC) and the Financial and Banking Information Infrastructure Committee (FBIIC), among others, that deal directly with cybersecurity requirements, the agency has no hard and fast cybersecurity rules or cybersecurity incident reporting requirements for publicly traded companies. It does, however, have data protection and other security requirements for the financial segments it directly regulates, including exchanges, brokers, financial advisers, and others.

Staff guidance governs publicly traded companies

In 2011, the SEC issued staff guidance stating, “Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, companies nonetheless may be obligated to disclose such risks and incidents.” Nevertheless, in this earlier guidance, the SEC advised companies that “Material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.” Consequently, most publicly traded companies began reporting significant cybersecurity risks and incidents, frequently using a standard SEC reporting form called 8-K.

In 2018, the SEC issued interpretive guidance that expanded upon the 2011 guidance stressing the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. The updated guidance also reminded companies of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws. It further stressed companies’ obligations to “refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.”

Like the 2011 staff guidance, the 2018 update underscores that “no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents.” The 2018 update does point to statutory financial filing requirements known as Regulation S-K and Regulation S-X that might require cybersecurity disclosures in registration statements and financial reports submitted to the SEC.

Even without mandatory disclosure rules, the SEC has brought legal action against companies for poor cybersecurity reporting practices. In 2018, the Commission forced Yahoo to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s most significant data breaches.

New proposals would expand SEC’s reach

In his speech, Gensler proposed a series of changes involving new, “refreshed,” or expanded SEC cybersecurity authorities. These proposals include:

  • “Freshen up” Regulation Systems Compliance and Integrity (Reg SCI): Gensler said that he plans to ask the SEC at its next meeting to consider a “freshened up” version of Reg SCI to further shore up the cyber hygiene of important financial entities. Reg SCI is a 2014 rule covering a subset of large registrants, including stock exchanges, clearinghouses, alternative trading systems, and self-regulatory organizations (SROs). The rule aims to improve the resiliency of these entities by requiring sound technology programs, business continuity plans, testing protocols, data backups, and other requirements.
  • Strengthen financial sector registrants’ cybersecurity hygiene and incident reporting: Gensler said he had asked his staff how to strengthen financial sector registrants’ cybersecurity hygiene and incident reporting to a broader group, including investment companies, investment advisers, and broker-dealers, not covered by SCI, considering guidance issued by CISA and others.
  • Strengthen customer information protection for financial sector registrants: Gensler said he had asked staff for recommendations to change how customers and clients of financial sector registrants receive notifications about cyber events when their data, such as personally identifiable information, has been accessed.
  • Improve cyber risk and event reporting for public company registrants: Gensler has asked his staff to make recommendations about publicly traded companies’ cybersecurity practices and cyber risk disclosures, including possibly their practices concerning cybersecurity governance, strategy, and risk management. Gensler added that both companies and investors would benefit if this information were presented in a “consistent, comparable, and decision-useful manner” rather than the free-form descriptions currently appearing in the 8-K submissions. He has also asked staff to recommend whether and how to update companies’ disclosures to investors when cyber events have occurred.
  • Address cybersecurity risk from service providers: Perhaps the most controversial of the steps outlined by Gensler is the idea of requiring certain public company registrants to identify service providers that could pose cybersecurity risks. Following a spate of damaging supply chain attacks, most notably the compromise of business software provider SolarWinds, Gensler said he asked staff to consider recommendations on addressing cybersecurity risk from service providers. Among the measures cited by Gensler to address suppliers’ security are requiring certain registrants to identify service providers that could pose risks and holding registrants accountable for service providers’ cybersecurity measures for protecting investor information.

“Seismic speech” should send waves

Scott Ferber, partner at McDermott Will & Emery, tells CSO that while expansive, Gensler’s proposals align with how the SEC has traditionally viewed its role in cybersecurity. “The SEC has made it clear for years that cybersecurity is in their enforcement sights.”

Ferber adds, “The seismic speech from the chair reinforces that priority and highlights various initiatives. It should send waves to several constituencies, including the financial sector, SEC registrants, public companies, and, notably, service providers, even those not regulated by the SEC today.”

The timing of proposals is unclear

What’s unclear, however, is just how quickly the SEC might act on some of these ideas, if at all. Last year, the SEC put on its public agenda a rulemaking on amendments to enhance issuer disclosures regarding cybersecurity risk governance. That rulemaking, slated for October 2021, has yet to materialize.

Last September, Gensler told the Senate Banking Committee the agency is developing a proposal on cybersecurity risk governance, which “could address issues such as cyber hygiene and incident reporting.” The SEC did not respond to requests for information on either the seemingly stalled rulemaking or the timing of Gensler’s new proposals.

Ferber thinks the SEC is primed for fast action. “I don’t think [Gensler’s new expansive agenda] is something that is years down the road,” he tells CSO. “It seems that they’re looking to move quickly on this.”