June 30, 2023

😎 TGIF, everyone. Welcome back to Codebook.

  • 🎇 Codebook is taking a brief break Tuesday for the Fourth of July. We'll be back in your inbox next Friday.
  • 📬 In the meantime: Have thoughts, feedback or scoops to share? [email protected].

🚨 Situational awareness: Taiwanese chipmaker TSMC says it's aware of a cybersecurity incident impacting one of its third-party hardware suppliers after the LockBit ransomware gang claimed last night it had stolen data from the company.

Today's newsletter is 1,526 words, a 5.5-minute read.

1 big thing: GitHub's vision to make code more secure by design

Illustration: Gabriella Turrisi/Axios

GitHub is betting a yearslong investment in generative AI will fulfill the software security dreams that cybersecurity practitioners and government officials have envisioned.

Why it matters: Some of the most common security vulnerabilities that malicious hackers exploit to breach networks are the result of insecure and outdated coding practices.

  • Coders specialize in different languages — JavaScript, C++ or Ruby, among others — and those languages each demand different updates and parameters for developers to write secure programs.
  • But many programmers don’t keep up with which coding frameworks or popular open-source tools have caused which software vulnerabilities, leading to a mountain of security vulnerabilities that hackers are eager to exploit.

The big picture: GitHub, a Microsoft-owned service that allows developers to store their code, widely released a generative AI-enabled tool, called GitHub Copilot, last year to help bridge this knowledge gap.

  • The program gives developers predictive suggestions that aim to speed up the time it takes to write code, as well as to make their code more secure.

Driving the news: A year after launching the product, GitHub released a report this week at the Collision conference in Toronto detailing how Copilot users are responding to the product.

  • So far, users are accepting an average of 30% of Copilot’s suggestions. The acceptance rate "steadily increased as developers became more familiar with the tool," the report noted.
  • Users with less coding experience were slightly more inclined to accept Copilot's suggestions, the report found.
  • GitHub estimates that more than 1 million developers and 20,000 organizations are using its Copilot.

Zoom out: Cybersecurity companies, alongside the rest of the tech ecosystem, are increasingly looking at ways to integrate generative AI into their products.

  • However, most of the products released so far focus on analyzing information about cyber threats and assessing whether a network is affected by a recently discovered vulnerability. Few, if any, are helping coders write more secure code from the very start of a project.

What they're saying: "It’s kind of like a driver assistance system," GitHub CEO Thomas Dohmke told Axios. "It doesn’t prevent all accidents that can happen, but it makes traffic a little bit more secure."

Between the lines: Dohmke said he doesn’t see generative AI resulting in fewer jobs for developers and programmers.

  • Instead, he envisions generative AI will just speed up the writing process and help clear out the backlog of projects that developers often face, as well as allow them to conduct security reviews at an earlier stage.
  • "If you go to any software company, backlogs are endless, ideas are unlimited, and things take way too long," he said.

The intrigue: GitHub's usage data on Copilot arrives as the Biden administration has been pushing organizations to adopt new principles that prioritize cybersecurity in all aspects of product development.

  • Recent high-profile breaches involving popular open-source projects have been tied to flaws in code, like the widespread Log4j flaw in 2021. That's because open-source code is often run by volunteers who don't have the resources to conduct frequent security reviews.
  • Mike Hanley, GitHub’s chief security officer and senior vice president of engineering, told Axios that as Copilot gets better, he envisions opportunities for the technology to help review old open-source code, like Log4j, for new vulnerabilities.

Yes, but: GitHub, Microsoft and OpenAI are facing a 2022 class action lawsuit claiming that Copilot — which was trained based on public code scraped from the web — has failed to credit the authors of that code.

2. New privacy laws start in Colorado, Connecticut

Illustration: Aïda Amer/Axios

State privacy laws in Colorado and Connecticut will go into effect Saturday.

Why it matters: If companies haven't finished their compliance work to abide by the rules, they could soon face civil penalties of up to $20,000 per violation in some states.

The big picture: Colorado and Connecticut add to an increasingly complex patchwork of state data privacy laws.

Details: The Colorado and Connecticut laws apply to entities that do business in their states, as well as businesses that process a certain amount of data about customers in their states.

  • Under the new laws, residents of each state will have the right to request businesses delete their personal information, ask for a copy of the information businesses have collected about them, opt out of the sale of their personal data, and more.
  • Both laws also require businesses to request permission from consumers to opt in to letting businesses process their sensitive information — differing from the opt-out mechanisms consumers have in California.
  • Colorado and Connecticut are leaving enforcement up to their attorneys general — but until enforcement begins, it's unclear how much each office will prioritize data privacy cases.

Between the lines: States are increasingly passing their own laws after watching Congress struggle for years to make progress on a national standard.

  • Tech companies have long argued that a patchwork of laws would place undue burden on their businesses, while privacy advocates have supported a national standard but worry it could undercut stronger state rules.

What's next: Utah's privacy bill, which state officials passed last year, is set to go into effect Dec. 31.

3. A password manager protecting email addresses

Illustration: Sarah Grillo/Axios

Proton, the company that runs end-to-end encrypted email service Proton Mail, released an open-source password manager this week that protects users' email addresses in addition to passwords.

Driving the news: The company made Proton Pass widely available earlier this week after teasing the product back in April.

  • Proton Pass has two primary tasks: provide and store unique passwords for users' accounts across the internet and manage a set of alias emails that users can use to sign up for random services, like access to public WiFi.

Why it matters: Most password managers only safeguard someone's password — and many of the evolutions in this space have just focused on finding new ways to evolve passwords to be more secure.

  • But few products protect the other half of users' login credentials: their email address.

What they're saying: "Our view has always been that the password managers that exist so far, they're actually protecting the least important piece of the two pieces that you give out when you register for services," Andy Yen, founder and CEO of Proton, told Axios.

The big picture: When a user's login credentials are stolen in a data breach, it's pretty easy for that user to change their password and fend off malicious actors. But the same can't be said for their email address.

  • "You can't very easily change it because it's your identity for your digital existence," Yen said of the email address. "And now that you've lost it, it's pretty bad, all the phishing and spam notices that you can get."

How it works: When someone signs up for a new account or needs to submit their email address for something, Proton Pass will give them the option to submit an "alias" email address instead of their actual email.

  • That alias email will route any future emails through it to the user's actual email inbox. But if the user wants, they can turn off that forwarding feature at any time, Yen said.
  • Doing this also limits how many companies are storing someone's real email address in their databases.
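As an added illustration of the alias scheme described above (constructed for this newsletter, not Proton Pass code), the toy vault below mints one alias per sign-up, forwards mail only while that alias is enabled, and keeps the real address out of every alias; the `alias.example` domain and the service names are assumed.

```python
"""Toy model of per-service e-mail aliases with revocable forwarding.

Constructed illustration, not Proton Pass code. The real inbox address
lives only inside the vault; each service is handed its own alias, and
forwarding for any alias can be switched off without touching the others.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class AliasVault:
    real_address: str                      # never handed to third parties
    alias_domain: str = "alias.example"    # assumed domain for this example
    # alias -> {"service": name, "enabled": bool}
    aliases: Dict[str, dict] = field(default_factory=dict)

    def new_alias(self, service: str) -> str:
        """Mint a unique alias for one sign-up and return it for the form."""
        alias = f"{service}.{secrets.token_hex(4)}@{self.alias_domain}"
        self.aliases[alias] = {"service": service, "enabled": True}
        return alias

    def disable(self, alias: str) -> None:
        """Stop forwarding for one alias, e.g. once it starts receiving spam."""
        self.aliases[alias]["enabled"] = False

    def route(self, to_addr: str) -> Optional[str]:
        """Decide where an inbound message goes: the real inbox, or nowhere."""
        entry = self.aliases.get(to_addr)
        if entry is None or not entry["enabled"]:
            return None          # unknown or disabled alias: drop the message
        return self.real_address

    def service_for(self, alias: str) -> Optional[str]:
        """Which sign-up an alias was issued to (tells you who leaked it)."""
        entry = self.aliases.get(alias)
        return entry["service"] if entry else None


if __name__ == "__main__":
    vault = AliasVault("me@example.com")
    wifi = vault.new_alias("wifi")          # hand this to the captive portal
    print(wifi, "->", vault.route(wifi))    # forwarded while enabled
    vault.disable(wifi)
    print(wifi, "->", vault.route(wifi))    # None once switched off
```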

Between the lines: Proton rolled out this product after acquiring SimpleLogin, an email alias startup, last year.

4. Catch up quick

@ D.C.

🏛️ The White House asked federal agencies to prioritize investments in secure-by-design technologies in fiscal-year 2025 budget guidance released this week. (Federal News Network)

🤷🏻‍♀️ Hundreds of internet-connected devices on federal systems haven't patched vulnerabilities that the Cybersecurity and Infrastructure Security Agency has directed them to fix. (Nextgov)

@ Industry

💰 The University of California is suing the Lloyd's of London insurance market, saying the company has refused to pay out its cyber insurance claims nearly 10 years after a breach. (Bloomberg)

🔓 Apple is now advocating against provisions in the U.K.'s Online Safety Bill, warning some of the language could be used to break encryption in messaging services. (BBC)

👔 Corporate security executives are increasingly adding IT tasks to their purview. (Wall Street Journal)

@ Hackers and hacks

🩺 At least 100,000 people's data might have been compromised in a MOVEit-related breach of Department of Health and Human Services contractors, the agency told Congress. (CNN)

⚡️ The Cl0p ransomware gang claimed it targeted both Schneider Electric and Siemens Energy, two major energy companies, using a vulnerability in MOVEit. (CyberScoop)

🛰️ A hacker group claiming to be affiliated with the Wagner Group, the Russian private mercenary army involved in last weekend's mutiny, says it took down Russian satellite communications provider Dozor-Teleport. (The Record)

5. 1 fun thing

Poutine served at the Collision conference in Toronto this week. Photos: Sam Sabin/Axios

🇨🇦 When in Canada, eat poutine — at least that's how I decided to spend my downtime in Toronto this week.

  • Yes, but: I have been told you can only get the "real" poutine in Montreal, where restaurants are reportedly able to use unpasteurized cheese in the dish. Guess I'll have to make a quick detour next time!

☀️ See y'all next Friday!

Thanks to Scott Rosenberg for editing and Khalid Adad for copy editing this newsletter.
