Axios Codebook

May 10, 2024

😎 TGIF, everyone. Welcome back to Codebook.

  • 🌁 My cup is overflowing after another productive week here at the RSA Conference in San Francisco. Thanks to everyone who met with me and made this year so memorable — now, time to nap.
  • 📬 Have thoughts, feedback or scoops to share? [email protected].

🚨 Situational awareness: Ascension, a major U.S. health care system that includes 140 hospitals in 19 states, is currently diverting ambulances at several hospitals following a cyberattack this week.

Today's newsletter is 1,301 words, a 5-minute read.

1 big thing: Fulfilling the promise of AI security

Illustration: Eniola Odetunde/Axios

The dream of training AI tools to fight cyberattacks without human intervention could soon be a reality.

The big picture: Several AI security companies unveiled products at the RSA Conference this week designed to help mitigate cyber threats before they land on a corporate system.

  • CalypsoAI, a startup focused on preventing confidential data from being sucked into AI models, introduced a new feature that allows customers to create a vulnerability scanner without any coding experience.
  • Protect AI released Sightline, a new AI and machine learning supply chain vulnerability database, during the conference Monday. The tool provides an early-warning system that will defend against threats before they even appear on the government-run National Vulnerability Database.
  • Trellix rolled out its new generative AI-enabled tool, called Trellix Wise, which will share details about a threat with defenders as soon as it hits its network without any prompting.
  • Deep Instinct debuted DIANNA, its artificial neural network assistant, which relies on deep learning to predict hackers' tactics and intercept malware-infected files before they touch a system.

The big picture: So far, most AI security products have focused on keeping corporate data and government secrets away from chatbots and leveraging chatbots to help walk through threat alerts.

  • "We're still in this era of 'detect and respond,'" Carl Froggett, chief information officer at Deep Instinct, told Axios.

Between the lines: Executives and government officials have been hopeful that generative AI tools will help alleviate cyber workers who are stretched thin and burned out.

  • The cybersecurity industry doesn't have all of the workers it needs, and experts have hoped that generative AI products could help fill in some of the gaps.

Zoom in: CalypsoAI noticed the trend of everyone competing in the so-called scanner wars to create dozens of content and vulnerability scanners targeting specific use cases for AI models.

  • So instead of the company continuing to dream up use cases for generative AI models, CalypsoAI created a product that allows customers to create their own customizable chat scanners for their specific needs, CEO Neil Serebryany said.
  • If a customer needs to follow the Health Insurance Portability and Accountability Act (HIPAA), they can create a bot for this specific use case to keep patient data from landing in employees' hands.
  • The customer scanners can be embedded into Slack, Microsoft Teams and other parts of a corporate system that's using a custom LLM.

Yes, but: The industry isn't ready to completely turn cyber defense over to AI, Ashok Banerjee, senior vice president of product engineering at Trellix, told Axios.

  • Even if the recommendations for a model are 99% correct, that 1% can still have a detrimental impact, Banerjee noted.
  • "It's a huge responsibility," he said. "99% success would be very good grades in any test, but in this case we want to be very, very sure."

2. Congress pushes Microsoft on cybersecurity

Illustration: Annelise Capossela/Axios

The House Homeland Security Committee is trying to get Microsoft president Brad Smith to testify this month on the company's recent cyberattacks.

Why it matters: Microsoft has recently come under fire in Washington over its cybersecurity practices after a series of high-profile cyberattacks — but it's been years since a congressional committee grilled the tech company on the topic.

Zoom in: House Homeland Security Chair Mark Green (R-Tenn.) and ranking member Rep. Bennie Thompson (D-Miss.) sent a letter to Smith on Thursday requesting that he testify at an upcoming hearing focused on the company's cybersecurity practices.

  • The letter, first obtained by Politico, says the committee plans to hold a hearing — called "A Cascade of Security Failures: Assessing Microsoft Corporation's Cybersecurity Shortfalls and the Implications for Homeland Security" — on May 22.
  • The hearing is expected to examine the company's recent nation-state cyberattacks and its plans to strengthen its internal practices moving forward, according to the letter.

Catch up quick: Microsoft recently started overhauling its internal cyber practices after a scathing government report into last summer's China hack.

What they're saying: "While we appreciate the company's cooperation with the CSRB's investigation and its recent commitment to making improvements, the report's findings not only reveal numerous troubling failures that compromised sensitive government information, but potentially revealed a lack of accountability at the company that could lead to even greater failures in the future," Green said in a statement to Axios.

  • Microsoft did not respond to a request for comment Thursday evening.

Between the lines: Microsoft is the top cloud and enterprise software provider for the federal government, underscoring lawmakers' and government officials' growing concerns.

What we're watching: The House Homeland Security Committee hasn't formally published the date for the hearing, and the date mentioned in the letter could change.

  • It's also unclear if the hearing could inspire any specific legislation.

3. Turning over "secure-by-design" to companies

Illustration: Brendan Lynch/Axios

A new government pledge to build more secure products now relies on the motivation of nearly 70 tech manufacturers to see it through.

Why it matters: The Cybersecurity and Infrastructure Security Agency (CISA) does not plan to strictly enforce its new "secure-by-design" pledge.

  • Each of the 68 companies that signed the pledge will be accountable for following through on their promises on their own.

Catch up quick: Dozens of tech vendors are promising to work on several projects to make their products more secure against basic cyber threats.

  • Those promises include increasing the use of multifactor authentication, reducing the number of security bugs in their products, speeding up security patches, and publishing a vulnerability disclosure policy.

The big picture: The signatories have their own unique challenges in completing the secure-by-design promises.

  • For example, some companies may have already adopted multifactor authentication on all critical systems but need to improve their process for patching bugs.

Zoom in: Amazon Web Services will spend the first year of the pledge expanding its use of multifactor authentication on privileged user systems and fine-tuning its vulnerability disclosure policy, Mark Ryland, director of security at AWS, told Axios.

  • Trend Micro has already completed many secure-by-design principles and is assessing how to best approach the others it's working through, Jon Clay, the company's vice president of threat intelligence, told Axios.
  • "We have language that is both ambitious and measurable but also gives companies the flexibility they need to figure out what approach best suits them," Jack Cable, senior technical advisor at CISA, said during the pledge signing event at the RSA Conference.

What's next: CISA plans to convene signatories throughout the year so they can trade notes on how their secure-by-design projects are going.

4. Catch up quick

@ D.C.

🐛 CISA is stepping in to help the National Institute of Standards and Technology address its software bug assessment backlog. (Axios)

⚠️ Generative AI is lowering the bar for who can become a cybercriminal, CISA Director Jen Easterly warned in an interview. (Axios)

📲 The Office of the Director of National Intelligence issued a new policy directive limiting how intelligence agencies can buy and use data about Americans collected by internet-connected devices. (Wall Street Journal)

@ Industry

🤖 Microsoft has created a generative AI model that's entirely disconnected from the internet that U.S. intelligence agencies can use safely. (Bloomberg)

@ Hackers and hacks

🎭 U.S. and U.K. authorities unmasked the identity of the person who has been leading the prolific LockBit ransomware gang. (TechCrunch)

💰 Boeing confirmed it faced a $200 million extortion payment demand when LockBit targeted the company last year. (CyberScoop)

💪🏻 The Library of Congress was able to thwart an attempted cyberattack that happened around the same time as last year's high-profile British Library hack. (Nextgov/FCW)

5. 1 fun thing

CISA Director Jen Easterly and her team (left) and Third Eye Blind (right) playing at different RSA Conference parties in San Francisco. Photos: Sam Sabin/Axios

The magic of the RSA Conference is that you can see both CISA Director Jen Easterly and Third Eye Blind playing at venture capital firm parties throughout the week.

☀️ See y'all Tuesday!

Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.