Moving to Passwordless Login: 9 Key Considerations

Passwords have long been a weak link in the security chain. They can be easily guessed, stolen, or cracked through various malicious techniques. Passwordless login methods eliminate the reliance on passwords altogether, significantly enhancing security. By employing advanced technologies such as public-key cryptography, companies can implement strong authentication protocols that are resistant to brute-force attacks, phishing attempts, and credential stuffing.

Considering Passwordless Login? Here’s What You Need to Know…

When implementing passwordless login methods for network authentication, cybersecurity professionals should consider the following key factors:
I. Strong Authentication Protocols
Passwordless authentication should employ strong authentication protocols, such as public key cryptography. These protocols add an extra layer of security beyond just passwords and provide more robust protection against unauthorized access.
II. Secure Credential Storage
With passwordless login, sensitive credentials like private keys can be used. It is crucial to ensure secure storage of these credentials, either through encrypted cloud-based storage solutions or hardware-based security modules if necessary. Unauthorized access to these credentials could lead to serious security breaches.
III. User Experience and Adoption
Passwordless methods should be designed with a focus on user experience to encourage adoption. Complex or cumbersome authentication processes can result in user resistance or workarounds that compromise security. Balancing security and usability is crucial for successful implementation.
IV. Robust Identity Verification
Passwordless login should include robust identity verification mechanisms to ensure that the person requesting access is indeed the legitimate user. This can involve factors such as device attestation or contextual information like location or network patterns to establish trust.
V. Monitoring and Logging
It is essential to implement monitoring and logging mechanisms to track authentication events and detect any suspicious or malicious activities. Security professionals should have visibility into the authentication process to identify potential threats and respond promptly to security incidents.
VI. Continual Security Updates and Patches
Passwordless methods, like any other security solution, may have vulnerabilities that could be exploited by attackers. Vulnerability assessments should be conducted to ensure that the authentication system remains resilient against emerging threats. Cloud-native solutions can help eliminate the need for continuous patching, updating and general system maintenance.
VII. Backup and Recovery Mechanisms
Implementing passwordless login should also include considerations for backup and recovery mechanisms. In the event of system failures or credential loss, there should be processes in place to restore access securely and without compromising security.
VIII. User Education and Awareness
Introducing passwordless methods requires educating users about the new authentication methods, their benefits, and best practices. Users should understand the security implications, potential risks, and how to properly use and protect their credentials to maintain a strong security posture.
IX. Threat Modeling and Risk Assessment
Before implementing passwordless authentication, conducting a comprehensive threat modeling and risk assessment is critical. This helps identify potential threats, vulnerabilities, and risks associated with the chosen authentication methods and allows for the implementation of appropriate security controls.

The Future of the Passwordless Login Trend

As the workforce adopts new habits and technologies and cyber threats evolve in parallel, the adoption of passwordless login methods for security authentication is gaining momentum. By eliminating the weaknesses of traditional passwords, companies can enhance security, streamline user experience, and meet compliance requirements. Passwordless authentication provides a robust and convenient solution for organizations seeking to protect sensitive data, accommodate mobile workforces, and reduce the costs associated with password management. Embracing this innovative approach empowers companies to strengthen their security defenses, adapt to the changing work environment, and stay resilient in the face of evolving cyber threats.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

The OSINT Framework: How Hackers Can Leverage it to Breach Your Organization

In many ways, the open-source intelligence (OSINT) framework is a double-edged sword. On the one hand, it equips cybersecurity teams with a potent arsenal to detect vulnerabilities and strengthen their organization’s defenses. On the other hand, it also serves as a treasure trove for cybercriminals, enabling them to scan, probe, and breach vulnerable networks with remarkable efficiency. And to further complicate things, the remote work model, which has recently become the norm, only magnifies the risks and potential impact of OSINT-enabled attacks.

With freely available open-source data, malicious actors can often pinpoint and exploit unsecured and misconfigured systems while remaining obfuscated behind the anonymity of the digital world. Consequently, organizations are faced with a perpetual arms race, striving to stay one step ahead of the rapidly evolving cyber threat landscape.

With this in mind, recognizing threat actors’ tactics is paramount. This knowledge provides a solid foundation to fortify cyber defenses, ensuring robust protection of valuable data assets. So, let’s delve into the details of the OSINT framework and how hackers can leverage it to breach your organization.

What Is OSINT in Cybersecurity?

Open-source intelligence (OSINT) refers to the collection and analysis of publicly available data from various mediums like the internet, media, professional and academic publications, and government reports, among others. OSINT involves leveraging this publicly accessible information to identify potential vulnerabilities in systems and networks. It’s a powerful tool for both security professionals aiming to fortify defenses and cybercriminals seeking to exploit weaknesses.

For instance, a security analyst might use OSINT to identify outdated software or improperly configured servers, allowing them to rectify these issues. On the other hand, a cybercriminal could use OSINT to find weak points to launch an attack.

OSINT sources can range from social media posts revealing too much information about a network’s setup, to technical data found in online forums or databases detailing known vulnerabilities in certain software.

Critically, data is not automatically intelligence. Without proper context or analysis, open-source data remain unprocessed raw data. The transformation into intelligence happens when this data is critically analyzed.

For example, OSINT is more than just bookmarking a LinkedIn profile. It’s about extracting relevant, actionable details that can answer a specific intelligence question. It’s about asking, “what makes this data significant?” and delivering insightful intelligence based on the data gathered.

What is the OSINT Framework?

So we’ve covered open-source intelligence, but what is the OSINT framework specifically? Put simply, the OSINT framework is a collection of methodologies and open-source intelligence tools that make your intel and data-gathering tasks easier. The framework includes several stages, from identifying information needs, data collection, and analysis to presenting the findings.

How to Use the OSINT Framework

First, visit the OSINT framework website. You’ll notice a list of categories branching off from the OSINT framework, and by clicking on these branches, you can find tools and resources to help you with specific types of intelligence gathering.

Essentially, it’s your best resource for search engines, resources, and tools publicly available on the Internet.

However, it can also be confusing if you don’t know where to start. That’s the purpose of this post. To give you context on OSINT, how it works, and how both attackers and defenders leverage it to either keep our systems safe or launch ruinous attacks. Armed with this information, you should be better able to defend your networks from cybercriminals.

We’ll dive more into the specifics on how to use the OSINT framework in a later section.

To help you understand how to use the OSINT framework, let’s first dive into the specifics of open-source data gathering.

What are the Different Types of Open Source Data?

To extract valuable insights from data, you first need to know where to look. Open-source data comes in many forms. Much of it is already publicly accessible, and the rest can often be obtained by request. OSINT sources can include:

  • Media reports, newspapers, and magazine articles: These can provide valuable insights into ongoing events, public sentiment, and trends. For example, a company may use them to learn about security breaches in their industry.
  • Academic papers and published research: These offer in-depth knowledge about specific topics. A cybersecurity professional could find a research paper detailing a new type of cyberattack or vulnerability.
  • Social media activity: This can reveal personal information, affiliations, behavior patterns, or even inadvertent disclosure of sensitive data. For instance, a hacker might identify a potential phishing target through social media.
  • Census data: This provides demographic details which can be used in threat modeling or understanding potential target audiences for social engineering attacks. For companies, it can provide valuable insights into which groups are likely to be targeted in future attacks.
  • Telephone directories: These can reveal contact information that could be used for spear-phishing or other targeted attacks.
  • Court filings and arrest records: These can provide information about legal disputes and criminal activities that might indicate potential vulnerabilities or targets.
  • Public trading data: This can offer insights into a company’s financial health, which might inform attack motivations.
  • Public surveys: These can reveal trends, public opinion, or other valuable data. They can also inadvertently expose sensitive information if not adequately anonymized.
  • Location context data: Information, like geotags, can disclose a person’s or device’s location, potentially revealing patterns or valuable details.
  • Breach or compromise disclosure information: This can help organizations understand how breaches occur and learn from others’ mistakes, while attackers may use it to replicate successful attacks.
  • Publicly shared cyberattack indicators like IP addresses, domains, or file hashes: These can help organizations identify potential threats and proactively protect their systems.
  • Certificate or Domain registration data: This information can reveal an organization’s online assets, which can be monitored for potential security issues.
  • Application or system vulnerability data: This is often found in public databases or forums detailing known vulnerabilities, which attackers can use to exploit weaknesses and defenders can use to patch them.

How do Attackers Leverage OSINT?

As we’ve already touched on, both attackers (cyber criminals) and defenders (cybersecurity professionals) can use OSINT to further their own agendas. Here we’re going to be focusing on how attackers leverage OSINT.

Attackers increasingly leverage Open Source Intelligence to plan and execute cyberattacks. They use OSINT to gather information about potential targets, identify vulnerabilities, and plan their attack strategies. Here’s how:

Target Identification

Cybercriminals use OSINT to identify valuable targets. For example, they might mine social media platforms or professional networking sites like LinkedIn to find individuals with access to sensitive information.

Vulnerability Identification

Once they’ve identified a target, attackers use OSINT to find potential weaknesses. They could, for example, use data from public vulnerability databases, technical forums, or bug bounty platforms to learn about unpatched software vulnerabilities in the target’s infrastructure.

Attack Planning

OSINT also aids in planning attacks. Cybercriminals can use information from news articles, blog posts, or even the target’s disclosures to understand their security posture and technologies in use. This helps them select the most effective attack method.

Social Engineering Attacks

OSINT plays a crucial role in social engineering attacks. Threat actors might use information gleaned from an individual’s social media profiles, such as personal interests or travel plans, to craft convincing phishing emails.

Advanced Search Techniques – Google Dorks

Google Dorks, a technique used to refine search results, is another method cybercriminals employ for OSINT collection. By crafting specific search terms, threat actors can locate hard-to-find intelligence sources. For example, an attacker could combine “filetype:PDF” with the company’s domain name to find a list of all publicly available PDFs associated with that company. The results may contain PDFs that were inadvertently made publicly available due to misconfigured permissions.

Domain Analysis

Cybercriminals often use WHOIS databases to retrieve information about the owners, administrative contacts, and IP addresses associated with domain names. This data can help them craft spear-phishing attacks or locate potential points of entry into the network.

Geolocation Tracking

Information about a person’s whereabouts can also be used maliciously. Cybercriminals can analyze posts on social media platforms, such as vacation photos or check-ins, to determine when an individual or key company personnel are away, making it an optimal time to strike.

Infrastructure Analysis

Attackers can leverage network mapping tools like Shodan or Censys to discover exposed network services or Internet of Things (IoT) devices. These services and devices often have vulnerabilities that can be exploited for unauthorized access or to launch attacks. We’ll dive more into the specifics of OSINT tools later.

Code Repository Mining

Open-source code repositories like GitHub can be a gold mine for cybercriminals. Developers may leave sensitive information like API keys, passwords, or secret tokens in public repositories. Attackers can find this data and use it to gain unauthorized access to systems or services.
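A defender can look for the same exposure in their own repositories before they are made public. The scanner below is an added example, not code from the original article; the rule set, the entropy threshold and the sample files are constructed assumptions, and the AWS value is a non-functional documentation-style sample.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Rule name -> pattern. The AWS key-ID prefixes and the PEM header are public,
# documented formats; the credential rule is a generic heuristic (assumption).
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"""(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*["']([^"']{8,})["']"""
    ),
}
# Values that are templates rather than secrets: ${VAR}, <fill-me>, xxxx, ****
PLACEHOLDER = re.compile(r"(?i)^(?:\$\{.*\}|<.*>|x+|\*+)$")
# Bits per character below which a quoted value is treated as a placeholder.
# Assumed threshold: it cuts noise but also hides weak human-chosen passwords.
MIN_ENTROPY = 3.0


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    preview: str  # redacted so the report does not become a second leak


def shannon_entropy(value: str) -> float:
    counts = Counter(value)
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "hardcoded-credential" and (
                    PLACEHOLDER.match(value) or shannon_entropy(value) < MIN_ENTROPY
                ):
                    continue
                findings.append(Finding(path, lineno, rule, redact(value)))
    return findings


def scan_files(files: dict) -> list:
    """Scan an in-memory mapping of path -> file content."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_tree(root: str, max_bytes: int = 1_000_000) -> list:
    """Scan a checked-out working tree. Git history is NOT covered: a secret
    deleted in a later commit is still retrievable from earlier ones."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if ".git" in p.parts or not p.is_file() or p.stat().st_size > max_bytes:
            continue
        findings += scan_text(str(p), p.read_text(errors="ignore"))
    return findings


# Constructed sample repository content (no real credentials).
SAMPLE_FILES = {
    "deploy/settings.py": (
        'DB_PASSWORD = "${DB_PASSWORD}"\n'    # template, ignored
        'API_KEY = "t7Kq9vZp2LmX4cRw"\n'      # high-entropy literal, reported
        'ADMIN_PASSWORD = "changeme"\n'       # low entropy, suppressed
    ),
    "scripts/upload.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "keys/id_deploy": "-----BEGIN OPENSSH PRIVATE KEY-----\n(body omitted)\n",
    "README.md": "Set your token in the environment before running.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule} {f.preview}")
```

Any credential this reports in a repository that was ever public should be rotated, since removing the line does not remove it from earlier commits or from copies already made.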

Competitor Analysis

Just as businesses use OSINT for competitive intelligence, so do cybercriminals. They may analyze breaches experienced by similar targets to learn about successful tactics and apply them in their own attacks.

Example of OSINT in Action

Suppose an attacker is targeting an employee at a technology firm. They might start by researching the employee on LinkedIn, finding out their role, the projects they’re working on, and who they report to. Then, they might look at the employee’s Twitter or Facebook feed, where they discover that the employee is attending a cybersecurity conference.

Using this information, the attacker crafts a phishing email. The email appears to come from the conference organizers, complete with a convincing logo and signature. It states that there’s a last-minute change to the schedule and asks the recipient to click on a link to see the updated information. In reality, the link leads to a malicious site designed to steal the employee’s login credentials.

This example illustrates how cybercriminals can use OSINT to make their phishing attempts highly personalized and convincing, increasing the chances that the recipient will fall for the scam.

How to Use the OSINT Framework – Empowering Cybersecurity Teams

OSINT is a powerful resource for cybersecurity teams. It allows for comprehensive and effective identification, prevention, and mitigation of cyber threats. Here’s how they can leverage OSINT to strengthen their organizations’ cybersecurity:

  • Identifying Vulnerabilities: Cybersecurity teams can use OSINT to discover vulnerabilities in their networks and systems. For example, companies can use information from forums, blogs, or databases detailing known software vulnerabilities to patch these weaknesses before cybercriminals exploit them.
  • Threat Intelligence: By monitoring public data like social media, blogs, and forums, teams can identify emerging threats and trends. They can watch for mentions of their organization or relevant industry keywords, helping them anticipate potential attacks and respond proactively.
  • Employee Training: OSINT can reveal what kind of information about the organization and its employees is publicly available. This can inform employee training, teaching them about the risks of oversharing on social media or how to identify phishing attempts, as these often leverage publicly available information.
  • Supply Chain Security: OSINT can help monitor the digital footprint of supply chain partners. For instance, teams can watch for news of data breaches or public disclosures of vulnerabilities in their partners’ systems, helping them manage supply chain cyber risk.
  • Incident Response: In the event of a cyber incident, OSINT can help teams understand the nature of the attack. By comparing indicators of compromise like IP addresses, domain names, or file hashes with public databases, teams can identify the type of malware used or possibly even the attacker’s identity.
  • Competitor Analysis: Cybersecurity teams can use OSINT to learn from competitors’ experiences. They can analyze competitors’ breaches, understand how they happened, what their impacts were, and how they were mitigated, improving their organization’s readiness.
  • Predictive Analysis: By studying patterns in cyberattacks and breaches on a broader scale, teams can predict potential threats and take preventive measures.
  • Compliance Auditing: Organizations can use OSINT to ensure they’re not unintentionally disclosing sensitive data. Regular audits of publicly available information about the organization can ensure they comply with data protection regulations.
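The Incident Response item above describes comparing IP addresses, domain names, and file hashes against public indicator lists. The following matcher is an added example, not part of the original article; the feed entries, log lines and field layout are constructed, it covers IPv4 only, and it uses documentation-reserved addresses and domains.

```python
import hashlib
import ipaddress
import re

HASH_FULL = re.compile(r"[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32}")
HASH_IN_TEXT = re.compile(r"(?i)\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")
IP_IN_TEXT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_IN_TEXT = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(text: str) -> str:
    """Undo the defanging that published indicator lists commonly apply."""
    text = re.sub(r"(?i)hxxp", "http", text)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


class IndicatorFeed:
    """Holds indicators from a public list: hashes, IPs/CIDRs, domains/URLs."""

    def __init__(self, entries):
        self.networks, self.domains, self.hashes = [], set(), set()
        for raw in entries:
            item = refang(raw.strip()).lower()
            if not item or item.startswith("#"):
                continue
            if "://" in item:  # keep only the host part of a URL
                item = item.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
            if HASH_FULL.fullmatch(item):
                self.hashes.add(item)
                continue
            try:
                self.networks.append(ipaddress.ip_network(item, strict=False))
            except ValueError:
                self.domains.add(item.rstrip("."))

    def match_domain(self, name: str):
        """Return the listed domain covering `name`, or None.
        A listed domain also covers its subdomains; a bare TLD never matches."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def check_line(self, line: str) -> list:
        """Return (kind, observed value) for every indicator seen in a line."""
        line = refang(line)
        hits = []
        for m in HASH_IN_TEXT.finditer(line):
            if m.group(0).lower() in self.hashes:
                hits.append(("hash", m.group(0).lower()))
        for m in IP_IN_TEXT.finditer(line):
            try:
                addr = ipaddress.ip_address(m.group(0))
            except ValueError:  # e.g. 999.1.1.1 or a version string
                continue
            if any(addr in net for net in self.networks):
                hits.append(("ip", str(addr)))
        for m in DOMAIN_IN_TEXT.finditer(line):
            if self.match_domain(m.group(0)):
                hits.append(("domain", m.group(0).lower()))
        return hits


def triage(feed: IndicatorFeed, lines) -> list:
    """Return (line index, kind, value) for each hit, in log order."""
    return [(i, kind, value)
            for i, line in enumerate(lines)
            for kind, value in feed.check_line(line)]


# Constructed data: the hash is derived from a dummy string, the addresses are
# from documentation ranges, and the log format is invented for this example.
SAMPLE_HASH = hashlib.sha256(b"constructed-sample").hexdigest()
FEED = [
    "# constructed indicator list",
    "hxxp://bad-domain[.]example/payload",
    "198.51.100.0/24",
    SAMPLE_HASH.upper(),
]
LOG_LINES = [
    "2024-01-01T10:00:01Z proxy GET http://cdn.bad-domain.example/a.js src=10.0.0.5",
    "2024-01-01T10:00:02Z fw ALLOW src=10.0.0.8 dst=198.51.100.23 dport=443",
    f"2024-01-01T10:00:03Z edr file_written sha256={SAMPLE_HASH} host=ws-12",
    "2024-01-01T10:00:04Z proxy GET https://www.example.org/ src=10.0.0.5",
]

if __name__ == "__main__":
    for idx, kind, value in triage(IndicatorFeed(FEED), LOG_LINES):
        print(f"line {idx}: {kind} {value}")
```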

In a nutshell, OSINT serves as the eyes and ears of cybersecurity teams in the public sphere. By effectively leveraging it, you can transform raw data into actionable intelligence, strengthening your organization’s cybersecurity posture. It helps you stay one step ahead of the attackers.

While OSINT is a powerful tool, organizations should leverage it as part of a comprehensive cybersecurity strategy, complementing other tools and tactics such as secure architecture, Zero Trust, intrusion detection systems, regular patching, and employee training.

Dark Web OSINT

The dark web – a part of the internet not indexed by search engines – also plays a crucial role in OSINT, offering a peek into the cybercriminal underground.

The dark web houses various illicit activities, including hacking forums, black marketplaces, and encrypted communication platforms, making it a valuable source of information for cybersecurity professionals.

Tactical Threat Intelligence

Threat actors often share their tactics, techniques, and procedures (TTP) in dark web forums or marketplaces. These can provide insights into the latest attack strategies against specific industries or technologies. By monitoring these platforms, cybersecurity teams can anticipate potential threats and bolster their defenses accordingly. For example, if a particular type of ransomware is being discussed in relation to healthcare systems, security professionals can alert hospitals and clinics to strengthen their cyber defenses.

Initial Access Brokers

Initial access brokers are individuals or groups specializing in gaining unauthorized access to systems and then selling that access to the highest bidder. Here, intelligence can provide clues about specific corporate environments that may be under threat.

For example, if a cybersecurity team finds that cybercriminals are selling their organization’s access credentials, they can take immediate action, like initiating password resets and investigating potential breaches.

Operational Intelligence

The dark web is also a hub for trading stolen data and compromised devices. This can range from leaked credentials to infected devices for sale. By keeping an eye on these marketplaces, companies can identify if their data or devices have been compromised and take swift action.

For example, cybersecurity professionals can monitor sales of botnets – networks of compromised devices threat actors use for large-scale attacks like Distributed Denial of Service (DDoS). If they identify their systems within these botnets, they can immediately isolate and clean the infected systems, thereby disrupting the botnet’s operations and protecting their infrastructure. They can also share this intelligence with other organizations and law enforcement, assisting in the broader disruption of the threat actor’s operations.

Top OSINT Tools

There are plenty of OSINT tools out there, and the number is growing all the time. With this in mind, here we will focus on the top OSINT tools organizations can use to improve their cybersecurity.

Shodan

Shodan is a specialized search engine that allows users to discover Internet-connected devices worldwide. It indexes data from various devices, including webcams, servers, and routers. Unlike typical search engines that crawl websites, Shodan explores the internet’s infrastructure, revealing vulnerabilities and exposing potential security risks.

Maltego

A powerful data mining tool that aids in visualizing complex networks, Maltego allows users to easily map relationships and find patterns among various internet-based data points. These could be networks of individuals, organizations, websites, social media profiles, or other interconnected entities. The ability to map relationships in a graph format helps unveil hidden connections and patterns that might not be discernable from raw data.

Mitaka

An extension for browsers, Mitaka enhances OSINT capabilities by allowing users to scan and analyze highlighted texts for potential security threats or investigate cybercrime. Users can use Mitaka to scan selected text on a webpage for any signs of cyber threats, such as IP addresses associated with known malicious activities, hash values of potential malware, or even suspicious URLs.

SpiderFoot

An open-source intelligence automation tool, SpiderFoot collects and analyzes data about an IP address, domain name, network subnet, or other related entities to aid in cybersecurity investigations.

BuiltWith

A web technology lookup tool, BuiltWith profiles and tracks what technology, including server software and analytics tools, websites across the internet are using. Users can discover what server software a website uses, the ad networks it participates in, the tracking widgets installed, or even the WordPress plugins used.

Metasploit

A widely-used penetration testing framework, Metasploit helps cybersecurity professionals perform vulnerability assessments, improve security awareness, and conduct rigorous penetration tests on their networks. Metasploit contains a vast collection of exploits and payloads that users can deploy against target systems to evaluate their security posture.

DarkSearch.io

DarkSearch.io serves as a gateway to the dark web, allowing users to perform safe searches across numerous .onion sites. It makes the dark web more accessible, revealing content typically hidden from standard search engines.

Spyse

A cybersecurity search engine, Spyse allows for thorough internet data reconnaissance by accumulating and indexing information about internet entities like IP addresses, domains, Autonomous System Numbers (ASNs), and even cryptographic certificates.

Google Dorks

Advanced search techniques using Google, Google Dorks help users to find specific information or expose potential vulnerabilities on websites that the regular Google search may not reveal.

Babel X

A comprehensive threat intelligence platform, Babel X sifts through multilingual data from the web, the dark web, and other sources to deliver actionable intelligence for security teams. By leveraging AI and machine learning, it can identify, categorize, and alert potential security threats in more than 200 languages.

Recon-ng

An open-source reconnaissance framework with an interface similar to Metasploit. It provides a modular platform where different independent modules perform tasks like harvesting data from social media, querying network registries, or even detecting vulnerabilities.

Aircrack-ng

A comprehensive suite of tools for network security, Aircrack-ng enables users to monitor, attack, test, and crack Wi-Fi networks, assessing their vulnerabilities. It’s particularly renowned for its ability to break WEP and WPA-PSK keys, which allows it to identify weak points in a Wi-Fi network’s security.

Final Thoughts

Understanding OSINT tools and their potential for misuse is critical for maintaining organizational security. Attackers can leverage the same tools designed for securing systems to expose vulnerabilities and execute breaches. By familiarizing ourselves with the OSINT framework, we can anticipate potential threats and fortify our defenses, thereby keeping a step ahead of the perpetrators. Awareness and proactivity are our best defenses in an ever-evolving cyber threat landscape.

How Should AI Be Regulated To Ensure Cybersecurity Safeguards?

We’re living in an age where an algorithm could either help us buy the perfect gift for a loved one or potentially drain our bank account in a fraction of a second. As AI’s capabilities expand and increase, its impact on cybersecurity—both positive and negative—becomes more pressing, necessitating an urgent conversation about regulatory frameworks.

With this in mind, let’s dive into the complex relationship between AI and cybersecurity and explore how judicious regulation can turn the tides in our favor. How should AI be regulated? Should it be regulated at all? And what restrictions are countries around the world putting in place?

Should AI Be Regulated?

While AI is nothing new, its capabilities and popularity have rapidly expanded in the last few years. OpenAI’s ChatGPT, a natural language processing chatbot, has already massively disrupted workplaces, with the chatbot helping people write code, emails, and content. It set the record for the fastest user growth in January, reaching over 100 million active users just two months after launch. And its competitors, Microsoft Bing AI, Google Bard, Chatsonic, and others, are similarly gaining traction.

With this surge in popularity has come new conversations about the role of AI and whether we need to put on the brakes or quickly establish some rules and regulations surrounding it. And these concerns aren’t just coming from tech-skeptics. Google President of Global Affairs Kent Walker said that AI “is too important not to regulate.” And OpenAI’s CEO Sam Altman said, “I try to be upfront… Am I doing something good? Or really bad?”. In other words, the very people developing these tools are also keenly aware of the damage they can cause if left unchecked.

So far, much of the discourse surrounding AI regulation has focused on the following areas:

  1. AI Art and Copyright: AI can create artwork similar to human works, potentially infringing on copyrights. There’s also debate over who owns the copyright of AI-generated art.
  2. Natural Language Models: Advanced AI models can produce text that’s hard to distinguish from human-written content, leading to worries about disinformation, privacy invasion, and economic impacts.
  3. Academic Integrity: AI could be used to write essays or dissertations, challenging academic integrity and making plagiarism detection difficult.
  4. Ethics and Bias: AI can inadvertently amplify societal biases, which calls for regulations ensuring fairness.
  5. Privacy and Surveillance: Concerns about AI’s potential in violating privacy and enabling mass surveillance.
  6. Autonomous Decision Making: In areas like autonomous vehicles or weaponry, regulation is needed to ensure safety and accountability.

However, as our reliance on AI grows, more specific concerns are coming to light – like cybersecurity. With AI, hackers can craft human-like text, generate phishing emails, and automate the creation of malicious content. For example, an AI model trained on known vulnerabilities can generate new malware, making it a potent weapon in the hands of cybercriminals. And we’re already seeing this happen – AI cyber-attacks are here.

The ways in which cybercriminals can leverage AI for nefarious gains are as expansive as they are severe. Here are some of the ways cybercriminals can use AI to enhance the efficiency and effectiveness of their attacks:

  1. Automated Hacking: AI can be programmed to identify system vulnerabilities and exploit them much faster than a human hacker could. They can perform brute force attacks more efficiently, constantly altering their approach until they find a successful pathway.
  2. Spear Phishing: AI can gather and analyze vast amounts of personal data from social media and other online sources to create highly personalized phishing messages, making them more believable and increasing the likelihood of success.
  3. AI-Generated Deepfakes: AI can create realistic fake audio and video, known as deepfakes, that can be used for disinformation campaigns or to impersonate individuals for fraudulent purposes.
  4. Malware: AI can be used to create more sophisticated malware that can adapt and learn from the security measures it encounters, making it harder to detect and neutralize.
  5. Evasion: Advanced AI systems can learn to evade detection systems, making attacks harder to identify and respond to. They can also mimic normal user behavior, making their malicious activities blend in with regular network traffic.
  6. DDoS Attacks: AI can enhance Distributed Denial of Service (DDoS) attacks by learning to identify network weaknesses and optimizing the attack strategy.

For many, cybercriminals’ potential misuse of AI underscores the need for robust cybersecurity measures, including tighter regulation.

The Case Against AI Regulation

Despite the dangers of unregulated AI, some people prefer no or very little regulation. Put simply, opponents of AI regulation argue that it could stifle innovation and progress. Regulations are often slow to adapt and may fail to keep pace with the rapid evolution of AI technologies. Strict regulatory oversight could also create high barriers to entry, favoring established companies and hindering start-ups and smaller businesses.

Furthermore, overly prescriptive rules could limit AI’s creative and beneficial applications. Critics also note the global nature of AI development; if strict regulations are imposed in one country, research and development might shift to less regulated regions. Lastly, they argue that existing laws covering areas like copyright, defamation, and data protection are often sufficient to manage AI’s current level of sophistication and that we should address future concerns reactively as AI capabilities continue to advance.

A Wild West AI Landscape

While some people would prefer a more wild-west style AI landscape, those people are largely absent from the cybersecurity community. As we touched on, the potential misuse of AI for cybercrime is too great. In an increasingly severe threat landscape, cybersecurity professionals need all the help we can get.

And this is why we see reputable cybersecurity organizations calling for tighter regulations or working independently to develop safer practices around AI. For example, NIST recently released a risk-management framework to combat malicious AI.

Cybersecurity Professionals Aren’t Anti-AI

Before we dive into some specifics around how we should regulate AI in cybersecurity, it’s important to understand the critical role AI plays in cybersecurity.

When cyber professionals call for more regulation, they’re not calling for AI bans – AI is a potent tool for cybersecurity. For example, experts increasingly believe that AI is key to ensuring IoT security in the digital age. Similarly, AI is making identity authentication safer and more robust, preventing unauthorized access to sensitive data and systems.

And the list goes on. Cybersecurity teams leverage AI to detect malware, recognize phishing attempts, automate threat hunting, predict attacks, mitigate DDoS attacks, and speed up incident response.

How Should AI Be Regulated? A Cybersecurity Perspective

In the next section, we’re going to dive into AI regulation around the world. That can tell us a lot about how governments think about AI and its continued role in our societies. However, these regulations are coming from a holistic perspective – they’re answering the question, “How should AI be regulated?” and not “How can we regulate AI to bolster cybersecurity.” Of course, a well-regulated AI landscape should also positively impact cybersecurity, but it’s not necessarily the first priority in making legislation.

With that in mind, here are some recommendations on how we could regulate AI to improve cybersecurity and safeguard our systems.

Legislation

First, we need to establish clear-cut legislation that determines what constitutes appropriate AI usage in cybersecurity. Governments should work alongside international organizations, AI experts, and industry stakeholders to create and adopt AI ethical guidelines. The legislation should articulate the rights, responsibilities, and liabilities of AI users and manufacturers. For instance, in case of a security breach due to faulty AI, who should be held accountable? The user, the manufacturer, or both?

Certification and Standards

Regulatory efforts should include establishing certification processes and standards for AI systems. These standards should guide the design, development, deployment, and maintenance of AI in cybersecurity. They should cover aspects such as data privacy, transparency, accountability, and robustness of the AI system. Organizations such as ISO and IEC can play a vital role in developing these standards.

  • ISO 27001, the international standard for Information Security Management Systems, can be updated to incorporate AI-related cybersecurity risks.
  • IEC 62443, the series of standards for Industrial Communication Networks, can incorporate guidelines for AI usage in industrial cybersecurity.

Privacy Laws

One key aspect of AI regulation is data privacy. Data fuels AI and an enormous amount of data is often needed to train effective AI models. Consequently, data privacy laws should be revised and strengthened to ensure they fit the AI era. These laws should dictate what data can be used, how it can be used, and for how long.

AI Transparency and Explainability

A significant issue with AI is the ‘black box’ problem – the lack of transparency about how AI makes its decisions. Regulation should necessitate AI systems to have some degree of explainability. This transparency can help cybersecurity professionals better understand and trust the AI’s decisions, particularly in detecting potential threats.

Public-Private Partnership

The public and private sectors should collaborate to combat cybersecurity threats effectively. Governments should incentivize private companies to invest in AI-driven cybersecurity measures. Similarly, private firms should aid governments by sharing their technical expertise and insights on the latest threats.

Education and Awareness

To create an AI-literate society, education and awareness about AI and its implications for cybersecurity are crucial. Governments should integrate AI and cybersecurity topics into educational curriculums. Businesses should also run regular training and awareness programs for their staff.

Mandatory Disclosure of AI Breaches

Governments could require that businesses disclose any data breaches within a specific timeframe. This transparency would keep organizations accountable and help identify and address potential flaws in AI security measures.

Independent Auditing

Regular third-party audits of AI systems could be a prerequisite for their use in cybersecurity. These audits would provide an external perspective on the organization’s AI usage, ensuring that it aligns with regulatory and ethical standards.

Global Cooperation

Given the borderless nature of the internet and cyber threats, international cooperation is essential for AI regulation. We can establish global forums to share best practices, discuss emerging threats, and propose collective responses. Cybersecurity threats are global, and so should be the response.

Regulating AI Supply Chain

Given that AI systems are often composed of various components sourced from different vendors, there should be regulations to ensure the security of the entire AI supply chain. Standards for the components, vendors’ security practices, and transparency about the origin of the components could be part of these regulations.

User Consent and Control

Regulations could give users more control over how AI uses their data, requiring explicit consent for data collection and usage. This user-centric approach can help create a balance between leveraging AI for cybersecurity and respecting individual privacy rights.

Responsible AI Development

Regulations should promote the development of AI systems with a built-in “safety-first” approach. This includes mechanisms to prevent unauthorized access, detect anomalous behavior, and limit the AI’s actions if it deviates from expected behavior.

AI Regulation Around the World

We’ve seen a recent surge in discussions around AI regulation worldwide. For example, Japanese Prime Minister Fumio Kishida headed into the recent G7 meeting signaling his desire to launch the Hiroshima AI Process – a coordinated approach to AI governance, especially generative AI, like ChatGPT.

The EU, the US, China, and other countries have already been developing their approaches to AI regulation, which often take different forms.

For example, one key decision policymakers have to make is choosing between a “horizontal” or a “vertical” method. A horizontal strategy entails crafting a single, all-encompassing regulation to address the multitude of impacts posed by AI. Conversely, a vertical strategy tailors specific regulations to manage distinct applications or varieties of AI.

We already see some differences here. For example, while neither the European Union nor China has chosen a strictly horizontal or vertical path for their AI governance, they do show preferences. The EU’s AI Act leans horizontally, aiming to create a broad and comprehensive regulatory framework. In contrast, China’s algorithm regulations tend to take a vertical stance, focusing on custom rules for specific AI applications.

EU AI Regulation

The AI Act, a landmark legislation in Europe, sets out to regulate artificial intelligence (AI) based on its potential harm. It received the green light from leading parliamentary committees of the European Parliament on May 11, 2023, preparing it for final approval in mid-June.

The Act prohibits specific AI applications like manipulative techniques and social scoring. And following the insistence of left-to-center MEPs, the ban was extended to include AI models for biometric categorization, predictive policing, and the harvesting of facial images for database creation. Additionally, emotion recognition software is now outlawed in law enforcement, border management, workplaces, and education.

Biometric identification systems, initially permitted under specific circumstances such as kidnapping or terrorist attacks, became a contentious point. Despite resistance from the conservative European People’s Party, Parliament ultimately passed a complete ban.

The original AI Act did not address AI systems without specific purposes. However, the rapid success of large language models, like ChatGPT, necessitated a rethink on how to regulate this kind of AI, resulting in a tiered approach. The Act does not cover General Purpose AI (GPAI) systems by default. Instead, it imposes most obligations on operators that incorporate these systems into high-risk applications.

The Act introduces stricter rules for high-risk AI applications. An AI system is considered high-risk if it significantly threatens people’s health, safety, or fundamental rights.

Critically, the EU AI regulation could see significant players in the AI game, like OpenAI, leaving the EU altogether. OpenAI’s CEO said, “The current draft of the EU AI Act would be over-regulating.”

US AI Regulation

While not as far along in the AI regulation journey as the EU, the US is taking deliberate steps toward regulation. The White House released a Blueprint for an AI Bill of Rights on October 4, 2022, establishing key principles for the design and use of AI. These guidelines include protections such as shielding individuals from algorithmic discrimination and enabling people to opt out of automated systems. The Blueprint builds on the Biden-Harris Administration’s mission to regulate big tech, protect American civil rights, and make technology work in favor of its people.

The Blueprint lays out five core protections for Americans:

  • Safe and Effective Systems: Protection from unsafe or ineffective AI systems.
  • Algorithmic Discrimination Protections: No individual should face discrimination from algorithms. Systems should be designed and utilized equitably.
  • Data Privacy: Protection from abusive data practices with built-in safeguards. Individuals should have control over how their data is used.
  • Notice and Explanation: Individuals should be made aware when an automated system is in use and understand how and why it impacts them.
  • Alternative Options: Individuals should be able to opt out of automated systems when appropriate and have access to a person who can address and rectify any issues encountered.

In response to the bill, several federal agencies are drafting new rules. For example, the Federal Trade Commission (FTC) is preparing rules to restrict commercial surveillance, algorithmic discrimination, and negligent data security practices. And the Department of Labor is also protecting workers’ rights by enforcing surveillance reporting requirements.

More recently (May 4, 2023), Biden summoned CEOs of Google and Microsoft to the White House to discuss AI. It’s not yet clear what resulted from this meeting, but presumably, the White House wants to know what these companies are doing to manage the dangers surrounding AI.

China AI Regulation

China’s AI regulations, while seemingly more expansive on paper than those of other nations, are pretty vague. This is actually by design. China’s central government tends to publish vague outlines so that local governments have a high-level view of what the central government wants but still have room to experiment. At the same time, it allows government regulators to flexibly control technology companies as needed.

But what do the regulations say? For AI-based recommendation algorithms, the regulation addressed their use in disseminating information, pricing, and worker deployment. It mandated that providers “vigorously disseminate positive energy” and avoid price discrimination or overworking delivery drivers. The second regulation, addressing deep synthesis algorithms (which generate new content like deepfakes), requires the providers to get consent from individuals if their images or voices are manipulated.

UK AI Regulation

Following its exit from the EU, the UK is now responsible for managing its own AI regulations and is somewhat behind the other nations on this list. No specific AI regulations are in place yet, but there are moves toward regulation.

For example, the Financial Conduct Authority (FCA) is currently consulting with several legal and academic institutions, including the Alan Turing Institute, to enhance its understanding of AI technology and its implications. And to investigate the impacts of AI, the UK’s competition regulator announced in May that it would initiate a comprehensive examination of the technology’s effects on consumers, businesses, and the overall economy.

Interestingly, the UK has decided not to establish a new, centralized body governing AI. Instead, in a statement made in March, the UK government expressed its plans to divide the responsibility among its existing regulators. The regulators for human rights, health and safety, and competition will each have a role in overseeing AI within their respective spheres. This approach is presumably to leverage the specialized knowledge and experience these regulators already have in their fields while adding the new responsibility of managing AI’s impact.

Final Thoughts

Here’s the bottom line. While fostering innovation in AI is essential, regulation is vital to ensuring robust cybersecurity safeguards. As AI technology continues to evolve, so does the threat landscape, with an escalating number of AI-based cyberattacks causing notable concern. This trend suggests that our systems will become increasingly susceptible to advanced AI-driven threats. The future of a secure digital world will largely depend on our ability to govern AI effectively and responsibly today. Let’s rise to the challenge and ensure we build a safe and secure cyber ecosystem for all.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

Cloud Security Myths – Debunked!

Cloud computing has become an integral part of the modern technological landscape, offering numerous benefits such as scalability, cost-efficiency, and flexibility. However, there are several misconceptions and myths surrounding the security of cloud services that often lead to apprehension and doubts. Today, we’re here to debunk some common cloud security myths to provide a clearer understanding of the actual security measures implemented by reputable cloud providers. By dispelling these myths, we aim to help organizations make informed decisions and confidently embrace the potential of cloud computing while ensuring the protection of their data and applications.

Myth 1: Cloud is inherently insecure

One of the most common misconceptions about cloud computing is that it is inherently insecure. In reality, cloud providers invest significant resources into ensuring the security of their infrastructure. They employ advanced security measures, such as encryption, access controls, and regular security audits, to protect data stored in the cloud. However, the security of cloud services also relies on how well they are configured and used by their customers. 

Myth 2: Cloud providers have access to all your data

Some people worry that by storing data in the cloud, they are surrendering complete control to the cloud provider. In reality, reputable cloud providers have strict data protection policies in place. They implement strong encryption techniques to ensure that only authorized users can access the data. The provider typically operates under a shared responsibility model, where they are responsible for securing the infrastructure, while customers are responsible for securing their own data and applications within the cloud.

Myth 3: Cloud services are more prone to data breaches

While it is true that high-profile data breaches have occurred in the past, these incidents are not exclusive to the cloud. Both cloud and on-premises environments can fall victim to security breaches. In fact, cloud providers often have more resources dedicated to security than individual organizations. Cloud services can provide robust security measures, including firewalls, intrusion detection systems, and advanced threat intelligence, which can enhance overall security when properly configured and managed.

Myth 4: Cloud services are not compliant with regulations

Another misconception is that using cloud services may violate industry-specific regulations and compliance requirements. In reality, many cloud providers comply with various regulatory frameworks, such as HIPAA, GDPR, and PCI DSS. These providers implement security controls and offer features that help customers meet their compliance obligations. However, it’s crucial for organizations to assess the compliance capabilities of a cloud provider and ensure they align with their specific requirements before migrating sensitive data to the cloud.

Myth 5: Cloud backups are not reliable

Cloud backups are often more reliable than traditional on-premises backups. Reputable cloud providers employ redundant storage systems, distributed data centers, and automated backup processes to ensure data durability and availability. They also perform regular integrity checks to verify the integrity of the backed-up data. However, organizations should still follow best practices, such as maintaining local backups and testing restoration processes periodically, to mitigate any potential risks.


Myth 6: Cloud computing eliminates the need for IT security measures

Transitioning to the cloud does not absolve organizations from implementing proper security measures. While cloud providers handle the security of the underlying infrastructure, customers are still responsible for securing their applications, configurations, access controls, and data within the cloud environment. Implementing strong authentication mechanisms, applying security patches, and employing encryption are some of the essential practices that organizations should follow to enhance cloud security.

While concerns regarding cloud security are understandable, many common myths surrounding cloud security are based on misconceptions. By understanding the shared responsibility model, evaluating cloud providers’ security capabilities, and implementing appropriate security measures, organizations can leverage the benefits of cloud computing while maintaining a strong security posture.

Blockchain and IoT: Forging a Secure Digital Future

Imagine this. A hospital has two IoT devices – a patient monitoring system and an infusion pump. The patient monitoring system tracks vital signs, while the infusion pump system delivers medication based on those readings. Naturally, these IoT devices need to share data to perform their functions correctly. However, the stakes are high: any unauthorized access or manipulation of this communication could lead to dire consequences, including loss of life. This is just one example of how IoT devices rely on data sharing and communication in the real world, and many others exist. For example, smart home devices such as security cameras, door locks, and thermostats must communicate to provide seamless automation and convenience to homeowners. Likewise, IoT devices such as GPS trackers and traffic sensors enable real-time monitoring of traffic conditions and route optimization in transportation. But as these IoT interactions become more common, how will we authenticate, authorize and establish trust between internet-connected machines? Blockchain could — and should — be the answer.

What is Blockchain and How Does it Work?

Blockchain is a decentralized digital ledger that enables secure and transparent recording of transactions between parties. And to protect the integrity of the ledger, blockchain utilizes cryptographic algorithms. Here’s how it works. Each transaction is recorded as a block, with a unique digital signature, timestamp, and a reference to the previous block. This chain of blocks is called the blockchain, and once a block is added, it can’t be altered or deleted (it’s immutable). This ensures the integrity and authenticity of the ledger. But who maintains this ledger? Well, a distributed network of nodes maintains the blockchain network, ensuring that transactions are verified and validated before being added to the chain. No single entity has complete control over the network or data (it’s decentralized).
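The block structure described above (a signature, a timestamp and a reference to the previous block), as an added example that is not from the original article. It assumes a single in-memory ledger with no distributed consensus, uses HMAC-SHA256 with constructed per-device keys as a stand-in for the digital signature, and the device names and readings are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo keys (assumption). HMAC-SHA256 stands in for the "digital
# signature" in the text; a real ledger would use per-device asymmetric keys.
DEVICE_KEYS = {
    "patient-monitor-01": b"constructed-demo-key-monitor",
    "infusion-pump-01": b"constructed-demo-key-pump",
}
GENESIS_PREV = "0" * 64  # "previous hash" used by the first block
BODY_FIELDS = ("prev_hash", "device_id", "timestamp", "payload")


def _canonical(obj):
    """Serialize deterministically so the same block always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_block(prev_hash, device_id, timestamp, payload):
    """Build a block: signed body, then a hash covering body + signature."""
    body = {"prev_hash": prev_hash, "device_id": device_id,
            "timestamp": timestamp, "payload": payload}
    tag = hmac.new(DEVICE_KEYS[device_id], _canonical(body),
                   hashlib.sha256).hexdigest()
    block = dict(body, signature=tag)
    block["hash"] = hashlib.sha256(_canonical(block)).hexdigest()
    return block


def append_block(chain, device_id, timestamp, payload):
    """Append a block that references the hash of the current chain tip."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    chain.append(make_block(prev_hash, device_id, timestamp, payload))
    return chain


def verify_chain(chain):
    """Return None if the chain is intact, else (index, reason) of the
    first block that fails a check."""
    expected_prev = GENESIS_PREV
    for i, block in enumerate(chain):
        body = {k: block.get(k) for k in BODY_FIELDS}
        key = DEVICE_KEYS.get(body["device_id"])
        if key is None:
            return (i, "unknown device")
        # The reference to the previous block must match what we computed.
        if body["prev_hash"] != expected_prev:
            return (i, "broken link")
        # The body must carry a valid tag from the claimed device.
        tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        sig = str(block.get("signature", ""))
        if not hmac.compare_digest(tag.encode(), sig.encode()):
            return (i, "bad signature")
        # The stored hash must match the recomputed one.
        digest = hashlib.sha256(
            _canonical(dict(body, signature=sig))).hexdigest()
        if digest != block.get("hash"):
            return (i, "hash mismatch")
        expected_prev = digest
    return None


def build_sample_chain():
    """Constructed readings exchanged by the two hospital devices."""
    chain = []
    append_block(chain, "patient-monitor-01", 1700000000, {"heart_rate_bpm": 72})
    append_block(chain, "infusion-pump-01", 1700000005, {"dose_ml_per_h": 5})
    append_block(chain, "patient-monitor-01", 1700000010, {"heart_rate_bpm": 75})
    return chain


if __name__ == "__main__":
    ledger = build_sample_chain()
    print("intact:", verify_chain(ledger))
    # Edit a stored dose without the device key: the signature check fails.
    edited = [dict(b) for b in ledger]
    edited[1] = dict(edited[1], payload={"dose_ml_per_h": 50})
    print("edited in place:", verify_chain(edited))
    # A key holder rewrites block 1 correctly: block 2's link then breaks.
    rewritten = [dict(b) for b in ledger]
    rewritten[1] = make_block(ledger[1]["prev_hash"], "infusion-pump-01",
                              1700000005, {"dose_ml_per_h": 50})
    print("re-signed rewrite:", verify_chain(rewritten))
```

The re-signed case is the one that matters for "immutability": even a party holding a valid device key cannot alter an old block without invalidating every block after it.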

Why Are IoT Devices So Insecure?

Many manufacturers prioritize getting their products to market quickly, leaving security an afterthought. Additionally, many IoT devices have limited computing power and may not have the resources to implement robust security features. Lastly, there is currently no universally agreed-upon set of security standards for IoT devices, leaving them vulnerable to attacks.

Blockchain IoT Use Cases

The applications of blockchain in IoT are far-reaching and disruptive. Here are some specific blockchain IoT use cases:
  1. Secure communication: Blockchains can establish secure communication channels between IoT devices, preventing unauthorized access to data and ensuring that messages are not tampered with. For example, a smart home security system could use blockchain to securely transmit data between sensors and a central hub, preventing hackers from intercepting or altering the data.
  2. Immutable record-keeping: Blockchain can provide an immutable record of all transactions and communications between IoT devices. Any attempted changes or unauthorized access to the data can be immediately identified and traced back to the source. This is especially critical in industries where data integrity is paramount, like healthcare and finance.
  3. Supply chain management: With blockchain, we can track the movement of goods throughout the supply chain, ensuring no counterfeiting or tampering occurs. For example, a food company could use blockchain to track the movement of its products from the farm to the store, ensuring that they are fresh and safe to eat.
  4. Smart contracts: Organizations can use blockchain to create smart contracts that execute automatically when certain conditions are met. For example, a smart parking system could use blockchain to automatically charge drivers when they park their cars in designated spaces, based on how long they stay parked.
  5. Decentralized data storage: Organizations can use blockchain to store data in a decentralized manner, ensuring that the data remains safe from loss or tampering. For example, a healthcare provider could use blockchain to store patient records, ensuring they are secure and accessible to authorized parties.
  6. Energy management: Blockchain can be used to manage energy distribution more efficiently and transparently. For example, a smart grid system could use blockchain to track the production and consumption of energy and automatically adjust the distribution of energy based on demand.
  7. Identity management: Blockchain can be used to manage digital identities in a secure and decentralized way. For example, an office could use blockchain to manage employee and device identities and provide secure access to services and resources.

How Could Blockchain Solve IoT Security and Scalability Challenges

IoT presents a unique challenge when it comes to security and scalability. With data transactions taking place across multiple devices owned and administered by different organizations, pinpointing the source of any data leaks in case of a cyber attack can be difficult. Additionally, the sheer volume of data generated by the IoT, coupled with multiple stakeholders involved, often leads to accountability disputes. However, blockchain technology offers a promising solution to these challenges. Here’s how:
  • Distributed ledger technology removes the need for trust among involved parties and reduces the risk of unauthorized access or data breaches.
  • Blockchain’s robust encryption provides an additional layer of security that makes it virtually impossible to overwrite existing data records.
  • Blockchain’s transparency allows authorized users to track past transactions and identify the source of any data leakages. It removes any debate about where a breach originated and who is accountable.
  • Blockchain technology enables fast processing of transactions and coordination among billions of connected devices. This will become increasingly important as IoT devices continue to surge in popularity.
  • Blockchain can reduce costs by eliminating the processing overheads related to IoT gateways, such as traditional protocol, hardware, or communication overhead costs.

Final Thoughts

Blockchain technology offers a promising solution to IoT’s security and scalability challenges. With its ability to establish trust, provide robust encryption, offer transparency, enable fast processing of transactions, and automate contractual arrangements, blockchain can transform IoT interactions for the better. As a result, Blockchain IoT technology can help build a safer and more secure future.
