The UK government's Vulnerability Monitoring System has significantly accelerated the patching of DNS vulnerabilities in the public sector. This automated scanning system, implemented as part of a program launched last year, has reduced fix times by 84 percent. The article also briefly mentions Firefox enhancing XSS protection, leadership changes at CISA, and FTC exemptions for certain data collection.
Samsung has agreed to a settlement with the State of Texas following allegations of unlawfully collecting content-viewing data from smart TVs without explicit consent. This agreement requires Samsung to obtain express consent before collecting such data and to provide clear privacy notices to Texans.
The U.S. Department of Defense has designated AI company Anthropic as a "supply chain risk" due to disagreements over the lawful use of its AI model, Claude. The dispute centers on Anthropic's refusal to allow its AI for mass domestic surveillance of Americans and fully autonomous weapons.
President Trump has ordered all federal agencies to phase out the use of Anthropic technology. Other AI providers, including OpenAI, Google, and xAI, retain contracts to supply AI models to the military.
A Europol-coordinated operation, "Project Compass", targeting the online cybercrime collective known as "The Com" has resulted in 30 arrests and implicated 179 suspects. The Com specifically targets children and teenagers with cybercrime activities.
The article discusses the lack of transparency in data breach disclosures by organizations. It argues that disclosing the bare minimum, or not disclosing at all, has become a common practice.
A job posting by the UK's GCHQ for a Chief Information Security Officer, described as a highly influential role, offers a maximum salary of £130,000 (approximately $175,000). This salary is considered low compared to industry standards for similar positions, especially considering the responsibilities involved in securing a nation from cyber threats.
Anthropic is in a dispute with the Pentagon regarding AI safeguards. Anthropic seeks assurances that their Claude AI model will not be used for mass surveillance of Americans or in fully autonomous weapons systems.
The article discusses Iran's internet shutdown in January 2026, which was more severe than previous shutdowns. Unlike prior incidents, even the National Information Network (NIN), Iran's domestic intranet, was affected, impacting banking and administrative sectors.
US authorities sentenced Peter Williams to 87 months in prison for selling sensitive cyber-exploit components to a Russian company. Simultaneously, the Department of the Treasury sanctioned Sergey Sergeyevich Zelenyuk and Matrix LLC (Operation Zero) for acquiring and distributing cyber tools harmful to US national security, including exploits for US products.
Meta is filing lawsuits against advertisers in Brazil, China, and Vietnam for running celebrity-bait scams on its platforms. The company has suspended payment methods, disabled related accounts, and blocked website domains used in the scams.
The U.S. Court of Appeals for the Tenth Circuit overturned a lower court’s dismissal of a challenge to sweeping warrants that allowed police to search a protester’s devices and digital data, as well as a nonprofit’s social media data. The court found the warrants to be overbroad and lacking in particularity, violating the Fourth Amendment.
A FinTech company is suing SonicWall after suffering a breach, raising questions about the responsibility of third-party security vendors when their products fail to prevent attacks. The lawsuit highlights the complex issue of liability in cybersecurity incidents involving multiple parties.
EPIC and the Open Technology Institute (OTI) have urged the Federal Trade Commission (FTC) to consider a broader range of harms stemming from unlawful data practices. The organizations emphasize the need for the FTC to expand its understanding of privacy injuries, encompassing both quantitative and qualitative aspects, to effectively protect consumers.
Apple's iPhones and iPads have been cleared for classified use by NATO. These devices have been added to the NATO Information Assurance Product Catalogue (NIAPC), indicating they meet the security requirements for handling classified information within the alliance.
This SecurityWeek article discusses four cybersecurity risks that boards of directors should prioritize and not ignore. The emphasis is on business continuity and resilience in the face of inevitable successful attacks, rather than focusing solely on prevention.
An expert recommends preparing for post-quantum cryptography (PQC) now because adversaries can harvest encrypted data today and decrypt it later, once quantum computers are powerful enough ("harvest now, decrypt later"). The rise of ransomware and cloud computing are cited as further reasons to start the migration.
New York Attorney General Letitia James is suing Valve Corporation, alleging the company facilitates illegal gambling among minors through game loot boxes. The lawsuit claims Valve knowingly profits from the sale of these loot boxes, which resemble gambling by offering randomized in-game items.
Florida is considering legislation to create its own 'spy squad,' raising concerns among Muslim communities about potential targeting. An Israeli spyware firm is reportedly tracking the GOP legislation, according to lobbying disclosures.
The United States has sanctioned Russian exploit broker Operation Zero. The broker acquired zero-day exploits from a US defense contractor executive who was jailed for his actions.
The article discusses how CISOs can justify security investments to boards of directors. It emphasizes the importance of framing security spending in terms of revenue generation, risk mitigation, and shareholder value, rather than simply as technical upgrades. The article also advises CISOs to link technology investments to strategic priorities, such as entering new markets, improving margins, increasing resilience, and ensuring compliance.
This edition of Risky Business News discusses the potential risks and security implications of using AI models like Claude in sensitive environments, particularly in the context of war and conflict. It explores whether the model's design and biases could lead to unintended consequences or vulnerabilities.
The article discusses the CLAIR model, a conceptual framework for mapping critical infrastructure interdependencies. This framework aims to help understand and manage the complex relationships between different critical infrastructure sectors, improving resilience and security.
The PCI Security Standards Council's first annual report indicates that threats to payment systems are accelerating. The council needs to work faster to keep pace with attackers targeting these systems.
EFF's EFFector newsletter discusses the dangers of online age verification laws and the fight for privacy and free speech online. This issue covers Discord's mandatory age verification, a leaked Meta memo on face-scanning smart glasses, and a Super Bowl surveillance ad.
Google has disrupted the infrastructure of UNC2814, a suspected China-nexus cyber espionage group that breached at least 53 organizations across 42 countries. This group has a history of targeting international governments and global telecommunications organizations.
Google has disrupted a Chinese cyberespionage campaign attributed to the UNC2814 threat actor. The group, active since at least 2017, has targeted organizations in 42 countries, including telecoms and governments.
A former general manager of L3Harris's cyber division, Trenchant, has been sentenced to 87 months (just over seven years) in prison for selling cyber tools and exploits reserved for the US to Russia. The individual profited millions from these illegal sales.
Peter Williams, a former executive at a U.S. defense contractor, has been sentenced to 87 months in prison for selling cyber exploits to a Russian broker. The case highlights the serious consequences for individuals who compromise national security by providing sensitive information to foreign adversaries.
CISA added two new vulnerabilities, CVE-2022-20775 and CVE-2026-20127, to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. These vulnerabilities affect Cisco Catalyst SD-WAN and pose significant risks, especially to the federal enterprise. CISA urges all organizations to prioritize remediation of KEV Catalog vulnerabilities.
A report indicates that over half of national security organizations still use manual processes for sensitive data transfers. This reliance on manual processes is flagged as inefficient and a systemic risk to security.
The U.S. Treasury Department has sanctioned the Russian exploit broker Operation Zero (Matrix LLC) and its founder, Sergey Sergeyevich Zelenyuk, for procuring stolen hacking tools. Operation Zero purchased these tools, including zero-day exploits, from a former executive of a U.S. defense contractor, putting exploits for US products in Russian hands.
Reddit has been fined nearly $20 million by the UK's data privacy watchdog for failing to protect children's personal information. The fine highlights the increasing scrutiny on online platforms regarding child safety and data privacy.
Operation Red Card 2.0 resulted in the arrest of 651 individuals involved in cybercrime across Africa. The operation, a collaboration between African law enforcement, Interpol, and cybersecurity companies, recovered over USD 4.3 million.
The article discusses the disconnect between the cybersecurity metrics that security teams track and the risk signals that boards of directors need to effectively govern risk. It argues that boards are less interested in technical metrics like "mean time to detect" and more interested in metrics that directly map to financial consequences, regulatory exposure, and operational disruption. Experts suggest focusing on metrics like detection and containment speed, which function as proxies for business loss avoided.
The article discusses how companies need to revise their GRC (Governance, Risk & Compliance) processes to account for the increasing use and risks of generative and agentic AI. It highlights the challenges CISOs face in balancing innovation with securing AI deployments and the need to integrate AI risk management into GRC frameworks.
The Department of Defense is pressuring AI company Anthropic to lift restrictions on how their technology is used, particularly regarding autonomous weapons systems and surveillance. Anthropic is resisting, citing their principles against using their AI for surveillance against US persons and autonomous weapons systems, leading to potential repercussions such as being labeled a "supply chain risk."
EPIC and other consumer protection groups are urging the FTC to create a rule requiring companies to disclose when they use "surveillance pricing." This practice involves companies collecting and analyzing consumer data to personalize pricing, often without the consumer's knowledge or consent.
The UK Information Commissioner's Office (ICO) has fined Reddit £14.47 million (over $19.5 million) for violating data protection laws. Reddit is accused of collecting and using the personal information of children under 13 without proper safeguards, a breach of the UK's data protection regulations.
The UK's data protection regulator, the Information Commissioner's Office (ICO), has fined Reddit £14.47 million for failing to adequately protect children's data. Reddit plans to appeal, saying it does not want to collect more personal data from its users.
The article discusses the use of AI in various domains, particularly its potential impact on democracy. It highlights concerns about AI-generated content flooding academic journals and influencing public opinion, suggesting an ongoing arms race where AI is the weapon of choice.
CISA added CVE-2026-25108, a Soliton Systems K.K. FileZen OS Command Injection Vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability is actively exploited and poses a significant risk, especially to the federal enterprise. CISA urges all organizations to prioritize remediation of KEV Catalog vulnerabilities.
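Both KEV entries above (the Cisco Catalyst SD-WAN CVEs and the FileZen OS command injection) close with the same advice: remediate KEV-listed vulnerabilities first. The script below is an added example, not code from the page or from CISA, showing the check a practitioner actually wants: join scanner findings against the KEV feed on CVE ID and order the hits by federal due date and known ransomware use. The JSON field names (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`) are those of the real catalog feed; the sample records, their dates and flags, the hostnames and the placeholder CVE-2000-9999 are all constructed for the demonstration.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names match the live feed; dates, ransomware flags and names are made up here.
KEV_SAMPLE = """
{
  "title": "KEV catalog (constructed sample, not the live feed)",
  "vulnerabilities": [
    {"cveID": "CVE-2026-25108", "vendorProject": "Soliton Systems K.K.", "product": "FileZen",
     "vulnerabilityName": "Soliton Systems K.K. FileZen OS Command Injection Vulnerability",
     "dateAdded": "2026-03-02", "dueDate": "2026-03-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-20775", "vendorProject": "Cisco", "product": "Catalyst SD-WAN",
     "vulnerabilityName": "Cisco Catalyst SD-WAN Vulnerability (sample)",
     "dateAdded": "2026-02-25", "dueDate": "2026-03-18", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20127", "vendorProject": "Cisco", "product": "Catalyst SD-WAN",
     "vulnerabilityName": "Cisco Catalyst SD-WAN Vulnerability (sample)",
     "dateAdded": "2026-02-25", "dueDate": "2026-03-18", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed scanner output as (hostname, CVE) pairs. CVE-2000-9999 is a
# placeholder that is deliberately absent from the KEV sample.
SCAN_FINDINGS = [
    ("sdwan-edge-01", "CVE-2022-20775"),
    ("sdwan-edge-01", "CVE-2026-20127"),
    ("filezen-dmz", "CVE-2026-25108"),
    ("build-runner-07", "CVE-2000-9999"),
]


def load_kev(feed_text: str) -> dict:
    """Index the KEV feed by CVE ID.

    cveID is the only stable join key: vendor/product strings in the feed
    rarely match what scanners or SBOM tools emit, so never match on them."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(findings, kev: dict, today: str) -> list:
    """Return KEV-listed findings, most urgent first.

    Order: already past the BOD 22-01 due date, then CVEs tied to known
    ransomware campaigns, then nearest due date, then hostname. Findings not in
    KEV are dropped from this queue (they still get normal risk-based handling)."""
    today_d = date.fromisoformat(today)
    rows = []
    for host, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": host,
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due,
            "overdue": due < today_d,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        })
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["due"], r["host"]))
    return rows


if __name__ == "__main__":
    for r in triage(SCAN_FINDINGS, load_kev(KEV_SAMPLE), "2026-03-20"):
        flags = ("OVERDUE " if r["overdue"] else "") + ("RANSOMWARE" if r["ransomware"] else "")
        print(f'{r["host"]:16} {r["cve"]:16} {r["product"]:30} due {r["due"]} {flags}')
```

Swap `KEV_SAMPLE` for the downloaded feed and `SCAN_FINDINGS` for your scanner export and the same logic runs unchanged; the due date is the federal deadline, so non-federal teams should treat it as a floor on urgency rather than a policy of their own.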
The NIST Cybersecurity Framework (CSF) 2.0 is celebrating its second anniversary. Published in February 2024, CSF 2.0 added a Govern Function, strengthened its treatment of supply chain risk management, and introduced new categories and subcategories addressing current threat and technology shifts.
The article discusses the flawed approach of prioritizing identity management tasks based on volume or control checks, arguing that modern enterprises require a risk-based approach considering control posture, hygiene, business context, and intent. It suggests that traditional IT ticketing methods are inadequate for managing identity risks in increasingly complex environments.
Spanish authorities have arrested additional members of the Anonymous Fénix group. The group's administrator and moderator were previously arrested last year, followed by the arrest of two more members this month.
A trial has begun in Leipzig regarding the illegal streaming service 'movie2k.to' and billions of euros in Bitcoin profits. The main defendant is accused of commercial money laundering for illegally distributing copyrighted material and generating revenue through advertising, which was then used to acquire Bitcoins. The court will also decide on the fate of approximately 2.64 billion euros derived from the defendant's Bitcoin assets.
Several European nations, including Britain, are collaborating to develop low-cost air defense systems, including autonomous drones and missiles, with a target delivery date as early as 2027. The initiative focuses on affordable surface-to-air weaponry for defense purposes.
The article discusses the reporting structure of CISOs, highlighting that a majority still report to IT, specifically the CIO or CTO. Experts argue that this structure can create a conflict of interest, as the CIO is incentivized to cut costs, while the CISO is responsible for identifying risks that require spending, and suggests that CISOs should ideally report to the CEO or general counsel.
The article discusses Russia's escalating hybrid warfare tactics against NATO, characterized by a blend of cyberattacks, sabotage, and influence operations. It emphasizes the need for organizations to understand and prepare for this "New Generation Warfare."
The article emphasizes the importance of transparency and provability in AI decision-making processes. It argues that AI systems should maintain a clear record of their actions and reasoning to enhance accountability and trust.