The endless CISO reporting line debate — and what it says about cybersecurity leadership

The article discusses the persistent debate around the CISO's reporting line, arguing that this issue reflects a deeper organizational struggle with defining the CISO's role and authority. It emphasizes that the reporting line is less important than the CISO's organizational standing to influence decisions across various departments and that the ongoing debate highlights a tendency to view cybersecurity as a technical rather than a leadership issue.

US nationals behind DPRK IT worker 'laptop farm' sent to prison

Two U.S. nationals have been sentenced to prison for facilitating North Korean IT workers to gain employment with over 100 U.S. companies by falsely posing as American residents. This operation allowed North Korea to circumvent sanctions and generate revenue through its IT sector. The individuals involved face significant prison sentences for their roles in this scheme.

Srsly Risky Biz: It Is Time to Ban Sale of Precise Geolocation

This article discusses the potential risks associated with the sale of precise geolocation data. The author argues for a ban on the sale of such data due to its potential misuse by malicious actors. The piece highlights the growing concern over privacy and security implications as this sensitive information becomes more widely accessible.

Maine Legislature Fails to Enact Maine Online Data Privacy Act

The Maine Legislature has failed to pass the Maine Online Data Privacy Act, LD 1822, which would have provided significant privacy protections for residents. The bill mirrored Maryland's privacy law and included provisions for data minimization and enhanced protection of sensitive data.

EPIC Supports South Carolina Bills to Rein in Chatbot Harms

EPIC (Electronic Privacy Information Center) is supporting two bills in South Carolina aimed at regulating chatbot harms. One bill, S. 896, is modeled after EPIC's People-First Chatbot Bill, indicating a focus on protecting individuals from potential negative impacts of AI chatbots.

EFF Calls on Kuwait to Release Journalist Ahmed Shihab-Eldin

The Electronic Frontier Foundation (EFF) is calling for the release of journalist Ahmed Shihab-Eldin, who was arrested in Kuwait on charges including spreading false information and harming national security. His arrest is believed to be related to his reporting on a U.S. military aircraft crash and subsequent social media posts. This incident occurs amidst a broader crackdown on reporting in Kuwait, with new decrees targeting information that could undermine the military.

Audit: Big Tech Often Ignores CA Privacy Law Opt-Out Requests

An audit found that major tech companies like Google, Meta, and Microsoft are failing to comply with California's privacy law by not honoring opt-out requests for online tracking. These companies only respected these requests about half the time, indicating a significant gap in their privacy compliance practices.

Digital Hopes, Real Power: The Rise of Network Shutdowns

Governments worldwide are increasingly weaponizing internet connectivity through shutdowns, throttling, and selective restoration, a trend that has escalated significantly since the Arab uprisings of 2011. What began as emergency measures has evolved into a normalized infrastructure of control, with a record 304 internet shutdowns imposed across 54 countries in 2024. This practice restricts access to information, work, and essential services, shaping public discourse and dissent.

UK told its Big Tech habit is now a national security risk

A new report by the Open Rights Group indicates that the UK's extensive reliance on Big Tech companies, primarily US-based, has created a significant national security risk. Years of integrating these services into the public sector have left the nation exposed.

The need for a board-level definition of cyber resilience

Research indicates that the definition of cyber resilience is inconsistently applied across regulatory frameworks and organizations, creating systemic risk for leadership. Without a standardized definition, boards struggle to oversee, measure, and evaluate their organization's resilience to cyber threats.

Microsoft Bets $10 Billion to Boost Japan's AI, Cybersecurity

Microsoft has announced a $10 billion investment in Japan over the next two years, focusing on AI adoption and cybersecurity development. This strategic move is intended to bolster Japan's digital infrastructure, train its workforce in AI technologies, and foster new cybersecurity partnerships, aligning with global trends in sovereign AI and data center development.

Google Broke Its Promise to Me. Now ICE Has My Data.

Amandla Thomas-Johnson, a former international student, says Google handed his account data to ICE without notifying him first. Doing so broke Google's decade-long promise to tell users before releasing their data to law enforcement where legally permitted. The EFF has filed complaints against Google in California and New York alleging deceptive trade practices over the incident.

Virginia Governor Signs Bill Banning Sale of Precise Location Data

Virginia Governor Abigail Spanberger has signed S.B. 338 into law, which prohibits the sale of precise geolocation data belonging to Virginians. This legislation aims to protect citizens' privacy by restricting the commercialization of their location information.

Government AI Is Coming for Your Data

The US government intends to leverage AI for analyzing American data acquired through data brokers and foreign intelligence surveillance, often without a warrant. EPIC urges Congress to close loopholes concerning these data collection methods before renewing Section 702 of the Foreign Intelligence Surveillance Act.

The Pitfalls of Cybersecurity, Privacy and AI Law in 2026

This article discusses the increasing legal complexities faced by cybersecurity professionals due to geopolitical uncertainty and evolving regulations. It highlights growing personal liability, including criminal prosecution, and reviews key legal trends in AI and privacy legislation across the US and EU.

The Dangers of California’s Legislation to Censor 3D Printing

California's A.B. 2047 bill proposes mandating censorware on all 3D printers and criminalizing the use of open-source alternatives, aiming to restrict the printing of firearms. The EFF argues this legislation will stifle innovation, harm consumers through surveillance and platform lock-in, and is an ineffective approach to security.

EFF 🤝 HOPE: Join Us This August!

The Electronic Frontier Foundation (EFF) is participating in the HOPE 26 conference from August 14-16 in Manhattan. The event provides a platform for community learning and connection around digital civil liberties, with EFF technologists, attorneys, and activists presenting on topics such as location data privacy, digital rights, and surveillance.

Empty Attestations: OT Lacks the Tools for Cryptographic Readiness

Asset owners in Operational Technology (OT) environments are facing regulatory pressure to demonstrate their readiness for post-quantum cryptography. However, the lack of adequate tooling prevents them from genuinely assessing or achieving this readiness, leading to a situation where compliance efforts are merely symbolic rather than substantive security measures.

Speaking Freely: Dr. Jean Linis-Dinco

This article introduces Dr. Jean Linis-Dinco, an activist-researcher focused on human rights and technology, particularly in relation to cybersecurity. She has a PhD in Cybersecurity and works with the Manushya Foundation, advocating for digital rights and challenging policies that restrict online freedom of expression.

War as a Pretext: Gulf States Are Tightening the Screws on Speech—Again

Gulf states are intensifying efforts to silence dissent and restrict the flow of information under the guise of wartime "misinformation." This includes narrowing the operating space for journalists, criminalizing social media activity, and leveraging existing cybercrime and media laws to suppress any form of dissent.

NHS pays £46K to prep next Microsoft licensing round

NHS England is allocating £46,000 for benchmarking services to prepare for upcoming negotiations on its substantial Microsoft licensing agreement, which is reportedly worth £774 million. This move aims to ensure the best terms for the next phase of their software deal.

Risky Bulletin: France takes first steps to ditch Windows for Linux

France is initiating a move away from Windows in favor of Linux for its public administration. This shift aims to enhance security and reduce reliance on foreign software. Meanwhile, OpenAI was affected by an Axios attack, Rockstar Games experienced another hack, and the UK is proposing jail time for tech executives who fail to prevent data breaches.

China wants AI to prepare school lessons and mark homework

China's National Data Administration has released an action plan for AI in education, emphasizing upskilling citizens to utilize AI technology. The plan aims to integrate AI into educational processes, including lesson preparation and homework grading, and also touches on AI's role in other sectors like automotive and server technology.

Oklahoma, Alabama enact weak privacy laws

Oklahoma and Alabama have passed consumer privacy laws that critics argue are insufficient in protecting personal data from abuse. These laws are similar to those enacted in other states like Virginia. Advocacy groups like EPIC and U.S. PIRG have criticized these laws for their lack of meaningful protections.

FINRA Launches Financial Intelligence Fusion Center to Combat Cybersecurity and Fraud Threats

FINRA, the Financial Industry Regulatory Authority, has launched its Financial Intelligence Fusion Center (FIFC). This new center aims to bolster efforts against cybersecurity threats and financial fraud within the securities industry. By integrating data and intelligence, FINRA seeks to enhance its ability to detect, prevent, and respond to emerging risks.

We Need You: Our Privacy Cannot Afford a Clean Extension of Section 702

This article discusses the upcoming reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA), a US government surveillance tool. The Electronic Frontier Foundation (EFF) urges Congress to enact substantial reforms, citing concerns about potential warrantless access to US citizens' communications collected incidentally through foreign surveillance.

Britain seeks views before it drops the hammer on signal jammers

The UK government is launching a four-week call for evidence to gather public opinion on radiofrequency jammers. This initiative is a precursor to enacting legislation to ban these devices, which are often linked to criminal activities.

The cyber winners and losers in Trump’s 2027 budget

Donald Trump's proposed 2027 budget indicates a decrease in federal civilian cybersecurity spending, falling by approximately $227 million from the previous year. Despite the overall reduction, some agencies like the Department of Justice and the State Department are slated for significant funding increases, while others face cuts.

CMMC compliance in the age of AI

CMMC 2.0 requires federal contractors to actively demonstrate their ability to protect sensitive government data, moving beyond self-attestation to a more risk-based approach. A key challenge for organizations is gaining a complete understanding of the scope of systems and data that fall under CMMC 2.0 controls, which often reveals a larger footprint than initially anticipated.

Do Ceasefires Slow Cyberattacks? History Suggests Not

Despite a recent ceasefire in the Middle East, cybersecurity experts are skeptical that it will significantly reduce the number of cyberattacks. History suggests that such agreements, especially those not directly involving cyber actors, rarely lead to a decrease in malicious online activity.

Comparison Shopping Is Not a (Computer) Crime

Amazon is using the Computer Fraud and Abuse Act (CFAA) to block Perplexity's AI tool, Comet, which helps users compare prices and potentially order products from various online retailers. A federal district court initially sided with Amazon, but Perplexity is appealing, arguing that such actions do not constitute hacking and should not be criminalized under the CFAA.

EFF is Leaving X

The Electronic Frontier Foundation (EFF) is leaving the social media platform X (formerly Twitter) after nearly twenty years. This decision stems from a significant decline in engagement metrics and a lack of transparency and security improvements since Elon Musk's acquisition.

Microsoft locks out VeraCrypt and WireGuard devs, blames verification process

Microsoft has locked out developers of popular open-source tools VeraCrypt and WireGuard from their Microsoft accounts without clear explanation, citing an automated verification process. This action has prevented them from signing software updates and has led to a significant backlog in their appeals.

Weak at the seams

The article discusses the fragmented nature of cybersecurity risk management, where different systems, markets, and regulators approach security in isolation. This siloed approach creates blind spots and unpriced exposures at the seams between systems, and these seams become a growing risk surface as digital transformation increases interconnectedness, even as security spending rises. The author advocates for a unified discipline to address these systemic risks.

On Microsoft’s Lousy Cloud Security

Federal cybersecurity evaluators found Microsoft's cloud offerings to have a "lack of proper detailed security documentation," leading to a "lack of confidence in assessing the system's overall security posture." Reviewers struggled to understand how sensitive information is protected across servers, preventing them from vouching for the technology's security.

Srsly Risky Biz: American Diplomats to Fight Propaganda… on X

American diplomats are being trained to combat propaganda on the social media platform X (formerly Twitter). This initiative aims to equip them with the skills to identify and counter disinformation campaigns, particularly those originating from foreign adversaries. The program focuses on practical techniques and strategies for engaging in the online information space.

Banning New Foreign Routers Mistargets Products to Fix Real Problem

The FCC has expanded its "Covered List" to ban the sale of new routers manufactured in certain foreign countries, citing security vulnerabilities exploited by nation-state actors. The ban aims to prevent routers in U.S. homes and businesses from being used in cyberattacks, but critics argue it is too sweeping and neglects other vulnerable devices such as IoT and smart home gadgets.

Is compliance complexity outpacing IT capacity?

IT and cybersecurity teams across countries, industries, and company sizes report that the growing complexity of regulatory compliance is outpacing their capacity to keep up. This burden eats into the capacity needed to manage current IT needs, and the resulting gap raises risk because security controls may not be adequately implemented or maintained. Teams also express concern about maintaining alignment as the pace of technological change and evolving compliance requirements continue to accelerate.