Mayorkas: We must guard against hackers targeting our infrastructure

US Homeland Security chief’s call for companies to bake stronger cybersecurity into products leads our infosec wrap.

US regulators must hold companies accountable for their poor cybersecurity practices, Homeland Security Secretary Alejandro Mayorkas told news outlet Axios.

US critical infrastructure has proven vulnerable not only to highly skilled nation-state hackers who lurk in American infrastructure such as healthcare facilities, schools and the major utility companies, but also to low-level hackers who just guess a utility operator’s password.

“Given adverse nation-states’ activities [and] given the state of the cybersecurity of our critical infrastructure, has the voluntary framework really advanced cybersecurity to the extent needed?” Mayorkas said. “There’s concern there.”

The Cybersecurity and Infrastructure Security Agency (CISA) has started pushing a concept called Secure by Design, in which tech manufacturers will be required to bake stronger cybersecurity practices into products as they’re being developed.

And President Biden just signed an executive order giving the Coast Guard new powers to regulate maritime cybersecurity.

Despite initial pushback, US tech companies are “progressing” and coming around to CISA’s secure-by-design principles, Mayorkas said.

“There’s an increasing receptivity to the notion,” he said. “It’s a very significant business model change, so it’s not going to happen with the click of a finger.”

Mayorkas shared his regulatory approach with heads of state, government officials and company executives during keynote remarks at the Munich Security Conference last week. He argued that the best path forward was new regulations that shift the burden of security away from consumers and onto tech manufacturers – while still fostering innovation and public-private partnerships.

Mayorkas told Axios he had heard from executives at multinational companies who believed the European regulators have more “distance” between themselves and the industries they’re regulating.

“That’s why I spoke as I did in Europe to try to really diminish that degree of adversity, which chills the cooperation that’s critical to cybersecurity,” he said.

AI could increase cyber attacks

A January report from Britain’s National Cyber Security Centre said that artificial intelligence (AI) would lower the barriers to entry for cyber hackers and enable more malicious cyberactivity, including ransomware attacks.

But Google CEO Sundar Pichai thinks that AI tools could help governments and companies speed up the detection of and response to threats from hostile actors.

“We are right to be worried about the impact on cybersecurity. But AI, I think actually, counterintuitively, strengthens our defense on cybersecurity,” Pichai told delegates at the Munich Security Conference last week.

Pichai also said AI will reduce the amount of time required for defenders to detect attacks and react against them.

Cloud security controls need to be stronger

Organizations with weak cloud security controls and gaps in cross-domain visibility are getting outmaneuvered by threat actors and struck by intrusions, CrowdStrike said Wednesday in its annual Global Threat Report.

The report found that cloud environment intrusions jumped 75% from 2022 to 2023, as threat actors abused unique cloud features to initiate attacks.

“This is not surprising,” said Adam Meyers, head of counter-adversary operations at CrowdStrike. “We’ve seen more and more organizations deploying more and more cloud resources without necessarily having a cohesive or equivalent security posture for their cloud deployments as they do in their traditional enterprise deployments.”

Cyberattacks conducted by cloud-savvy threat actors, or groups that are aware they gained access to a victim-owned cloud environment and use that access to abuse the cloud service, increased 110% last year, according to CrowdStrike.

“These adversaries continue to develop new and innovative ways to operate within the cloud,” Meyers said.

“We also see them using clouds for persistence where they can maintain their persistence into a target if they are detected and a system gets remediated,” Meyers said. “Oftentimes, they’re able to create another account inside the cloud to come back through.”

Microsoft’s red team tool

Microsoft just released a tool that it has been using internally to help red teams identify risks in generative AI systems.

The tool is designed to empower security professionals and machine learning engineers to proactively find risks in their generative AI systems.

The company said it is “deeply committed to developing tools and resources that enable every organization across the globe to innovate responsibly with the latest artificial intelligence advances”.