Artificial Intelligence & Machine Learning, Governance & Risk Management, Government
ISMG Editors: US Election Impact on Cybersecurity, HIPAA
Also: Potential Government Policy Changes; AI-Driven Zero-Day Discoveries
Anna Delaney (annamadeline) • November 8, 2024
In the latest weekly update, ISMG editors discussed how the recent election results may reshape U.S. cybersecurity policy and healthcare privacy under HIPAA, and the groundbreaking role of artificial intelligence in Google's recent discovery of a critical zero-day vulnerability.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; and Mathew Schwartz, executive editor of DataBreachToday and Europe - discussed:
- Cybersecurity challenges the new Trump administration might face and how it must navigate an increasingly complex world amid heightened geopolitical tensions;
- What Trump’s return to the White House might mean for the healthcare sector, particularly in terms of his administration's regulatory enforcement priorities, as well as potential changes to HIPAA regulations and enforcement;
- How Google's AI agent, Big Sleep, uncovered a critical zero-day vulnerability in SQLite and implications for the evolving role of human researchers in cybersecurity.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Oct. 25 edition on 2024 election security, tackling global threats and the Nov. 1 edition on law enforcement’s ransomware crackdown.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll explore how the recent election results may reshape U.S. cybersecurity policy and healthcare privacy under HIPAA, as well as discuss the groundbreaking role of AI in Google's recent discovery of a critical zero-day vulnerability. The excellent editors joining me are Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity; Mathew Schwartz, executive editor of DataBreachToday and Europe; and Tony Morbin, executive news editor for the EU. Mathew, why don't you start us off? Election results are in, and a new president is set to be sworn in come January 2025. You've written a very timely piece that dives into the cybersecurity challenges awaiting a Trump administration. If you think back to his last term, they talked a lot about bolstering U.S. cybersecurity defenses, but then cut the cybersecurity coordinator role. Fast forward to now, the landscape has changed and global tensions are running even higher than they were in 2020. What kind of obstacles could this new administration be walking into, and how do you think they're going to navigate a world that's a whole lot different than before?
Mathew Schwartz: Simple questions, Anna, thank you very much. If I had to get out the crystal ball and prognosticate, obviously, that's impossible, and it is a very fraught exercise. I have been attempting, however, to speak with a number of experts since we got the election results overnight Tuesday to ask what they foresee a second Trump administration doing on a number of cyber policy fronts, including what the attitude might be to combating cybercrime. Everyone agrees that they will be combating cybercrime, but there are open questions about the extent to which international collaborations might continue to involve the U.S. in a leadership role. Obviously, those international collaborations will carry forward. The White House has had a well-attended countering ransomware initiative, which it is leading and which involves 68 members, most of them countries, but also Interpol and some other organizations and agencies like that. Will the U.S. continue to take a leadership role in that organization? Or could that be cut due to funding? Those sorts of questions. Could it get cut, and then we see another Colonial Pipeline or a CrowdStrike outage, for example - not a cybercrime problem, but a big cybersecurity problem? Obviously, that could happen, and whatever the intentions of the administration are, the political realities might get very quickly rewritten. It's been interesting to look back at what the Trump administration did on the cyber front. The experts I've spoken to said there was good and there was bad, as with any administration. One of the good things was, for the first time in 15 years, the administration updated the national cyber strategy, and a lot of people said that was a good benchmark. We have a focus on cyber, and we know that we need to deal with this - a rally-the-troops kind of moment. At the same time, we also saw the administration weaken cybersecurity on a number of fronts.
Trump axed the top Cybersecurity Coordinator role in the White House, weakened cyber diplomacy by getting rid of cyber diplomats in the State Department, and then had a very public spat, of course, with Chris Krebs, the first head of the Cybersecurity and Infrastructure Security Agency, CISA. A mixed record is what I'm hearing when I speak with people about this. What's going to happen? Well, one thing we know is China, Russia, Iran and North Korea continue to pose a huge threat - in some respects to U.S. intellectual property, especially China; disrupting U.S. businesses through the use or the allowance of cybercrime groups, especially Russia, and possibly even more so given the ties that we're seeing now between Russia and North Korea around Ukraine, and the additional money that might be flowing into Russia or vice versa. What will that have in terms of an impact on cybercrime and cyber espionage and operations? We don't know. Disinformation: Russia certainly has not stopped attempts to interfere in U.S. elections. The FBI, a few days ago, was saying there were a lot of bomb threats, and it's traced back to Russia attempting to interfere with the U.S. democratic processes. What will we see in terms of regulations? The Securities and Exchange Commission, for example, requiring publicly traded firms to detail their cybersecurity strategies and disclose material cybersecurity events. Could the Trump administration go after end-to-end encryption again? Bill Barr, the then attorney general, really did not like end-to-end encryption, and although he wasn't able to torpedo it, this could be something that the Trump administration really sets its sights on: weakening encryption, forcing messaging services to give law enforcement backdoors - which, as we're seeing with a now-unfolding attack attributed to China, where it infiltrated law enforcement wiretap backdoors at major telecommunications organizations, is a risky proposition.
I don't have any hard and fast answers, Anna. There's a huge number of cyber policy questions. Certainly, ransomware has worsened. Cybercrime has gotten worse. Things have become a lot more nuanced since Russia launched its all-out invasion against Ukraine. We've also seen Russia attempt to hew to - to not violate - some red lines, and apparently with ransomware groups as well, to say, "Look, we're going to allow you to do this, but don't disrupt the entire eastern seaboard of the United States, or there's going to be hell to pay, you domestic Russian cybercriminals. Otherwise, go for it!" Again with China as well, trying to keep their activities within certain boundaries, it seems. So one thing, just as a closing thought, that experts have been telling me is this is all very precarious, and how the Trump administration handles this remains to be seen. A bull in a china shop wouldn't be good, although that's not what we saw with the last Trump administration.
Delaney: Many unknowns, that was very clear, and great analysis, and many more questions than we have answers for. But let's go back to CISA, because I know it received a bit of criticism from some Republicans. Now, I think CISA is central to the U.S. cybersecurity landscape. Do you think - or have some of the people you've spoken to on this topic suggested - that we could expect a redefined, or even a reduced, role for CISA under Trump's leadership?
Schwartz: Great question. This has come up, of course, and what I'm hearing is CISA is congressionally mandated, so we're going to see a Republican-controlled Congress, both the Senate and the House, and CISA also gets its funding from Congress and is answerable in hearings, in terms of where it puts that funding. Could Republicans in Congress decide that they don't like CISA and cut its funding or otherwise rewrite its authorities? That's a possibility. I don't know what the likelihood of any of that is. Certainly, if Trump wanted to do that, he would need to get Congress to do that. It has been a lightning rod - CISA - for some Republican dissatisfaction. On the flip side, cybersecurity is a huge problem. It's having a real impact on American lives. So hopefully there's going to be some continuing push to deal with that. Congress has always been regulation averse, and CISA has not been applying regulations. In fact, one of CISA's core missions is to make sure the federal government does things in the right way. I would suspect that would still sound pretty good to a lot of people, to hold federal agencies to account, but we'll see.
Delaney: You've written a follow-up article today diving deeper into cybercrime and how that might be handled under a Trump administration. Just delve a little bit into that, if you would.
Schwartz: What people have been saying is cyber is not the be-all and end-all. The administration has got many more priorities. There are collaborative international efforts, like I was saying before, to combat cybercrime. Those are going to carry forward, no matter what. I think there's no way we're not going to see the FBI involved in some of these major operations. They have got close ties, years-long investigations, sometimes with Britain, also the Netherlands - to a lesser extent, Germany, France, Australia, and Canada. A lot of law enforcement and intelligence agencies in these countries are working together, often coordinated by Europol. We're going to keep seeing that. It's just a question of if the White House will continue to take a leadership role, especially for some things that might be perceived as Biden-era initiatives. We don't know. But as we cover cyber, hopefully they'll give it a lot of their attention.
Delaney: We remain hopeful. Thank you, Mat. So, Marianne, we're not walking away from the election results just yet, but shifting our focus to healthcare. Let's look at what the Trump administration might mean for HIPAA and health privacy. You've reported that with the Republicans back in charge, we could see significant changes, particularly around privacy protections introduced by Biden, especially those aimed at reproductive health data. What new priorities might shape healthcare privacy under this administration?
Marianne McGee: As you mentioned, one of the big shifts under the Trump second administration compared to what has gone on with the Biden administration is the handling of health data security and privacy issues centered around a very hot-button topic: reproductive health information. Earlier this year, the Department of Health and Human Services' Office for Civil Rights published a final rule that made changes to the HIPAA Privacy Rule in the wake of the U.S. Supreme Court's 2022 ruling overturning the Roe v. Wade decision of many years ago, which basically granted the national right to abortion. Now, the Biden administration says that its HIPAA Privacy Rule changes were designed to protect women who seek abortions and who perhaps cross state lines, as well as their medical care providers, in circumstances such as abortions, among other things. Those modifications prohibit the use or disclosure of HIPAA-protected health information when it is sought to investigate or impose liability on individuals, healthcare providers or others who seek, obtain, provide, or facilitate reproductive healthcare that is lawful under the circumstances in which the healthcare is provided. What does that mean? I'm going to simplify. For instance, if a woman who lives in a state such as Texas, where abortion is banned or severely limited, travels to have an abortion, or perhaps miscarriage care or other reproductive healthcare services, in a state like New Mexico, where abortion is legal, the doctors in New Mexico are prohibited from releasing that patient's reproductive health information to law enforcement in Texas. It's a little bit more complicated than that, but I'm kind of simplifying it for the example.
But once the Trump administration comes in and Trump names his own HHS secretary, and that secretary names a leader for the Office for Civil Rights, some privacy experts expect that reproductive health information related to that privacy rule change, which only went into effect this June, could end up being either revoked or at least ignored for the most part, from an enforcement standpoint, by federal regulators. And that would essentially mean that patients' reproductive health information could be more easily up for grabs by law enforcement or others, depending on the circumstances. That's some of the key privacy things that are going on, or potentially could go on. In terms of cyber issues, experts seem to think that there is pretty much a bipartisan agreement that cybersecurity in the healthcare sector does need to be bolstered. The Biden administration last December issued a concept paper that outlined ways to improve the healthcare and public health sectors' cybersecurity posture, which includes possibly mandating certain new cybersecurity best practices for hospitals and perhaps other kinds of healthcare entities through new regulations that would be tied to financial incentives and perhaps penalties. But those regulations have still not been issued by the Biden administration, and it's getting late in the game, and some experts say it's really pretty doubtful that a Trump administration would issue any new such regulatory mandates for healthcare. In the meantime, the Biden administration has been working on an update to the 20-year-old HIPAA Security Rule, with the aim also to help strengthen healthcare sector cybersecurity. Now, HHS has said that that proposed rule will be published by December or sometime by the end of the year, and that would be followed by 60 days of public comment before being finalized. But as we know, the Trump administration is taking over in January. No one knows at this point for certain whether the Biden team's proposed HIPAA Security Rule update will go anywhere. We'll have to see.
Delaney: What are your thoughts, Marianne? Do you think Trump's team is likely to continue with these changes? And in your view, what updates are most urgently needed in healthcare?
McGee: The people who will lead HHS will be political appointees. But the new secretary isn't a political appointee. Then that person will appoint a leader for the HHS Office for Civil Rights, but the people on the ground at HHS OCR, they're everyday career people. They're within the government; they're not political appointees. They're deep into all the issues. Many of these people have been there for years. If the Biden administration does agree that the HIPAA Security Rule does need to be updated and strengthened, those people are pretty much the same people that would be doing an update, whether it's under Trump or under Biden, and this regulatory work, like I said, it's a lot of deep, nerdy stuff; you might come out with the same sort of recommendations or outcome for any proposed updates to the HIPAA Security Rule. It depends on the details. But, if the Biden administration's team goes ahead and publishes the rule, gets some public comment, and everyone later - once Trump is in office - seems to agree these changes make sense, and maybe public comment suggests "let's change this ... let's change that," it could very well take off. But the other thing with this is that just before Trump left in 2021, his HHS OCR team issued a proposed update to the Privacy Rule. And that had public comment, the whole nine yards. But for the last four years, the Biden administration's HHS OCR just sat on it. That's been on the sidelines as well. Some of this might be like a political football: one administration doesn't want to pick up work that the other one did, just for principles of their own. An update is probably needed. We'll see what happens.
Delaney: Indeed, we'll see what happens. Thank you, Marianne. Shifting gears, Tony takes us into the world of AI. You're covering how Google's AI agent Big Sleep uncovered a critical zero-day vulnerability in SQLite. It's interesting to see AI stepping into roles typically handled by human researchers. What do you think this all means for the future of AI and cybersecurity research?
Tony Morbin: I do want to put it into the context of both attackers' use and defenders' use of AI. The general perception is that attackers have been quicker to adopt AI than defenders. But that might not necessarily be the case. It is true that attackers are early adopters of technology, and they quickly use AI to improve their lures, writing phishing emails in any language without the glaring spelling and grammar errors of the past. They're using it to create deepfakes, and it provides a new attack surface to poison or substitute AI models. Plus, the criminals are also using AI to write their malware quicker and ensure it's got fewer errors. To date, we've not been seeing them really using entirely AI-created malware. In contrast, the vendors are genuinely spending billions to incorporate AI into their defensive products, as well as simply rebranding as "AI inside." Trend Micro's Robert McArdle recently said that the different scale of investment and the emphasis on AI in cybersecurity is going to enable defenders to gain an advantage over the attackers. He said the reason for the contrast is that criminals are particularly slow to change when they don't have to. Because criminals want an easy life, their return on investment has to be better than other options on the market, and cybercrime is an evolution, not a revolution. I'm not sure I agree with the last part, but I'll carry on. Nonetheless, for defenders, the main uses of AI seen today tend to focus on trawling through data piles to prioritize alerts, building less buggy code quicker, and automating processes. However, back to the subject that we mentioned: the recent discovery of zero-days by AI highlights just how the defense capabilities of AI could be a game changer. In short, we're now looking at finding vulnerabilities in software before it's even released, which, as a researcher at Google's project Big Sleep commented, "will mean that there's no scope for attackers to compete. The vulnerabilities are going to be fixed before the attackers even have the chance to use them."
It was Google's project Big Sleep that last month reported on how an experimental AI agent called Atlantis discovered a previously undetected and exploitable memory flaw in the popular open-source database engine SQLite, which was then fixed the same day. Atlantis had earlier discovered six zero-days in SQLite 3, and autonomously patched one of them during the White House AI cyber challenge in August. But the latest find is believed to be the first public example of an AI agent finding a previously unknown, exploitable real-world vulnerability in widely used real-world software outside a test sandbox. Explaining the approach used - exactly as you were saying, Anna - researcher Hanqing Zhao said, "It's not magic, we've distilled our collective experience and common practices in manual auditing and reverse engineering into structured prompts, and that's significantly enhancing the system's capabilities." The system emulates the code auditing process based on the habits of the security experts on the team. Although the approach might appear to be essentially replicating the behavior of human researchers and essentially automating human expertise, it went beyond the ability of human researchers, who were then unable to rediscover the SQLite vulnerability using typical fuzzing techniques. All this is to the good and a great example of the benefits that AI can bring. I'm afraid I'm going to be another one dipping into the election here. With the results of the U.S. election just in, I would still like to end with a few words of caution. The Republican presidential platform calls for revoking the Biden AI executive order, which was just voluntary guidance. Among other things, the executive order called for companies to report how they're training and securing AI models and show the results of their vulnerability testing.
For some Republicans, this smacks of governmental overreach, stifling innovation. Senator Ted Cruz slammed what he called NIST's "woke AI safety standards," preferring to focus on AI's physical safety risks as his party seeks to support AI development rooted in free speech and human flourishing. The potential risks of insecure AI can affect us all, so this shouldn't be a partisan issue. Encourage AI development and innovation by all means, but do it securely. Don't throw out controls, regulations and guidance if they will help secure the human flourishing that's sought and keep it from being detrimentally affected by AI development. As Yuval Noah Harari reminded us in his book Nexus, which I've just started, just like the sorcerer's apprentice, we should not summon up powers that we can't control, so let's not ditch all controls.
Delaney: I was thinking about how this might impact the role of the human researcher and the skills they need, because will they now need skills in, sort of, AI oversight and auditing rather than the traditional hands-on code analysis? Surely we don't want them to lose those traditional skills.
Morbin: That applies to all AI. AI, and all technology, tends to be a de-skilling process. It enables the average person to produce better-than-average results, because you're using, as in this case, the processes that the top experts were using, so we're all able to do better. A typist doesn't have to use Tipp-Ex, because you can just go back and change the word on your computer. They are going to have to have the skills to use AI, but those skills are probably of a lower level than the skills that were previously required, and the top people will need to have the ability to have that reproducibility. We're going to have to be able to check and verify what AI has done, because it works on the basis of probability, rather than being a definitive result. You are going to have to deal with your AI critically, and you're going to have to have the skills to know how to do that, but it's actually going to enable a lot more people to do a lot more things at a lot higher level, a lot quicker.
Delaney: It's striking a balance between AI literacy and maintaining those core cybersecurity fundamentals. That's great. Thank you, Tony. And finally, just for fun, if you could have AI analyze one historical event to figure out what really happened, what would you pick? And let's put the 2024 election to one side for the moment. That doesn't mean that you can't touch other elections, but maybe you could touch a conspiracy theory or mystery or something close to home. What are you thinking about?
McGee: I'm going to stick not with the election, but with the presidential theme. Who shot JFK? That's been the American conspiracy theory. There are a zillion different theories: the Cubans were involved, it was the mafia. Let's see what AI has to say about this.
Delaney: That is the answer we all want to know. That's a great one. Tony?
Morbin: It seems there was a big flood in the Mediterranean region about 8,000 years ago, and the theories range from volcanoes to an act of God for which Noah was given advance warning. I'd like to see all the historic and geological data, as well as the religious and other texts, collated and analyzed, and see if they can fit a uniform narrative. But as we were saying before, given generative AI works on probability, the chances are it would come up with its own story, and there's no way we could verify it.
Schwartz: I was thinking dinosaurs. That was like the seven-year-old me: what really happened? But if I could get more macabre, Jack the Ripper - who was it really?
Delaney: Hearing all your ideas, I'm thinking, "Oh, I should think about this. I've got all these mysteries that I want to unfold." But the 12-year-old me thinks about the pyramids. You know, I think AI could analyze every theory, every ancient text, even simulate the building process. Because are there some advanced techniques that we've somehow lost over time that the ancient Egyptians knew about? But then also there's the star alignment. So did they really plan the pyramids to line up with Orion's Belt? Was it all intentional? And how did they achieve such precision without modern technology? We could learn a lot about not just building techniques, but their vision and connection to the cosmos. Well, great stuff. Well done. Big week. Great commentary. Thank you so much.