Dropping the ball on chemical security has precipitated "a national security gap too great to ignore," CISA warns.

Source: TTstudio via Alamy Stock Photo

CISA warned this week that facilities maintaining dangerous chemicals across the US are no longer receiving adequate security support.

Compared with such industries as energy, water, and telecoms, cybersecurity professionals tend to be less au courant with the chemicals sector, despite the physical and cybersecurity threats it faces.

CISA used to plug that gap with its Chemical Facility Anti-Terrorism Standards (CFATS). In CISA's own words, CFATS "identifies and regulates high-risk facilities to ensure security measures are in place to reduce the risk that certain dangerous chemicals are weaponized by terrorists." But on July 28, Congress allowed the statutory authority of the CFATS program to expire.

Yesterday, in a blog marking the fourth monthiversary of that decision, CISA associate director for chemical security Kelly Murray warned that "the absence of the CFATS program is a national security gap too great to ignore," likely leading to security gaps, unsafe conditions, and possibly even access by a terrorist.

**Terrorist Threats to the Chemicals Industry**

There are four primary pillars to CFATS, each with an important security function.

Firstly, CISA has screened over 40,000 chemical facilities through the program, identifying 3,200 of them as high-risk. With four months of downtime, the agency estimates that at least 200 new facilities have likely acquired dangerous chemicals, and that "facilities could be stockpiling these chemicals in excess of their existing security precautions, increasing the risk of terrorist exploitation."

Equally, through CFATS, CISA worked with facilities to identify risks to them and their surroundings, and develop cyber and physical safety plans to mitigate those risks, improving their security postures by around 60%. As Murray explained, approximately one third of CISA's site visits historically tended to reveal security gaps, thus "we can safely estimate that hundreds of security gaps have gone unidentified since July."

Perhaps most importantly, chemical facilities used CFATS to run personnel against a Terrorist Screening Database. CISA used to vet an average of 9,000 names per month, flagging in all more than 10 individuals with terrorist ties. At these rates, Murray estimated, its missed screenings "likely would have identified an individual with or seeking access to dangerous chemicals as a known or suspected terrorist at some point over the past four months."

Lastly, CFATS was designed to help the chemical industry stay ahead of the evolving threat landscape, both from a physical and cyber standpoint. "Prior to the lapse in authority, this process was going to be further enhanced by a proposed rulemaking effort to enhance the physical and cybersecurity standards required of CFATS," Murray explained, though now no longer.

Murray ended the letter with a call to Congress to reinstate CFATS. "This is a resolution we cannot afford to break," she concluded.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

CISA to Congress: US Under Threat of Chemical Attacks

Anyscale has dismissed the vulnerabilities as non-issues, according to researchers who reported the bugs to the company.

Source: Ken stocker via Shutterstock

Organizations using Ray, the open source framework for scaling artificial intelligence and machine learning workloads, are exposed to attacks via a trio of as yet unpatched vulnerabilities in the technology, researchers said this week.

**Potentially Heavy Damage**

The vulnerabilities give attackers a way to, among other things, gain operating system access to all nodes in a Ray cluster, enable remote code execution, and escalate privileges. The flaws present a threat to organizations that expose their Ray instances to the Internet or even a local network.

Researchers from Bishop Fox discovered the vulnerabilities and reported them to Anyscale — which sells a fully managed version of the technology — in August. Researchers from security vendor Protect AI also privately reported two of the same vulnerabilities to Anyscale previously.

But so far, Anyscale has not addressed the flaws, says Berenice Flores Garcia, senior security consultant at Bishop Fox. "Their position is that the vulnerabilities are irrelevant because Ray is not intended for use outside of a strictly controlled network environment and claims to have this stated in their documentation," Garcia says.

Anyscale did not immediately respond to a Dark Reading request for comment.

Ray is a technology that organizations can use to distribute the execution of complex, infrastructure-intensive AI and machine learning workloads. Many large organizations (including OpenAI, Spotify, Uber, Netflix, and Instacart) currently use the technology for building scalable new AI and machine learning applications. Amazon's AWS has integrated Ray into many of its cloud services and has positioned it as technology that organizations can use to accelerate the scaling of AI and ML apps.

**Easy to Find and Exploit**

The vulnerabilities that Bishop Fox reported to Anyscale pertain to improper authentication and input validation in Ray Dashboard, Ray Client, and potentially other components. The vulnerabilities affect Ray versions 2.6.3 and 2.8.0 and allow attackers a way to obtain any data, scripts, or files stored in a Ray cluster. "If the Ray framework is installed in the cloud (i.e., AWS), it is possible to retrieve highly privileged IAM credentials that allow privilege escalation," Bishop Fox said in its report.

The three vulnerabilities that Bishop Fox reported to Anyscale are CVE-2023-48023, a remote code execution (RCE) vulnerability tied to missing authentication for a critical function; CVE-2023-48022, a server-side request forgery vulnerability in the Ray Dashboard API that enables RCE; and CVE-2023-6021, an insecure input validation error that also enables a remote attacker to execute malicious code on an affected system.

Bishop Fox's report on the three vulnerabilities included details on how an attacker could potentially exploit the flaws to execute arbitrary code.

The vulnerabilities are easy to exploit, and attackers do not require a high level of technical skills to take advantage of them, Garcia says. "An attacker only requires remote access to the vulnerable component ports — ports 8265 and 10001 by default — from the Internet or from a local network," and some basic Python knowledge, she says.

"The vulnerable components are very easy to find if the Ray Dashboard UI is exposed. This is the gate to exploit the three vulnerabilities included in the advisory," she adds. According to Garcia, if the Ray Dashboard is not detected, a more specific fingerprint of the service ports would be required to identify the vulnerable ports. "Once the vulnerable components are identified, they are very easy to exploit following the steps from the advisory," Garcia says.

Bishop Fox's advisory shows how an attacker could exploit the vulnerabilities to obtain a private key and highly privileged credentials from an AWS cloud account where Ray is installed. But the flaws affect all organizations that expose the software to the Internet or local network.

**Controlled Network Environment**

Though Anycase did not respond to Dark Reading, the company's documentation states the need for organizations to deploy Ray clusters in a controlled network environment. "Ray expects to run in a safe network environment and to act upon trusted code," the documentation states. It mentions the need for organizations to ensure that network traffic between Ray components happens in an isolated environment and to have strict network controls and authentication mechanisms when accessing additional services.

"Ray faithfully executes code that is passed to it — Ray doesn’t differentiate between a tuning experiment, a rootkit install, or an S3 bucket inspection," the company noted. "Ray developers are responsible for building their applications with this understanding in mind."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Critical Vulns Found in Ray Open Source Framework for AI/ML Workloads

Check out our new look — it's crisp, fast, and more reader-friendly.

Source: ronstik via Alamy Stock Photo

Here are some adjectives the Dark Reading team used to describe our revamped site that went live today: Elegant. Slick. Seamless. Clean. Modern.

Change is never easy or comfortable. But the process almost always winds up injecting new life and fresh purpose into your mission, and that's what we've accomplished with Dark Reading's latest look.

The journey to our new look began in August with the quiet rollout of an updated Dark Reading logo that gave our beloved brand a more contemporary design.

Today we've wrapped that logo in a new website platform that improves the overall reader experience, and our hope is that it makes your visit to the site more pleasant, efficient, and productive.

We've streamlined and updated our section names so the site is easier to navigate by topics (check out the Cybersecurity Topics button at the top of the black navigation bar). There's also more context about the type of content that's here, and how to find it on the Dark Reading site.

We enhanced our featured news section at the top of the fold and added a special feed of the latest news from around the globe via Dark Reading Global. As we announced this spring, DR Global initially is focused on the rapidly growing cybersecurity industry in the Middle East and Africa, but stay tuned as we expand our scope to other regions as well.

Scroll further down the homepage and you'll see our Latest News and Commentary sections, packed with our traditional mix of informed, unique, and relevant content. You'll also see a new space titled Deep Reading, which showcases Dark Reading's vast library of digital reports and original research. You can read summaries of our reports as well as download them for free.

Underneath our dedicated features section The Edge, and DR Technology, our section dedicated to cybersecurity technology trends and products, you will find our newest section, DR Global, now with a homepage presence and its own special section within the site.

That's just a quick tour of some of the new features and functions on the updated Dark Reading site. There will be more landing on the site in the coming months as we evolve to match our readers' needs. No matter how much our look changes, we are committed to serving up comprehensive and informed reporting, analysis, and other content that long has set Dark Reading apart as one of the top cybersecurity media sites in the industry.

In the meantime, we want to hear from you on what you think about the site redesign and its features. Drop us an email at \[email protected\] with your feedback — good or bad, we can take it.

**About the Author(s)**

Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Dark Reading Debuts Fresh New Site Design

The company's power production remains in operation, and authorities have been notified of the attack.

Source: Brian Guest via Alamy Stock Photo

Holding Slovenske Elektrarne (HSE), a Slovenian power generation company, fell victim to a ransomware attack on Nov. 22 that compromised its systems but didn't disrupt power production.

The company regained control and was able to contain the attack on Nov. 24. 

The National Office for Cyber Incidents at Si-CERT and the Ljubljana Police Administration were notified of the attack. The power company also worked with third-party experts to mitigate the effects of the attack and prevent the spread of the malware to other critical infrastructure systems in Slovenia. 

No ransom has been demanded yet. The attack is believed to be the work of Rhysida ransomware gang, which offers its victims an email address to connect with the threat actors without making any financial demands. It's still unclear if HSE has made contact with Rhysida.

Disruption is limited to the Šoštanj Thermal Power Plants and the Velenje Coal Mine websites, according to a spokesperson, and HSE officials have claimed that the situation is under control. 

**About the Author(s)**

Slovenian Electrical Utility HSE Suffers Ransomware Attack

Joe Sullivan, spared prison time, weighs in on the lessons learned from the 2016 Uber breach and the import of the SolarWinds CISO case.

Source: MOZCO Mateusz Szymanski via Shutterstock

Joe Sullivan arrived at his sentencing hearing on May 4 this year, prepared to go to jail had the judge not gone with a parole board's recommendation of probation. A federal jury convicted the former Uber CISO months earlier on two charges of fraud for failing to alert regulators of a 2016 cybersecurity breach, but Sullivan was spared having to serve any prison time.

Instead, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years of probation, 200 hours of community service, and a $50,000 fine. Prosecutors were seeking 15 months of prison time for the charges alleged by the Federal Trade Commission (FTC) that Sullivan failed to report the breach that affected more than 50 million records for customers and Uber drivers.

"I went to my sentencing hearing fully prepared to go to jail with a specific penitentiary area that we were going to request," Sullivan tells Dark Reading. "I had to research all the different federal facilities and figure out which one would be the one that my family would be able to most visit and that I would be the safest. And I had to think about who would take care of my kids and who would pay my bills on my house and manage everything else."

**Joe Sullivan, Post-Uber Breach**

Now that the matter has been decided, Sullivan is free to speak out, and he plans to share his story in a keynote address at Black Hat Europe 2023 on Dec. 7. Sullivan says biting his tongue for over six years wasn't easy. "My lawyers wouldn't let me say a word," Sullivan laments.

"If somebody labels what you're doing a coverup, it's really easy for people to buy into that idea," he says. "For six years, I had to listen to and see my name in the media saying things about me that I knew weren't true. And my kids had to be subjected to everybody they know asking them what they saw about their dad on the news."

In getting the minimum sentence, Sullivan says he was vindicated. "The judge said we did an amazing job on the investigation," he says. "We followed our playbook. What people don't understand is the company had D&O \[directors and officers\] insurance policies. We had a data-breach response policy that designated a specific lawyer we were supposed to call. The team called in that lawyer and called in PR. I looped in the CEO and kept him up-to-date."

**Transparency Is the Most Significant Lesson**

Sullivan says the key mistake he made was not bringing in third-party investigators and counsel to review how his team handled the breach. "The thing we didn't do was insist that we bring in a third party to validate all of the decisions that were made," he says. "I hate to say it, but it's more CYA."

Now, Sullivan advises other CISOs and companies about navigating their responsibilities in disclosing breaches, especially as the new Securities & Exchange Commission (SEC) incident reporting requirements are set to take effect. Sullivan says he welcomes the new regulations. "I think anything that pushes towards more transparency is a good thing," he says. He recalls that when he was on former President Barack Obama's Commission on Enhancing National Cybersecurity, Sullivan was pushing to give companies immunity if they are transparent early on during security incidents.

That hasn't happened until now, according to Sullivan, who says the jury is still out on the new regulations, which will require action starting in December.

"Right now, too many companies think it's not in their best interest to be transparent," Sullivan says. "I think the SEC is trying to change the incentives through sticks rather than carrots. But that's the tool that they have, which is better than nothing."

**SolarWinds Sends Mixed Signals from the SEC**

Meanwhile, the SEC is signaling a zero-tolerance focus when it comes to data beach mishandling, with its recent charge of fraud in the US District Court in the Southern District of New York against SolarWinds Corp. and its CISO Tim Brown, regarding the software supply chain attack on the company's Orion platform in October 2020.

But Sullivan says the SEC's decision to charge SolarWinds and Brown contradicts the agency's approach in rolling out its new disclosure rules just months earlier.

"On the one hand, they are engaged with the community and have set some new expectations, which I think is great because they're trying to set some rules for the road, and they got feedback from the public," Sullivan says. "But if you look at the Solar Winds and Tim Brown enforcement action, you see a very different approach, which is not so collaborative, and a lot of commentators have suggested that maybe they don't seem to fully understand what life is really like doing security inside of a corporation."

It's too early to predict how the case will play out since only the parties involved know what evidence will be presented, Sullivan says. But based on the SEC's charges, he sees similarities to his own situation.

"The government, the FTC in my case, felt that my company wasn't sufficiently transparent, and they sought to hold me personally accountable for that, even though it wasn't my job to be the communicator of our security posture or answer any of their questions," Sullivan says. "In fact, I hadn't seen a lot of the documents. And so, their case was about me being held personally responsible for the company's approach to communication. Tim Brown's case is the exact same thing."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Former Uber CISO Speaks Out, After 6 Years, on Data Breach, SolarWinds

As industries around the world act to mitigate the increase in cyber threats, the aviation sector should be leading the cybersecurity uprising, explains William "Hutch" Hutchison, CEO of SimSpace.

Source: Allen Creative/Steve Allen via Alamy Stock Photo

COMMENTARY

Over the last three years, the global aviation industry has been left reeling by a post-pandemic sucker punch that hit the sector with over $185 billion in losses. Once a bastion of American prosperity, airlines were forced into survival mode, cutting staff from their workforce and flights from their schedules.

Capital preservation was the default setting for boards across the country, but as the sector emerges from economic instability, CEOs and CISOs want to know where to invest to ensure long-term growth. The North Star of success in aviation continues to be the safety of passengers, systems, and the data they house. For decades, this safety was only challenged by spilled coffee, crosswinds, and external market forces.

The cybersecurity of airlines and manufacturers has opened a new domain of safety crucial for the continuity of flight systems, servers, and communication equipment. Security has become an integral component of an economic powerhouse that has contributed to American transportation, trade, and commerce for over 100 years.

To ensure the security of the industry for the next century, protecting critical infrastructure from increasingly complex and frequent cyberattacks should be the No. 1 priority for large organizations across the US. The new litmus test for investors and insurers will be how prepared airlines and manufacturers are for the potentially debilitating consequences of a cyberattack.

**The Rising Tide of Accountability**

Of all cyberattacks against the aviation industry in 2021, 55% resulted in financial loss, and over one-third resulted in the leaking or theft of personal data. The improving success rate of hackers compelled them to go bigger and better, as the average ransomware demand skyrocketed to $2.2m in 2022, although payouts often were less.  Ransomware responses continue to evolve as regulations tighten.

In light of this, regulatory bodies and lawmakers have sounded the alarm, placing a spotlight on securing systems and networks against rising threats. In March 2023, the Transportation Security Administration (TSA) issued an "emergency amendment" to airports and aircraft operators' security programs. The amendment mandates TSA-regulated entities develop implementation plans to improve their cybersecurity resilience, aiming to prevent disruption and degradation to their infrastructure.

At the same time, the US government's new National Cybersecurity Strategy this year has reinforced the necessity of defending critical infrastructure by shifting responsibility from individuals to large organizations. This coordinated governmental strategy has, in part, been a response to the abundance of attacks against targets in the aviation sector. Canadian low-cost airline SunWing faced four days of flight delays last year after third-party software systems breached the check-in process. Indian carrier SpiceJet was also hit by a ransomware attack that left hundreds stranded at airports nationwide, showing that these events are occurring in all corners of the world.

The International Air Transportation Association (IATA) is the foremost authority of global aviation best practice. They made the responsibility of civil aviation cybersecurity clear, stating that "people, processes, and technology" (PDF) are the three main components dependent upon each other to create a unified cyber strategy. We are in an age where nation-state tactics and techniques are accelerating beyond the ability of the commercial sector to defend themselves. However, traditional General Data Protection Regulation (GDPR) approaches to assessing and reducing cyber-risk have simply become obsolete.

If pilots navigated planes only using their knowledge of flight controls, this would not prepare them for the demands of neutralizing an engine failure at 30,000 feet. This is why they test and train their skill set in simulators designed to mimic real-world scenarios, so their knowledge and reactions are robustly exercised for maximum performance. The next generation of cybersecurity is now taking this concept and applying it to the defense of critical assets in the aviation industry.

**One Small Step for Tech, One Giant Leap for Cybersecurity**

Cyber-ranges are the government-grade flight simulators of cybersecurity. By battle-testing defenses in real-world conditions, airlines' IT and OT environments can experience the equivalent of three years' worth of attacks in just 24 hours. However, many airlines use data collection and storage software seen in most industries, making lateral movement through networks relatively straightforward.

Decision-makers in the halls of aviation titans around the country are now deciding how to implement precautions to secure these systems and bolster their company's investment strategy for the next stage of growth. Prioritizing government-grade cybersecurity can help them refine their incident response plans, train employees, and comply with the latest groundswell of regulation. By implementing a "train to failure" mindset, companies can test their defenses against phishing, DDoS attacks and data-breach techniques that contribute to around two-thirds of all cyber threats in the industry today.

If an aviation organization loses less than 1% of its customers as a result of a data breach, millions of dollars in revenue could be lost. Carriers and manufacturers need the data and insight into their IT and OT environments to see what is working, and what isn't.

By implementing a proactive approach to cybersecurity, effective mitigation of threats can be achieved, reducing the dwell time of attackers. By removing the "unknown unknowns" of cyber threats, businesses can achieve the maximum levels of protection needed to keep their company safe.

**About the Author(s)**

CEO & Co-Founder, SimSpace

William "Hutch" Hutchison is the CEO and Co-Founder of SimSpace. He had extensive experience working in the NSA as a senior officer with US Cyber Command. US Cyber Command and the National Security Agency (NSA) are the premier organizations of the US Department of Defense and Intelligence Community, responsible for conducting military and intelligence operations in the cyber domain. Hutch was appointed through presidential order to create a team focused on defending US national infrastructure against state cyberthreats. In 2015 Hutch started the cyber readiness platform to deliver military-grade cybersecurity protection against advanced cyber threats for governments and organisations worldwide.

As a former F-15 fighter pilot, Hutch went on to lead cyber exercises at the US Cyber Command, and created numerous Department of Defense (DoD) cybersecurity training, testing and assessment programs. Hutch helped create a "Special Forces" approach to testing cyber defense teams and continues to serve as the Test Director for cyber operational assessments at the DoD.

At SimSpace, Hutch spearheaded multiple deployments in financial and other commercial sectors. Hutch holds a Bachelor’s degree from Duke University, a Master’s degree in aerospace engineering from University of Texas at Austin, and a master's degree from the MIT Sloan School of Management.

Fight or Flight: How to Keep Cyberattacks From Taking Off

Online shopping websites often lack basic security protections when it comes to PII, allowing malicious actors to capitalize on consumer data or perpetuate retail and hospitality scams.

Source: Valentin Valkov via Alamy Stock Photo

The post-Thanksgiving e-commerce shopping event known as Cyber Monday draws millions of consumers each year seeking out bargains online — to the tune of $11 billion in 2022.

However, amid the purchasing spree, consumers routinely share sensitive personally identifiable information (PII) on e-commerce platforms, including credit card details and addresses, and a recent survey by CyCognito explores the question of whether these sites prioritize security and compliance.

The report unveiled concerning insights on the risk of compromised PII, of which many remain unaware – and discovered substantial pitfalls in the security landscape of Cyber Monday e-commerce platforms.

Even though more than half (52%) of e-commerce Web apps exist in the cloud, the research indicated they aren't immune to security vulnerabilities.

The study revealed 2% HTTPS, the the secure version of HTTP and a protocol for secure data transmission. This poses a risk to around 520,000 of the estimated 26 million global e-commerce stores.

Researchers discovered more than a quarter (28%) of these platforms operate without a Web application firewall (WAF), and nearly one in four (24%) e-commerce Web apps that collect PII are missing a WAF.

Additionally, nearly six in ten (58%) e-commerce Web apps collect user PII, raising concerns about data handling. Equally worrisome is that 78% of these platforms don't seek user consent for cookies, a compliance red flag.

The array of security issues doesn't stop there, with 13% of ecommerce Web apps throwing up certificate validity issues, and just under half (48%) of platforms have one or more cryptographic vulnerabilities.

The report also found that 2% of ecommerce Web apps carry critical security issues, half of which involve PII, and more than three quarters (76%) of these critical issues are easily exploitable.

Rounding out the research findings was the discovery that 7% of all e-commerce Web apps monitored had at least one issue from the OWASP Top Ten list, a commonly used awareness document for developers and Web application security.

**Threats Rise As Holiday Shopping Season Kicks Off**

On the individual shopper front, it's worth a reminder that Holiday spending perennially catches the eye of threat actors, who exploit consumer behaviors and prey on the surge of online payments and digital activities during the holidays.

This has risks for organizations, too: Companies continually battle credential harvesting, phishing, bots, and various malware variants, with a recent Malwarebytes Labs report warning of a 50% uptick in credit card skimming in 2023 — and that's only set to get worse during the holiday shopping season.

Vandan Pathak, senior application security consultant at Optiv, says scammers are going to activate their plexus network of techniques to entice victims with fake promotions.

"Individuals are highly advised not to entertain any messages or calls they receive which offer them direct holiday discounts," he says. "In the past, we have seen individuals fall for these traps frequently and the number is going to increase during the holiday season."

He notes that individuals must be aware of scammers and fake gift card offers — often, these "offers" come with the light lift of filling out a survey.

"Only, the survey is fake, and the sole result is your personal information is now in the hands of a bad actor," he explains. "These have historically been quite successful tactics during the holiday months."

He adds security front liners, such as network security engineers or analysts, should be attentive to upticks in unusual activity in company environments.

"Attacks on organizations during this time of the year are successful often due to teams' guards being down," Pathak cautions.

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Cyber Monday Kicks Off Holiday Shopping Season With E-Commerce Security Risks

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Someone always has to take the fall. Pity the poor CISO? Come up with a clever cybersecurity-related caption to describe the scene, above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Dec. 13, 2023, deadline:

*   Via social media: X (formerly known as Twitter), Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

Last Month's Winner

Dave Brassey for the win! The manager of privacy, security and risk assurance at Australia-based software company Family Zone Cyber Safety scored himself an Amazon gift card for his caption to accompany October's "Modern Monarchy" contest:

Thank you to all who participated. Keep on trying!

**About the Author(s)**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: Slam Dunk

A determination to be taken seriously as a cyber player sees the United Arab Emirates announce a series of collaborations.

The United Arab Emirates' Cybersecurity Council has agreed to a number of partnerships to better improve its threat intelligence sharing capabilities, including forging ahead with collaborations with other nations.

Following a spate of recent cybersecurity conferences, the UAE has signed a series of memorandums of understanding (MoUs) to better improve the state of cybersecurity within the country, including with the US Treasury Department. 

The MoU with the US is an agreement to share information on threats and incidents affecting the financial services industry. This should be particularly relevant when considering that the UAE has been given an AA- rating with a "stable outlook" for its banking sector.

The country also signed a MoU with Morocco, where the two states will set up a joint committee to plan and oversee the implementation of capabilities to respond to cyberattacks (details on specific points of the agreement are not available), and also with Chad, where the two countries have pledged international cooperation on cyber matters. The outreach to Africa is notable given that cybersecurity centers are rapidly being opened across the continent — Morocco's opened last year following directives that were written in the last decade.

**A UAE Cyber Vision for the Next Few Decades**

Mohamed Hamad Al Kuwaiti, head of cybersecurity for the UAE government, told local media that these partnerships are part of a vision of establishing an advanced digital infrastructure to prepare for the next half century.

And indeed, this comes at an opportune time for the UAE, as its overall cybersecurity posture has been improving over the past few years. It ranked fifth in the most recent Global Cybersecurity Index, jumping 33 places from its previous placing, following the opening of its Cybersecurity Council in 2020.

"This allows the parties involved to see the issue of cyber defense from different points of view, and will certainly aid in a better and more well-rounded security posture for all involved, not just the UAE," says Andi Ursry, cyber-threat intelligence analyst at Optiv.

**UAE's Business Agreements on Cybersecurity Readiness**

On top of the national agreements, the UAE also signed MoUs with several cybersecurity vendors. With Kaspersky, for instance, the UAE will collaborate to share information on identifying, investigating, and responding to evolving cyber threats, and exchange expertise on the latest malware trends, indicators of compromise, and security risks faced by the economic sectors of the country.

And with Microsoft, the UAE will cooperate and conduct information exchanges in cybersecurity related fields, with particular attention paid to national cooperation, deterrence, prevention, and responses to cyberattacks. The two parties will also work together to promote awareness-building through educational programs, as well as exploring business and economic exchanges for cybersecurity, they said.

Al Kuwaiti commented that the UAE's ICT industry has opened new "windows of opportunity" but added that the nation is also vulnerable to new and sophisticated types of security risks, which are dynamic and evolving in nature. As a result, these MoUs are forged with partners "with the essential expertise and tools to eliminate information security incidents."

The UAE Cybersecurity Council's actions in the past few weeks show clear ambitions for the country to be more global in its cyber capabilities, says Vibin Shaju, UAE general manager at Trellix. 

"MOUs and public-private partnerships can encompass information sharing, collaborative incident response, regulatory compliance, public awareness and education, collaborative exercises and drills," he notes. "Such collaboration is critical for addressing the dynamic and evolving nature of cybersecurity threats."

UAE Bolsters Cyber Future With US Treasury Partnership, Collaborations

From communicating why security should be a priority to advocating for accountability and greater focus on protecting data in the cloud, CISOs can make the case for keeping people and sensitive data secure.

According to a new study (subscription required), only 12% of S&P 500 companies have board directors with relevant cyber credentials, showing a major gap in the expertise needed to keep organizations secure.

As most organizations shift to digital and cloud-first strategies, businesses of all shapes and sizes must protect their assets. Similar to the Sarbanes-Oxley (SOX) Act of 2002 — which requires corporations to adhere to certain practices in financial record keeping and reporting — the SEC implemented federal compliance for cybersecurity in July. Companies had to begin complying by Sept. 5. These regulations require businesses to provide annual cybersecurity risk management, strategy, governance disclosures, and disclosure of any cybersecurity incidents. Although security has been a board-level conversation for some time, CISOs will be the ultimate source for ensuring best security practices are being followed.

**Closing Board Gaps**

Unfortunately, there's a considerable gap between security leaders and the board directors responsible for managing businesses. A recent Harvard Business Review survey of 600 boardrooms revealed just 47% regularly interact with their company's CISO. That's a severe knowledge gap for a company's security and business leaders. It's high time we started looking at CISOs as critical assets for every company's board to fix this problem. After all, security failures can crush more than just a company's reputation; they can also tank stock prices.

Yet according to research from the CAP Group, among Fortune 100 companies, just 51% have directors with relevant cybersecurity experience. The situation is even more alarming in the Fortune 500, where only 9% of boards have directors with a strong understanding of cybersecurity. This problem extends to companies in the Russell 3000, where just 8% have directors with cybersecurity expertise.

Introducing CISOs to the boardroom is not just about compliance or avoiding enforcement from the SEC; it's also about ensuring transparency and accountability. CISOs are already building security programs from the ground up. They provide business compliance, hire the right people, and find the right technology to supplement their team's efforts. Security posture is critical to an enterprise's future success, and having a CISO on the board that speaks the language can help a board understand if their business is making suitable security investments.

**Increased Stakes in a Cloud Era**

Of course, the cloud unlocks huge advantages — notably, the ability to innovate faster — but also creates new security challenges. The cloud has an exploding risk surface area and a 1,000x rate of change, which means most of an organization's code is created upstream and is often open source, not to mention developers define containers, workloads, networks — everything — as code.

Given how rapidly the current threat landscape shifts, every organization would benefit from the CISO having a boardroom seat. Not only are revenue and profitability directly impacted by a company's digital business, but these corporations are trusted by millions of individuals to use their data appropriately and securely. When assets are at risk of attack, so is the company's ability to thrive. Introducing a CISO to the boardroom helps assuage fears of security threats, as the CISO can effectively communicate risks and keep them out of the shadows of how security impacts business.

But as CISOs enter the boardroom conversation, they also undergo the expectation from CEOs and board members to drive the probability of intrusions, data exfiltration, ransomware, and other attacks, to effectively zero. Many individuals outside of security don't understand that this task is essentially impossible, and it's up to the CISO to communicate that to the board while still assuring them their assets are well-protected by the organization's security practice and team.

**Being More Than a Technical Expert**

At the board level, CISOs ensure compliance with appropriate regulations and standards while driving business growth. These regulations shouldn't be seen as profitability roadblocks but opportunities for CISOs to communicate why security should be a priority and not an afterthought. The increased scrutiny of today's economic environment and the new rules set by the SEC open a door for security leaders to decrease complexity, raise awareness, and solidify engagement with security efforts across the company.

But aligning an entire organization on security is challenging since most employees don't have technical expertise. When proposing a security strategy to a room full of nontechnical folks, there's the possibility that the audience will leave with more questions than answers. That's why CISOs are prioritizing soft skills. The CISO's sole responsibility is addressing security threats and vulnerabilities and getting people to buy into processes and best practices. CISOs' roles are complex and nuanced and need to be treated as such. Their presence in the boardroom would bring greater task efficiency, focus, and accountability.

CISOs are indispensable when it comes to establishing a modern security posture. As the SEC tightens its reins on security and more business leaders understand the business implications of a secure cloud environment, we can expect to see more CISOs join the boardroom to spearhead a change we need to see for a greater focus on protecting the cloud and the data that lives within it. And while the responsibilities of the CISO are changing, one thing remains the same: Keeping people and sensitive data safe and secure is always the No.1 priority.

That's something every board of directors can benefit from.

Source

DARKReading