The Bureau of Industry and Security will add four companies in Israel, Russia and Singapore to the entity list for "malicious cyber activities" contrary to U.S. foreign policy and national security, BIS said; see also a State Department announcement. The two Israeli companies, which include NSO Group, supply malicious spyware to foreign governments, and the companies in Russia and Singapore "traffic in cyber exploits" that threaten the "privacy and security of individuals and organizations worldwide." BIS' parent agency, the Commerce Department, said these additions -- which take effect Thursday, when they're to be published in the Federal Register -- reflect a government-wide effort to "stem the proliferation of digital tools used for repression." Adding NSO and others is "long overdue," Access Now said. It said the EU and other governments "should implement similar restrictions on surveillance tech companies who facilitate human rights violations." The privacy advocacy group wants the U.S. government to sanction owners and affiliates of NSO Group and Candiru, another company that's being added to the BIS list. NSO "is dismayed by" BIS' decision because "our technologies support US national security interests and policies by preventing terrorism and crime," emailed a company spokesperson. "We will advocate for this decision to be reversed."
Technologies are emerging to combat deepfakes, but rules might be needed, panelists said at a Tuesday webinar hosted by the Convention of National Associations of Electrical Engineers of Europe (EUREL). Deepfake technology has enabled some beneficial uses, but it's increasingly difficult to distinguish between real and fake content and people, said Sebastian Hallensleben, chairman of German EUREL member VDE e.V. One common argument is that AI fabrications aren't a problem because other AI systems can be used to detect them. As deepfakes become more sophisticated, there will be more countermeasures, causing a "detection arms race," said Hallensleben. What's needed is a "game-changer" to show what's real online and what isn't, Hallensleben said. He's working on "authentic pseudonyms," identifiers guaranteed to belong to a given physical person and to be singular in a given context. This could be done through restricted identification along the lines of citizens' ID cards; a second route is through self-sovereign identity (SSI). If widely used, authentic pseudonyms would avoid the "authoritarian approach" to deepfakes, Hallensleben said. SSI is a new paradigm for creating digital ID, said Technical University of Berlin professor Axel Kupper. The ID holder (a person) becomes her own identity provider and can decide where to store her identity documents and what services to use. The infrastructure is a decentralized, tamper-proof, distributed ledger. The question is how to use the technology to mitigate the use of automated content creation, Kupper said. Many perspectives besides technology must be considered for cross-border identification infrastructure, including regulation, governance, interoperability and social factors, said Tanja Pavleska, a researcher at the Jožef Stefan Institute Laboratory for Open Systems and Networks in Slovenia. Trust applies in all those contexts, she said.
Asked whether the proposed EU AI Act should classify deepfakes as high-risk technology, she said such fakes aren't just done by a single player or type of actor, so rules aimed at single points might be difficult. All panelists agreed the EU general data protection regulation should be interpreted to cover voice and facial data.
“Attribution in a security incident is complicated and can be speculative,” emailed a Sinclair spokesperson in response to a report that the company’s recent hack (see 2110180063) was the work of a Russian-based gang of cybercriminals called “Evil Corp.” “Our focus remains on continuing to work closely with a third-party cybersecurity firm, other incident response professionals, law enforcement and governmental agencies as part of our investigation,” the spokesperson said. The company is making progress at restoring systems after the attack, Sinclair said. “All of our stations and Regional Sports Networks (RSNs) are currently on the air and broadcasting,” and “a large portion of other programming has and is airing as scheduled,” said the spokesperson. “We are still working to return to our complete regular programming schedule and to resolve all programming issues that may arise.”
The Bureau of Industry and Security will issue new export controls on certain cybersecurity items and create a new license exception for those exports, said an interim final rule Wednesday. It will establish more restrictions on items that can be used for “malicious cyber activities” by imposing a license requirement for shipments to certain countries, said BIS, part of the Commerce Department. The changes, effective Jan. 19, will align U.S. cybersecurity restrictions with controls previously agreed to at the multilateral Wassenaar Arrangement. BIS seeks comment on the changes by Dec. 6, says Thursday's Federal Register.
The cybercrime “attack surface” is larger than ever, with millions of employees still working from home, “in some cases using personal devices to access cloud apps and corporate resources,” a Citrix survey found. The company commissioned Sapio Research to canvass 1,250 security decision-makers in the U.S., U.K., France, Germany and the Netherlands, finding 74% say procedures and controls are becoming “more complex” as their organizations transition more permanently to remote and hybrid work. About an equal proportion said they're fighting to keep up with the increased volume of security threats that the remote-work models create, said Citrix Thursday. Nearly eight in 10 respondents said this pandemic created an opportunity to “completely rethink” long-term strategies to secure their networks without harming employees' experience, it said. But remote-work challenges abound, including poor connectivity (cited by 43% of respondents as a key hurdle), navigating technical problems virtually (34%) and workers’ inability to get tech support quickly or easily (32%).
Businesses take 20.9 hours on average to respond with mitigating actions to cyberattacks, a Deep Instinct survey found. The predictive-analytics vendor commissioned Hayhurst Consultancy to canvass 1,500 senior cybersecurity executives in 11 countries in July, finding lack of threat prevention “specific to never-before-seen malware” was a “top concern” among 44%. “Given the lag time that security teams often face when responding to an attack, survey respondents were uncertain whether it is possible to prevent the constant waves of attacks from cybercriminals,” said Deep Instinct. “Threats from within” remain a “persistent issue,” it said, finding 86% lacked confidence “that their fellow employees will not click on malicious links, easily allowing threats into an environment and initiating an attack or breach.”
Many commercial space operators are designing their systems with cybersecurity protection in mind, but "there are still gaps we have to address," said Commerce Department Deputy Secretary Don Graves Wednesday during a Commerce/Department of Homeland Security cybersecurity symposium. Cyberattacks are one of the easiest ways to disrupt or manipulate satellites, and operators need to evaluate their systems using the National Institute of Standards and Technology cybersecurity framework, he said. Bob Kolasky, head of DHS' National Risk Management Center, said federal government action on President Joe Biden's cybersecurity executive order issued earlier this year (see 2105130065) could have a cascading effect on private sector supply chains.
The recent spate of ransomware attacks and other cyberthreats prompted Google to form a cybersecurity action team to offer customers “strategic advisory services” and threat intelligence and incident response expertise, said the company Tuesday. “Cybersecurity is at the top of every C-level and board agenda.
House members introduced legislation Friday that would direct the federal government to establish cyber incident reporting requirements for critical infrastructure owners and operators. Introduced by House Homeland Security Committee Chairman Bennie Thompson, D-Miss.; ranking member John Katko, R-N.Y.; Cybersecurity Subcommittee Chair Yvette Clarke, D-N.Y.; and ranking member Andrew Garbarino, R-N.Y., the Cyber Incident Reporting for Critical Infrastructure Act would direct the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to establish requirements. Entities would report to a new cyber incident review office established by CISA. It would allow for a reporting window of at least 72 hours and provide liability protections. The bill was included as a bipartisan amendment to the National Defense Authorization Act for FY 2022, which passed the House in September. Senate members are negotiating various pieces of mandatory cyber reporting legislation (see 2109230065).
Telework is “essential” for federal operations in emergencies, but it creates cyber risks, GAO said Thursday. All 12 agencies examined have the technology to support telework, but not all had “fully addressed relevant guidance for securing their remote access systems,” the auditor said. The study included offices at DOJ, and the departments of Homeland Security and Transportation. If agencies don’t “sufficiently document relevant security controls, assess the controls, and fully document remedial actions for weaknesses identified in security controls, they are at increased risk that vulnerabilities in their systems that provide remote access could be exploited,” the report said. Agencies agreed with recommendations to “document and assess relevant controls, and to fully document remedial actions for systems supporting remote access.”