This episode features an in-depth discussion on AI security, cyber policy, and the evolving landscape of cybersecurity, featuring experts from the EU and industry leaders. Topics include Project Glasswing, EU cybersecurity legislation, quantum computing, and the dark economy of hacking.

Interview:

• European Cybersecurity Act 2.0

News:

• Anthropic’s Mythos 
• UK Tracking Russian Submarines over its Subsea Cables

Community Corner:

• US version: "Dark Screens: Hackers and Heroes in the Shadowy World of Ransomware"(release date 28 April)
• UK version: "We Know You Can Pay A Million: Inside the Dark Economy of Hacking and Ransomware" (release date 2nd April)

From shifting global norms to the rising pressure for stronger deterrence, our guests break down why offensive capabilities are back in the spotlight and what it means for national security. They dig into the debate over whether these operations should remain strictly government-run or if there’s ever a world where the private sector plays a significant role. They also break down the risks, the misconceptions, and the practical challenges that keep the “hack back” debate alive, including concerns about misattribution, escalation, and potential interference with intelligence or law enforcement operations.

Interview:

• Pall Mall Process Industry Code of Practice (due Dec. 22)
• Computer Fraud and Abuse Act (CFAA)

News:

• India Orders Smartphones Makers to Preload State-Owned Cyber Safety App
• CISA, Australia, and Part and Partners Author Joint Guidance on Securely Integrating Artificial Intelligence in Operational Technology

Community Corner:

• Carveout for Security Research in Portugal's NIS2

Instead of the news segment this week, Jen and Alex share details on the upcoming CyberNext DC conference, co-hosted by CCPL and the Cyber Threat Alliance, which is taking place this Dec. 12. You can register for virtual attendance here.

Both came on to discuss the then-recently released Executive Order 14117 and the associated Advanced Notice of Proposed Rulemaking (ANPRM). Since then, the DOJ issued a Notice of Proposed Rulemaking (NPRM), with written comments from the public due by November 29, 2024. Additionally, as directed by the EO, CISA has developed proposed security requirements to apply to classes of restricted transactions identified in the NPRM. In the episode, Lee and Grant dig into the proposed rule and security requirements, as well as the next steps in the rule making process.

Interview:

• Executive Order 14117
• DOJ Notice of Proposed Rulemaking (NPRM)
• CISA Proposed Security Requirements  

News:

•  Streamlining Federal Cybersecurity Regulations Act (Senate); Streamlining Federal Cybersecurity Regulations Act (House) 
• Pall Mall Process Meeting
• IST's 2nd Annual Cyber Policy Awards, open for submissions through December 6th

Community Corner:

• Citizen Lab Report - Rivers of Phish, Sophisticated Phishing Targets Russia’s Perceived Enemies Around the Globe
  
  

News:

• CISA's Call for Comment on Cyber Incident Reporting Form

Community Corner:

• Paris Peace Summit

As always, if you would like to submit something for the Community Corner segment, or have topic ideas for upcoming episodes, please email iaj01@venable.com. 

• The Pall Mall Process 
• The official adoption of the EU’s  Cyber Resilience Act (CRA)
• The publication of the EU’s Network and Information Security Directive (NIS 2) Implementing Act
• Ghana’s New National Cybersecurity Policy and Strategy 

Community Corner:

• “Software Supply Chain Security: Securing the End-to-End Supply Chain for Software, Firmware, and Hardware” by Cassie Crossely 

As always, if you would like to join us for the community corner segment, or have topic ideas for upcoming episodes, please email iaj01@venable.com. 

News:

• Senate Confirms Michael Sulmeyer as DoD Cyber Policy Chief
• DoD Establishes the Office of the Assistant Secretary of Defense for Cyber Policy
• Chile’s Public Consultation on Cybersecurity Framework Law Regulations
• Chile’s New Cybersecurity Framework Law
• EU Product Liability Directive

Interview:

• Costa Rica's 2023-2027 Cybersecurity Strategy 
• United States Announces $25M to Strengthen Costa Rica’s Cybersecurity
• DigiAmericas LATAM CISO Summit 

News:

• Chevron Pattern Disrupted: The Impact on Cybersecurity Regulations
• Polish Parliament Investigation Into Spyware Progresses
• Pall Mall Process
• European Commission Consultation on NIS2 Implementing Regulation 

Interview:

• National Defense Authorization Act 
• Assessing an Independent Cyber Force
• FISMA Amendment 

Community Corner

• Policy @ DEF CON programming

News:

• ONCD Releases its Summary of the 2023 Cybersecurity Regulatory Harmonization RFI
• White House highlights voluntary commitments from Google, Microsoft to provide cyber services for health sector

Interview:

• Digital Covid Certificate
• NIS Directive
• CRA
• U.S.-EU Sign Joint Cybersafe Products Action Plan
• U.S.-EU Trade and Technology Council Meeting

Community Corner:

• ICS Village
• Hack the Capitol

News:

• International Cyberspace and Digital Policy Strategy
• CISA's Secure by Design Pledge
• UK's Product Security and Telecommunications Infrastructure (PSTI) Act
• UK Consultation for draft code of practice for software vendors
• UK Consultation for draft code of practice for cybersecurity of AI  

Interview:

• National Vulnerability Database
• Common Vulnerability Exposures
• Forum of Incident Response and Security Teams (FIRST)

Community Corner:

• Inaugural Cyber Policy Awards

In addition, this week, Alex and Jen are joined by Michael Daniel, president and CEO of the Cyber Threat Alliance, to discuss the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). As always, if you would like to submit cyber policy trivia, or have topic ideas for upcoming episodes, please email iaj01@venable.com.

News:

• Notice of Proposed Rule Making to Implement the Cyber Incident 
• Reporting for Critical Infrastructure Act (CIRCIA) of 2022 
• The Ransomware Task Force (RTF) celebrated its third anniversary with a one day event co-hosted by the Center for Cybersecurity Policy and Law, and you can watch the recording here. 
• CR2’s Guarding Global Commerce Report 

Interview:

• EO 14117 on "Preventing Access to Americans' Bulk Sensitive Data and United States Government-Related Data by Countries of Concern"
• EO 14117 Advanced Notice of Proposed Rule Making
• ICT Supply Chain, Department of Commerce 

The jam-packed discussion delves into the importance of workforce diversity, the notion of responsible cyber power, and the commercial proliferation of offensive cyber weapons like spyware. In addition, this week’s episode features cyber policy recommendations from the Cybersecurity Coalition’s EU Policy Roadmap 2024 - 2029. Our Mystery Trivia Master is the wonderful Liz Wharton (@lawyerliz), founder and CEO of Silver Key Strategies. 

News:

• Cybersecurity Coalition EU Policy Roadmap 2024 - 2029

Interview:

• UK National Cyber Force Paper on Responsible Cyber Power
• Australian Cyber Policy with Ambassador Brendan Dowling
• UK's 2022 Cybersecurity Strategy
• African Union Position on the Application of International Law in Cyberspace
• Pall Mall Process Declaration 
• Summit for Democracy Joint Statement

Trivia:

• Air-Control Hacker Faces Charges (Wired, 1998)

News:

• NIST’s CSF 2.0
• UK Call for views on cyber security and economic growth
• UK Cyber Duty to Protect Survey

🧠 What's next for AI?

⚛ Will 2024 be the year of Quantum?

🔑 Can we finally ditch Passwords? 

🏷 Will Cyber Labels nudge consumers towards better security decisions?

📜 Will Certifications and Self-Attestations raise the bar for enterprises?

Episode Guest List:

Brendan Dowling - Australian Ambassador for Cyber Affairs and Critical Technology

Irfan Hemani - Deputy Director of Cyber Security Policy, UK Department for Science, Innovation and Technology‍

Alison King - Vice President of Government Affairs, Forescout Technologies

Ari Schwartz - Managing Director of Cybersecurity Services, Venable LLP & Coordinator, Cybersecurity Coalition 

Jeremy Grant - Managing Director of Technology Business Strategy, Venable LLP & Coordinator, Better Identity Coalition

Inés Jordan-Zoob - Program Manager, Cyber Security and Privacy, Venable LLP

Heather West - Senior Director of Cybersecurity and Privacy Services, Venable LLP

News:

• Australian Cyber Security Strategy Release
• EU CRA Political Agreement Reached

Interview:

• Munich Security Conference 2023
• US National Cybersecurity Strategy 
• US National Cybersecurity Strategy Implementation Plan
• Biden-Harris Administration’s Cybersecurity Priorities for the Fiscal Year 2025 Budget
• US National Cyber Workforce and Education Strategy 
• Request for Information: Opportunities For and Obstacles To Harmonizing Cybersecurity Regulations
• Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Languages
• Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization
• Log4j Vulnerability 
• Heartbleed Bug

Trivia:

• Belgian Whistleblower Law

News:

• UK’s AI Safety Summit
• Bletchley Declaration
• U.S. Executive Order on AI 
• Heather West’s analysis of the AI EO 
• International Counter Ransomware Initiative
• Recent ransomware attack in Germany

Interview:

• Upcoming 2023-2030 Australian national cybersecurity strategy 
• Appointment of the inaugural Australian National Cyber Security Coordinator
• Medibank incident
• Optus incident 

Trivia:

• Sarbanes-Oxley Act of 2002
• Chips and Science Act of 2022

In addition to the above, this week’s episode features Alex’s updates from Singapore International Cyber Week, and he also highlighted Singapore’s Cybersecurity Labeling Scheme for Medical Devices sandbox, which medical device manufacturers are invited to join. Jen covered some recent research from Lloyd’s on the potential cost and impact of a large scale cyber attack against payments systems. 

Our Mystery Trivia Master this week is the wonderful Megan Stifel, Chief Strategy Officer for the Institute for Security and Technology and Executive Director of the Ransomware Task Force.

News Section:

• Singapore International Cyber Week 2023
• Singapore Cybersecurity Labeling Scheme for Medical Devices Sandbox
• Lloyd’s of London finds hypothetical cyberattack could cost world economy $3.5 trillion

Interview Section:

• Computer Crime and Intellectual Property Section (CCIPS)
• Digital Millennium Copyright Act (DMCA)
• Ninth Triennial Section 1201 Proceeding, 2024 Cycle
• Cybercrime and the Law: Computer Fraud and Abuse Act (CFAA) and the 116th Congress
• Computer Fraud and Abuse Act (CFAA) Guidance from DOJ
• Ninth Triennial Section 1201 Proceeding, 2024 Cycle

Trivia Section:

• Comprehensive National Cybersecurity Initiative (CNSI)
• Archived White House Release of CNSI

News Section:

• TSA Finalizing Cybersecurity Guidelines for Pipeline Operators and Vendors
• Deputy National Security Advisor provides details on ratings effort to determine security of pipeline, rail sectors
• LATAM CISO Summit 2023
• Microsoft Digital Defense Report

Interview Section:

• Cyber Power Index
• ETSI EN 303 645 Cybersecurity Standard for Consumer IoT Devices
• Product Security and Telecommunications Infrastructure (PSTI) Act
• UK AI Safety Summit

Trivia Section:

• Soviet Memorial Causes Rift between Estonia and Russia
• The Bronze Soldier Crisis of 2007: Revisiting an Early Case of Hybrid Conflict

• Clorox Cyberattack Brings Early Test of New SEC Cyber Rules
• Australia to ‘Build Six Cyber Shields’
• International Criminal Court Will Now Prosecute Cyberwar Crimes
• International Criminal Court Hack 

Interview Section:

• Cyberspace Solarium Commission Report
• Longtime Congressman James Langevin to serve as senior fellow at Brown’s Watson Institute
• Former Congressman James Langevin to serve as visiting scholar at URI
• Elissa Slotkin to co-chair Congressional Cybersecurity Caucus 
• ‘Cyber risk is business risk, and the SEC knows it’, Chris Inglis, Jim Langevin & Mark Montgomery

Trivia Section:

• NIST Cybersecurity Framework
• CR2 and NIST workshop: “A Cyber Framework Fit for Global Use: Cybersecurity Framework (CSF) 2.0”

News Section:

• Microsoft’s post on the UN Cybercrime Treaty
• UK’s review of the Investigatory Powers Act
• CISA appoints Mudge
• CISA’s VDP Platform Report 

Interview Section:

• 2023 DoD Cyber Strategy 
• DASD Mieke Eoyang at DEF CON
• Employment Opportunities at DoD
• The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations

Trivia Section:

• ENISA’s Certification Schemes 

• Chinese military hackers penetrated Japan’s most sensitive computer networks
• Police Service of Northern Ireland (PSNI) Breaches
• Norfolk and Suffolk police: Victims and witnesses hit by data breach
• Bangladesh proposes a new Cybersecurity Law

Interview Section:

• I Am The Cavalry Site
• Original Cavalry Launch video "The Cavalry Isn't Coming…
• 10 Years Later Keynote "And together we crossed the river.. "
• Cavalry Track Day 1
• Cavalry Track Day 2

Trivia Section:

• Skipjack

• Kenya Experiences Major Cyber Attack
• SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies
• DNI Haines Statement on the President’s Intent to Nominate Harry Coker Jr. as the National Cyber Director

Interview:

• Beau Woods
• Harley Geiger
• Hacking Policy Council
• The Hackers, the Lawyers, and the Defense Fund - Harley's Presentation at DEF CON
• Policy @ DEF CON
• AI Village @ DEF CON 31
• Hacker Summer Camp Party List

Trivia: 

• EFF Tech Trivia @ DEF CON 31
• Investigation Into Encrypted Phone Network Leads to 6,500 Arrests

If you have a trivia question for Jen and Alex, email it to info@centerforcybersecuritypolicy.org!

News:

• National Cyber Strategy Issues Implementation Plan 
• Acting National Cyber Director Withdraws Nomination
• White House IoT Labeling Program
• Evaluation of the European Union Agency for Cybersecurity (ENISA) and the European Cybersecurity Certification Framework

Interview Section:

• UN Cybercrime Convention Draft
• Paris Call
• The Budapest Convention on Cyber Crime

Trivia:

• Intelligence-Driven Incident Response, 2nd Edition by Rebekah Brown, Scott J. Roberts
• PPD-41

MEP Groothuis, drawing from his experience as Parliament's cybersecurity rapporteur, sheds light on the extensive influence an individual can have in shaping legislation. He emphasizes the importance of understanding the subject matter and leveraging expertise to convince stakeholders, ultimately shaping the language and provisions of the CRA. This insightful perspective highlights the significant role of security professionals in driving meaningful change.

The conversation then delves into the concept of software liability.  Groothuis explains how the legislation provides a framework for legal disputes arising from cybersecurity incidents. He emphasizes the need for clear legislation concerning risky vendors, particularly those associated with countries known for offensive espionage programs.  Groothuis advocates for de-risking practices and the incorporation of non-technical factors when evaluating software for critical infrastructure.

Throughout the episode, Groothuis’ expertise and passion for cybersecurity legislation shine. His calls for stronger measures against risky vendors and his efforts to ensure the protection of critical infrastructure create a compelling narrative. Listeners gain valuable insights into the complex world of cybersecurity legislation and the vital role it plays in securing our digital landscape.

Additional Resources:
Europol press release on EncroChat

Australia’s New National Cyber Coordinator
Google Announces $20M for Cyber Clinics
CRA Proposal

ITRE Amendments:
Amendments 124-404
Amendments 405-546