Today — 26 June 2026 · Main stream

FCC passes new cybersecurity rules for emergency systems, undersea cables

By: djohnson
25 June 2026 at 15:55

The Federal Communications Commission approved new rules Thursday that boost cybersecurity regulations for the nation’s emergency alert systems and update security rules for the nation’s undersea cables.

The new rule would overhaul two national emergency systems, the Emergency Alert System and Wireless Emergency Alerts, to better protect against hijacking attacks from malicious actors.

The EAS is a national public warning system that state and local authorities use to disseminate information related to weather events, AMBER alerts and other emergencies via radio and television broadcasting stations. The WEA handles much of the same messaging via text.

A compromise of either system by a foreign government, cybercriminal group or other rogue actor could be used to sow chaos and disinformation in calmer times, or impede coordination efforts in the face of a genuine emergency. Any vulnerability in systems like the Emergency Alert System “can have serious consequences,” said FCC Commissioner Olivia Trusty in a statement after the vote.

“That is why it has been appropriate for the Commission to conduct a comprehensive review of the EAS framework by focusing on the security of the system itself,” Trusty continued. “As cybersecurity threats continue to evolve, EAS participants must take appropriate steps to safeguard the infrastructure that supports the delivery of life-saving alerts.”

The new rules amount to basic – but still critical – cyber hygiene practices for users accessing and updating the EAS and WEA systems. They must use strong passwords, quickly install security patches from vendors and use firewalls to limit access to their equipment.

The rule also creates a new authentication ID system to verify alerts before they’re submitted and prevent duplicate or unauthorized alerts from spreading.

Another rule passed by the Commission Thursday provided the first comprehensive update to the FCC’s submarine cable regulations in decades, and moves to tighten cybersecurity requirements in some areas while loosening them in others.

It exempts some undersea cable providers from submitting to stringent national security licensing reviews needed to land and operate cables that touch U.S. territory.

The review, called “Team Telecom,” is an interagency body led by the Department of Justice’s Foreign Investment Review Section and other federal agencies that advise the FCC on the national security implications of their telecom policies.

The new rules would presumptively exempt applications for undersea cable licensees when the provider can self-certify to “high security standards” that are “structured to increase certainty, predictability, and faster timelines for the licensing process.”

“Currently, all submarine cable applications get referred to Team Telecom…the changes adopted would exempt applications from applicants that have operated cables without incident, can certify to the highest national security standards, and agree to ongoing oversight and monitoring,” the FCC said in a release.

Other parts of the rule give the FCC greater oversight of critical functions within undersea cable operations. Owners and operators of submarine line terminal equipment, who connect submarine cables to land-based facilities in the U.S., will be subject to a new licensing requirement.

The rule also moves to update safeguards meant to address vulnerabilities related to principal equipment, third-party service providers, and other areas of concern in the undersea cable supply chain.

The post FCC passes new cybersecurity rules for emergency systems, undersea cables appeared first on CyberScoop.

Before yesterday · Main stream

A case for how to shape ‘ingredient lists’ for AI models

16 June 2026 at 12:00

A policy paper published Tuesday advocates for software bills of materials (SBOMs) for artificial intelligence as a mechanism for reducing cyber risk and improving transparency, and seeks to give lawmakers, federal agencies and others a roadmap on how to proceed.

The SBOM, commonly described as an inventory of software ingredients, emerged in the 2010s and has expanded beyond software to include hardware and AI.

But the paper from the Institute for Security and Technology, which CyberScoop is the first to report on, argues that AIBOMs require foundational work before they can be widely implemented. This comes as some companies are already offering AIBOM services and other organizations are actively shaping AIBOM policy.

“What we’re worried about is we would end up in a ‘fire, ready, aim’ situation where everyone was doing it, but we were all doing slightly different things,” said a co-author of the paper, Allan Friedman, who has worked on SBOMs in multiple U.S. government roles. “If we don’t have a shared vision, it becomes a lot harder to have a coherent policy. It becomes a lot harder to have common tools and interoperable data and it becomes a lot harder to use the data that we’re tracking to actually deliver on the promise of supply chain transparency.”

The idea for the paper sprang from discussions with Hill aides and Pentagon staffers, Friedman said, and people like them are the target audience as well.

A key premise is that AIBOM policy needs to explore the topic from two sides.

“How do you solve the chicken-and-egg issue, where no one’s providing the data, so no one’s asking for it, and no one’s asking for it, so no one’s providing it?” Friedman told CyberScoop. “The answer is, you have to go from both supply and demand.”

On the supply side, “An AIBOM should capture relevant details about the models and datasets used for training, fine-tuning, evaluation, validation, testing, retrieval, grounding, augmentation, or other model development or operational purposes,” the paper suggests.

“The demand side begins with some form of forcing function or requirement that organizations understand what is in the products they manufacture and sell,” it states, with one such requirement potentially being an industry mandate to require the tracking of system components — for example, like the “lightweight” standards used in the payment card industry on data security that aren’t overly exact about how components should be tracked.

But it could also include government regulations or contracting conditions, Friedman argues with his Institute for Security and Technology colleague Nick Leiserson. (The scope of government directives on AI is a topic of considerable debate on Capitol Hill and within the Trump administration right now.)

Friedman said the paper isn’t meant to be the be-all, end-all, and acknowledged the prior work of organizations like the Open Worldwide Application Security Project (OWASP) and Linux Foundation.

“We’re not saying this is a brand new topic, nor are we saying that AIBOM will solve all AI security issues,” he said. “I’ve been fighting this fight for SBOM for a decade. You know, SBOM will not pick up your dry cleaning.”

And as AI continues to evolve rapidly, that means papers like the one published Tuesday are just at the beginning of the discussion, Friedman said.


USPS moving forward with mail-in ballot changes as courts weigh Trump’s election order 

By: djohnson
1 June 2026 at 13:57

The U.S. Postal Service is moving forward with mail-in ballot restrictions, following a court’s rejection of a request by voting rights groups to immediately block an executive order from President Donald Trump ordering the changes.

A new regulation proposed last Friday seeks to apply “uniform standards for the mailing of absentee ballots to and from voters,” including new ballot envelope standards with unique barcodes, election mail logos and other changes that would allow the federal government unprecedented abilities to track – and halt – the movement of mail-in ballots across the country.

Trump has long argued that mail-in ballots facilitated election fraud in 2020 that cost him the presidency, though election experts, election officials and even some Trump allies have dismissed those claims as baseless.

According to the proposed rule, these changes would allow USPS to follow ballots at a granular and individual level, something critics have said will make it easier for the Trump administration to meddle with their delivery.

“Uniquely serialized [barcodes] facilitate the tracking of individual pieces of Ballot Mail to and from individual voters as the barcodes are scanned on the Postal Service’s mail processing equipment,” the proposed rule states.

Trump’s executive order, issued in March, would require states to send the federal government a list of all voters eligible to vote by mail prior to USPS mailing them ballots. The federal government has indicated that it plans to cross-check those voters with data from the Department of Homeland Security and the Department of Justice.

The proposed rule says that after states submit their list of eligible mail-in and absentee voters, USPS will “compile” the information and then provide a “Mail-In and Absentee Participation List” back to them. The Postal Service said it “would not change the information provided by states” when compiling the return list. 

Further, the proposed regulation also includes new “verification” procedures that could potentially place USPS above states in deciding which voters are eligible to receive ballots. This would include having the USPS “confirm that a state submitted a list consistent with the conditions laid out in the proposed rule, and that the outbound ballot mail, and thus the blank ballot that could be returned by mail, is destined to individuals on the list, by checking the barcodes.”

The rule claims that USPS “would not verify whether individuals should be included” on state lists and that states retain “full control over the content of that list.”

However, the White House’s March order also instructed the Department of Justice to prioritize the investigation and prosecution of state and local officials or any others involved in the administration of federal elections who issue federal ballots to individuals not eligible to vote in a federal election.

That order was immediately challenged through lawsuits in multiple federal courts, where many of the White House’s plans to take greater control of elections have fallen short. That includes a lawsuit brought by Democrats and nonprofits in Washington.

While Judge Carl Nichols declined to halt the order, that decision was made on strictly procedural grounds, and he indicated the plaintiffs could be in a better position to prove their case later.

“The Court recognizes that the Postal Service may ultimately issue a final rule that directly affects Plaintiffs or their members, or that the Government may develop State Citizenship Lists that omit specific individuals due to particularized flaws,” Nichols wrote. “Plaintiffs may, of course, renew their motions if and when those future actions occur. Until then, however, Plaintiffs cannot show that preliminary injunctive relief is warranted.”

A separate federal lawsuit challenging the order in Massachusetts remains ongoing.

Alexandra Chandler, director of Free and Fair Elections at nonprofit Protect Democracy, noted that USPS and the federal government have no constitutional authority to regulate how states administer their elections, including micromanaging voter roll maintenance.

While the proposed regulation claims USPS will not overrule states on a voter’s eligibility to receive mail-in or absentee ballots, it’s also peppered with caveats and exceptions that could allow USPS to do just that if they determine it is part of their obligation to uphold federal laws or assist law enforcement investigations.

The rule states that USPS “assumes no responsibility for any outbound ballot mailing” until it’s accepted into the mail, and is “not responsible for service delays” whenever preparation or entry standards aren’t met.

Chandler called the proposed rule a clear attempt to disrupt election processes, sow distrust in elections among voters and lay “the groundwork to disrupt ballot delivery in real time, create fodder for false investigations and prosecutions, and to contest the midterms after the fact.”

“The administration is trying to turn postal workers into de facto election auditors with the power to decide whether people’s votes get counted while at the same time building an entire federal voter data and technical infrastructure it has no legal authority to create,” Chandler said.


Here’s how the FTC plans to enforce the Take It Down Act

By: djohnson
15 May 2026 at 15:54

The Federal Trade Commission is set to begin enforcing a key provision of the Take It Down Act on May 19, requiring websites and online services to remove nonconsensual deepfake media within 48 hours after a victim’s notice—or risk fines and FTC investigation.

The law, passed by Congress last year, allowed law enforcement to immediately prosecute individuals who create and post such content online. But platforms and websites that host the material were given a yearlong runway to build out their reporting and takedown system. Under the enforcement regime taking effect, businesses that fail to remove flagged media within the 48-hour notification window could face fines and an investigation from the FTC.

This week, FTC Chair Andrew Ferguson sent letters to private-sector companies detailing how the commission intends to police compliance once enforcement begins. The FTC set a maximum civil penalty of $53,088 per violation for companies that don’t take down content as required, and Ferguson’s letter outlines other requirements, including that companies make it easy and convenient for users to submit takedown requests.

“We stand ready to monitor compliance, investigate violations, and enforce the Take It Down Act,” Ferguson said in a statement. “Protecting the vulnerable—especially children—from this harmful abuse is a top priority for this agency and this administration.”

Ferguson’s letter sheds new light on how the FTC will enforce content takedowns under the law. Both nonconsensual intimate imagery posted online using real photos of other individuals as well as AI-generated or modified “digital forgeries” would be considered violations.

Companies must also make it easy for victims without accounts to report potential violations, detail their reporting and removal program on their website “in plain language” and provide “clear and conspicuous” notice to users about how to request removals.

According to the FTC, the law covers websites, apps, social media, image or video sharing services and gaming platforms. Ferguson’s letters were addressed to a who’s who of tech and social media companies, including Amazon, Alphabet, Apple, Automattic, Bumble, Discord, Match Group, Meta, Microsoft, Pinterest, Reddit, SmugMug, Snapchat, TikTok and X.

Earlier this year, Grok, the AI service that X users have access to, was used to flood the social media site with nonconsensual, sexualized deepfakes of real people. Elon Musk, X’s owner, initially brushed off critics but has since been hit with multiple criminal and civil investigations stemming from the incident, as well as lawsuits and calls from some world leaders to ban the app entirely.

The FTC is also recommending that companies implement hashing technologies “to prevent the reappearance of intimate content you already removed from your platform” and share their findings with nonprofits like the National Center for Missing and Exploited Children and StopNCII.org to track across other parts of the internet.

Becca Branum, director of the Free Expression Project at the Center for Democracy and Technology, told CyberScoop that some elements of the FTC’s approach – like requiring clear and simple reporting options for victims – align with best practices established by civil society groups.

But she also said the FTC’s role under the Take It Down Act is materially different from anything the commission has done before. The sheer scale of enforcement and monitoring will require human and technical resources on par with those of major social media companies.

“I’m very concerned about the FTC and its ability to fairly enforce this law,” said Branum. “They are now in the business of regulating content moderation. That is hard work and not something they’re used to doing.”

Some legal and privacy experts pointed to the large financial penalties set by the FTC as a sign that policymakers are looking to put real teeth behind enforcement. Those penalties could pile up quickly if a business is hosting or publishing multiple copies of the same flagged media and declines to remove it within two days.

“For covered platforms, compliance with the Act is critical given the FTC’s emphasis on enforcement – reflecting White House priorities – and potential civil penalties up to $53,088 per violation,” wrote privacy attorneys Duane Pozza and Ian Barlow.

But Branum said the hefty fines also emphasize “just how much incentive will be in place for platforms to take anything that comes down the complaint line.”

While the Take It Down Act is designed to force companies to investigate claims and remove violating content, the regulatory and financial incentives push them to simply remove almost all content reported by default. That approach, which many of the same tech companies have taken under laws like the Digital Millennium Copyright Act, can be exploited by bad faith actors seeking to shut down legal speech or content online.

“If you think there’s any given post [where] if you ask an attorney is it worth $53,000 for me to keep this post up, the answer is always going to be take it down,” Branum said. “I can’t imagine any service wanting to risk that type of fine on edge cases or anything they can’t verify or account for within 48 hours.”


FCC tightens KYC rules for telecoms, closes loophole for banned foreign services

By: djohnson
30 April 2026 at 17:46

The Federal Communications Commission approved new regulations Wednesday designed to crack down on robocalling, protect telecommunications networks from cyberattacks and further vet equipment-testing labs based overseas.

Commissioners unanimously passed a measure to strengthen telecom companies’ “Know Your Customer” requirements for verifying callers’ identities. Among the potential solutions being considered are requiring telecoms to verify a customer’s name, address, government ID and alternative phone numbers prior to enabling their service.

In a statement ahead of the vote, FCC Chair Brendan Carr said that under current rules some telecoms “do the bare minimum” to verify callers and have “become complicit in illegal robocalling schemes.”

“As we have continued to investigate the problem of illegal robocalls over the last year, it has become clear that some originating providers are not doing enough to vet their customers, allowing bad actors to infiltrate our U.S. phone networks,” he said.

Current rules require telecoms to take “affirmative, effective” measures to verify callers and block illegal calls, but in practice this system has largely relied on self-attestation from the companies. Because a single call can traverse multiple networks, carriers must also often rely on identity verification performed by other telecoms.

For example, the telecom that transmitted thousands of false robocalls imitating then-President Joe Biden during the 2024 New Hampshire presidential primary initially reported to the FCC that they had the highest level of confidence in the identity of those using the phone numbers. That turned out to be false, as the robocallers spoofed a well-known former state Democratic Party official.

Unsurprisingly, the commission is also interested in finding ways to better enforce Know Your Customer rules, including tying penalties to the number of illegal calls that were placed.

Since 1999, the FCC has traditionally granted blanket authorization for domestic carriers to operate interstate telecommunications services within U.S. borders. Another rule passed by the commission today would formally end that practice for foreign companies on the FCC’s covered entity list.  

The list bans a small number of foreign companies based in Russia or China from selling their equipment in the U.S. on national security grounds, but Carr said equipment from those companies often winds up in U.S. products by providing services that don’t fall under the current legal definition of international telecommunications authority.

Commissioner Olivia Trusty, who helped lead the development of the rule, said cybersecurity threats facing telecom networks today “exceed those of any recent era” and that updates must be made to modernize and harden networks.

“In response to these growing hostilities, it is imperative that we re-examine policies that permit access to U.S. networks to ensure that frameworks originally designed to promote economic growth are not exploited in ways that jeopardize our national and economic security,” Trusty said in a statement after the vote passed.

The FCC also passed a third measure that would refuse to recognize any testing or equipment lab based overseas that does not have a reciprocity agreement in place with U.S.-based labs. The rule builds off efforts last year to prohibit telecoms from relying on testing and certification labs that are owned or operated by foreign adversarial countries like China or Russia, which led to the FCC withdrawing or denying certification of 23 overseas labs.


FCC pushes new rules to crack down on robocallers, foreign call centers

By: djohnson
26 March 2026 at 14:59

The Federal Communications Commission is moving to crack down on illegal robocalls and the use of foreign call centers.

At a meeting Thursday, the three-member commission unanimously approved a new proposed regulation to increase certification and disclosure requirements for obtaining phone numbers, while also expanding those same requirements to all providers seeking phone numbers from the North American Numbering Plan Administrator and resellers.

The rule – which will be shaped through public comments – is meant to make it more difficult for spammers, scammers and other illegal robocallers to obtain legitimate phone numbers. The FCC’s Office of Communications said a majority of the agency’s investigations into illegal robocalling have involved resold numbers.

It would also impose stricter disclosure requirements on telecoms about the callers on their networks and their identities, information that will help organizations like the Industry Traceback Group track and identify robocallers as their calls hop across the nation’s patchwork, decentralized telephone networks.

Commissioner Anna Gomez said the proposed rules would help raise the bar for bad actors to obtain valid phone numbers and help close gaps in reporting that make it harder for industry and regulators to find and expunge robocallers from networks.

“Right now, bad actors are exploiting gaps in a phone number system that was designed for a simpler time,” Gomez said.

The commission plans to explore a range of solutions to strengthen numbering requirements and policies, including cracking down on common tactics that rely heavily on resold numbers — like number cycling where “service providers churn through large quantities of telephone numbers [on] a rotating and even single-use basis to evade detection.”

Commissioner Olivia Trusty said that while changes in technology and the marketplace have brought significant benefits to consumers, they have also “made it more difficult to identify who is using telephone numbers and for what purposes, complicating both robocall enforcement and numbering administration.”

Last month, the FCC finalized regulations that require telecoms to annually certify that their caller information is accurate and provide updated information to the agency’s Robocall Mitigation Database. 

A separate proposed regulation passed by the commission Thursday would place new restrictions on the ability of U.S. telephone providers to outsource their call-center services to foreign countries. It specifically asks about the feasibility of giving consumers the option to require that their calls be routed to U.S.-based call centers, requiring calls involving “certain types of sensitive information” to be processed at U.S. locations, requiring providers to disclose the use of overseas centers to callers during a call and requiring operators to speak proficient English.

FCC Chair Brendan Carr touted the initiative as part of the Trump administration’s stated efforts to convince American companies to onshore more of their services in the U.S.

But organizations like the AARP have also found that overseas call centers operating outside of U.S. or international law play a big role in the nation’s robocalling epidemic. In a press conference after the meeting, Carr echoed that sentiment, claiming that some criminal scammers plaguing Americans today first broke into the industry by working at outsourced call centers.

“I think it also helps us crack down on some of the illegal robocallers,” Carr said about the new onshoring rules. “At the end of the day, I think American callers should expect and deserve to reach American call centers.”


Critics call FCC router rule a ‘big swing’ that could create more supply chain uncertainty

By: djohnson
24 March 2026 at 13:39

The Federal Communications Commission’s move to ban foreign-made routers touches on a real threat, but critics say the agency rule is overly broad, practically unworkable and doesn’t meaningfully address weaknesses in router security that have led to major breaches of American governments and businesses.

Under the Secure Equipment Act and Secure Networks Act, the FCC may ban foreign technology manufacturers if they are deemed a national security risk. But the federal government has almost always opted to narrowly target specific foreign companies with known or problematic connections to foreign adversaries, like Chinese telecom Huawei or Russian antivirus firm Kaspersky Labs.

The restrictions announced Monday, however, simply ban all routers “produced in a foreign country” except those granted conditional approval by the departments of Defense or Homeland Security.

The order imposes a sweeping and immediate halt to the purchase of non-American routers and Wi-Fi services for government agencies and businesses, along with unanswered questions about where to buy next and what to do with the foreign devices already embedded in their networks.

In justifying the decision, FCC Chair Brendan Carr cited a March 20 White House-led interagency report that concluded foreign-made routers pose “unacceptable” risks to U.S. national security. 

“Following President Trump’s leadership, the FCC will continue [to do] our part in making sure that U.S. cyberspace, critical infrastructure, and supply chains are safe and secure,” Carr said. 

U.S. policymakers have worried about the potential cybersecurity risks of relying on technology and equipment from countries like China or Russia, where local laws compel domestic companies to cooperate in national security investigations and hand over sensitive data. 

In 2024, members of Congress called for the Department of Commerce to investigate Chinese Wi-Fi and router makers like TP-Link, alleging the company’s “unusual degree of vulnerabilities and required compliance with [Chinese] law” amounted to an unacceptable national security risk.

Last year, five House Republican committee chairs urged Commerce Secretary Howard Lutnick to use the department’s authority “to eliminate products and services created by China and other foreign adversaries from domestic supply chains that are shown to have the potential to introduce security vulnerabilities.” An attached list of industries “needing immediate action” included routers and Wi-Fi, while mentioning TP-Link and Huawei as “Chinese or Chinese-controlled” entities.

While router insecurity is a major problem, it’s worth noting that American-made products are far from immune to foreign hacking. Major Chinese hacking campaigns, such as Salt Typhoon, succeeded not because of backdoors in Chinese-made tech but through the exploitation of known, previously reported vulnerabilities in U.S. and Western products.  

One former U.S. intelligence leader told CyberScoop that country of origin matters more when you’re dealing with an adversary like China, which has national security and vulnerability disclosure laws that require Chinese router companies to disclose cybersecurity vulnerabilities to the government first.

But it’s not just Chinese routers, or those made by America’s direct rivals, that concern intelligence officials.

Even in a global, digitally connected world, proximity still matters. Foreign countries can more easily disrupt or infect the supply chain of neighboring or bordering countries that may rely on similar parts, components or internet infrastructure.

“Attackers have so many options with what can be done with router access. [It’s] even easier if you have the country that runs and accesses them in your backyard,” said the official, who requested anonymity to speak candidly.

Investors may be drawing similar conclusions. Notably, stocks for Asian router companies fell following the FCC announcement, while U.S. company NetGear, which does not rely on Chinese supply chains, saw its shares jump 12%.  

A new point of leverage

The broad nature of the order — along with the ability to dole out exemptions to specific companies at will — effectively resets the regulatory relationship between foreign router companies and the U.S. government. Under it, each company with manufacturing operations in China or overseas would have to petition the FCC for an exemption to the rule.

The ambiguity behind what, specifically, a company would need to do to obtain an exemption could open the process up to potential abuse or political patronage, experts said.

A former FCC official told CyberScoop they were puzzled by the move, and questioned whether it was related to national security or if it would even pass legal muster in the courts.

Instead of adding targeted companies with foreign ties or a history of cybersecurity vulnerabilities to the list of banned providers — as the government has done and successfully defended in court in the past — the FCC sought to ban all foreign-made routers around the globe. That represents a potentially significant disruptive action to take in an environment where many businesses and governments today use TP-Link and other foreign companies for their internet needs.

The net effect is “actually creating a new federal program of conditional approvals” for foreign router companies, the FCC alum said, one that is so broad it would take a massive combined federal effort to effectively remove bad actors from the foreign supply chain.

“I have a hard time believing that this administration — given what we’ve seen at CISA and other agencies and the mass departures — will actually roll out a sophisticated and tailored program to adequately address this kind of huge swing of an entire base of consumer products,” said the official, who was granted anonymity to speak candidly.

The official pointed to an attempt earlier this year by the FCC to ban imports of foreign drone components, saying there were similar “big swing” parallels to the legal rationale here. The drone ban is currently being challenged in court, and the official said they expect the FCC’s router order to be subject to similar lawsuits from companies.

Earlier this month, Carr also proposed new regulations that would place English language requirements on offshore call centers and asked the public for insight on potential policies to “encourage” companies to set up U.S.-based call centers, “including limits on call volume from overseas call centers.”

Carr said the FCC was also “opening up a new front in our efforts to block illegal robocalls from abroad by examining the targeted use of tariffs or bonds.”

The former FCC official said Carr’s prioritization of novel applications of tariff authorities while discussing the implementation of two laws — the TRACED Act and the Truth In Caller ID Act — that are unrelated to trade makes it impossible to disentangle the agency’s genuine national security concerns from the Trump administration’s broader attempts to gain leverage over foreign companies in their trade fights.

“Those are weird kind of random hops that seem to be in response to this broader picture of the big tariff decision that came out,” the official said.

The post Critics call FCC router rule a ‘big swing’ that could create more supply chain uncertainty appeared first on CyberScoop.

The long-awaited Trump cyber strategy has arrived

6 March 2026 at 17:55

President Donald Trump released his administration’s cyber strategy Friday, promoting offensive operations in cyberspace, securing federal networks and critical infrastructure, streamlining regulations, leveraging emerging technologies and strengthening the cybersecurity workforce.

Trump also signed an executive order Friday directing agencies to take action to combat cybercrime and fraud.

A little more than half of the long-anticipated document’s five pages of strategy text is preamble, and two of its seven pages are title and ending pages. Administration officials have said the strategy is deliberately high-level, and the White House promised more detailed guidance in the future.

The strategy “calls for unprecedented coordination across government and the private sector to invest in the best technologies and continue world-class innovation, and to make the most of America’s cyber capabilities for both offensive and defensive missions,” the White House said in a statement accompanying its release.

Each of the six “pillars” of the strategy offers some prescriptions.

“Shaping adversary behavior” calls for using U.S. government offensive and defensive capabilities in cyberspace, as well as incentivizing the private sector to disrupt adversary networks.

It also says Trump will “counter the spread of the surveillance state and authoritarian technologies that monitor and repress citizens,” even as administration critics argue that his administration has fostered surveillance and repression against U.S. citizens.

The shortest pillar, “promote common sense regulation,” decries rules that are only “costly checklists.” The Biden administration expanded cyber regulations, spurring some industry resistance. But the Trump pillar does talk about addressing liability, a point of emphasis for the prior administration as well.

“Modernize and secure federal networks” talks about using concepts and technologies like post-quantum cryptography, artificial intelligence, zero-trust and lowering barriers for vendors to sell tech to the government to meet those goals.

To “secure critical infrastructure,” the strategy calls for fortifying not just owners and operators but also the supply chain, in part by focusing on U.S.-made rather than adversary-made products.

“We will deny our adversaries initial access, and in the event of an incident, we must be able to recover quickly,” the strategy reads. “We will galvanize the role of state, local, Tribal, and territorial authorities as a complement to — not a substitute for — our national cybersecurity efforts.” Some critics of the administration’s cybersecurity actions have contended that it has shifted the burden to state and local governments too much.

AI usage makes up the bulk of the pillar entitled “sustain superiority in critical and emerging technologies,” in addition to reflecting earlier parts of the strategy on the topics of quantum cryptography and privacy protection. That includes the protection of data centers, the subject of localized fights across the country over their location and resource costs.

The final pillar says the United States must “build talent and capability,” after a year of the administration cutting a significant number of cyber positions in the federal government. “We will eliminate roadblocks that prevent industry, academia, government, and the military from aligning incentives and building a highly skilled cyber workforce,” it states.

Some positive reviews rolled in about the strategy despite the late-Friday afternoon release, traditionally the time of week when an administration looks to publish news it hopes will garner little attention.

“As new and more sophisticated threats emerge, America needed a new national cyber strategy that captures the urgency of this moment,” USTelecom President and CEO Jonathan Spalter said in a news release. “The President’s strategy rightly recognizes that harnessing America’s unique mix of private-sector innovation with public-sector capacity is the best deterrence.”

Frank Cilluffo, Director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University, was struck by the focus on deterrence: “This unified strategy determining a direction on offensive and defensive cyber operations and collaboration couldn’t be more timely.”

The Business Software Alliance cheered the call for streamlining cyber regulations, in particular.

A number of cyber vendors took note of the passages on AI. “Redirecting resources from paperwork to AI-powered security capabilities is the only way to keep pace with modern threats and adversaries who operate at great speed,” said Bill Wright, global head of government affairs at Elastic. “This strategy appears to recognize that fundamental truth.”

Not all the reviews were flattering, however, including from the top Democrat on the House Homeland Security Committee, Bennie Thompson, who said the strategy’s “underachieving” was the only thing impressive about it.

“What little ‘substance’ does exist in this pamphlet is a mishmash of vague platitudes, a long catalogue of ‘we will’ statements that may or may not match the Administration’s current behavior, and, mercifully, an apparent extension of some Biden-era policies,” he said. “Completely lacking is even the most basic blueprint for how the Administration will go about achieving any of its cybersecurity goals — an objective possibly hamstrung by the hemorrhage in cyber talent across all Federal agencies since Trump took office.”

The executive order Trump signed Friday coincides with the release of the strategy but there’s little overlap between the subject matter; the strategy makes one mention of cybercrime.

The order directs the attorney general to prioritize prosecution of cybercrime and fraud, orders agencies to review tools that they could use to counter international criminal organizations and gives the Department of Homeland Security marching orders to improve training, in addition to other steps, according to a fact sheet.

“President Trump is unleashing every available tool to stop foreign-backed criminal networks that exploit vulnerable Americans through cyber-enabled fraud and extortion,” the fact sheet states.

The post The long-awaited Trump cyber strategy has arrived appeared first on CyberScoop.

WEBCAST: GDPR – Spring Storm Warning

By: BHIS
30 April 2018 at 11:05

CJ Cox// Spring storms are often more dangerous and unpredictable than winter storms. The GDPR looks to be no exception. The General Data Protection Regulation is a universal law brought […]

The post WEBCAST: GDPR – Spring Storm Warning appeared first on Black Hills Information Security, Inc..
