
ODNI tackles AI, threat hunting, app cybersecurity in year-one tech review

26 March 2026 at 18:58

A year-long effort to strengthen cybersecurity and modernize tech at U.S. intelligence agencies has led to policy standards for using AI to bolster cyber defenses, a shared repository of all apps that have undergone a cybersecurity review and more, the Office of the Director of National Intelligence announced Thursday.

An unclassified summary of cyber and tech modernization work under the first year of DNI Tulsi Gabbard’s stewardship states that the office has expanded the automation of threat hunting across intelligence community networks. (The Cybersecurity and Infrastructure Security Agency conducts threat hunting across federal civilian agencies.)

The ODNI also has developed a zero-trust strategy that shifts “to a data-centric security model that protects information regardless of location or network,” according to the summary.

“Over the past year, we have taken meaningful steps to begin fulfilling that responsibility through the largest IC-wide technology investment and modernization effort in history,” Gabbard said in a news release. “President Trump’s Intelligence Community is moving faster and more decisively on cybersecurity modernization and investments in IT than ever before, delivering stronger defenses, greater efficiency, and real cost savings for the American people.”

It constitutes the first significant cybersecurity announcement out of the office under Gabbard and the second Trump administration.

While the year-long effort began before the recent release of a national cyber strategy, the ODNI initiatives reflect many of its goals, including better protection of federal networks, advancing artificial intelligence for defensive purposes and going on offense against cyber adversaries.

The ODNI directed its National Counterintelligence and Security Center “to proactively combat foreign intelligence actors seeking to engage in cyber-attacks against U.S. interests,” according to the summary. 

The idea of an intelligence community repository of cybersecurity authorizations is to save both time and money, as it would allow agencies to capitalize on the testing of apps that other agencies have done without having to repeat them. 

On AI, the ODNI is “developing the policy framework, governance, and standards necessary to accelerate AI adoption for cybersecurity and other critical technology,” the summary states.

“Protecting our nation’s most sensitive information from those who seek to exploit it, while making sure our intelligence professionals have the tools and access they need to do their jobs, is not optional. It is essential to our national security,” Gabbard said. 

Gabbard’s appearance earlier this year during an FBI search of an elections office in Georgia has drawn congressional scrutiny, an appearance she has defended in part by citing her office’s role in coordinating and analyzing intelligence related to cybersecurity. Gabbard’s own personal cybersecurity practices prior to taking the job of DNI have also raised questions.

The post ODNI tackles AI, threat hunting, app cybersecurity in year-one tech review appeared first on CyberScoop.

Can Zero Trust survive the AI era?

By: djohnson
19 March 2026 at 17:06

For the past decade, cybersecurity experts in the federal government have argued that trust, or a lack of it, was key to developing effective security policies for agency systems and data.

But today, cybercriminals and state-sponsored hackers are using artificial intelligence to develop and launch cyberattacks more quickly and efficiently. Governments and businesses are facing pressure to adopt AI-powered cybersecurity defenses, along with security architectures that delegate key security decisions to AI agents.

Jennifer Franks, Director of the Center for Enhanced Cybersecurity at the Government Accountability Office, said federal agencies were currently grappling with how to do both.

“We’re having to consider a two-in-one approach,” Franks said Thursday at the Elastic Public Sector Summit presented by FedScoop. “It’s not something that we have to consider as a tool that’s nice to have, it’s a needed necessity right now in an environment to really look at the best practices for really anticipating the adversaries that could target your environment.”

Zero Trust — a set of security principles with roots in older cybersecurity concepts like “least privilege access” — essentially argues that defenders should treat everything on their network as a potentially compromised asset. Thus, everything requires constant verification of identity, access, and authorization to protect against hackers, data breaches and insider threats.

But threat researchers are reporting that malicious hackers have been able to leverage AI-driven automation and scaling to significantly increase the speed of their attacks, making it increasingly difficult for human operators on the defensive side to keep up or make decisions in real time.

At the same event Mike Nichols, general manager for security solutions at Elastic, said his company and other threat research firms have found that AI tools have helped drive down the time it takes to execute an attack and gain access to an organization’s network to around 11 minutes.

Other metrics over the past year point to a lowered barrier for malicious hackers, including an 80-90% decrease in the cost to develop custom malware and a 42% increase in exploitation of zero days before public disclosure.

He argued that cybersecurity defenders will need to embrace AI to defend at similar speeds, going so far as to say “if you’re not using it, you are going to be compromised…like that is a guarantee at this point.”

Nichols said that despite what “disingenuous vendors” may promise, there is currently no technology or process that can provide an organization with genuine, agentic, autonomous cybersecurity operations. Human operators can still control critical decisions made by AI agents through planning on the front end.

“The bottom line is these things are executing your existing processes and adding some reasoning to it,” he said. “And so…you have to have a well-oiled process and documented process.”

Cybersecurity veteran and author Chase Cunningham — who has earned the nickname “Dr. Zero Trust” for his advocacy of the principles — told CyberScoop that agentic AI can “absolutely” co-exist within a Zero Trust security architecture, as long as you treat agents like any other non-human identity in an enterprise.

He said that network microsegmentation, strict account controls, and continuous logging all align with Zero Trust principles and would limit the potential damage an AI agent could cause.

“It is just another entity on the network that needs to be explicitly known, verified, constrained, monitored, and governed,” he said. “If you do not know what model it is, what data it can access, what systems it can call, what actions it can take, and under what conditions it can do those things, then you have introduced ambiguity into the environment. And ambiguity is exactly what Zero Trust is supposed to remove.”

But Nichols said humans should always be in the loop when agents make decisions on their behalf, and said AI vendors had an equal responsibility to provide more transparency behind the products they’re selling.

“You can’t have a black box anymore, you can’t have an AI that says ‘hey, we fixed it, I’m not going to explain why that’s the case,’” said Nichols. “By design you need to find a vendor that’s open API [and who can provide] explainability, the work that has to be there.”

The post Can Zero Trust survive the AI era? appeared first on CyberScoop.

The long-awaited Trump cyber strategy has arrived

6 March 2026 at 17:55

President Donald Trump released his administration’s cyber strategy Friday, promoting offense operations in cyberspace, securing federal networks and critical infrastructure, streamlining regulations, leveraging emerging technologies and strengthening the cybersecurity workforce.

Trump also signed an executive order Friday directing agencies to take action to combat cybercrime and fraud.

A little more than half of the five pages of strategy text of the long-anticipated document is preamble, and two of its seven pages are title and ending pages. Administration officials have said the strategy is deliberately high-level, and the White House promised more detailed guidance in the future.

The strategy “calls for unprecedented coordination across government and the private sector to invest in the best technologies and continue world-class innovation, and to make the most of America’s cyber capabilities for both offensive and defensive missions,” the White House said in a statement accompanying its release.

Each of the six “pillars” of the strategy offers some prescriptions.

“Shaping adversary behavior” calls for using U.S. government offensive and defensive capabilities in cyberspace, as well as incentivizing the private sector to disrupt adversary networks.

It also says Trump will “counter the spread of the surveillance state and authoritarian technologies that monitor and repress citizens,” even as administration critics argue that his administration has fostered surveillance and repression against U.S. citizens.

The shortest pillar, “promote common sense regulation,” decries rules that are only “costly checklists.” The Biden administration expanded cyber regulations, spurring some industry resistance. But the Trump pillar does talk about addressing liability, a point of emphasis for the prior administration as well.

“Modernize and secure federal networks” talks about using concepts and technologies like post-quantum cryptography, artificial intelligence, zero-trust and lowering barriers for vendors to sell tech to the government to meet those goals.

To “secure critical infrastructure,” the strategy calls for fortifying not just owners and operators but also the supply chain, in part by focusing on U.S.-made rather than adversary-made products.

“We will deny our adversaries initial access, and in the event of an incident, we must be able to recover quickly,” the strategy reads. “We will galvanize the role of state, local, Tribal, and territorial authorities as a complement to — not a substitute for — our national cybersecurity efforts.” Some critics of the administration’s cybersecurity actions have contended that it has shifted the burden to state and local governments too much.

AI usage makes up the bulk of the pillar entitled “sustain superiority in critical and emerging technologies,” in addition to reflecting earlier parts of the strategy on the topics of quantum cryptography and privacy protection. That includes the protection of data centers, the subject of localized fights across the country over their location and resource costs.

The final pillar says the United States must “build talent and capability,” after a year of the administration cutting a significant number of cyber positions in the federal government. “We will eliminate roadblocks that prevent industry, academia, government, and the military from aligning incentives and building a highly skilled cyber workforce,” it states.

Some positive reviews rolled in about the strategy despite the late-Friday afternoon release, traditionally the time of week when an administration looks to publish news it hopes will garner little attention.

“As new and more sophisticated threats emerge, America needed a new national cyber strategy that captures the urgency of this moment,” USTelecom President and CEO Jonathan Spalter said in a news release. “The President’s strategy rightly recognizes that harnessing America’s unique mix of private-sector innovation with public-sector capacity is the best deterrence.”

Frank Cilluffo, Director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University, was struck by the focus on deterrence: “This unified strategy determining a direction on offensive and defensive cyber operations and collaboration couldn’t be more timely.”

The Business Software Alliance cheered the call for streamlining cyber regulations, in particular.

A number of cyber vendors took note of the passages on AI. “Redirecting resources from paperwork to AI-powered security capabilities is the only way to keep pace with modern threats and adversaries who operate at great speed,” said Bill Wright, global head of government affairs at Elastic. “This strategy appears to recognize that fundamental truth.”

Not all the reviews were flattering, however, including from the top Democrat on the House Homeland Security Committee, Bennie Thompson, who said the strategy’s “underachieving” was the only thing impressive about it.

“What little ‘substance’ does exist in this pamphlet is a mishmash of vague platitudes, a long catalogue of ‘we will’ statements that may or may not match the Administration’s current behavior, and, mercifully, an apparent extension of some Biden-era policies,” he said. “Completely lacking is even the most basic blueprint for how the Administration will go about achieving any of its cybersecurity goals — an objective possibly hamstrung by the hemorrhage in cyber talent across all Federal agencies since Trump took office.”

The executive order Trump signed Friday coincides with the release of the strategy but there’s little overlap between the subject matter; the strategy makes one mention of cybercrime.

The order directs the attorney general to prioritize prosecution of cybercrime and fraud, orders agencies to review tools that they could use to counter international criminal organizations and gives the Department of Homeland Security marching orders to improve training, in addition to other steps, according to a fact sheet.

“President Trump is unleashing every available tool to stop foreign-backed criminal networks that exploit vulnerable Americans through cyber-enabled fraud and extortion,” the fact sheet states.

The post The long-awaited Trump cyber strategy has arrived appeared first on CyberScoop.

How Windows is quietly shifting away from EXE software installers

By: Chris Hoffman
22 December 2025 at 03:44

WINDOWS 11

On modern Windows PCs, you rarely need to download a software installer from a website. Windows has traditionally required you to download software installers — EXE files, MSI packages, and other formats — to install applications. But Windows is quietly shifting away from that. On a modern Windows PC, you […]

The 10 key reforms that can close America’s cybersecurity gaps

By: Greg Otto
10 December 2025 at 07:00

For decades, the United States government and private sector have worked tirelessly to secure cyberspace, yet our nation remains frighteningly vulnerable to a litany of cyberthreats posed by cybercriminals and foreign adversaries alike. Daily news reports of cyber intrusions ranging from criminal ransomware attacks to foreign state-sponsored intrusions into power, water, and other critical infrastructure systems are a constant reminder that “by almost every measure, the cybersecurity threat landscape is actually worse.” We can, and must, do better. To develop an effective national cybersecurity strategy, policymakers should consider the following ten points.

Prioritize “Key Systems”

Policymakers should prioritize securing critical infrastructure whose cybersecurity failures could have catastrophic impacts on national security, economic security, public health or safety. Such systems include the electrical grid, water systems, ports, rail and air transportation, as well as national, state, and local governments.

Use Memory Safe languages for key systems

A fundamental cybersecurity problem stems from the widespread use of software written in unsafe programming languages. These languages, developed in the early days of computing — before cybersecurity was even a consideration — were designed for efficiency, but are vulnerable to a class of programming bugs known as “memory safety errors.”

Memory safety errors have been described as “today’s biggest attack surface for hackers” and are estimated to be responsible for nearly 70% of software vulnerabilities. Fortunately, today’s memory safe programming languages (e.g., Rust) are specifically designed to eliminate memory safety errors.

The federal government has developed a roadmap to help companies transition to memory safe code, and many companies have begun the journey. Accelerating this transition will significantly strengthen the nation’s cybersecurity.

Apply formal methods for key systems

Memory-safe languages eliminate many software vulnerabilities but are not a cure-all. Using “formal methods” offers even greater security. Formal methods rely on mathematical proof “to create ultra-secure, ultra-reliable software.” In fact, when the Defense Advanced Research Projects Agency (DARPA) used formal methods to program a military helicopter’s flight control computer, all subsequent hacking attempts failed.

Formal methods are currently in use by numerous leading technology companies, such as Amazon Web Services and Microsoft, and in high-assurance contexts, such as development of flight-control software. Implementation of formal methods requires some work, but the necessary tools are publicly available, the benefits are significant, and future advancements in automation will likely make implementation even easier.

Establish resilient architectures

Migrating to resilient architectures based on “zero trust” principles will further strengthen the cybersecurity of key systems. Traditional security models automatically trust users within an organization’s perimeter. In contrast, zero trust models trust no one by default. Taking a “never trust, always verify” approach, these models reduce the chance of breach by verifying every access request, regardless of where it originates.

Policymakers should ensure that zero trust architectures are established for key critical infrastructure through Congressional action and/or federal regulations akin to those already established for interstate electric transmission, railroads, and pipelines.

Build data resilience

Data resilience is the ability to keep data accessible and uncorrupted, even during a cyberattack. One effective way to improve data resilience is to back up key systems in the cloud—an approach Ukraine famously used just before Russia’s invasion. By migrating thousands of terabytes of critical government data to the cloud, Ukraine was able to maintain government operations despite intense kinetic operations and cyberattacks.

Defend proactively through threat hunting

Policymakers should ensure that defensive cyber “threat hunting” — proactively searching networks for undetected cyberthreats — is regularly undertaken on key networks. Many key systems already receive threat hunting services through contracts with private firms, but policymakers should make sure that every key system is covered, potentially by establishing necessary baseline requirements. While private companies can provide much of this support, government agencies — such as the Coast Guard under its “Captain of the Port” authorities to protect critical port infrastructure — can also play a role. Finally, because defensive threat hunting on key networks serves the public interest, Congress should consider providing financial support, such as tax credits or dedicated budget allocations.

Coordinate government and private sector cybersecurity actions

Effective cybersecurity requires close collaboration between the government and the private sector. To ensure this coordination, a central body overseen by the National Cyber Director should be established. The NCD would act as a “head coach,” guiding efforts across both sectors, while leaving day-to-day operations to the organizations best equipped to handle them.

Establish “Regional Resilience Districts”

Policymakers should support regional approaches to cybersecurity, which help manage risks across sectors in critical areas. Piloting regional resilience districts in places with major military installations, such as Charleston, South Carolina or the Houston ship channel, would strengthen cross-sector protection, limit cascading effects from cybersecurity failures, and improve recovery from major attacks.

Incorporate adversary disruption into cyber campaigns

Policymakers should collaborate with key private sector firms to assess their ability to disrupt adversarial cyber attacks — for example, by banning entities that violate terms of service from their networks. They should then determine when and how private sector and government actions, whether individually or together, can most effectively contribute to disrupting adversaries.

Governments have previously worked with the private sector to take down criminal cyber organizations, sometimes using the Fourth Amendment’s asset seizure authority. Given the rise in cyber intrusions by both criminals (e.g., ransomware operators) and nation-state adversaries (e.g., China’s Typhoons), policymakers should consider expanding these efforts beyond asset seizure to include active disruption.

Capitalize on emerging technology

Finally, policymakers should leverage the innovation pipeline — including expertise from industry, government, federal R&D centers, national laboratories, and academia — to effectively apply emerging technologies like artificial intelligence in support of both offensive and defensive cybersecurity missions.

Cybersecurity policymakers have a unique opportunity to dramatically strengthen our digital defenses by following the ten steps outlined above. Implementing these measures will help safeguard national security, critical infrastructure, and the public good in an increasingly complex threat environment. The time for decisive action is now.

This op-ed is derived from the forthcoming Atlantic Council report by the authors on “Cybersecurity Strategy for the United States.”

Franklin D. Kramer is a distinguished fellow at and serves on the board of the Atlantic Council. He is a former assistant secretary of defense for international security affairs.

Robert J. Butler is the co-founder and managing director of Cyber Strategies LLC, served as the first deputy assistant secretary of defense for space and cyber policy, and served as the Chief Security Officer for IO Data Centers, a global data center enterprise, among other cybersecurity-related roles in both corporate and government organizations.

Melanie J. Teplinsky is an adjunct professor and senior fellow in the Technology, Law and Security Program at American University (AU), Washington College of Law. She previously practiced technology law at Steptoe & Johnson LLP and served on the pre-IPO advisory board for CrowdStrike.

The post The 10 key reforms that can close America’s cybersecurity gaps appeared first on CyberScoop.
