Audit , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
ISMG Editors: What Happened to the Cyberwar in Israel?
Also: Potential HIPAA Audit Revival; Security Risks of Sovereign AI Anna Delaney (annamadeline) • February 16, 2024In the latest weekly update, four Information Security Media Group editors discussed the relatively low profile of cyberwarfare in recent international conflicts, the potential revival of a dormant HIPAA compliance audit program and the security implications of sovereign AI development.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; and Mathew Schwartz, executive editor, DataBreachToday and Europe - discussed:
- Why Hamas did not deploy cyber operations in its latest war with Israel;
- Why U.S. federal regulators are considering reviving a dormant HIPAA compliance audit program in an effort to bolster cybersecurity in the healthcare sector;
- How to strike the balance between national security interests and global collaboration in AI research and development.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Feb. 2 edition on why Microsoft's systems are so vulnerable and the Feb. 9 edition on what CISOs should prepare for in 2024.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney. And today we're exploring topics ranging from the role of cyber warfare in recent international conflicts to the potential revival of a dormant HIPAA compliance audit program, and the security implications of sovereign AI development. The brilliant team today include Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity, Mathew Schwartz, executive editor of DataBreachToday and Europe; and Tony Morbin, executive news editor, EU. Great to see you all. Tony, you're lying in a bed of roses. That is not a good idea.
Tony Morbin: Well, it's just a slight nod to the fact that we're recording on Valentine's Day. So you know, I just wanted it to be acknowledged.
Delaney: Very good. Happy Valentine's Day to y'all. And Marianne, we got the memo: bit of snow?
Marianne McGee: Yeah, we got like about three, four inches yesterday, but it's already melting. And you know what that's like, Anna, right?
Delaney: Yes. This is Central Park, yesterday, in Manhattan. But the sun is shining now. So it was short lived. But still exciting for a moment. Mathew, no snow where you are?
Mathew Schwartz: No snow in Scotland, we live in hope. Just a view of the Tay Bridge stretching over the river day right before it empties into the North Sea one recent evening.
Delaney: Very nice. Very good. Well, Matt, starting with you. Quite often, we talk about cyber warfare being increasingly intertwined with traditional warfare strategies. For example, we've seen that while much of the Russia-Ukraine wars been fought in the physical realm, cyber operations have also played a significant role. It's not been quite the same kind of story with the Hamas-Israel war, has it?
Schwartz: Not at all. And I don't know if that is something that should catch people by surprise or not. But I think we're at a useful point to look back and take stock of what did and didn't happen when it comes to the Israel Hamas war. If we rewind back to October, October 7, militants unexpectedly storms from the Gaza strip into nearby Israeli towns. And what is interesting from a cybersecurity standpoint is we expect to see much more in the way of cyber operations these days. What is cyber war? Still an open question. But cyber operations, for sure, have been a massive component of multiple conflicts, and especially the Russia Ukraine war. There's a new report out from Google's threat analysis group, which combats nation-state threats, especially against its users, together with Mandiant, which is now Google Cloud's Threat Intelligence division. And they looked at what has been happening on the cyber front, with Hamas, and also with proxies, and their clear and definitive conclusion is there is not a cyber component, or Hamas or Hamas-linked groups, when it comes to this conflict. In fact, there was no change in the general activity being seen. If we look last year, up until October 7, everything looked normal. And by normal, these are phishing attacks, oftentimes attempting to distribute mobile malware or information stealing malware, a lot of them with some intelligence, or cyber espionage, probably motivations, targeting not just Israel, but into Palestine, also, sometimes European or U.S. governments. So that was kind of the table stakes. And what was interesting is, this may have been by design, certainly with the planning of the physical, i.e., the ground assault. It looks like Hamas did that without using anything cyber, without using digital tools precisely to try to defeat the well-known Israeli digital dragnet. It seems like they either issued instructions to keep everything the same, or just didn't tell anybody what they were doing and things stayed the same, perhaps to not tip their hand. So unlike Russia massing forces in the border of Ukraine for months, and then especially in the month or two before the all-out invasion, launching wiped them out were all sorts of cyber operations really escalating not only on the border, but in the digital domain. We didn't see that at all with Hamas. Now, that is not to say that we haven't seen a lot of cyber operations since October 7. And there have been a lot of regional proxies, in particular, Iran, and also, Iran-backed Hezbollah out of Lebanon, running a lot of cyber operations, and sometimes using aspects of the conflict. For example, creating mobile malware that got distributed by a legitimate hospital that was looking for blood donations, they created a blood donation themed piece of malware to try to trick people amongst other sorts of social engineering enterprises, if you will. So, Hamas, nothing different. October 7 happens and then all of their cyber activity has fallen off to nothing, and it's staying at nothing. But as I was saying, proxy forces are taking advantage. We've also seen the reemergence of Predatory Sparrow - nudge nudge, wink wink, might be Israel, which is only taking credit for a handful of attacks. Last December, it knocked offline a bunch of Iranian gas stations. And it seems to do this in a way that never causes loss of life, and seems to be very circumscribed. A lot of people think it is Israel, but researchers and other governments haven't been drawn yet, they say there's not enough evidence to be conclusive about this. So a lot of players, Hamas now being one of them in the cyber realm, but nevertheless, a lot of cyber activity.
Delaney: It's really very interesting. And so you mentioned the involvement of Iran-backed groups in cyber operations. How do you think these activities are impacting regional stability?
Schwartz: Well, that might be a little bit beyond my geopolitical analysis, paygrade. But it's certainly not helping it, I would think. It would be inflaming what is already a delicate situation. One of the points made by the Google and Mandiant researchers is that the APT groups, the nation-state groups, groups aligned with Tehran, that they have seen operating are the same ones that have also in the past been responsible for election interference. So we have got some combustibles in the mix, certainly. It won't be helping to put this conflict to bed in the sense of everybody just going home and calling it a day.
Delaney: Why do you think Russia hasn't opted for a similar strategy here? You know, how would you compare and contrast the different styles?
Schwartz: So there's a lot of signaling from Russia and Russia-affiliated groups about what they're trying to do. And some of that is to make Russia look a lot mightier than it really is. Aannouncing DDoS attacks against a lot of targets, Canadian airports, hospitals, in many cases, these attacks amounted to nothing. They are, though, information operations. And when they get written up in the media, or talked about by government figures, it furthers Russia's agenda of appearing to be mightier than it is, and also signaling its intent that it's going after these various organizations, whether or not it is successful. And so that is, I think, an age old strategy. Soviet, now Russia. And we've seen it again now with Ukraine. Hamas has taken a very different approach, it seems, for example, with absolutely no cyber operations, they are attempting to, perhaps negotiate their way out of whatever is happening now. Trying to keep things more on the down low, as opposed to Moscow, which is seeming as belligerent as ever.
Delaney: And so what lessons can organizations take away from these kind of contrasting trends here, whether they're small, medium, large enterprises across the globe? Is there anything they should be doing to maybe modify their cybersecurity strategies or preparations?
Schwartz: Well, there's some warnings that Iran is no stranger to destructive wiper malware. And Iranian group last December also started serving this up. And there are predictions that we will see more of this, especially as we're heading into a global election season. Some elections have happened already. But there's a lot more coming down the pipe especially for example, in the United States. So beware of destructive wiper malware is one of the big warnings that was being sounded by Google in Mandiant. Another one geopolitically is that we can't apply the lessons of the last war to the next war. And how cyber does or doesn't get used remains an open "question". Very tied to the nature of the conflict. And I think this is a great point that they were making with cyber operations and Hamas and Hamas-affiliated groups. This is not the Russia-Ukraine war. And you should never make assumptions about what is going to happen based on the last conflict. So I think that's a great note to sound.
Delaney: Fascinating insight. Thank you so much, Matt. Well, U.S. federal regulators, Marianne, are considering reviving a dormant HIPAA compliance audit program as part of efforts to bolster cybersecurity in the healthcare sector. Tell us about it.
McGee: Sure. Well, you just referenced with the audits. Back in December, the Biden administration issued a concept paper outlining the administration's framework for improving cybersecurity in the healthcare sector. And since then, the Department of Health and Human Services has slowly begun to disclose details about the strategy. For instance, a few weeks ago, HHS released a guidance document describing voluntary cybersecurity performance goals or CPGs, for healthcare sector entities to implement. Those goals are based on industry best practices, including the NIST cybersecurity framework. And they include both essential goals, which are foundational best practices and then enhanced goals to encourage the adoption of more advanced practices. HHS has said that the CPGs are voluntary, but envisions that they will be establishing two financial programs to incentivize healthcare entities into implementing those performance goals. Now, those financial programs haven't been flushed out, there's talk about sticks and carrots, you know, perhaps a reward for under-resourced organizations to invest in cybersecurity, and perhaps penalties when it comes to Medicare reimbursements when it comes to those entities that failed to do certain things. Now, in the meantime, HHS has also said it plans to propose an update to the HIPAA security rule this spring. And while we're not sure what that might look like, there's a lot of chatter on whether or not this updated rule might be more prescriptive than what's contained in the current HIPAA Security Rule, which was written many years ago. But that brings me to what happened this week, which is that the Department of Health and Human Services Office for Civil Rights which enforces HIPAA, hinted about another move. And that's the return of the dreaded HIPAA compliance audit program. Now, that program has been pretty much gathering dust for the last seven years, the audit program was mandated under the High Tech Act of 2009, requiring HHS OCR to conduct regular audits of HIPAA-regulated entities and to then report to Congress on the state of affairs. But that program has not been utilized very often, and it certainly hasn't been used in a long time by HHS. The last round of the audits were actually conducted in 2016 and 2017, during which time about 207 covered entities and business associates were randomly audited. But in a public notice published in the Federal Register this week, which you know, a lot of people don't read that - maybe the lawyers do. So it's kind of, you know, kind of slipping it in there that HHS said it would soon be conducting online surveys of the covered entities and business associates that were audited in 2016 and 2017, asking for feedback about the audit program. HHS OCR says the surveys would be used by the agency to gain better insight into the burden imposed on entities to collect the audit-related documents and respond to audit-related requests that HHS OCR requested of these audits and what kind of impact did it have on their day-to-day operations. Now back in 2016 and 2017, the audits were conducted as streamlined so-called desk audits, which meant that the randomly chosen audits were required to submit the requested information to OCR through a secure portal within 10 days of OCR requesting the information. The audits examined the entity's compliance with specific requirements of the HIPAA privacy, security and breach notification rules. Now, that ended in 2017. And then three years later, in 2020, OCR published a report about the findings from that - a round of audits. But since then, HHS OCR hasn't said much else about its audit program or where it's headed until this week. So being that HHS is looking for potential ways to crack the whip in getting healthcare sector entities into better cybersecurity shape, there's a strong possibility that these HIPAA compliance audits might be making a comeback. Once again, as an enforcement tool, we'll have to see but you know, it's one of those things that, you know, just like you're audited by the IRS, you don't know if it's going to happen, you don't want it to happen. But when it happens, it's a lot of work. And in the meantime, you know, when it comes to these, you know, possible audits on HIPAA-regulated entities, you know, kind of gives some food for thought here. Well, you know, just in case we're audited up to make sure things are in good shape. So we'll see what happens with that. But it was interesting, because I think this totally caught the HIPAA experts that I talk to on a regular basis by surprise. It's a lot of work. It's a lot of work for the agency to when they didn't see did this in the past. They had money to hire a contractor to do that, what it's for them. But you know, somebody pointed out to me the other day or yesterday when I was working on this piece that, you know, what OCR collects in terms of enforcement fines, for HIPAA cases, they can hold on to that money and then reinvest it in more enforcement activity. So they could be taking these millions of dollars that they've collected over the last few years in HIPAA fines and, you know, paying a contractor to carry out some of these audits, again. We'll see.
Delaney: Given the significant time gap since the last HIPAA audits, how's the threat landscape in the healthcare sector changed? And what about the implications in the effectiveness of these future audits?
McGee: Well, it's changed a lot. You know, while last year was a record year, for health data breaches, I forget what the exact numbers were, but I think it's like 135 million people affected, hacking, you know, certainly has overtaken every other sort of breach that's reported. But then, you know, in the meantime, when OCR talks about HIPAA audits, and at the same time, they're also talking about updating the HIPAA Security Rule. You kind of wonder what the timeline might be for all this, you know, once a publisher, you know, proposed update to the rule, you know, they get 60 days generally of public comments, and then they weigh the comments, and they issue another notice of final rulemaking, and then there's a compliance date. So, you know, it couldn't be also that these audits might be something that they'd implemented maybe a couple of years from now, to take into account, whatever the update is on the HIPAA Security Rule, for instance. So, you know, again, it's interesting, because this wasn't an area that they have been talking about for a long time. And I think it's because, you know, they're under resourced as an agency, they've got a lot going on, you know, they have to report, they have to investigate every breach that's reported that's over, you know, 500 affected individuals. And, you know, they've got a lot to do on for themselves, not to mention, you know, trying to crack this whip and get the healthcare sector in better shape as well.
Delaney: Lengthy process, but thank you so much, Marianne. So, Tony, you've picked a juicy question to answer this week: Every country needs sovereign AI, and is this the security issue?
Morbin: Well, that's the whole issue. Every country needs sovereign AI, what are the implications? You know, the whole concept is new. I'm saying it's new, but we've kind of been here before, all of us working in cybersecurity in any capacity here because when the internet globalized and democratized the transfer of digital data, it brought with it global cybercrime, digital espionage, or cyber warfare disinformation. It was also accompanied by concerns then about, well, certainly outside the U.S., about who owned and ran the internet, and therefore whose values and norms it adhered to. To a greater or lesser extent, we're now seeing those concerns translated into a balkanization of the internet. We've got China's population getting online access behind that country's great firewall. Russians are using Yandex and Europeans and others are mandating that their data resides locally. Now, that same situation seems to be set to be repeated with generative AI with ownership and control key concerns. What got me going on the subject was when I saw the World Government Summit in Dubai this month, NVIDIA founder and CEO Jensen Huang called for sovereign AI telling attendees. Every country needs to own the production of their own intelligence. Huang was telling the UAE Minister His Excellency Omar Al Olama. It codifies your culture, your society's intelligence, your common sense your history, and your own data. Olama responded, "We completely subscribe to that vision, adding that the UAE is moving aggressively to creating large language models and mobilizing to compute." And it's likely that we're going to see other countries on Huang's global tour, possibly following suit. There's other developments have been happening just recently in the U.S. ownership of global tech companies, generally seen as a given, but they're both effective accelerationist. They call themselves calling for a gung ho approach to deployment of AI and the effective altruists taking a more cautious approach in a nod to the latter group. This month we saw the White House launch the artificial intelligence Safety Institute consortium set up to develop guidelines for AI safety, security, and serve as a liaison between AI developers and federal agencies. That was largely in response to cybersecurity experts and lawmakers, among others, have been raising concern that AI developers lack comprehensive regulations, standards or even a set of best practices to follow when they're developing AI, particularly the advanced models that could have significant risks for national security and public health. In Europe we've seen unsurprisingly, a regulatory approach. The European Parliament has just approved the AI Act, and the regulation bans high risk systems such as emotion recognition in the workplace, or educational settings, social scoring or scraping the internet for images used to train facial recognition algorithms. In a move that would appear to vindicate Huang's view that your AI can codify your culture, statement by the relevant EU committee noted, "This regulation aims to protect fundamental rights, democracy, rule of law and environmental sustainability from high-risk AI." It's also obviously aiming to boost innovation, establish Europe as a leader in the AI field. Its proposed AI transparency requirements, will need AI developers to be compliant with existing cyber and copyright measures, which raises all the concerns about where AI learns from AI systems will have to be compliant with the GDPR regulation. And the developers will have to disclose vulnerabilities to the European Union agency for cybersecurity. Just using those three examples, clearly sovereign AI will give us different AIs with very different perspectives on what is and what's not acceptable best practice, especially in relation to personal privacy, government authority, entrepreneurial autonomy, and it's likely to prove pretty challenging for compliance issues for global players. There was another interesting comment from Huang saying that we're creating computing technologies that nobody has to program, and therefore the programming language is human, and concluding that everybody in the world is now a programmer. As a result of that, my colleague back here recently reported that anybody who wants to influence an election can use generative AI tools at scale, in a way never before possible. He also cited a U.S. official telling CNN, "We're in uncharted territory right now." I'm totally agreeing with that comment. The breakneck speed of development in AI means that change is now happening on something like a four weekly cycle. Our regulators are struggling to keep up and agree to what norms they want to impose, even within one country, let alone internationally. So in the likely absence of effective externally imposed controls, all I would say to AI developers, which is now all of us, is to quote the philosopher, Immanuel Kant, "do the right thing, because it's right."
Delaney: Good luck, I'd love a bit of philosophy moving into the Editors' Panel. What about striking that balance between national security interest in global collaboration and AI and research and development? Are you hearing discussions around how do we do that? What's the best way to strike that balance? Or is it too early?
Morbin: In the West, there's more of a push for globalization. But even here, you know, as you see within the American election, there were plenty of people who were against globalization. So, you know, but the industry does seem to want standards along the lines of, you know, aviation standards where everybody can play by the same rulebook. But the truth is that different countries, territories, jurisdictions do have different norms and perspectives. So in a way, it's kind of inevitable now that the technology of AI is more democratically available. It's going to be applied differentially.
Delaney: Good. Tony, thanks for your deep perspectives, as always, made us think. And finally and just for fun, this last question is courtesy of Matt's creative thinking. If you ran away and joined the cyber circus, what would your clown name be? Matt, do you want to start us off?
Schwartz: No pressure having to come up with the idea, right? Sounded fine in theory, and then in practice? Yeah, what actually happens? So I was noodling a few things. Hope this doesn't ruin anything for anybody else. But Silver Bullet Sid. Scary day vulnerability doesn't really have a name. But I settled on Zero Days Zelda.
Delaney: Oh! yes. Zelda. Yeah. Great one.
Morbin: I'd go for Mr. Invisible, because of course, he's there for everybody to see if you look in the right place. So the cyber you know, our attackers can be spotted if you've got the right visibility, and it works for a clown act too.
McGee: Well, mine I'd go back to the sort of the HIPAA theme, I'd be a HIPAA hippie. I would have a stethoscope made of love beads, and my headband would be made out of flowers stolen from the getwell bouquets and patient rooms. And instead of like throwing confetti at the kids, I just thrown torn patient records.
Delaney: I was toying between cyber loop lollipop or quantum quirk quincy. I think I'm going for quantum quirk quincy. He's always smiling. Anyway, thank you so much for that Matt. Enjoyed that. Thanks, everyone. It's been an excellent discussion. Thanks for all your insights.