Cyber
The Next Frontier

Become part of a critical layer of cyber defense. Cybersecurity positions will make up 45% of all US tech job openings.


The National Security Agency designated the University of Arizona's Cyber Operations program as a Center of Academic Excellence in Cyber Operations (CAE-CO). With this designation, UA joins an extremely exclusive group of only 24 cyber programs in the nation. The NSA's CAE-CO designation demonstrates that UA's Cyber Operations program meets the most demanding academic and technical requirements.



The Bachelor of Applied Science in Cyber Operations prepares graduates for cyber-related occupations in defense, law enforcement, and private industry.

Our curriculum includes both offensive and defensive cyber security content delivered within our state-of-the-art Virtual Learning Environment to ensure our students have extensive hands-on experiences to develop the knowledge, skills, and abilities necessary to succeed after they graduate.


Program News

DoD Cyber Scholarship Program (CySP)

The DoD CySP is a yearly scholarship program aimed at Juniors and Seniors pursuing a bachelor’s degree in cyber-related academic disciplines. The CySP is a 1-year scholarship, which grants selected Cyber Scholars tuition and mandatory fees (including health care), funding for books, a $25K annual stipend, and guaranteed employment with a DoD agency upon graduation.

Cyber News

Monday, April 22, 2024 - 15:01
Proposed data broker regulations draw industry pushback on anonymized data...

The Biden administration should adopt less-strict standards about what triggers a proposed prohibition on data brokers selling bulk sensitive information to adversarial foreign entities, industry groups argued in public comments due last week.

Among their biggest suggestions is that any potential rules should make exceptions for anonymized data. Another is that they should raise the volume threshold for what counts as bulk information.

The groups’ comments, which were submitted by Friday under a Department of Justice deadline, broadly reflect their desire to scale back those potential rules directed by a February executive order.

“We recommend that the regulations do not treat data that is protected via anonymization, pseudonymization, de-identification, or encryption as sensitive personal data,” wrote the Interactive Advertising Bureau, which represents digital ad marketers. “Such data does not present the same level of threats to U.S. national security and foreign policy given that countries of concern would not be able to use this data to track and build profiles on specific U.S. individuals for the nefarious purposes described in the” DOJ rulemaking notice.

But a prominent expert on data brokerage said that treating anonymized or de-identified data differently could leave Americans dangerously exposed. “There is an ever-evolving body of computer science and statistics literature demonstrating the ways in which companies, governments, and other organizations can combine large datasets together or analyze datasets to link data points back to specific individuals,” wrote Justin Sherman, a senior fellow at Duke’s Sanford School of Public Policy, where he runs its data brokerage research project, and a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative.

The executive order is part of a recent U.S. government trend toward taking action to prevent abuses by data brokers, which collect and sell massive amounts of sensitive information like geolocation data or health data. The efforts include two House-passed bills, a bipartisan House-Senate privacy measure that includes data broker provisions, and proposed regulations from the Consumer Financial Protection Bureau.

At least eight of the industry organizations that supplied public comments during an advanced notice of proposed rulemaking — ranging from organizations representing CEOs to major tech companies to clinical researchers — said the Justice Department should make exceptions to the definition of sensitive personal data under the proposed rules.

“Likening such data with other sensitive personal data that is unprotected or unmasked fails to distinguish the significant harm reduction afforded to U.S. persons when their data is encrypted or rendered unintelligible through anonymization,” representatives of the Bank Policy Institute wrote.

While Sherman said that there are some ways to protect sensitive datasets, in some cases it simply isn’t feasible. “It is incredibly difficult if not sometimes virtually impossible to effectively ‘anonymize’ device-level geolocation data while still leaving the data in a form that companies find usable for their desired business purpose,” he wrote.

According to its public notice, the Justice Department is looking at establishing ranges of bulk dataset thresholds to which regulations apply based on the kind of data. For example, the low total for personal financial data would be 1,000 U.S. persons, with a high of 1 million.

Most industry groups favored the higher ranges, or a wholesale rethinking of those thresholds.

“Biopharmaceutical firms, from small- and medium-sized biotech companies to multinational biopharmaceutical companies, are likely to exceed the minimum bulk volume thresholds that are proposed in the rules in the normal course of their research and business operations and, thus, potentially risk engaging in prohibited bulk volume transfers of sensitive personal data of U.S. individuals,” the Biotechnology Innovation Organization wrote.

Said the U.S.-China Business Council: “At a minimum, we suggest that the DOJ substantially raise its thresholds until it has provided further guidance to industry.”

The Center for Democracy and Technology, however, argued for adopting the lower thresholds.

“The goal of this proceeding is to prevent as much information about US individuals from being sold to countries of concern,” it said. “To best achieve that goal, and to best protect people’s privacy generally, the bulk definition should be as low as reasonably possible.”

The issues of sensitive personal information anonymization and bulk threshold definitions attracted the most attention from commenters, but they weren’t the only kinds of feedback directed to the DOJ.

The Future of Privacy Forum, for instance, said that the definition of the kind of “persons” covered under the rules should exclude organizations like businesses or nonprofits, while adding in data related to “households,” like residential utility usage.

Sherman further contended that DOJ should use a wider definition of “personal health data” since, as proposed, it would exclude “numerous wearable device vendors, mobile apps, telehealth companies, social media platforms, advertising technology firms, and data brokers.”

Others suggested that the department develop a different method of identifying “countries of concern” to whom the prohibition applies, which as of now foresees that list as China, Russia, North Korea, Iran, Cuba and Venezuela. A group of industry organizations representing communications providers suggested tying the list to the Commerce Department’s list of foreign adversaries.

The Information Technology Industry Council, meanwhile, questioned the overall approach of the DOJ’s proposed rulemaking. It “sets out a multilayered regulatory regime that establishes and regulates multiple classes of prohibited transactions, restricted transactions, exemptions, categories of sensitive data with different bulk data thresholds, and licensing requirements,” the organization wrote. “There are important upfront questions about whether this proposed regulatory approach will be successful in addressing the articulated national security threat.”

The post Proposed data broker regulations draw industry pushback on anonymized data exceptions, bulk thresholds appeared first on CyberScoop.

Monday, April 22, 2024 - 13:22
Cybersecurity executive order requirements are nearly complete, GAO says

Saturday, April 20, 2024 - 11:41
FISA reauthorization heads to Biden’s desk after Senate passage

Legislation to extend potent surveillance authorities won the precise number of votes it needed for passage early Saturday, sending the bill to the president for a signature after a midnight lapse of the spying law and a tumultuous path to victory for the Biden administration.

While administration officials touted the two-year extension of what National Security Adviser Jake Sullivan called “one of the United States’ most vital intelligence collection tools,” it was a disappointing outcome for those who sought additional privacy safeguards for the Section 702 powers used to surveil overseas targets — but that sometimes can sweep in the communications of Americans.

The final vote on the Foreign Intelligence Surveillance Act measure, which the House passed last week, was 60-34.

Senate Majority Whip Dick Durbin, D-Ill., called it an “alarming bill.” Beyond seeking improvements to the legislation’s privacy protections, he and like-minded lawmakers and advocacy groups are worried that a provision changing the definition of “electronic communication service providers” would add a wide swath of organizations obligated to assist U.S. government surveillance.

“Rather than fixing the flaws in Section 702, the House bill will dangerously and unnecessarily expand it,” he said during debate Thursday.

Senate Intelligence Chairman Mark Warner, D-Va., said on the floor Thursday that he thought the service providers amendment “could have been drafted better” in the House, but would not do what some feared. He added that the effects of the change would be subject to court and congressional oversight, and Congress would have a chance to revisit the law in 24 months.

Sullivan touted adjustments in the bill, which included a requirement that an FBI supervisor or attorney sign off on any queries of the Section 702 database for U.S. person identifiers, such as phone numbers or emails, as “the most robust set of reforms ever included in legislation to reauthorize Section 702.”

Critics of the legislation — which included an unconventional mix of Democrats and Republicans — say those changes fell far short, but were unable to win adoption of six amendments that would achieve their aims. A Durbin amendment to prohibit warrantless access to the communications and other information on U.S. persons, the biggest adjustment that critics sought, fell on a 42-50 vote, marking the latest razor-thin margin for that proposal. A House amendment on a warrant requirement fell on a 212-212 vote.

Sullivan said that President Joe Biden would swiftly sign the legislation. Privacy advocates looked ahead to the next expiration of Section 702 powers in two years.

“Senators were aware of the threat this surveillance bill posed to our civil liberties and pushed it through anyway, promising they would attempt to address some of the most heinous expansions in the near future,” the American Civil Liberties Union posted on X, formerly known as Twitter. “We will do everything in our power to ensure that these promises are kept.”

The post FISA reauthorization heads to Biden’s desk after Senate passage appeared first on CyberScoop.

Friday, April 19, 2024 - 10:05
FBI director warns of China’s preparations for disruptive infrastructure attacks

FBI Director Christopher Wray warned Thursday that the threat posed by Chinese hacking operations to U.S. critical infrastructure has become more urgent, as intelligence agencies have said that groups like Volt Typhoon are preparing for the possibility of widespread disruptive actions as early as 2027.

Wray said during a speech at Vanderbilt University that China has targeted dozens of oil pipeline entities since 2011, in some cases ignoring business and financial information entirely while stealing data on control and monitoring systems.

More recently, Volt Typhoon has conducted broad targeting of American companies in the water, energy and telecommunications sectors, among others, which U.S. officials have described as “pre-positioning” for future attacks that could disrupt or halt systems responsible for critical services upon which Americans rely. Dragos, a private threat intelligence company that focuses on critical infrastructure, said in February that the group has also been observed targeting entities that provide satellite and emergency management services.

The ultimate purpose of this activity is to give Beijing “the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” Wray said.

The comments mark something of a shift in how the bureau and other national security officials have described the threat posed by Chinese hackers in the past.

U.S. officials have long sounded the alarm on the broader threat posed by China’s hacking operations, in particular the pervasive targeting of American companies in order to steal sensitive technologies and intellectual property that can be passed along to Chinese industry. This kind of economic espionage has persisted for decades, even after U.S. President Barack Obama and Chinese President Xi Jinping announced a deal in 2015 promising to curb such activity.

Law enforcement and intelligence agencies have also warned that Chinese hackers — which Wray said are so numerous that they outnumber the bureau’s total cyber personnel 50 to 1 — threaten American critical infrastructure and government agencies, but have historically described Beijing’s operations as more of a slow-burn, longer-term concern compared to other countries, like Russia.

“I kind of look at Russia as the hurricane. It comes in fast and hard” while China “is climate change: long, slow, pervasive,” Rob Joyce, NSA’s former cybersecurity director, told reporters in 2019 at the RSA Conference in San Francisco.

Wray said Thursday that the FBI and other federal agencies were preparing 2024 budgets with an eye towards the kind of resources they’ll need to defend against a potential broad attack on critical infrastructure.

He noted that the Office of the Director of National Intelligence assessed last year that Beijing is trying to build the capability to deter U.S. intervention in a crisis between China and Taiwan by 2027. That timeframe “is not exactly long-term” and some of the planning for that possibility is being carried out now.

“A few years ago, we might have said China represents the most significant long-term threat. That’s no longer the best way to describe the danger,” Wray said.

An annual threat assessment from ODNI last year assessed that China was “working to meet its goal of fielding a military by 2027 designed to deter U.S. intervention in a future cross-Strait crisis.” The 2024 version of that report noted that activity from Volt Typhoon was likely “intended to pre-position cyber attacks against infrastructure in Guam and to enable disrupting communications between the United States and Asia.”

Wray’s comments built on a series of increasingly pitched warnings U.S. officials have made since the start of the year around Chinese targeting of U.S. critical infrastructure. However, despite the alarms, digital defenders in critical infrastructure have expressed frustration at the lack of detail these warnings contain, as well as an explanation for how China’s actions over the past year differ from the kind of activity that the bureau acknowledged has been ongoing since at least 2011.

The post FBI director warns of China’s preparations for disruptive infrastructure attacks appeared first on CyberScoop.

Friday, April 19, 2024 - 08:45
Treasury official: Small financial institutions have ‘growth to do’ in using AI...

Major financial institutions have used artificial intelligence to play increasingly stingy defense against fraud and cybersecurity threats over the past decade, a top Treasury Department official said Thursday. But “there’s growth to do” when it comes to deploying those same technologies for smaller banks.

Todd Conklin, the Treasury Department’s chief AI officer and deputy assistant secretary for the Office of Cybersecurity and Critical Infrastructure Protection, said during an American Bankers Association virtual event that the sector has done “very well” to narrow the cybersecurity gap between large and small lenders. 

But though Conklin has seen a “significant reduction” in fraud at some of the country’s largest financial institutions thanks to AI, there’s a concerted public-private effort now on “how do we ensure that we’re … leveraging the capabilities of our largest institutions and making sure that our smallest institutions have the same advantage from a defensive perspective.”

Protecting small financial institutions from AI-fueled threats was a primary topic of discussion during Thursday’s press briefing featuring Conklin and two members of the Financial Services Sector Coordinating Council, which contributed to Treasury’s March report on managing AI-specific cyber risks in the financial services sector.

Paul Benda, vice chair of the FSSCC and executive vice president of fraud, risk and cybersecurity at the ABA, said the focus of current and future public-private financial sector coalitions will be to “figure out ways to provide more data and better training systems” to smaller institutions. 

“By their nature, small institutions simply don’t have the same volume of data to train their systems on,” Benda said. “They may not have access to some [of the] same high-end technical systems that some of the larger institutions have. … Can we take those lessons learned from those larger institutions that are more leaning forward, that have sandboxes they can play in to test out these capabilities, and extend those to small institutions?”

At least some of the dozens of financial institutions interviewed as part of last month’s Treasury report raised “significant concerns about the data used to train commercial generative AI because of privacy and liability concerns.” A potential solution floated by representatives from those participating banks would be a “standardized description, similar to a nutrition label, for vendor-provided generative AI systems to clearly identify what data was used to train a model, where it came from, and how any data submitted to the model will be incorporated.”

Debbie Guild, the FSSCC chair and head of enterprise technology & security at PNC Financial Services Group, acknowledged during Thursday’s call that nutrition labels won’t “be something that everybody will care about.” But there is plenty of value for financial institutions large and small to be transparent about when an AI model “stopped being trained” given the decision-making that revolves around those outputs, she said.

Conklin added that nutrition labels will be “really significant” for small financial institutions given their reliance on third-party data sources “to meet the level of explainability that’s going to be required of them by the Regulatory Oversight Committee,” an international body of more than 65 markets regulators and other public officials from 50-plus countries. 

Treasury and the FSSCC, meanwhile, have enlisted “multiple core providers” — makers of software used by banks to manage processes — in discussions on how best to adopt and apply AI to financial services, Conklin said. 

Those third-party services “have a significant role to play as does, frankly, the U.S. Treasury Department, in terms of making sure we’re working in lockstep with our sector partners to try to close the gap between our largest and smallest institutions,” he added. “We’re going to definitely try to encourage as much innovation in that space as reasonably possible.”

The post Treasury official: Small financial institutions have ‘growth to do’ in using AI against threats appeared first on CyberScoop.