Cyber Week in Review: November 15, 2024
from Net Politics and Digital and Cyberspace Policy Program

U.S. will vote yes on UN Cybercrime Convention; Norway selected to host 2025 Internet Governance Forum; DHS releases responsible AI framework; CISA releases list of top vulnerabilities in 2023; GEC faces shutdown.
French President Emmanuel Macron delivers a speech during the opening session of the Internet Governance Forum (IGF) at the UNESCO headquarters in Paris, France on November 12, 2018. Ludovic Marin/Reuters

Biden Administration to support the UN Cybercrime Convention

The Biden administration has chosen to support the controversial U.N. Cybercrime Convention (UNCC), capping a months-long debate within the administration over whether to shift support for the treaty. Proponents of the treaty have argued that it will enable international collaboration to combat cybercrime by facilitating the exchange of data and extradition of criminal suspects. Opponents, however, have cited concerns that the treaty will be leveraged by authoritarian and illiberal states to access sensitive data and to target critics and dissidents abroad under the guise of prosecuting cybercrime. A senior U.S. administration official anonymously reported that the U.S. government determined it had a greater ability to influence the convention “in a rights-respecting manner” by joining consensus around the treaty rather than withdrawing support. The UNCC was first proposed by Russia in 2017 and was later brought into the UN process during a 2019 vote, with both the United States and EU voting against moving the treaty forward. While the treaty clearly has an origin in an authoritarian vision of the internet, United States officials who took part in negotiations claim they have introduced enough safeguards to mitigate risks of abuse. Although the Biden Administration has premised its continued support on a commitment to protect rights moving forward and to engage with non-governmental experts in influencing the treaty’s implementation, the upcoming shift in administrations renders such “commitments” aspirational at best. While the treaty will receive U.S. support in the U.N. General Assembly, it is unlikely to be ratified by the Senate, given existing opposition from a group of senators.

Norway selected over Russia to host the UN Internet Governance Forum

Norway has been selected to host the United Nations’ Internet Governance Forum (IGF) in June of 2025. The IGF is a multistakeholder body that brings together government officials, members of civil society, the private sector, and academia to discuss key issues relating to internet governance. In 2024, Saudi Arabia was selected to host the IGF despite outcries from civil society organizations that criticized Saudi Arabia’s history of human rights abuses and sweeping digital surveillance. Many civil society advocates expressed fear for their safety should they attend the Forum in Riyadh and underscored that these threats to their participation undermine the IGF’s function as a global multistakeholder platform. Norway was chosen to host the 2025 IGF over Russia, which has previously been criticized for information crackdowns online, among numerous other violations of internet freedom. Norway’s foreign minister Espen Barth Eide has already highlighted freedom of expression online as an area of national interest. The decision to host the IGF in Norway appears to run counter to Russian expectations, with the Russian Internet Governance Forum issuing a statement celebrating the “official confirmation of Russia’s host status” for the 2025 IGF in October 2020. Dmitry Chernyshenko, Russia’s deputy prime minister, also celebrated this “official confirmation” in a December 2021 speech, saying, “Choosing Russia as the venue to host the 20th forum is a great honor.”

More on:

Cybersecurity

Elections and Voting

Transnational Crime

U.S. Department of Homeland Security releases framework for responsible AI in critical infrastructure

The U.S. Department of Homeland Security (DHS) released a set of recommendations, the Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure, for organizations seeking to integrate AI tools into critical infrastructure systems. The framework provides recommendations across five areas: cloud and compute infrastructure providers, AI developers, critical infrastructure owners and operators, civil society, and the public sector. The framework recommends that compute and cloud providers and AI developers build security into the design of their systems, conduct safety assessments, and develop strong access management practices. For operators of critical infrastructure systems, the framework recommends providing meaningful transparency around where they’re using AI, actively monitoring the performance of their AI systems, and maintaining strong cybersecurity practices. Civil society and the public sector are tasked with engaging on AI safety and security issues, supporting the adoption of AI to improve public services, and, in the case of governments, collaborating to establish safety standards worldwide. The framework is the consequence of months of engagement with academics, government officials, and private sector firms on the part of DHS; however, given the upcoming change in administrations, it is unclear if the framework will be carried forward.

CISA releases list of top exploited vulnerabilities from 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and FBI released a list of the top exploited vulnerabilities worldwide in 2023, in collaboration with partner agencies from the Five Eyes intelligence alliance. The list, which is released annually, is notable in that, for the first time, a majority of its entries are zero-days: vulnerabilities that are unknown to the software creator and for which no patch is available. In its release of the list, CISA also issued guidance on mitigating potential vulnerabilities in systems, including by implementing secure-by-design and secure-by-default practices. The report demonstrates the ubiquity and staying power of several major exploits, including the 2021 Log4Shell vulnerability, which was notable both for the scale of the vulnerability and the difficulties around patching it. Two zero-day vulnerabilities in Citrix NetScaler servers were also exploited widely in tandem, with one threat actor using the flaw to breach nearly 6 percent of all Citrix servers in operation. The vulnerabilities were also widely exploited by ransomware gangs, with LockBit using the Citrix vulnerabilities to break into the systems of Boeing and the Industrial and Commercial Bank of China.

State Department Global Engagement Center faces shutdown amid lapse in funding

The State Department’s Global Engagement Center (GEC), responsible for combatting disinformation campaigns abroad, faces a possible shutdown at the end of the year should Congress fail to allocate funding before the center’s current funding lapses on December 23. GEC synthesizes high-level intelligence from different U.S. intelligence agencies to actively counter Russian and Chinese influence and propaganda operations. The center has its origins in attempts to combat terrorist propaganda abroad, but its role was gradually expanded and, under the Trump administration, it became a major player in countering Russian and Chinese propaganda. The GEC has long been a source of controversy regarding the appropriate role of the State Department in implementing information operations ethically and effectively. It became a particular source of controversy among certain Republicans after it provided a $100,000 grant to the Global Disinformation Index (GDI), a UK-based organization, to monitor disinformation in Asia. GDI had previously labeled Newsmax and other conservative U.S. outlets as risks for spreading misinformation under a separate, independent grant. The GEC grant to GDI led some Republican lawmakers to accuse the center of censorship. However, Special Envoy and Coordinator of the GEC James Rubin has emphasized the Center’s focus on international influence campaigns rather than U.S. politics. Not all Republicans are opposed to the GEC, with Senator John Cornyn (R-TX) and Senator Chris Murphy (D-CT) proposing an amendment to this year’s National Defense Authorization Act (NDAA) that would fund the GEC through 2031; it remains unclear if the amendment will be added to the NDAA and, if it is, whether House Republicans will try to scuttle such a measure.

 

Maya Schmidt is the intern for the Digital and Cyberspace Policy Program.

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.