Cyber Week in Review: October 25, 2024
Biden administration releases national security memorandum on AI
The Biden administration announced the release of the long-awaited National Security Memorandum (NSM) on the use of AI in national security systems. The NSM, and its companion document, the Framework for AI Governance and Risk Management for National Security, will govern the use of AI in national security systems throughout the Department of Defense and the broader Intelligence Community (IC). The U.S. Office of Management and Budget (OMB) released a memo earlier this year that regulated the use of AI in unclassified systems. The NSM represents the first guidance from the U.S. government on AI governance and risk management in national security systems. Although both orders emphasize the need to ensure responsible AI development and use, the classified nature of most national security applications and the extremely high risks inherent to some national security use cases make the National Security Memorandum and its accompanying framework a critical tool for balancing commitments to innovation with commitments to rights protections and democratic values. In addition to laying out prohibited uses of AI, clarifying requirements for the responsible use of high-impact systems, and establishing stronger expectations around oversight, governance, and transparency, the NSM establishes the national security imperative of protecting chip supply chains, elevates the importance of intelligence collection around adversaries’ AI capabilities, and emphasizes the importance of immigration policies that will protect and build STEM talent pipelines. The status of the NSM under a potential Trump administration is unclear with the presidential election only weeks away. Trump has previously said he would repeal an October 2023 executive order signed by President Biden, arguing that it would curtail American innovation.
White House reviews ICE contract with spyware vendor Paragon Solutions
The Biden administration has paused a contract between U.S. Immigration and Customs Enforcement (ICE) and spyware vendor Paragon Solutions while it reviews whether the contract violates an Executive Order restricting the use of spyware, signed in March 2023. ICE signed the one-year contract for a single surveillance system with Paragon on September 27. The $2 million contract was signed outside of the typical competitive process, meaning that Paragon did not have to bid against other firms. Paragon offers several spyware options, including its flagship Graphite product, which can be used to extract data from the cloud backups of individual devices; it is unclear which specific system ICE procured under the contract. Under the review process, ICE will be required to supply information to address several concerns around the spyware, including whether it poses counterintelligence, security, or improper-use risks. The United States has significantly increased its efforts to stamp out the use of spyware globally since President Biden signed the 2023 Executive Order, and recently announced a new initiative to fund civil society research into the repressive use of spyware. Civil society groups have said that allowing the contract to continue would undermine U.S. credibility as it seeks to fight the spread of spyware abroad; it remains unclear how the review might impact ICE’s ability to use the surveillance system.
China expands its crackdown on the use of some puns online
China’s internet censors have launched a campaign to crack down on the use of puns and homophones on the country’s internet. China maintains one of the world’s largest and most complex censorship apparatuses, employing a wide range of human reviewers and automated tools to filter out particular words or concepts from its online discourse. Homophones and puns have been used to get around this censorship for decades, with users employing words that sound similar in Mandarin, or that have a certain connotation, to get around censors’ controls. In 2009, viral videos described the adventures of the “grass mud horse,” a homophonic pun on an especially strong Chinese obscenity, and its battles against the “river crab,” a play on the Chinese word for “harmony.” While such puns might seem sophomoric on their face, harmony was often used as a government slogan at the time, making many of the videos slyly subversive. The government has often targeted these puns for censorship, engaging in a near-constant race to stamp out homophones related to CCP General Secretary Xi Jinping, among others. However, according to some experts, the new campaign against online puns, run largely by the Cyberspace Administration of China and the Ministry of Education, has been especially expansive in its choice of targets. State media have hinted that the new campaign will target even common idioms that have no political connotation, such as the phrase yunüwugua (与你无瓜, “rainy girl without melons”), often used in place of yuniwuguan (与你无关, “it’s none of your business”).
SEC fines four companies for misleading SolarWinds attack disclosures
On Tuesday, the Securities and Exchange Commission (SEC) charged four companies with making materially misleading public disclosures about the 2020 SolarWinds hack. The SolarWinds hack occurred when a Russia-affiliated hacking group, The Dukes, compromised SolarWinds’ Orion platform and embedded malicious code in an update that was shipped to thousands of customers. The hack compromised a vast range of organizations, including the U.S. State Department, the Department of Homeland Security, cybersecurity company FireEye, and Microsoft, among others. In response to the hack, the SEC has tightened its rules around cybersecurity disclosures, charging SolarWinds and its chief information security officer (CISO) Tim Brown with fraud (although the case was dismissed in July), and announcing a requirement that companies file a Form 8-K disclosure within four days of a material cybersecurity incident. The SEC charged the four companies in the case, Unisys, Avaya, Check Point, and Mimecast, with failing to disclose that they had been impacted by the 2020 SolarWinds breach. The companies have all agreed to pay civil penalties of different amounts, with Unisys paying the largest penalty at $4 million.
UK announces investigation into partnership between Google and Anthropic
The UK Competition and Markets Authority (CMA), the country’s lead antitrust regulator, is launching a full investigation into Google’s partnership with artificial intelligence leader Anthropic over concerns that the partnership could dampen competition for AI services in the UK. Google invested nearly $2 billion in Anthropic in July 2023, around the same time as a similar $4 billion investment by Amazon. The CMA is shifting its investigation of Google and Anthropic from preliminary to full status and will have until December 19 to decide whether to expand its investigation or approve the partnership. The CMA also investigated Amazon for its partnership with Anthropic, but closed that investigation on September 27. The escalation of the CMA’s current investigation, and its description of the partnership as a “relevant merger situation,” suggests that Google may have deeper ties with, and potential influence over, Anthropic than Amazon does.
Maya Schmidt is the intern for the Digital and Cyberspace Policy Program.