< ciso
brief />
Regulation and Policy Brief Banner

All news in category “Regulation and Policy Brief

403 articles · page 2 of 21

FCC Proposal Would End Anonymous 'Burner' Phones

🛡️ The FCC has proposed a rule that would eliminate so-called burner phones by requiring telecom providers to collect and retain detailed personal information from virtually all phone customers. The rule would mandate submission of government-issued ID numbers, physical addresses, and additional data for business and foreign accounts, raising alarm among privacy and civil rights advocates. Supporters argue the changes target scammers and illicit activity, while critics warn of significant privacy, surveillance, and cybersecurity consequences if carriers must store this expanded dataset.
read more →

Experts Urge US to Reconsider Ban on Anthropic Models

🛡️ Over 50 cybersecurity professionals have urged the US government to lift its export-control directive that suspended access to Anthropic’s Mythos 5 and Fable 5 LLMs. The directive, issued on June 12, led Anthropic to suspend access to both models while it complies with the government order, which cited national security concerns tied to alleged guardrail bypass research. The signees argue the ban removes valuable defensive capabilities and call for a transparent, scientific AI risk-assessment process.
read more →

Short lapse in Section 702 surveillance affects US monitoring

🔍 Congress failed to extend Section 702 of the Foreign Intelligence Surveillance Act, creating a short pause in warrantless monitoring of foreign communications. The extension vote was rejected, leaving surveillance put on hold until the next possible vote on June 28, and creating uncertainty about immediate intelligence collection practices. CISOs should note potential impacts on cross-border communications and legal challenges ahead.
read more →

Debating a Sovereign AI Wealth Fund for Public Good

📝 The authors critique Senator Bernie Sanders’s proposal for a US sovereign wealth fund that would take large equity stakes in AI firms. They agree on the need for public influence and redistribution of AI-generated wealth but warn public ownership can entangle government incentives with corporate profit. Instead, they recommend taxation (e.g., datacenter or AI token taxes) and a public AI option like Switzerland’s Apertus to promote transparency, sustainability and democratic control.
read more →

CISA Directive Replaces Deadline Patching With Risk

🔒 CISA has issued Binding Operational Directive 26-04 requiring US federal agencies to shift from rigid, deadline-driven patching to a risk-based remediation model that prioritizes actively exploited threats. The directive ties remediation windows to risk — including a three-day forensic and patching requirement for the most critical flaws — and consolidates previous mandates into a single framework. It replaces CVSS-based prioritization with a four-factor risk assessment and gives agencies 180 days to meet the new timelines.
read more →

South Korea levies record fine after Coupang breach

🔒 The Personal Information Protection Commission (PIPC) fined e-commerce firm Coupang 624.6 billion won (~$409M) after a major data breach that exposed about 37.55 million people’s information. A subsidiary, Coupang Fulfillment Service, was also fined 248 million won for unlawful handling of personal and sensitive data. Investigators cited poor authentication key management, inadequate access controls, delayed breach disclosure, interference with the data protection officer’s independence, and obstruction of the probe.
read more →

CISA mandates rapid remediation of critical federal flaws

🔒 The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 26-04 to require Federal Civilian Executive Branch agencies to prioritize and accelerate patching of high-risk vulnerabilities. The directive sets remediation timelines based on asset exposure, presence in CISA's Known Exploited Vulnerabilities (KEV) catalog, exploit automation risk, and potential for system control, with the shortest deadline as three days. It supersedes previous BODs and applies to on-premises, third-party hosted, and cloud environments, excluding certain military, intelligence, and contractor systems.
read more →

CISA Directive Pushes Risk-Based, Contextual Patching

🔒 CISA issued Binding Operational Directive 26-04 to prioritize vulnerabilities by contextual risk rather than CVSS alone. The directive uses four factors — internet exposure, KEV listing, exploit automation, and post-exploitation impact — to set dynamic remediation timelines, including a three-day requirement for the highest-risk cases. The guidance aims to help agencies focus scarce resources on flaws most likely to be exploited amid faster discovery driven by AI.
read more →

UK filtering plan raises encryption and security concerns

🔒 UK Prime Minister Keir Starmer urged tech firms to implement device controls to block children from viewing or creating sexually explicit imagery, prompting CISOs to warn the plan could undermine enterprise encryption. Starmer gave companies three months to propose voluntary measures before pushing legislation; analysts caution on-device scanning is unlikely at scale and cloud processing would introduce new risks. Experts highlight logistical, performance, age-verification, and abuse risks that could create exploitable inspection vectors.
read more →

OpenSSF Warns of Poor CRA Readiness in Open Source

🔒 The Open Source Security Foundation (OpenSSF) warns of broad unfamiliarity and structural unreadiness for the EU Cyber Resilience Act (CRA), with 66% of surveyed manufacturers and developers reporting limited awareness. The report highlights confusion over applicability, deadlines, penalties and roles like manufacturers versus stewards, and notes low adoption of full Software Bills of Materials (SBOMs). OpenSSF also flags risky reliance on private forks and passive upstream dependence as potential compliance failures.
read more →

US Sanctions Nobitex Exchange Over Ties to IRGC

🛡️ The U.S. Treasury's OFAC has sanctioned Nobitex, Iran's largest crypto exchange, accusing it of facilitating payments for terrorist activities and sanctions evasion. The designation names several Nobitex executives and founders and is part of the broader "Economic Fury" campaign that also targets Wallex, Bitpin, and Ramzinex. OFAC cites Chainalysis data showing Iran's crypto ecosystem received nearly $7.8 billion in 2025, with IRGC-linked addresses receiving over half of Q4 inflows. Sanctions freeze U.S.-jurisdiction assets and bar U.S. persons from transacting with the designated entities.
read more →

US issues voluntary frontier AI pre-release review order

🛡️ The Trump administration has issued an executive order establishing a voluntary framework for developers of powerful AI models to submit a "covered frontier model" to US agencies for up to 30 days of cybersecurity review before wider release. The order explicitly forbids mandatory licensing or preclearance, tasks NSA, CISA and NIST with creating a classified benchmark to define covered models, and directs agencies to harden federal systems and expand AI-enabled defensive tools for smaller operators. It also creates an AI cybersecurity clearinghouse under the Treasury and leaves effectiveness dependent on possible future congressional action.
read more →

AI-Driven Exploitability Forces Faster Patching

🔒 As AI models like GPT5.5 and Claude Mythos accelerate exploit discovery, organisations face shrinking windows to patch vulnerabilities. Industry experts at Infosecurity Europe warn mean time to exploit has fallen from days to hours, prompting regulatory responses such as India’s 12-hour patch expectation. Analysts contrast vendor-centric EU rules with market-driven US approaches and recommend exploit-intelligence led patching, automation, segmentation and stronger producer SLAs.
read more →

Trump revives cybersecurity-focused AI directive

🔐 President Trump signed an executive order, “Promoting Advanced Artificial Intelligence Innovation and Security,” to bolster cybersecurity and create voluntary government-industry cooperation on advanced AI models. The directive accelerates deployment of AI-enabled defenses, establishes an AI cybersecurity clearinghouse, and mandates classified benchmarking of frontier-model cyber capabilities. It emphasizes voluntary review and explicitly rejects mandatory licensing, while directing agencies to extend protections to federal, state, and critical infrastructure systems.
read more →

NCSC: Act Now to Build Cyber Resilience

🔒 Paul Chichester of the NCSC warned at Infosecurity Europe that escalating technological change, geopolitical tensions and evolving threats make predicting cyber risk harder than ever. He highlighted hyper-connectivity, rapid tech transformation and state-backed cyber operations as key challenges, and urged stronger public-private collaboration. Chichester praised the Cyber Security and Resilience Bill and called for practical steps like reducing attack surface, addressing legacy systems, enforcing access controls and running incident exercises.
read more →

Responsible Vulnerability Disclosure in the AI Era

🛡️ Responsible Disclosure in the Age of AI argues that frontier AI systems now autonomously discover software vulnerabilities at unprecedented speed and scale, exposing long-standing technical debt in the software industry. The piece traces the evolution of assurance practices and disclosure frameworks and highlights growing tension between offensive and defensive cyber equities, particularly in the U.S. and China. It calls for coordinated national and international efforts to accelerate remediation, patch management, and investment in automated repair capabilities to close the narrowing window before adversaries exploit these advances.
read more →

Chilling Effects: How Fear Is Reshaping Speech

📰 Chilling effects—the self-censorship and restraint people adopt under threat—are spreading across U.S. campuses and institutions in response to the Trump administration’s punitive tactics. Students, professors, journalists, researchers and cultural organizations report altering speech, research and programming to avoid legal, immigration, and institutional reprisals. The authors argue these effects are intentional, part of a broader strategy that leverages surveillance, uncertainty, and abuse of power to produce conformity and weaken democratic checks.
read more →

GDPR’s legacy and the coming AI regulatory battles

📰 Over eight years GDPR set global data-protection norms, notably the 72-hour breach notification standard, but nearly 40% of announced EU fines by value are annulled or under appeal. Experts say large tech firms contesting fines isn’t surprising and that rulings provide practical guidance for compliance teams. As the EU’s AI Act and proposed GDPR reforms arrive, regulators must shore up procedural robustness while organisations adapt governance to evolving AI risks.
read more →

CERT-In urges tighter remediation timelines amid AI risks

🔒 India’s cybersecurity agency, CERT-In, has issued a framework urging organizations to patch, mitigate, or isolate known exploited internet-facing “crown jewel” systems within 12 hours where feasible, citing AI-assisted attacks that compress exploitation timelines. The 38-page blueprint prescribes tiered remediation windows—one day for externally exposed critical flaws, three days for critical internal issues, and five days for high-severity vulnerabilities—while emphasizing temporary mitigations and continuous exposure management over periodic assessments.
read more →

GCHQ warns businesses: urgent cyber action on AI

⚠️ Anne Keast-Butler, director of GCHQ, urged UK businesses to treat cybersecurity as national defence during the agency's first annual lecture at Bletchley Park on May 27. She warned that rapid AI development narrows the window to stay ahead of threats and called on boardrooms to act now. GCHQ plans a machine-speed national cyber defence using agentic AI within five years while urging adoption of basic controls and quantum-resistant cryptography.
read more →