All news with #regulatory action tag

Tackling the National Gap in Software Understanding

🔍 CISA, with partners including DARPA, OUSD R&E, and the NSA, is leading an interagency effort to close a national gap in software understanding that endangers critical infrastructure. A new Sandia National Laboratories report, The National Need for Software Understanding, describes the gap’s causes, risks, and options for remediation. CISA urges manufacturers to design software for independent analysis and invites experts and mission owners to engage on research priorities.

Black Hat USA 2025: Policy, Compliance and AI Limits

🛡️ At Black Hat USA 2025 a policy panel debated whether regulation, financial risk and AI can solve rising compliance burdens. Panelists said no single vendor or rule is a silver bullet; cybersecurity requires coordinated sharing between organisations and sustained human oversight. They warned that AI compliance tools should complement experts, not replace them, because errors could still carry regulatory and financial penalties. The panel also urged nationwide adoption of MFA as a baseline.

CISA Issues Emergency Directive for Microsoft Exchange

⚠️ CISA issued Emergency Directive 25-02 directing federal civilian agencies to immediately update and secure hybrid Microsoft Exchange environments to address a post-authentication privilege escalation vulnerability. The flaw, tracked as CVE-2025-53786, could allow an actor with administrative access on an Exchange server to escalate privileges and affect identities and administrative access in connected cloud services. CISA says it is not aware of active exploitation but mandates agencies implement vendor mitigation guidance and will monitor and support compliance. All organizations using hybrid Exchange configurations are urged to adopt the recommended mitigations.

Thai Hospital Fined After Patient Records Used as Wrappers

📄 A Thai hospital was fined after more than 1,000 patient records, sent for destruction, were found being used as street-food wrappers for crispy crepes. Thailand’s Personal Data Protection Committee (PDPC) determined the documents leaked following handling by a contracted disposal firm that stored them at a private residence. The hospital was fined 1.21 million baht and the disposal business owner received a separate penalty. The episode highlights failures in secure disposal and vendor oversight.

DHS Launches $100M+ Funding to Strengthen Cybersecurity

🔐 CISA and FEMA announced the availability of more than $100 million in grant funding to bolster state, local, and tribal cybersecurity capabilities. The FY2025 Notice of Funding Opportunity includes the State and Local Cybersecurity Grant Program (SLCGP) with $91.7 million and the Tribal Cybersecurity Grant Program (TCGP) with $12.1 million. Awards may support planning, exercises, hiring cybersecurity experts, network hardening, and improvements to services provided to citizens. Applicants should consult CISA application resources to prepare proposals.

Tech industry must resist weakening end-to-end encryption

🔐 The UK government's proposal to require access to end-to-end encrypted data—intended to combat terrorism and child sexual abuse—would effectively demand backdoors that major vendors refuse to build. Apple removed Advanced Data Protection for UK users after a non-public notice under the Investigatory Powers Act reportedly sought access, and WhatsApp has supported Apple's stance. The article argues such per-country mandates are technically unenforceable and easily circumvented, creating border chaos and disproportionate privacy harms. ESET recommends preserving strong encryption and using court-backed, oversightable access mechanisms rather than backdoors.

July 2025 Cybersecurity Roundup: Key Incidents and Risks

🛡️ In July 2025, ESET Chief Security Evangelist Tony Anscombe highlighted major cybersecurity incidents, including exploitation of ToolShell zero‑day vulnerabilities in on‑premises Microsoft SharePoint and the confirmed return of Lumma Stealer. Other critical stories included a ransomware attack that closed UK transport firm KNP, a massive data exposure in McDonald's hiring chatbot McHire, and the discovery of PerfektBlue Bluetooth flaws affecting vehicles. The UK also proposed banning ransom payments by public bodies.

AWS Guide Updated for Australian Financial Regulations

🛡️ AWS published an updated AWS User Guide to Financial Services Regulations and Guidelines in Australia to reflect APRA’s Prudential Standard CPS 230 Operational Risk Management, effective 1 July 2025, and APRA’s February 2025 rescission of its 2018 cloud outsourcing information paper. The whitepaper is intended for APRA‑regulated institutions and is particularly useful for leadership, governance, security, risk, and compliance teams seeking to run workloads on AWS. It summarizes APRA expectations on operational risk management and information security and provides materials to begin due diligence and implement appropriate programs within a shared responsibility model. AWS will continue to publish updates through its Security Blog and Compliance resources and encourages customers to engage their AWS account managers for assistance.

CLOUD Act Explained: Provider Obligations and Protections

🔒 AWS clarifies five key points about the CLOUD Act, stressing it does not grant automatic or unfettered access to customer content and that U.S. law requires judicial process for compelled disclosures. AWS reports no disclosure of enterprise or government customer content stored outside the U.S. since 2020. The company notes the Act applies to any provider with a U.S. presence and aligns with international law, while technical controls like AWS Nitro and AWS KMS limit operator access.

SAFECOM Updates Emergency Communications Lifecycle Guide

📢 CISA, in partnership with SAFECOM and NCSWIC, released an updated Emergency Communications System Lifecycle Planning Guide and companion Lifecycle Planning Tool on July 2, 2025. The suite refreshes the 2011 and 2018 materials and incorporates public safety practitioners' experiences to inform system build, maintenance, operation, decommission, and replacement decisions. The Lifecycle Guide offers recommendations and the Lifecycle Planning Tool provides checklists for each lifecycle phase. Resources and funding guidance are aligned to help jurisdictions plan technology upgrades.

Secure Age Assurance for Europe and Global Internet

🔒 Google outlines a privacy-forward approach to online age assurance that emphasizes interoperability and targeted protections for children, teens, and parents. The post highlights the new Credential Manager API on Android, which enables sites and apps to request only necessary age information from trusted credential holders. Backed by zero-knowledge proofs, the system can verify age thresholds (for example, over 18) without exposing identity or additional personal data. Google urges standards development and cross-sector collaboration to extend and adopt this secure infrastructure.

Building Resilient ICT Supply Chains: Supply Chain Month

🔒 This April, CISA highlights the 8th annual Supply Chain Integrity Month focused on strengthening the resilience of global information and communications technology (ICT) supply chains. The agency promotes four weekly themes—Preparedness, Mitigation, Trust, and Transparency—and showcases practical resources such as the Supply Chain Risk Management Essentials and Threat Scenarios Report. CISA also emphasizes vendor evaluation with the Vendor SCRM Template, hardware transparency via the HBOM Framework, and consolidated software guidance to help organizations assess, mitigate, and communicate ICT supply chain risks.

Twitter Whistleblower Alleges Major Security Failures

🔍 An 84-page whistleblower complaint from former Twitter head of security Peiter “Mudge” Zatko alleges systemic security and privacy failings at the company, including excessive staff access, unpatched servers, and potential foreign-agent infiltration. Zatko says these issues violate a 2010 FTC order and pose a national security risk. Twitter calls him a disgruntled ex-employee and says many issues are addressed. Congressional inquiries have already begun.