ISMG Editors: Impact of Israel-Hamas War on Cybersecurity
Also: AI in Banking, Highlights from ISMG New York Summit, Update on AI Rules in US
Anna Delaney (annamadeline) • October 20, 2023
In the latest weekly update, editors at Information Security Media Group discuss the impact of the Israel-Hamas war on cybersecurity technology and the workforce, the role of the U.S. in shaping the future of AI technology, and highlights from ISMG's Financial Services Summit in New York.
The panelists - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; and Michael Novinson, managing editor, ISMG Business - discussed:
- The impact of the Israel-Hamas war on the threat landscape and the cybersecurity workforce, including measures taken by security vendors to safeguard their operations and data;
- Why members of a U.S. House panel emphasized the need to initiate congressional regulation of artificial intelligence with a national privacy law;
- Key takeaways from ISMG's Financial Services Summit, which included discussions on how generative AI can be used to safeguard sensitive data and financial assets.
This transcript has been edited and refined for clarity.
Anna Delaney: Hello, thanks for joining us at the ISMG Editors' Panel. I'm Anna Delaney, and this is a weekly spot where we tackle the latest cybersecurity news and challenges, as well as explore the most interesting innovations and technologies. The editors joining me are Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity; and Michael Novinson, managing editor, ISMG business. Wonderful to see you all.
Tom Field: Good to be seen, Anna.
Marianne McGee: Thanks for having us.
Michael Novinson: Thanks for having us.
Delaney: Michael, it's fair to say that the whole world has been watching the current horrific events unfold in Israel and Gaza. You've been taking a close look at its impact, both when it comes to cyber activity and cyber workforce. What can you share?
Novinson: Thank you for the opportunity, Anna. I'll take each of those in order. In terms of cyber activity, it's been nearing two weeks since the initial attack by Hamas on Israel on October 7. Cyber activity, at this point, has been relatively limited. From what we've seen, it's been hacktivism, DDoS attacks and shutting down websites like the Jerusalem Post. Anonymous Sudan has claimed to be involved; they do claim to be involved in a lot. It has been amateur-type groups doing low-impact, low-level attacks. What's going to be interesting to see is, as the kinetic activity escalates, in particular as a ground invasion of Gaza, perhaps into Lebanon, seems imminent, what does that mean from a cyber dimension? I'd had the opportunity to talk to Rob T. Lee of the SANS Institute about this. He was saying it would be good to keep an eye out in terms of the targeting of communications and command-and-control infrastructure; he feels that that would be an initial step as the kinetic activity escalates. I think a key question here is going to be to what extent is this a local conflict? To what extent does it become a regional conflict with the involvement of Iran? To what extent does it become a global conflict with the involvement of the United States? Each of those dimensions brings a cyber component as well. In terms of Iran, Lee was talking about Iran's capabilities to use cyber almost as a precursor to kinetic, so that they can get intelligence on what Israel has planned, what their strikes are, and maybe even what's going on with the U.S. military presence in the Middle East around the Mediterranean Sea. It is a way of getting involved in supporting without committing actual troops. Lee was talking about it being focused on intelligence gathering to understand where future military action is going to take place to try to counter it before the kinetic occurs. From the U.S. standpoint, that would be two things.
One would be around intelligence sharing, and we had heard last week from leadership at CISA that there's been very close contact between CISA and their counterparts in Israel. However, in continued intelligence sharing now we see, the big clash would be probably that the public would know, but in terms of zero day exploits, the U.S. does have some of its reserves; does the U.S. end up sharing any of those with Israel if this conflict escalates? With entities like Iran, with their own cyber capabilities, getting involved, there's a risk to that, as zero days are very resource intensive to develop. As we've seen, there can be some downstream impacts: zero days that get released out into the wild can end up in the hands of bad actors and be used against our own interest. Certainly, from the standpoint of Lee, that wouldn't be an initial step. However, if this is turning into a more pronounced cyber conflict, it is another way that the U.S. could assist Israel. From a workforce perspective, the big thing is just this unprecedented calling up of reserves to serve in the Israeli military. It is something that, coming from a more population-rich country like the United States, is hard to comprehend. So, about 360,000 reservists have been called up. In a country of 9.7 million people, that is 4% of the overall population. Thus, not just the adult population, but 4% of the overall population of Israel has been called up in one of the largest mass mobilizations in history, according to The Washington Post. Those who work at cyber companies include a lot of folks who came out of Mossad, Unit 8200 infantry and the IDF. A lot of these startups are started by folks, in their 20s and 30s, who are only a few years out of their military service. Moreover, not that many companies have been public, but for those that have been public, including Armis, Pentera and Aqua Security, roughly 10% of the Israeli workforce has been called up.
The question then becomes how well can these companies absorb that? For Armis, i.e., you're maybe a bit larger, or Palo Alto Networks, i.e., you're global, it's easier to absorb. For a smaller company like Cyera, which is in the data security space, half of the workforce is in Israel. So, 10% of half, or 5%, of the overall workforce is out of commission. What does that mean for you? What type of redundancy do you have? The impact, in particular, is going to be pronounced in terms of research and development. As these companies mature as startups and get to that DNC phase, they tend to move corporate headquarters to the U.S.; they build up sales and marketing and channels and other go-to-market stuff in the larger regions. However, the R&D core often stays in Israel because of the immense cyber talent. There are about three places globally where R&D takes place. Israel's huge; India has a fair amount; and then Silicon Valley, in the U.S., is the core of R&D. Sales and marketing is seen in Texas and in other parts of the U.S., e.g., the Research Triangle, but the R&D in the U.S. is really in Silicon Valley. The question, for these Israeli companies, then becomes if a lot of your R&D folks have been deployed, what do you have to fall back on? CyberArk - a larger company with a good Israeli presence - has built up an Indian R&D team too. They are going to continue expanding R&D in India and leaning more on the Indian R&D folks, given the Israeli call-up. The question is, CyberArk is a publicly traded company; they've been around for 20 years. If you're, in theory, a series A round or B round startup, you don't have those same options. If you're not in India today, trying to build that up from stage zero is hard to do. In Silicon Valley, the competition for skilled cyber talent is enormous. The salaries are enormous if you're a cash-strapped startup. I do think this is going to be a real challenge.
In particular, given that all signs from Israel are that this is going to be a prolonged military operation and that they're looking for regime change in Gaza, this could be months or years of military activity in Israel. I think this is going to be an important space to watch.
Delaney: Very well said, Michael. Did you get a sense of what security companies are doing to safeguard their operations on the ground there in Israel and their data during this period of heightened tension? Did that come up in conversations?
Novinson: It has, and it is obvious. They're messaging that everything is business as usual, leaning on other folks and no disruption to customers. I think there has been some increased attention around "are we going to be targeted by hacktivists because we're an Israeli-based company?" There has been some attention paid to watching your rear flank. At this point, it doesn't seem like there's been a ton of targeting of the Israeli private sector, aside from newspapers, which are a bit more public facing. To the extent that there are capabilities here, are they going to be focused more on the commercial side or on the military side? My gut would tell me, more on the military side. I don't think that's been an enormous concern. Certainly, they're being careful. But, I think it's something, overall, you're going to start to see in the next couple of weeks: public companies - Check Point, CyberArk, Palo Alto Networks, companies that have a meaningful presence in Israel - are going to have to put out their outlook, and are going to have to be discussing what the impact is to investors. In regulatory filings, I think we're going to get a better sense at that point of how meaningful the impact of the mass mobilization is going to be, as well as the conflict between Israel and Hamas.
Delaney: Tom, I know you've been conducting a fair amount of interviews as well. What are you hearing?
Field: A couple of things I want to say at first. I want to say that this is the enormous story for ISMG. Every one of us on the screen has covered this in one aspect or another. Michael, from the very start, starting with the horrific attacks on October 7, published our first stories and conducted interviews, and I feel that our coverage has been responsible, it's been thorough, we've offered perspectives within and without Israel, on what's happening, the impact on Israel, on the world, on the industry, and, certainly, on humanity. However, it's not just a story; for us, it's personal. As you know, we have an affiliate, Xtra Mile, based in Israel; we have teammates and friends who are a part of this, and we've spoken to them, and they've shared with us their insights on what is happening. Going forward, I was supposed to take a trip to Israel in mid-November; that's not going to happen now. Instead, I'm going to conduct a series of virtual interviews with security and technology leaders within Israel on exactly these topics: the impacts on their organizations and on their teams, and their message to the world about what is happening, what they expect to happen, and how the world cannot just sit by and watch, but can help and be supportive of the innocents who are being attacked today.
Delaney: Well said, we will be looking forward to watching those. But, Michael and Tom, thank you so much! We'll be definitely coming back to this. Marianne, you attended a House committee hearing this week, which addressed concerns surrounding AI regulation, privacy and the role of the U.S. in shaping the future of AI technology and data-usage standards. What were the main takeaways?
McGee: Congress has been eyeing potential legislation to regulate AI. At that hearing, on Wednesday, by the House Committee on Energy and Commerce - one of their subcommittees - they tried to grapple with some of the issues involving AI, including privacy, biometrics, data minimization and a bunch of other issues. But, one of the overarching messages that some of the expert witnesses offered was the need for the U.S. to first pass national data privacy legislation, which has been talked about for years, and which could set a foundation for some of the similar issues that also dog AI. That includes issues around data collection, retention and deletion. For instance, regulations around how consumers' data are collected and used by data brokers also relate to how data are collected and used for AI development and deployments. Late last year, the House Energy and Commerce Committee passed, nearly unanimously, a bipartisan privacy bill, the American Data Privacy and Protection Act, or ADPPA. However, that bill has not moved beyond the committee for a vote by the full House. During the hearing, witnesses said that the ADPPA could also be sort of a foundation for AI regulations. For instance, one of the witnesses, former Federal Trade Commission Chair and Commissioner Jon Leibowitz, urged the committee to go back to the ADPPA and make some changes in that proposed data privacy regulation or legislation that could establish some of the rules for AI. He said that although ADPPA - which was criticized by some privacy advocates - is not perfect, it is something that perhaps can be improved upon, and it already has some of the potential foundations for AI regulations. For instance, the ADPPA already has provisions around prohibiting discrimination in algorithms, which Leibowitz said would also be applicable to prohibiting discrimination with AI. Witnesses during the hearing also warned that the U.S. needs to act swiftly if it wants to be a global leader in setting the rules of the road for AI, before adversaries, like China, dominate. There was also a discussion on how AI has been used in various industries such as healthcare to improve clinical decision making and drug discovery and other areas of medicine. Some of that discussion touched upon whether the current HIPAA regulations might serve as a road map for data protections involving AI use in healthcare. HIPAA only covers certain healthcare data, not all, such as consumer device, health sort-of data, things that are entered by consumers on more of a consumer-health-related website and those sorts of things, which are also often scraped and collected for AI issues or developments. With that in mind, the big question is whether the U.S. even has the wherewithal right now to tackle national AI legislation, considering that it has not gone very far with national data privacy legislation after so many years, not to mention the big partisan divide right now in Congress. As we're recording this, the U.S. House of Representatives has still not elected a new House speaker. Much of the work in Congress right now, in the near term, is at a standstill, and we don't know how it will proceed with some of the bigger-picture issues that the U.S. is dealing with, and the global world at large, as Michael was just discussing with the issues in Israel. We also have the Ukraine-Russia war still going on, and funding that's needed. We'll have to see what happens next, not only with this national AI legislation but also with the other important work that Congress needs to do.
Delaney: Excellent overview, and you mentioned the fear about China potentially setting global AI standards. Just talk more about that, and how do censorship requirements imposed by Beijing factor into China's AI development?
McGee: They had industry witnesses who were testifying, and who represented large software companies in the U.S. of all sizes. A part of their worry is the whole idea of competition: not having the U.S. lag behind in competition, and setting the standards of what is acceptable. What is not acceptable? What would China do with a lot of the data that it would collect from American consumers and businesses? A lot of thorny and complicated issues have to be worked out, and it will take time.
Delaney: That was a great overview for now. Thank you, Marianne. Tom, funny to think that we were in the same city with Michael, just 48 hours ago, and that we were there for the same reason, to host the ISMG Financial Services Summit. What did you take away from the event?
Field: It was not just the Financial Services Summit; it was the 10th Anniversary Summit for ISMG. We hosted our first such conference October 21, 2013. Ten years ago, when we hosted that, we didn't even know about the Target breach, we didn't have chip-and-PIN cards in the U.S., and we were still dependent upon the mag stripe to a very large extent. When we hosted that, people were talking about the merits of bring your own device to work. Now these same organizations are insisting that their employees bring and use their own devices. It is a whole different world. It was a whole different summit. I told you and Michael, when we wrapped up there, to me, the notion of a summit is you bring diverse people together to have meaningful dialogue on topics of importance. If that's the definition, then we succeeded with very high marks, because we brought some wonderful speakers together, and we brought hundreds of high-level practitioners together in the audience. We had very meaningful discussions about topics such as the threat landscape, such as response to ransomware. Michael, did we or did we not get the topic du jour? Generative AI. I think it was in every session. There were some things, Anna, that I was particularly pleased about: I had the opportunity to sit on a couple of panels, including the keynote panel that was about navigating the storm, about protecting financial services in an era of cyber turbulence. We had some good speakers: Susan Koski, the CISO of PNC; our event committee chair, Matanda Doss from JP Morgan Chase; joined by William Beer of Accenture; and Paul Leonhirth of Palo Alto Networks. Among the things that came out is it's just not navigating one storm; it's navigating multiple storms today. We were talking about things such as the human element.
That was another big topic that we discussed throughout the day: how the insider risk has expanded much more beyond the malicious insider and the accidental insider, to now the exploited insider, exploited by external factors. We talked a lot about that and the impact on institutions. I think that one of the points that resonated home with me was raised by Susan Koski. It's not just about particular threats or threat actors; it's the force multiplication of them, and the scale at which they impact organizations today. We have not seen anything like this in the 10 years that we've been bringing people together for these summits. Those are among the things that resonated with me. I want to ask you: you hosted for the first time one of our Solution Rooms, in this case, dedicated to ransomware response. How did you enjoy participating in that dialogue? What did you see?
Delaney: I loved it! It was great. People love a good immersive experience. To bring members of the Secret Service and members of incident response teams together at tables with CISOs, and then to dive into what feels like a real-life scenario of a global supply chain attack. They're under pressure, with the time pressure of 10 minutes; we had a phase I, and then we had various phases, and reduced the time. There was excitement in the room, but it was also brilliant to have those takeaways with the Secret Service afterwards, and people on incident response teams. It's not easy! People will always struggle with this. What happens if all your documents are offline versus online? Who do you call? There are still questions about do we really need to bring in law enforcement? What does that mean? What are the consequences? How will this impact our reputation? Civil lawsuits, for instance? There were a few misconceptions put right. However, it was a very good, very successful event, and very well said, Tom. Congratulations on your 10 years. That's pretty impressive!
Field: Marianne was there for Day 1; she remembers that. I want to say, too, I don't think I shared this, Anna, with you or with you, Michael. I was maybe a little bit nervous going into this event because of all the coverage we had on Israel. I was a little concerned about how it might be received. I want to tell you that there were people there that approached me and sought me out and wanted to talk specifically about stories we've written, interviews we've conducted, and how meaningful they were to them. I would say that the interview that I conducted with our colleague, Sharon Israel of Xtra Mile, a week or so ago was probably the most emotional interview I've ever recorded in my life, and I've recorded a few. But, I want to say that one of our attendees, actually one of our sponsors, came up to me at the event and hugged me, and thanked me for conducting that interview. I wanted to share that with the two of you; that made me feel very good about what we've done and the responsible role that we've played in this coverage.
Delaney: That's very moving. Well done! Well done to everybody. Just on generative AI, because I know it's come up a lot. It's had a few months to evolve the conversation, to mature a little bit. We were in RSA, that was the theme du jour, and Michael, I know you've conducted lots of interviews on generative AI. Was there anything new? How do you feel the conversation has shifted slightly?
Novinson: I would say it has certainly matured. There have been three big blocks of interviews I've done. Tom and I know, we were all together in San Francisco at the end of April at RSA, Tom and I already gathered in August at Black Hat, and now it's about two months later that we're speaking to folks in New York. Obviously, it was a bit of a different focus, user practitioners in financial services, while Black Hat was much more threat researchers. I was hearing a lot more about AI hallucination than I had heard before. Several people I spoke to brought it up, and it's just one of the downside risks. The fact that they'll just kind of reach and guess and conjecture in ways, and what does that mean if you're using it within your business? It's something I hadn't heard as much about at RSA or Black Hat. That seems to be more top-of-mind for folks. It does seem that people are thinking a little bit more specifically about how they can use it to enhance their operations, not just in security, but from compliance, legal and risk standpoints. And, since I was speaking to security leaders at some very large political and financial institutions, how do you break through their silos, since all of these functions have normally been very segmented? If you are using generative AI in some of these areas, how do you allow for that cross communication to make sure that all the various teams that are taking advantage of it are also collectively aware of the risk as it is being used in other parts of the organization?
Field: At the end of the day, the evolution I've seen is that when we started talking about this earlier in the year, it was the need to get a policy around this. We need to stop this, in some cases, before it takes over. It has matured to the point now where my discussions are, we have to enable this. We have to have guardrails, if anything else. A comparison was made, I think at a dinner I hosted the other night, that it's like, you've heard this before, it's like brakes on a car: brakes aren't there to stop the vehicle, the brakes are there to give you the security that you can accelerate faster. That's where I'm seeing a lot of security leaders put their energy now; that's encouraging to see.
Delaney: I noticed on one of your panels, one of the speakers said, oh we don't talk about zero trust anymore! It's all about generative AI. We all laughed, but is there any truth in that?
Field: Total truth in that!
Delaney: I hope people, or organizations, are not abandoning their zero trust policies. There are always strategies. Moving on for a bit of fun, I think we need it. If AI could take over one boring, mundane task in your life, what would it be? And how would you spend your newfound free time? Dive in!
Field: If generative AI could take over my travel plans for me, I'd be delighted! If I could just tell them where I have to go and have these decisions made for me. Then I would no longer be booking flights and realizing later that when I booked it, it said PM and I meant AM.
Delaney: We've all been there, Tom. Michael, go ahead.
Novinson: Absolutely, all the names, it does get tough. I was going to say, and this might be a bit of a stretch, but if AI could somehow help with sorting and folding laundry, particularly balling up socks and folding fitted sheets, that would be appreciated. I realize this may be more of a long-term goal, but I would take it. If it freed the time up, I'd love to get back to playing tennis. I played as a kid; I miss it. It'd be a fun activity to do. That's what I'm looking for.
Field: I'm with you there.
McGee: I would say putting the groceries away. After you go grocery shopping, it's all so... But now, when you were just talking, Michael, about the laundry, I was thinking, when my kids were home and I had a lot of other sorts of things to do, like with schoolwork, it would have been great to have some sort of AI tool at the beginning of the school year. When you have to fill out all the paperwork about contacts and emergency contacts and backup contacts and doctors and all that sort of thing, that would have been great!
Delaney: That's spot on. I think we're all feeling that pain. There's no pain like being a mother and then having to do all of that. I would love AI for travel, Tom, I agree. How about an AI to go through airport security for us, with an AI avatar, so I could spend more time exploring the new city and less time queuing. One can only hope that the technology advances. Marianne, Tom, Michael, this has been a real pleasure, a very moving episode. Thanks so much for watching!
Novinson: Thank you, Anna.