Companies are increasingly relying on artificial intelligence and automated security systems, as the majority of cybersecurity attacks result in more than $500,000 in damages, Cisco reported Wednesday. Cisco surveyed 3,600 chief information security officers, and found more than half reported cybersecurity attacks that cost organizations more than $500,000 in damages. Thirty-nine percent of respondents rely on automation, 34 percent on machine learning, and 32 percent are “highly reliant” on AI. The extent of system breaches expanded, with respondents claiming 32 percent of breaches affected more than half their systems. That compares with 15 percent reported for 2016.
Social media platforms like Facebook and Twitter should be required to use open application programming interfaces, so third parties can monitor impacts of social media algorithms, former FCC Chairman Tom Wheeler wrote in The New York Times. Wheeler cited the recent indictment that special counsel Robert Mueller filed against 13 Russians tied to the Internet Research Agency, a Kremlin-led troll farm that allegedly spread misinformation and vitriolic, political content through social media during the 2016 election. Although that editorial content reached millions, the group was able to hide its algorithms for targeting users behind social media platforms. He noted Uber uses the open API of Google Maps to retrieve information about passenger pickup points and destinations. Wheeler said the proposal would open only the results of a company’s algorithms, not the algorithms themselves. Wheeler repeatedly has pitched open algorithms (see 1711010013). The Computer and Communications Industry Association and Internet Association didn't comment Wednesday.
U.S.-based web application attacks increased 31 percent in Q4 from the year-ago quarter, and perpetrators continue to focus on industries with high-value data, Akamai reported Tuesday. The report showed the retail industry was the hardest hit by web application threats, with 38 percent of attacks. Media and entertainment had 18 percent, technology 11 percent and the public sector 4.4 percent. Senior Editor Martin McKeay said attackers increasingly seek more direct ways to financial gain, such as ransomware. Worldwide web application attacks increased 10 percent, with a 10 percent increase in SQLi attacks globally. “Of the 17 billion login requests tracked through the Akamai platform in November and December, almost half (43 percent) were used for credential abuse,” the report said.
Many web hosting companies that cater to small businesses don't offer proper access to email authentication and anti-phishing technologies, putting small businesses at risk of facilitating phishing, FTC staff reported. Staff surveyed 11 web-hosting companies. Two used domain-based message authentication, a technology that rejects phony emails with domain-authentication discrepancies, and three provided a way to configure it. Small businesses should “pay close attention to the security features offered by web hosts so that they can choose a host that will protect their websites and email accounts with SSL/TLS and email authentication technologies.” The agency didn't identify the companies.
DOJ established a Cyber-Digital Task Force to focus on “detecting, deterring and disrupting malicious cyber activity.” According to a memo from Attorney General Jeff Sessions, it will be chaired by a senior department official appointed by the deputy AG. It would deliver an initial report on the department’s current cyber-related activities and a series of recommendations by June 30.
Without proper balance, the EU’s General Data Privacy Regulation could allow bad actors even more freedom for spreading false information and fostering illicit markets, wrote American Enterprise Institute's Shane Tews in a blog post this week. The GDPR (see 1802070001), which is to take effect in May, is meant to be a uniform set of data privacy and protection laws across the EU. One of the challenges of the new law is its impact on ICANN's WHOIS database, which law enforcement uses to investigate digital crimes, and companies use to protect trademarks. Under the new law, WHOIS data such as names and contact details might be identified as private, protected data requiring individual consent to be distributed. Tews said that could mean “a lot less information on who is contractually responsible for a domain,” allowing perpetrators to better hide their identities. ICANN is reviewing how to adapt to the new EU law. Tews said the larger challenge is keeping a free flow of internet traffic that allows accurate, trusted content, which requires identity verification for who's distributing the content. “Online actors who know how to be deceptive in their ways can weave through online networks to protect themselves. It would be a shame if the well-intended GDPR became one of their tools of the trade,” she wrote.
NTIA's recommendations on botnets and other automated threat issues focus almost “exclusively” on domestic threats, despite NTIA’s acknowledgement that “effective action against botnets requires greater international coordination,” said NCTA in comments on NTIA's draft interagency report to the president (see 1801110006). The comments were released last week. The Information Technology Industry Council suggested that to achieve progress on the draft report’s action items, coordination will be needed with various stakeholders, including: NTIA, the National Institute of Standards and Technology, the Department of Homeland Security and other U.S. stakeholders; small, medium and large private sector entities; and international private and public sector partners. CTA wrote that the report takes a “promising, but still somewhat dour view of existing” security tools. “CTA continues to urge caution with respect to regulatory approaches generally, as they usually tend toward static, prescriptive compliance regimes that inhibit security innovation over time,” the group wrote. The Computer & Communications Industry Association said the “chief educational burden” for policymakers, regulators and cybersecurity professionals is a better understanding of the “things” that make up IoT. The Internet Society suggested government collaborate with stakeholders in clarifying how current liability and consumer protection regulations apply to IoT. “Without clear up-front liability, users are often the ones who pay the price for poor IoT security,” the group wrote, saying liability and consumer protection laws can be a strong incentive for investing in security. Samsung echoed those comments, agreeing with the draft report’s call for the federal government to “lead by example and create market incentives for IoT product vendors to adopt” more secure products. The company recommended Congress and the administration avoid duplicating efforts, such as NIST’s Cybersecurity for IoT Program. 
The U.S. Chamber of Commerce wrote more dialogue is needed on “so-called market incentives,” saying regulation would “stunt security and innovation, including deployment of IoT.”
Adding government access to data weakens the security of encrypted products and services, but absence of access hampers official investigations, said a report issued Thursday by the National Academies of Sciences, Engineering and Medicine. It was meant to inform policymakers and the technical community when deciding whether to authorize government access to encrypted data, NASEM said in a release. The report results from an 18-month effort by a group that includes law enforcement, computer science, civil liberties, law and other disciplines, it said. “Our hope is that this report and the framework it presents will cut through the rhetoric, inform decision-makers, and help enable an open, frank conversation about the best path forward,” said Fred Cate, a law professor at Indiana University and chair of the committee that wrote the report, in a statement. NASEM said the framework can be applied to regulatory requirements for when “a manufacturer has to ensure lawful access to their products”; funding decisions to support government access; and other details. The report lists several challenges for lawmakers in the debate, including incomplete information about encryption’s impact on investigations and limits in measuring security risks. BSA Senior Director-Policy Tommy Ross called the report “one of the most important analytical examinations of this issue since the debate began.”
The GAO recommended various agencies, including the Department of Homeland Security and the National Institute of Standards and Technology, consult sector partners in adopting NIST’s cybersecurity framework (see 1801190057), in a report. DHS, NIST, sector-specific agencies and others initially identified four challenges to adopting the cybersecurity framework. The agencies and groups explained that: ability may be limited in committing necessary resources for adoption; necessary knowledge and skills may be lacking; various regulatory, industry and other requirements may inhibit adoption; and other priorities may take precedence over conducting cyber-related risk management or adopting the framework. GAO recommended DOD, the departments of Energy, Health and Human Services, Transportation and Treasury, the EPA, the General Services Administration and DHS “take steps to consult with respective sector partners … to develop methods for determining the level and type of framework adoption by entities across their respective sector.” Five agencies agreed with the framework, and four others “neither agreed nor disagreed,” GAO said. NIST scheduled a 2018 Framework Workshop for Sept. 11-13. The agency is reviewing comments for Draft 2 of Framework Version 1.1.
As the Trump administration “dismantles” various consumer protections in a new era of monopolies, outgoing FTC Commissioner Terrell McSweeny called Wednesday for increased support for American consumers. McSweeny, a former domestic policy adviser to Vice President Joe Biden, lamented what she perceives as the administration’s scaling back of consumer choice on sensitive data, rolling back of net neutrality rules and freezing of programs meant to aid defrauded students with their loans. The "administration is brazenly dismantling basic consumer protections that are vital to the economic well-being of American families -- all to favor a small number of dominant companies,” she wrote in The Hill. She said a new antitrust movement is growing, “reminiscent of trust-busting during the Progressive Era or the anti-monopoly movement of the New Deal.” Anti-monopoly champions are taking aim at the political and economic powers propelling inequality and monopolization of online commerce by "tech titans," she wrote. An FTC nomination hearing Wednesday also keyed into this issue (see 1802150035).