There’s a new cybersecurity awareness campaign: Take9. The idea is that
people—you, me, everyone—should just pause for nine seconds and think more about
the link they are planning to click on, the file they are planning to download,
or whatever it is they are planning to share.
There’s a website—of course—and a video, well-produced and scary. But the
campaign won’t do much to improve cybersecurity. The advice isn’t reasonable, it
won’t make either individuals or nations appreciably safer, and it deflects
blame from the real causes of our cyberspace insecurities...
Microsoft’s AI Red Team just published “Lessons from
Red Teaming 100 Generative AI Products.” Their blog post lists “three
takeaways,” but the eight lessons in the report itself are more useful:
> 1. Understand what the system can do and where it is applied.
> 2. You don’t have to compute gradients to break an AI system.
> 3. AI red teaming is not safety benchmarking.
> 4. Automation can help cover more of the risk landscape.
> 5. The human element of AI red teaming is crucial.
> 6. Responsible AI harms are pervasive but difficult to measure.
> 7. LLMs amplify existing security risks and introduce new ones...
President Biden has signed a new cybersecurity order. It has a bunch of
provisions, most notably using the US government's procurement power to improve
cybersecurity practices industry-wide.
Some details:
> The core of the executive order is an array of mandates for protecting
> government networks based on lessons learned from recent major
> incidents—namely, the security failures of federal contractors.
>
> The order requires software vendors to submit proof that they follow secure
> development practices, building on a mandate that debuted in 2022 in response
> to ...