ETSI blockchain group releases first Reports, targeting industry and governmental bodies

Sophia Antipolis, 15 February 2021

The ETSI Industry Specification Group on Permissioned Distributed Ledger (ISG PDL) has recently released a number of Reports to support industry and government institutions needs for what is commonly known as blockchain. These Reports cover data record compliance to regulation, application scenarios and smart contracts.  

Read More...

ETSI releases the first Group Report on Encrypted Traffic Integration, protecting end users from malicious attacks

Sophia Antipolis, 1 September 2021

ETSI’s Industry Specification Group on Encrypted Traffic Integration (ISG ETI) has concluded the early part of its work, by identifying problems arising from pervasive encrypted traffic in communications networks.

Read More...

CEN, CENELEC AND ETSI HELD A WORKSHOP ON STANDARDS IN SUPPORT OF THE INDUSTRIAL DATA VALUE CHAIN

Sophia Antipolis, 29 September 2021

Industrial data has become one of the top strategic priorities for European and international industry in the recent years. Well managed and duly exploited, industrial data bring a significant competitive edge to businesses and can greatly improve overall efficiency, be it by supporting core processes or by providing a new source of insights.

In this data-driven era, industrial data play an essential role in building the foundation of the next wave of digitization in Europe. For this reason, it is key to the success of a harmonized Single Market and European competitiveness in the global market, but also for the success of the twin transition (green and digital) at the heart of the EU policy agenda.

Read More...

ETSI launches a new group on Reconfigurable Intelligent Surfaces

Sophia Antipolis, 4 October 2021

Improving network performance with cost-effective, low-power and sustainable technology for future wireless systems

ETSI, which produces globally applicable standards for ICT, has launched a new Industry Specification Group on Reconfigurable Intelligent Surfaces (ISG RIS). The group has been created to review and establish global standardization for RIS technology.

Read More...

ETSI releases two Technical Reports to support US NIST standards for post-quantum cryptography

Sophia Antipolis, 6 October 2021

In 2016 the US National Institute of Standards and Technology (NIST) announced their intention to develop new standards for post-quantum cryptography. They subsequently initiated a competition-like standardization process with a call for proposals for quantum-safe digital signatures, public-key encryption schemes, and key encapsulation mechanisms. NIST have stated that they intend to select quantum-safe schemes for standardization at the end of the current, third round of evaluation.

Read More...

ETSI NFV Release 5 kicks off with increased support for cloud-enabled deployments

Sophia Antipolis, 9 November 2021

The ETSI Industry Specification Group (ISG) for Network Functions Virtualization (NFV) has started working on its next specification release, known as "Release 5”, officially kicking off the new Release technical work after their September meeting.

The Release 5 work program is expected to drive ETSI NFV’s work into two main directions: consolidating the NFV framework and expanding its applicability and functionality set. On the one hand, some aspects of the NFV concepts and functionalities that have been addressed in previous Releases, but need additional work, will be further developed in Release 5. For instance, based on development, deployment experience and feedback collected during testing events such as the “NFV/MEC Plugtests”, additional work on VNF configuration was deemed necessary. Another example is the more detailed specification work related to fault management modelling which aims at further defining faults and alarms information to improve interoperability during network operations, in particular for root cause analysis and fault resolution in multi-vendor environments.

Read More...

MEC is ramping up with Phase 3 work on Multi-access Edge Computing

Sophia Antipolis, 15 March 2022

Since the beginning of 2022 the ETSI MEC Industry Specification Group (ETSI ISG MEC) has moved forward with the on-going Phase 3 work, which is foreseen to help accelerate and enable more effective and fruitful collaboration with other organizations.

Read More...

ETSI launches a new open-source group: TeraFlowSDN

Supporting autonomous networks and cybersecurity use cases

Sophia Antipolis, 31 May 2022

Today, ETSI is pleased to announce the creation of a new open-source group called TeraFlowSDN. Based upon the results of the European Union-funded TeraFlow 5G PPP research project, this new group hosted by ETSI will provide a toolbox for rapid prototyping and experimentation with innovative network technologies and use cases.

Read More...

ETSI Encrypted Traffic Integration group extends term to work on cryptographic and key management models

Sophia Antipolis, 2 August 2022

ETSI has recently extended the term of its Industry Specification Group Encrypted Traffic Integration (ISG ETI) for a two-year period through to mid-2024 to work on specific cryptographic and key management models.

Read More...

New ETSI specification allows single UICC to support the use of multiple applications simultaneously

Sophia Antipolis, 26 October 2022

New specifications released by ETSI will enable multiple subscriptions and identities to exist in the same smartphone handset without needing several SIM cards to be within the device.

The mobile telecom industry has been facing an increasing demand for applications running on mobile devices like banking, payments, transport and identity for some time. These new specifications address this demand by adding the possibility to host and address several "virtual secure elements" into the same UICC. This allows multiple virtual secure elements to coexist logically separated, whilst having the ability to be addressed independently through the same physical interface.

Read More...

ETSI TeraFlowSDN Wins Layer123 Network Transformation ‘Upstart of the Year’ Award

Sophia Antipolis, 7 December 2022

The ETSI TeraFlowSDN group (ETSI TFS), launched only six months ago, has won the ‘Upstart of the Year’ award at the Layer123 Network Transformation Awards ceremony, held at the prestigious Berkley Hotel in Knightsbridge, London, last night. This award also recognizes the ETSI strategy to provide new software development tools and practices to an evolving standardization ecosystem.

Read More...

ETSI launches a new group on Terahertz, a candidate technology for 6G

Sophia Antipolis, 12 December 2022

On 8 December the newly launched ETSI Industry Specification Group on Terahertz (ISG THz) held its kick-off meeting and decided on work priorities for this candidate technology for 6G.

“ISG THz provides an opportunity for ETSI members to coordinate their pre-standards research efforts on THz technology across various European collaborative projects, extended with relevant global initiatives, a move towards paving the way for future standardization of the technology,” outlines Thomas Kürner, Chair of ISG THz.

Read More...

Sophia Antipolis, 26 January 2023

The ETSI Industry Specification Group for Network Functions Virtualization (ISG NFV) has just published its next drop of specifications around new enhancements of the NFV architecture that will support cloud-native network functions.

Read More...

Sophia Antipolis, 2 February 2023

ETSI, the organization for globally applicable standards for information and communication technology (ICT), has adopted a new instrument, Software Development Groups (SDGs). This game-changing move will help ETSI adapt to the ever-evolving landscape of technology and standards development. Developing software to accompany standards will accelerate the standardization process, providing faster feedback loops and improving the quality of standards.

Read More...

Sophia Antipolis, 8 February 2023

On 7 February, the European Standards Organizations (ESOs), CEN, CENELEC and ETSI, joined forces with ENISA, the European Union Agency for Cybersecurity, to organise their 7th annual conference. The hybrid conference took place at the Brussels Renaissance Hotel and focused on “European Standardization in support of the EU cybersecurity legislation”.

Read More...

Sophia Antipolis, 22 June 2023

ETSI has just released a new White Paper on “MEC Support for Edge Native Design” written by members of the ETSI Multi-access Edge Computing group (ISG MEC). This White Paper provides an overview and vision about the Edge Native approach, as a natural evolution of Cloud Native. 

Read More...

Sophia Antipolis, 25 July 2023

ETSI is proud to announce the establishment of its first Software Development Group, called OpenSlice. With this group, ETSI positions itself as a focal point for development and experimentation with network slicing.

Read More...

Sophia Antipolis, 5 October 2023

ETSI is pleased to announce the extension of its Zero touch network and Service Management group (ISG ZSM) for an additional 2 year-period.

Read More...

Sophia Antipolis, 17 October 2023

As the second term of the Industry Specification Group Securing AI (ISG SAI) is scheduled to conclude in Q4 2023, and in line with ETSI's commitment to AI and SAI, the group has suggested the closure of ISG SAI, with its activity transferred to  a new ETSI Technical Committee, TC SAI.

Read More...

Sophia Antipolis, 9 November 2023

ETSI is delighted to announce the establishment of a new Software Development Group, called OpenCAPIF. OpenCAPIF is developing an open-source Common API Framework, as defined by 3GPP, allowing for secure and consistent exposure and use of APIs.

Read More...

Sophia Antipolis, 21 November 2023

ETSI is delighted to announce the launch of the Industry Specification Group for Integrated Sensing and Communications (ISG ISAC). This group will establish the technical foundations for ISAC technology development and standardization in 6G. 87 participants from both the industrial sphere and the academic sphere took an active part in the kick-off meeting, which was held at ETSI premises, in Sophia Antipolis, France, on 17 November 2023.

Read More...

Sophia Antipolis, 13 February 2024

Sharing intelligence: ETSI AI Conference highlights role of standardization in supporting ICT industry transformation.

Held at ETSI’s Sophia Antipolis headquarters from 5-7 February, the event welcomed close to 200 participants from 25+ countries, with featured speakers including AI experts from government agencies, standards bodies, academia and industry.

Artificial Intelligence/Machine Learning (AI/ML) technologies are enabling disruptive new applications across a wide range of digital products and services. Reviewing the current status of AI developments worldwide, the Conference explored the role of standardization in ETSI and other SDOs to support the development of a robust market for safe, lawful AI applications and services within the framework of European policymaking.

Read More...

Sophia Antipolis, 30 April 2024

The ETSI TeraFlowSDN community is proud to announce the third release of TeraFlowSDN, an innovative and robust SDN orchestrator and controller, delivering a fully featured Network Automation Platform. In this latest release, TeraFlowSDN enhances its capabilities with the integration of an Optical SDN controller, expanding device support to include gNMI and OpenConfig protocols. It also features enriched network integrations for end-to-end orchestration like IP over DWDM, L3VPN, MEC, and network topology exposure. The management of network topologies is improved with the addition of a new BGP-LS speaker able to discover the topologies, and a new Forecaster component is introduced, providing predictive insights for network management. These additions substantially augment the versatility and management capabilities of the TeraFlowSDN platform.

Read More...

New essay by Kevin K. Gaines, "Racial Uplift Ideology in the Era of the Negro Problem," added to Freedom's Story: Teaching African American Literature and History, TeacherServe from the National Humanities Center.

Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.

Dive into six things that are top of mind for the week ending Oct. 25.

1 - CSA: How to prevent “shadow AI” 

As organizations scale up their AI adoption, they must closely track their AI assets to secure them and mitigate their cyber risk. This includes monitoring the usage of unapproved AI tools by employees — an issue known as “shadow AI.”

So how do you identify, manage and prevent shadow AI? You may find useful ideas in the Cloud Security Alliance’s new “AI Organizational Responsibilities: Governance, Risk Management, Compliance and Cultural Aspects” white paper.

The white paper covers shadow AI topics including:

• Creating a comprehensive inventory of AI systems
• Conducting gap analyses to spot discrepancies between approved and actual AI usage
• Implementing ways to detect unauthorized AI wares
• Establishing effective access controls
• Deploying monitoring techniques

“By focusing on these key areas, organizations can significantly reduce the risks associated with shadow AI, ensuring that all AI systems align with organizational policies, security standards, and regulatory requirements,” the white paper reads.

For example, to create an inventory that offers the required visibility into AI assets, the document explains different elements each record should have, such as:

• The asset’s description
• Information about its AI models
• Information about its data sets and data sources
• Information about the tools used for its development and deployment
• Detailed documentation about its lifecycle, regulatory compliance, ethical considerations and adherence to industry standards
• Records of its access control mechanisms

Shadow AI is one of four topics covered in the publication, which also unpacks risk management; governance and compliance; and safety culture and training.

To get more details, read:

• The full “AI Organizational Responsibilities: Governance, Risk Management, Compliance and Cultural Aspects” white paper
• A complementary slide presentation
• The CSA blog “Shadow AI Prevention: Safeguarding Your Organization’s AI Landscape”

For more information about AI security issues, including shadow AI, check out these Tenable blogs:

• “Do You Think You Have No AI Exposures? Think Again”
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
• “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach”
• “6 Best Practices for Implementing AI Securely and Ethically”
• “Compromising Microsoft's AI Healthcare Chatbot Service”

2 - Best practices for secure software updates

The security and reliability of software updates took center stage in July when an errant update caused massive and unprecedented tech outages globally.

To help prevent such episodes, U.S. and Australian cyber agencies have published “Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers.”

“It is critical for all software manufacturers to implement a safe software deployment program supported by verified processes, including robust testing and measurements,” reads the 12-page document.

Although the guide is aimed primarily at commercial software vendors, its recommendations can be useful for any organization with software development teams that deploy updates internally.

The guide outlines key steps for a secure software development process, including planning; development and testing; internal rollout; and controlled rollout. It also addresses errors and emergency protocols.

“A safe software deployment process should be integrated with the organization’s SDLC, quality program, risk tolerance, and understanding of the customer’s environment and operations,” reads the guide, authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Australian Cyber Security Centre.

To get more details, read:

• The “Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers” guide
• The CISA alert “CISA, US, and International Partners Release Joint Guidance to Assist Software Manufacturers with Safe Software Deployment Processes”

For more information about secure software updates:

• “Tenable’s Software Update Process Protects Customers’ Business Continuity with a Safe, Do-No-Harm Design” (Tenable)
• “The critical importance of robust release processes” (Cloud Native Computing Foundation)
• “Software Deployment Security: Risks and Best Practices” (DevOps.com)
• “Software Updates, A Double-Edged Sword for Cybersecurity Professionals” (Infosecurity)
• “DevOps Best Practices for Faster and More Reliable Software Delivery” (DevOps.com)

3 - Report: GenAI, attack variety, data security drive cyber strategies

What issues act as catalysts for organizations’ cybersecurity actions today? Hint: They’re fairly recent concerns. The promise and peril of generative AI ranks first. It’s closely followed by the ever growing variety of cyberattacks; and by the intensifying urgency to protect data.

That’s according to CompTIA’s “State of Cybersecurity 2025” report, based on a survey of almost 1,200 business and IT pros in North America and in parts of Europe and Asia. 

These three key factors, along with others like the scale of attacks, play a critical role in how organizations currently outline their cybersecurity game plans.

“Understanding these drivers is essential for organizations to develop proactive and adaptive cybersecurity strategies that address the evolving threat landscape and safeguard their digital assets,” reads a CompTIA blog about the report.

Organizations are eagerly trying to understand both how generative AI can help their cybersecurity programs and how this technology is being used by malicious actors to make cyberattacks harder to detect and prevent.

Meanwhile, concern about data protection has ballooned in the past couple of years. “As organizations become more data-driven, the need to protect sensitive information has never been more crucial,” reads the blog.

Not only are organizations focused on securing data at rest, in transit and in use, but they’re also creating foundational data-management practices, according to the report.

“The rise of AI has accelerated the need for robust data practices in order to properly train AI algorithms, and the demand for data science continues to be strong as businesses seek competitive differentiation,” the report reads.

To get more details, read:

• The report’s announcement “Cybersecurity success hinges on full organizational support, new CompTIA report asserts”
• CompTIA’s blogs “Today’s top drivers for cybersecurity strategy” and “Cybersecurity’s maturity: CompTIA’s State of Cybersecurity 2025 report”
• The full “State of Cybersecurity 2025” report

For more information about data security posture management (DSPM) and preventing AI-powered attacks, check out these Tenable resources:

• “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
• “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
• “The Data-Factor: Why Integrating DSPM Is Key to Your CNAPP Strategy” (blog)
• “Mitigating AI-Related Security Risks” (on-demand webinar)
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood” (blog)

4 - CISA lists software dev practices most harmful for security

Recommended best practices abound in the cybersecurity world. However, CISA and the FBI are taking the opposite tack in their quest to improve the security of software products: They just released a list of the worst security practices that software manufacturers ought to avoid.

Titled “Product Security Bad Practices,” the document groups the “no-nos” into three main categories: product properties; security features; and organizational processes and policies.

“It’s 2024, and basic, preventable software defects continue to enable crippling attacks against hospitals, schools, and other critical infrastructure. This has to stop,” CISA Director Jen Easterly said in a statement.

“These product security bad practices pose unacceptable risks in this day and age, and yet are all too common,” she added.

Here are some of the worst practices detailed in the document, which is part of CISA’s “Secure by Design” effort:

• Using programming languages considered “memory unsafe”
• Including user-provided input in SQL query strings
• Releasing a product with default passwords
• Releasing a product with known and exploited vulnerabilities
• Not using multi-factor authentication
• Failing to disclose vulnerabilities in a timely manner

Although the guidance is aimed primarily at software makers whose products are used by critical infrastructure organizations, the recommendations apply to all software manufacturers.

If you’re interested in sharing your feedback with CISA and the FBI, you can submit comments about the document until December 16, 2024 on the Federal Register.

To get more details, check out:

• CISA’s announcement “CISA and FBI Release Product Security Bad Practices for Public Comment”
• The full document “Product Security Bad Practices”

For more information about how to develop secure software:

• “Tenable Partners with CISA to Enhance Secure By Design Practices” (Tenable)
• “Ensuring Application Security from Design to Operation with DevSecOps” (DevOps.com)
• “What is application security?” (TechTarget)
• “Guidelines for Software Development (Australian Cyber Security Centre)

5 - New EU law focuses on cybersecurity of connected digital products

Makers of digital products — both software and hardware — that directly or indirectly connect to networks and to other devices will have to comply with specific cybersecurity safeguards in the European Union.

A newly adopted law known as the “Cyber Resilience Act” outlines cybersecurity requirements for the design, development, production and lifecycle maintenance of these types of products, including IoT wares such as connected cars.

For example, it specifies a number of “essential cybersecurity requirements” for these products, including that they:

• Aren’t shipped with known exploitable vulnerabilities
• Feature a “secure by default” configuration
• Can fix their vulnerabilities via automatic software updates
• Offer access protection via control mechanisms, such as authentication and identity management
• Protect the data they store, transmit and process using, for example, at-rest and in-transit encryption

“The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components (...) are made secure throughout the supply chain and throughout their lifecycle,” reads a statement from the EU’s European Council.

The law will “enter into force” after its publication in the EU’s official journal and will apply and be enforceable 36 months later, so most likely in October 2027 or November 2027. However, some of its provisions will be enforceable a year prior.

For more information and analysis about the EU’s Cyber Resilience Act:

• “Cyber Resilience Act Requirements Standards Mapping” (ENISA)
• “The Cyber Resilience Act, an Accidental European Alien Torts Statute?” (Lawfare)
• “EU Cybersecurity Regulation Adopted, Impacts Connected Products” (National Law Review)
• “Open source foundations unite on common standards for EU’s Cyber Resilience Act” (TechCrunch)
• “The Cyber Resilience Act: A New Era for Mobile App Developers” (DevOps.com)

VIDEO

The EU Cyber Resilience Act: A New Era for Business Engagement in Open Source Software (Linux Foundation) 

6 - UK cyber agency: CISOs must communicate better with boards

CISOs and boards of directors are struggling to understand each other, and this is increasing their organizations’ cyber risk, new research from the U.K.’s cyber agency has found.

For example, in one alarming finding, 80% of respondents, which included board members, CISOs and other cyber leaders in medium and large enterprises, confessed to being unsure of who is ultimately accountable for cybersecurity in their organizations.

“We found that in many organisations, the CISO (or equivalent role) thought that the Board was accountable, whilst the Board thought it was the CISO,” reads a blog about the research titled “How to talk to board members about cyber.”

As a result, the U.K. National Cyber Security Centre (NCSC) has released new guidance aimed at helping CISOs better communicate with their organizations’ boards titled “Engaging with Boards to improve the management of cyber security risk.”

“Cyber security is a strategic issue, which means you must engage with Boards on their terms and in their language to ensure the cyber risk is understood, managed and mitigated,” the document reads.

Here’s a small sampling of the advice:

• Understand your audience, including who are the board’s members and their areas of expertise; and how the board works, such as its meeting formats and its committees.
• Talk about cybersecurity in terms of risks, and outline these risks concretely and precisely, presenting them in a matter-of-fact way.
• Don’t limit your communication with board members to formal board meetings. Look for opportunities to talk to them individually or in small groups outside of these board meetings.
• Elevate the discussions so that you link cybersecurity with your organization’s business challenges, goals and context.
• Aim to provide a holistic view, and avoid using technical jargon.
• Aim to advise instead of to educate.

Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.

Dive into six things that are top of mind for the week ending Nov. 1.

1 - Securing OT/ICS in critical infrastructure with zero trust

As their operational technology (OT) computing environments become more digitized, converged with IT systems and cloud-based, critical infrastructure organizations should beef up their cybersecurity by adopting zero trust principles.

That’s the key message of the Cloud Security Alliance’s “Zero Trust Guidance for Critical Infrastructure,” which focuses on applying zero trust methods to OT and industrial control system (ICS) systems.

While OT/ICS environments were historically air gapped, that’s rarely the case anymore. “Modern systems are often interconnected via embedded wireless access, cloud and other internet-connected services, and software-as-a-service (SaaS) applications,” reads the 64-page white paper, which was published this week.

The CSA hopes the document will help cybersecurity teams and OT/ICS operators enhance the way they communicate and collaborate.

Among the topics covered are:

• Critical infrastructure’s unique threat vectors
• The convergence of IT/OT with digital transformation
• Architecture and technology differences between OT and IT

The guide also outlines this five-step process for implementing zero trust in OT/ICS environments:

• Define the surface to be protected
• Map operational flows
• Build a zero trust architecture
• Draft a zero trust policy
• Monitor and maintain the environment

A zero trust strategy boosts the security of critical OT/ICS systems by helping teams “keep pace with rapid technological advancements and the evolving threat landscape,” Jennifer Minella, the paper’s lead author, said in a statement.

To get more details, read:

• The report’s announcement “New Paper from Cloud Security Alliance Examines Considerations and Application of Zero Trust Principles for Critical Infrastructure”
• The full report “Zero Trust Guidance for Critical Infrastructure”
• A complementary slide presentation

For more information about OT systems cybersecurity, check out these Tenable resources: 

• “What is operational technology (OT)?” (guide)
• “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
• “Tenable Cloud Risk Report 2024” (white paper)

2 - Five Eyes publish cyber guidance for tech startups

Startup tech companies can be attractive targets for hackers, especially if they have weak cybersecurity and valuable intellectual property (IP).

To help startups prevent cyberattacks, the Five Eyes countries this week published cybersecurity guides tailored for these companies and their investors.

“This guidance is designed to help tech startups protect their innovation, reputation, and growth, while also helping tech investors fortify their portfolio companies against security risks," Mike Casey, U.S. National Counterintelligence and Security Center Director, said in a statement.

These are the top five cybersecurity recommendations from Australia, Canada, New Zealand, the U.S. and the U.K. for tech startups:

• Be aware of threat vectors, including malicious insiders, insecure IT and supply chain risk.
• Identify your most critical assets and conduct a risk assessment to pinpoint vulnerabilities.
• Build security into your products by managing intellectual assets and IP; monitoring who has access to sensitive information; and ensuring this information’s protection.
• Conduct due diligence when choosing partners and make sure they’re equipped to protect the data you share with them.
• Before you expand abroad, prepare and become informed about these new markets by, for example, understanding local laws in areas such as IP protection and data protection.

“Sophisticated nation-state adversaries, like China, are working hard to steal the intellectual property held by some of our countries’ most innovative and exciting startups,” Ken McCallum, Director General of the U.K.’s MI5, said in a statement.

To get more details, check out these Five Eyes’ cybersecurity resources for tech startups:

• The announcement “Five Eyes Launch Shared Security Advice Campaign for Tech Startups”
• The main guides: 
  • “Secure Innovation: Security Advice for Emerging Technology Companies”
  • “Secure Innovation: Security Advice for Emerging Technology Investors”
• These complementary documents:
  • “Secure Innovation: Scenarios and Mitigations”
  • “Secure Innovation: Travel Security Guidance”
  • “Secure Innovation: Due Diligence Guidance”
  • “Secure Innovation: Companies Summary”

3 - Survey: Unapproved AI use impacting data governance

Employees’ use of unauthorized AI tools is creating compliance issues in a majority of organizations. Specifically, it makes it harder to control data governance and compliance, according to almost 60% of organizations surveyed by market researcher Vanson Bourne.

“Amid all the investment and adoption enthusiasm, many organisations are struggling for control and visibility over its use,” reads the firm’s “AI Barometer: October 2024” publication. Vanson Bourne polls 100 IT and business executives each month about their AI investment plans.

To what extent do you think the unsanctioned use of AI tools is impacting your organisation's ability to maintain control over data governance and compliance?

^{(Source: Vanson Bourne’s “AI Barometer: October 2024”)}

Close to half of organizations surveyed (44%) believe that at least 10% of their employees are using unapproved AI tools.

On a related front, organizations are also grappling with the issue of software vendors that unilaterally and silently add AI features to their products, especially to their SaaS applications.

While surveyed organizations say they’re reaping advantages from their AI usage, “such benefits are dependent on IT teams having the tools to address the control and visibility challenges they face,” the publication reads.

For more information about the use of unapproved AI tools, an issue also known as “shadow AI,” check out:

• “Do You Think You Have No AI Exposures? Think Again” (Tenable)
• “Shadow AI poses new generation of threats to enterprise IT” (TechTarget)
• “10 ways to prevent shadow AI disaster” (CIO)
• “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach” (Tenable)
• “Shadow AI in the ‘dark corners’ of work is becoming a big problem for companies” (CNBC)

VIDEO

Shadow AI Risks in Your Company

4 - NCSC explains nuances of multi-factor authentication

Multi-factor authentication (MFA) comes in a variety of flavors, and understanding the differences is critical for choosing the right option for each use case in your organization.

To help cybersecurity teams better understand the different MFA types and their pluses and minuses, the U.K. National Cyber Security Centre (NCSC) has updated its MFA guidance.

“The new guidance explains the benefits that come with strong authentication, while also minimising the friction that some users associate with MFA,” reads an NCSC blog.

In other words, what type of MFA method to use depends on people’s roles, how they work, the devices they use, the applications or services they’re accessing and so on.

Topics covered include:

• Recommended types of MFA, such as FIDO2 credentials, app-based and hardware-based code generators and message-based methods
• The importance of using strong MFA to secure users’ access to sensitive data
• The role of trusted devices in boosting and simplifying MFA
• Bad practices that weaken MFA’s effectiveness, such as:
  • Retaining weaker, password-only authentication protocols for legacy services
  • Excluding certain accounts from MFA requirements because their users, usually high-ranking officials, find MFA inconvenient

To get more details, read:

• The NCSC blog “Not all types of MFA are created equal”
• The NCSC guide “Multi-factor authentication for your corporate online services”

For more information about MFA:

• “Multifactor Authentication Cheat Sheet” (OWASP)
• “Deploying Multi Factor Authentication – The What, How, and Why” (SANS Institute)
• “How MFA gets hacked — and strategies to prevent it” (CSO)
• “How Multifactor Authentication Supports Growth for Businesses Focused on Zero Trust” (BizTech)
• “What is multi-factor authentication?” (TechTarget)

5 - U.S. gov’t outlines AI strategy, ties it to national security 

The White House has laid out its expectations for how the federal government ought to promote the development of AI in order to safeguard U.S. national security.

In the country’s first-ever National Security Memorandum (NSM) on AI, the Biden administration said the federal government must accomplish the following:

• Ensure the U.S. is the leader in the development of safe, secure and trustworthy AI
• Leverage advanced AI technologies to boost national security
• Advance global AI consensus and governance

“The NSM’s fundamental premise is that advances at the frontier of AI will have significant implications for national security and foreign policy in the near future,” reads a White House statement.

The NSM’s directives to federal agencies include:

• Help improve the security of chips and support the development of powerful supercomputers to be used by AI systems.
• Help AI developers protect their work against foreign spies by providing them with cybersecurity and counterintelligence information.
• Collaborate with international partners to create a governance framework for using AI in a way that is ethical, responsible and respects human rights. 

The White House also published a complementary document titled “Framework To Advance AI Governance and Risk Management in National Security,” which adds implementation details and guidance for the NSM.

6 - State CISOs on the frontlines of AI security

As the cybersecurity risks and benefits of AI multiply, most U.S. state CISOs find themselves at the center of their governments' efforts to craft AI security strategies and policies.

That’s according to the “2024 Deloitte-NASCIO Cybersecurity Study,” which surveyed CISOs from all 50 states and the District of Columbia.

Specifically, 88% of state CISOs reported being involved in the development of a generative AI strategy, while 96% are involved with creating a generative AI security policy.

However, their involvement in AI cybersecurity matters isn’t necessarily making them optimistic about their states’ ability to fend off AI-boosted attacks.

None said they feel “extremely confident” that their state can prevent AI-boosted attacks, while only 10% reported feeling “very confident.” The majority (43%) said they feel “somewhat confident” while the rest said they are either “not very confident” or “not confident at all.”

Naturally, most state CISOs see AI-enabled cyberthreats as significant, with 71% categorizing them as either “very high threat” (18%) or “somewhat high threat” (53%).

At the same time, state CISOs see the potential for AI to help their cybersecurity efforts, as 41% are already using generative AI for cybersecurity, and another 43% have plans to do so by mid-2025.

Other findings from the "2024 Deloitte-NASCIO Cybersecurity Study" include:

• 4 in 10 state CISOs feel their budget is insufficient.
• Almost half of respondents rank cybersecurity staffing as one of the top challenges.
• In the past two years, 23 states have hired new CISOs, as the median tenure of a state CISO has dropped to 23 months, down from 30 months in 2022.
• More state CISOs are taking on privacy protection duties — 86% are responsible for privacy protection, up from 60% two years ago.

For more information about CISO trends:

• “What’s important to CISOs in 2024” (PwC)
• “The CISO’s Tightrope: Balancing Security, Business, and Legal Risks in 2024” (The National CIO Review)
• “State of CISO Leadership: 2024” (SC World)
• “4 Trends That Will Define the CISO's Role in 2024” (SANS Institute)

TORONTO – The Canadian Securities Administrators (CSA) is providing an update to interested parties on the status of its work to introduce binding authority for an independent dispute resolution service.

Here is a Storify collating the online conversation around the Open, Portable, Decoupled – How should

"Nothing about Saitama passes the eyeball test when it comes to superheroes, from his lifeless expression to his bald head to his unimpressive physique. However, this average-looking guy has a not-so-average problem— he just can't seem to find an opponent strong enough to take on! An emergency summons gathers Class S heroes at headquarters … and Saitama tags along. There, they learn that the great seer Shibabawa left the following prophecy: "The Earth is in danger!" What in the world is going to happen?!" -- Description provided by publisher.

Nothing about Saitama passes the eyeball test when it comes to superheroes, from his lifeless expression to his bald head to his unimpressive physique. However, this average-looking guy has a not-so-average problem-he just can't seem to find an opponent strong enough to take on! When aliens invade Earth, a group of Class-S heroes finally finds a way to fight back and go on the offensive. Inside the enemy mother ship, Saitama fights Boros. Faced with the alien's frightful power, he decides to get serious! What is the Earth's fate?!

"Hero hunter Gato intensifies his onslaught, so of course Saitama decides now is the perfect time to join a combat tournament. Meanwhile, Class-S hero Metal Bat takes an assignment guarding a Hero Association executive and his son, and before long trouble appears!" -- Description provided by publisher.

"A deadly typhoon, a mysterious creature and a girl who won't quit. In 2020, a large creature rampages through Tokyo, destroying everything in its path. In 1959, Asa Asada, a spunky young girl from a huge family in Nagoya, is kidnapped for ransom— and not a soul notices. When a typhoon hits Nagoya, Asa and her kidnapper must work together to survive. But there's more to her kidnapper and this storm than meets the eye. When Asa's mother goes into labor yet again, Asa runs off to find a doctor. But no one bats an eye when she doesn't return— not even as a storm approaches Nagoya. Forgotten yet again, Asa runs into a burglar and tries to stop him on her own, a decision that leads to an unlikely alliance." -- Provided by publisher.

"Asa and Kasuga see the tail of a giant creature rise from the water. In a jungle, explorers discover massive claw marks in a tree trunk. And years later in 1964, a mysterious military man appears asking all the wrong questions." -- Provided by publisher.

"France spirals towards a civil war, as nobles continue to ignore the people of France. Noblewoman Oscar Fraṅois de Jarjayes is forced to reconsider her life as a soldier and a woman, her loyalties and her love. Marie Antoinette and the royal family seek escape, while Robespierre and the National Assembly take up arms and demand democracy." -- Provided by publisher.

At this year’s SpotOn London, one of the most popular and widely tweeted sessions organised

TORONTO – The Canadian Securities Administrators (CSA) warns Canadians about fraudulent “investment groups” promoted on social media like Facebook and Instagram. These groups could be running a scam called a “pump and dump.”How the scam works:

https://www.youtube.com/watch?v=UHhFYrwJjow

https://www.youtube.com/watch?v=Ata12_CZy4A

"At Mt. Natagumo, Tanjiro, Zenitsu and Inosuke battle a terrible family of spider demons. Taking on such powerful enemies demands all the skill and luck Tanjiro has as he and his companions fight to rescue Nezuko from the spiders' web. The battle is drawing in other Demon Slayers but not all of them will leave Mt. Natagumo alive— or in one piece!" -- Page [4] of cover.

"In Taisho-era Japan, kindhearted Tanjiro Kamado makes a living selling charcoal. But his peaceful life is shattered when a demon slaughters his entire family. His little sister Nezuko is the only survivor, but she has been transformed into a demon herself! Tanjiro sets out on a dangerous journey to find a way to return his sister to normal and destroy the demon who ruined his life … After their initial confrontation with Kokushibo, the most powerful of Muzan's demons, Tokito is severely wounded and Genya has been cut in half— but is still alive! Can his regenerative power heal even this fatal wound? Then the Hashira Himejima and Sanemi square off against Kokushibo and unleash all the skill they have against him. Himejima is blind, but if he can see into the Transparent World, he might have a chance. Who will survive this whirlwind of flashing blades?"-- Provided by publisher.

"After centuries of preparation and training, the Demon Slayer Corps has come face-to-face with their nemesis, Muzan Kibutsuji. It is a desperate battle and several Demon Slayers have already been killed. Tanjiro himself has engaged Muzan, and, despite giving it everything he has, is taken out of the fight! Although severely injured and near death, he sees a vision of his ancestor that may hold the key to finally destroying Muzan! Can Tanjiro recover enough strength to fight Muzan to the finish?" -- Provided by publisher

"In Taisho-era Japan, Tanjiro Kamado is a kindhearted boy who makes a living selling charcoal. But his peaceful life is shattered when a demon slaughters his entire family. His little sister Nezuko is the only survivor, but she has been transformed into a demon herself! Tanjiro sets out on a dangerous journey to find a way to return his sister to normal and destroy the demon who ruined his life … Tanjiro finally chases down the main body of the upper-rank demon Hantengu. However, dawn is approaching, and the rising sun is a threat to Nezuko. Tanjiro's concern for his sister is a distraction from the focus he needs to fight Hantengu, and if he hesitates it could be the last mistake he ever makes! Elsewhere, Tamayo ponders the nature of Nezuko's curse and how she could be so different from other demons." -- Provided by publisher

"In order to free the port town of Awa from an evil tyrant, Yona and her friends team up with Jaeha, the Green Dragon, and his fellow pirates. While Hak and the others are fighting Yang Kum-ji's forces, Yona and Yun infiltrate a human trafficking operation! When the enemy closes in and things look dire, what will Yona do?" -- Page [4] cover.

"Nate Adams is just an average kid until the mysterious Whisper gives him the Yo-kai Watch. Now he can see what others cannot: Yo-kai of all shapes and forms! … A mysterious door opens, causing Nate to run into weird and wacky Yo-kai from the past, present and future. Watch as they participate in a battle royale to decide which Yo-kai is the strongest!" -- Provided by publisher.

"Sun dreams of money. Moon dreams of scientific discoveries. When their paths cross with Team Skull, both their plans go awry … Lost in an alternate dimension, Sun and Moon battle to help their new friends defend the eternally dark city of Ultra Megalopolis. But then a betrayal deprives them of their transportation home! Meanwhile, what surprising news does Lillie receive?" -- Provided by publisher

"Magic turned Aster's life upside-down— and it's not over! Get ready for more family, more fun, and even more magic in this graphic novel adventure. Moving to the middle of nowhere has been less of a disaster than Aster expected. Her mom's science experiments are actually pretty cool; her dad's cooking has gotten much better; her new dog is possibly the best canine companion anyone could ask for. And she's gotten to save the day— and her family— and the whole valley she lives in— from various magical calamities in what even she has to admit were extremely fun adventures. So now she can have a break, right? Guess what? Oh no; things get even more interesting." -- Description provided by publisher.