Top Stories of the Week: 1/4/2025-1/10/2025
From major healthcare cybersecurity updates to new federal initiatives and global treaties, this week’s Friday Five spotlights evolving efforts to combat cybercrime and data breaches.
Massive Healthcare Breaches Prompt US Cybersecurity Rules Overhaul
The U.S. Department of Health and Human Services (HHS) has proposed updates to HIPAA to strengthen healthcare cybersecurity after a rise in data breaches, underscoring the urgency of improved safeguards. New rules would require encrypting protected health information, implementing multifactor authentication, and segmenting networks to thwart attackers. Anne Neuberger, White House cybersecurity adviser, noted the updates respond to recent large-scale ransomware attacks and breaches affecting hospitals. These changes—the first since 2013—aim to protect critical infrastructure and patient safety. Initial implementation costs are estimated at $9 billion.
Forthcoming Executive Order Seeks to Plug Holes in Federal Cyber Practices
by Natalie Alms, David DiMolfetta, & Alexandra Kelley
The Biden administration is set to issue a comprehensive cybersecurity executive order focusing on stricter software procurement, endpoint detection and response (EDR), post-quantum cryptography (PQC), and artificial intelligence (AI) for cyber defense. The order builds on lessons from the 2021 Colonial Pipeline and SolarWinds hacks and recent breaches by Chinese hackers. Key measures include securing software supply chains, adopting PQC to future-proof encryption, and integrating AI for threat detection. Agencies must enhance internet routing security, encrypt communications, and bolster space systems' defenses. The directive emphasizes international collaboration on PQC and advancing digital identity verification. While praised for its technical focus, the order’s future under a potential Trump administration remains uncertain.
Hundreds of Organizations Were Notified of Potential Salt Typhoon Compromise
Chinese-backed hacking group Salt Typhoon has infiltrated tens to hundreds of U.S. telecommunications systems, targeting major firms and multiple high-profile political figures, including those connected to President-elect Trump. Investigations reveal the breaches exploited long-patched vulnerabilities in systems like Microsoft Exchange and Ivanti, with inadequate cybersecurity measures, such as weak passwords, aiding the attacks. The campaign, linked to China's Ministry of State Security, has lasted up to two years, compromising sensitive systems like wiretap databases. The FCC and Congress are pushing for stricter cybersecurity regulations, including mandatory annual testing and secure handling of CALEA systems, but experts warn addressing vulnerabilities will be costly and complex. Meanwhile, officials debate whether U.S. cyber defenses should take a more offensive approach to counter foreign threats.
Microsoft Moves To Disrupt Hacking-As-A-Service Scheme That’s Bypassing AI Safety Measures
Microsoft has filed a lawsuit in Virginia against ten unidentified individuals accused of exploiting stolen credentials and custom software to misuse its Azure OpenAI services for generating harmful content. The group allegedly stole API keys from U.S. companies and reverse-engineered safety protocols to bypass restrictions, enabling the creation of unauthorized AI-generated media and stripping metadata from outputs. Microsoft obtained a court order to seize domains used in the scheme and redirect communications for investigation. The defendants, operating a hacking-as-a-service model, sold unauthorized access to generative AI tools. The case highlights ongoing efforts to combat the misuse of AI technology, with Microsoft and OpenAI implementing guardrails to prevent exploitation. Despite challenges, U.S. companies' protections have hindered malicious actors, including foreign nations, from fully leveraging generative AI for disinformation campaigns.
After UN Adoption, Controversial Cybercrime Treaty’s Next Steps Could Prove Vital
by Tim Starks
The United Nations' newly adopted cybercrime treaty aims to combat crimes like human trafficking and money laundering through international cooperation, but it has drawn criticism for potential human rights risks, with some critics warning that nations with poor rights records could misuse the treaty to target journalists and dissidents. The treaty requires 40 ratifications to take effect, which could face delays, particularly in the U.S., where Senate approval and presidential endorsement are needed. While critics highlight flaws like vague definitions of "serious crime," supporters argue it can standardize laws and bolster enforcement globally. Provisions emphasize alignment with human rights laws, but implementation and accountability remain contentious. U.S. and European leaders vow to push for rights-aligned applications, while U.N. Secretary-General António Guterres praised the treaty as a step toward safer cyberspace.