Artificial Intelligence: DOD Needs Department-Wide Guidance to Inform Acquisitions

Source: www.gao.gov.

The Department of Defense is developing artificial intelligence capabilities—computer systems that can do tasks that normally require human intellect.

The private sector has been acquiring AI for years. Thirteen private companies told us about their AI acquisition practices. For example, some companies mentioned the importance of considering intellectual property and data rights when negotiating contracts for AI projects.

Although parts of DOD are already using AI, DOD hasn’t issued department-wide AI acquisitions guidance needed to ensure consistency. We recommended it develop such guidance—considering private company practices as appropriate.

What GAO Found

The Department of Defense (DOD) designated artificial intelligence (AI) a top modernization area and is allocating considerable spending to develop AI tools and capabilities. AI refers to computer systems designed to replicate a range of human functions and continually get better at their assigned tasks. DOD AI capabilities could be used in various ways, for example in identifying potential threats or targets on the battlefield.

GAO obtained information from 13 private sector companies about how they successfully acquire AI capabilities. Elements of these categories, shown below, are also reflected in GAO’s June 2021 AI Accountability Framework report (GAO-21-519SP).

Categories of Factors Selected Companies Reported Considering When Acquiring Artificial Intelligence Capabilities

Although numerous entities across DOD are acquiring, developing, or already using AI, DOD has not issued department-wide guidance for how its components should approach acquiring AI. DOD is in the process of planning to develop such guidance, but it has not defined concrete plans and has no timeline to do so. The military services also lack AI acquisition-specific guidance, though military officials noted that such guidance would be helpful to navigate the AI acquisition process. Without department-wide and tailored service-level guidance, DOD is missing an opportunity to ensure that it is consistently acquiring AI capabilities in a manner that accounts for the unique challenges associated with AI.

Various DOD components and military services have individually developed or plan to develop their own informal AI acquisition resources. Some of these resources reflect key factors identified by private companies for AI acquisition. For example, DOD’s Chief Digital and AI Officer oversees an AI marketplace known as Tradewind, which is designed to expedite the procurement of AI capabilities. Several Tradewind resources emphasize the need to consider intellectual property and data rights concerns when negotiating contracts for AI capabilities, a key factor identified by the companies GAO interviewed.

Why GAO Did This Study

DOD has begun to pursue increasingly advanced AI capabilities. DOD has historically struggled to acquire weapon systems software, and AI acquisitions pose additional challenges. In February 2022, GAO described the status of DOD’s efforts to develop and acquire AI for weapon systems.

Senate Report 116-236 accompanying the National Defense Authorization Act for Fiscal Year 2021 includes a provision for GAO to review DOD’s AI acquisition efforts. This is the second report in response to that provision. This report examines (1) key factors that selected private companies reported considering when acquiring AI capabilities, and (2) the extent to which DOD has department-wide AI acquisition guidance and how, if at all, this guidance reflects key factors identified by private sector companies.

GAO analyzed information provided by 13 private companies with expertise in designing, developing, and deploying AI systems in various sectors to determine the key factors. GAO also analyzed DOD documentation and compared it with the key factors, and interviewed DOD officials.

Recommendations

GAO is making four recommendations for DOD and the three military departments to develop guidance on acquiring AI capabilities, leveraging private company factors as appropriate. DOD concurred with the recommendations.

Recommendations for Executive Action

Agency Affected: Department of Defense
Recommendation 1: The Secretary of Defense should ensure that the Chief Digital and AI Officer, in conjunction with other DOD acquisition policy offices as appropriate, prioritize establishing department-wide AI acquisition guidance, including leveraging key private company factors, as appropriate.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of the Army
Recommendation 2: After DOD issues department-wide AI acquisition guidance, the Secretary of the Army should establish service-specific AI acquisition guidance that includes oversight processes and clear goals for these acquisitions, and leverages key private company factors, as appropriate.
Status: Open.

Agency Affected: Department of the Navy
Recommendation 3: After DOD issues department-wide AI acquisition guidance, the Secretary of the Navy should establish service-specific AI acquisition guidance that includes oversight processes and clear goals for these acquisitions, and leverages key private company factors, as appropriate.
Status: Open.

Agency Affected: Department of the Air Force
Recommendation 4: After DOD issues department-wide AI acquisition guidance, the Secretary of the Air Force should establish service-specific AI acquisition guidance that includes oversight processes and clear goals for these acquisitions, and leverages key private company factors, as appropriate.
Status: Open.

 

AI and Public Policymaking: Understanding the Impact of the Presidential Executive Order

By Broadleaf Services

The intersection of Artificial Intelligence (AI) and public policymaking marks a pivotal moment in the evolution of governance. The recent Presidential Executive Order on AI has set a new precedent for how federal agencies approach and integrate AI technologies. This blog post investigates the influence of AI on public policymaking, focusing on the implications of this Executive Order and how AI’s capabilities in data analysis, trend forecasting, and public engagement are reshaping the policy landscape.

A White House fact sheet on the order can be found here.

The Presidential Executive Order on AI: A Game Changer

The Executive Order serves as a catalyst for widespread AI adoption across federal agencies. It mandates the development and implementation of AI strategies, focusing on:

  1. Enhancing AI Competency: Federal agencies are encouraged to advance their understanding and capabilities in AI to improve efficiency and effectiveness in their operations.
  2. Ethical and Responsible Use: The Order emphasizes the ethical deployment of AI, ensuring that AI systems are fair, transparent, and accountable.
  3. Collaboration and Sharing of Best Practices: It promotes collaboration between agencies, sharing knowledge and resources to foster a unified approach to AI integration.

AI’s Role in Data-Driven Policymaking

The rapid speed at which AI capabilities are advancing compels forward-thinking federal organizations to boldly lead in this moment for the sake of our joint security, economy, and society. Determining the extent to which the Executive Order affects an organization will involve careful assessment of not only an entity’s own use of AI, but also the extent to which its products and services incorporate or are reliant on third-party vendors’ AI-enabled capabilities. Below are some considerations:

Informed Decision-Making:

AI’s ability to process and analyze vast datasets offers an unprecedented advantage in policy formulation. By leveraging AI, agencies can gain deeper insights into complex issues, enabling more informed decision-making. This data-driven approach can lead to policies that are more effective and targeted to the specific needs of the populace.

Forecasting Trends:

AI excels in identifying patterns and predicting future trends. In the context of public policy, this means being able to anticipate societal needs, economic shifts, and environmental changes. Such predictive capabilities allow for proactive policy-making, which can be instrumental in areas like public health, environmental protection, and economic planning.

Enhancing Public Engagement:

AI can transform how the public interacts with government and participates in the policy-making process. Tools like AI-powered chatbots and analysis of public opinion through social media data can provide real-time insights into public sentiment. This not only makes policy-making more inclusive but also helps in aligning policies more closely with public needs and expectations.

Challenges and Considerations:

While the potential of AI in policy-making is immense, it’s not without challenges. Ensuring data privacy, addressing biases in AI algorithms, and maintaining transparency are critical. Moreover, there’s a need for continuous monitoring and evaluation of AI systems to ensure they align with public interests and ethical standards.

Conclusion

The Presidential Executive Order on AI marks a significant step forward in integrating AI into the fabric of federal operations and policymaking. By harnessing AI’s capabilities for informed decision-making, trend forecasting, and enhancing public engagement, we can expect more responsive, effective, and forward-thinking policies. However, as we navigate this new era, it’s crucial to remain vigilant about the ethical and practical challenges that come with these advanced technologies.

As we embark on this journey of AI-driven policymaking, it’s essential for policymakers, technologists, and citizens to engage in an ongoing dialogue. We must work together to ensure that AI is used responsibly and effectively, always prioritizing the public good. Share your thoughts, participate in discussions, and contribute to shaping a future where AI not only advances government operations but also upholds the values of our democratic society.

Cloudflare Points Finger at Hyperscalers Holding Cloud Data Captive

Source: www.cloudcomputing-news.net.

Cloudflare says organizations are losing control over their IT and security environments – and the big cloud providers are holding all the keys to the castle.

The web performance and security provider released a study alongside Forrester which polled almost 450 IT decision makers globally, and found that while organizations had seen a dramatic increase in application adoption – predominantly SaaS-based – challenges have resulted.

Two in five firms polled (40%) agreed that they were losing control over their IT and security environments, while just under a third (30%) of respondents noted that managing and securing public cloud environments, as well as data in SaaS environments, was ‘significantly more complex’ today than ever before.

This is not the only thing which has changed in recent years either. Almost half of organizations polled said one of their top five challenges was the growing number of users they had to manage, as well as type; not just human, but machine and third-party. IT managers are also experiencing problems with maintaining or improving their team’s productivity – cited by 44% of respondents – as well as addressing growing attack surface areas (44%).

Organizations cited an increase in the number of applications they manage as the biggest factor contributing to the loss of control, cited by 66% of respondents. An increase in locations for applications was also popular, according to 62% of those polled, as well as the shift from on-premises to cloud (54%) and the shift towards remote and hybrid workforces (49%).

Who is to blame for these challenging conditions? For Cloudflare, the answer is obvious. “Today, the big clouds have built business models on capturing your data, making it hard to move your data,” said Matthew Prince, CEO of Cloudflare. “These captivity clouds will lure you in with one product, and make it near impossible to mix and match competitive offerings across the cloud space.”

The company claims that it has a solution, and is introducing what it calls the ‘connectivity cloud.’ It is described as a ‘unified platform of cloud-native services designed to help enterprises regain control over their increasingly complex and sprawling technology and data.’

This means, in principle, four key factors. The first is deep, native integration with the internet and enterprise networks for low-latency and infinitely scalable connectivity across users, applications, and infrastructure. The second is limitless interoperability and customizable networking, while the third is a single pane of glass. The last factor is the ability to analyse extremely high volumes and varieties of traffic in order to provide ‘platform intelligence’, which can be seen as a key strength for Cloudflare.

This appears to be a serious outlay for Cloudflare, who introduced itself in the press release as ‘the leading connectivity cloud company’, which might be a safe bet considering it is thus far a category of one.

“Fundamentally, we are a network that makes it easy for you to connect and protect everything,” added Prince. “We sit atop everything else and connect anything that’s online – whether it’s a cloud, a device, a database, or on-premises hardware – so businesses can escape the grasp of the cloud captors.”

 

The Importance of Continuous AI Innovation in Banking

Source: www.thefinancialbrand.com.

Despite all of the talk about AI in financial services, banks and credit unions struggle to know where to start and where best to deploy resources at a time of continued economic uncertainty. Few would argue against the premise that adopting new AI technologies is essential for financial institutions to keep pace with changing customer expectations, to defend business against fintech, big bank and non-financial challengers, and to operate more efficiently.

The key is to maximize AI maturity across the entire organization, reimagining and improving products, services, and processes, hyper-personalizing communication and recommendations to customers, automating manual workflows, and proactively identifying and mitigating emerging risks.

What is “AI maturity”? The term represents the level of commitment, deployment and success of artificial intelligence initiatives in an organization.

Failing to innovate with AI is increasingly putting banks and credit unions at existential risk of falling behind the competition. The AI Innovation Report from Evident Insights found that focusing on AI innovation enables the complete transformation of banks into data-centric organizations. AI innovation also enables leading banks and credit unions to envision the future of financial services, and take the necessary steps to remain dominant players going forward. The report maintains that organizations that fail to make AI innovation core to their strategy risk being left behind in what is increasingly, at least among the largest players, becoming an AI-first industry.

Breaking Down AI Maturity in Banking

Evident Insights’ report examines AI innovation across major banks in North America and Europe. The report analyzes AI maturity across key pillars including research, patents, ecosystems, investments and lessons for leaders.

The overarching finding is clear: a handful of North American banks have sprinted ahead in the race for AI maturity, staking out early leadership positions that will be extremely difficult for lagging competitors to overcome. JPMorgan Chase, Capital One, Wells Fargo and Royal Bank of Canada stand out for aggressive, holistic pursuit of cutting-edge AI innovation.

Figure: Top banks across key AI innovation metrics

The value to other financial institutions is that the AI leaders share common attributes and strategies that other banks and credit unions can learn from. At the core, AI leaders have made innovation in this technology an urgent strategic priority by visibly demonstrating their support. They have committed substantial financial resources and talent to AI progress.


Establishing centralized AI research teams is a hallmark of the most advanced financial organizations, tasked with both pure and applied research. Many firms that don’t spend on such projects may wonder why creating research on AI solutions matters. Leading firms recognize that research teams power innovation, attract top talent and speed reaction to AI advances. The report reaffirms North America’s expanding advantage, with US and Canadian banks accounting for 80% of publications.

Figure: Number of research papers published 2017–2022, by region of bank headquarters

Leaders were also aggressive at filing patents to protect intellectual property and gain competitive advantage. Again, North American banks prevailed, with 99% of patents in the most recent years tracked residing in the US and Canada. Of special note, Capital One’s streamlined patent approval process demonstrates the cultural focus leaders can instill. While regulations differ, European banks must overcome cultural gaps to compete on patents. Similar to creating research, while patents don’t guarantee success, they do appeal to AI talent looking for progressive financial institutions.

No institution can deliver AI maturity single handedly. Tapping into shared innovation through diverse collaborations is essential. Savvy banks are building web-like networks spanning open source communities, universities, accelerators and third-party solution providers. This cooperation with outside expertise gives access to greater flows of ideas, technologies and partnerships. Active open source participation also signals engineering strength, according to Evident Insights.

Finally, the report finds that banks have been ramping up their AI startup investments, with deal volume growing 15% annually from 2017-2022. However, there are pronounced regional differences. Historically, US banks dominated, accounting for 89% of deals in 2015. But while still leading, their share has fallen to 61% by 2022 as European banks, especially French institutions, increase their focus in this area.

Figure: Number of banking investments made into AI companies, 2010–2022

Overall, the top five US banks – Wells Fargo, Goldman Sachs, First Citizens, Citi and JPMorgan Chase – account for over 50% of all AI startup investments. Wells Fargo leads, having made 157 deals. Goldman Sachs has broad exposure through over 100 deals across various subsidiaries. (First Citizens entered the top ranks after acquiring Silicon Valley Bank.)

In terms of recipients, 60% of AI startups backed by banks are US-based. However, US banks are more globally diversified, deploying substantial capital in Asia and Europe. In contrast, European banks concentrate domestically, with French institutions heavily backing local AI startups.

 

Why Personal Cyber Coverage is Becoming a Must-Have

Source: www.insurancebusinessmag.com.

Cyber attacks against businesses, including some of America’s largest companies, regularly fill the headlines. But it’s not just businesses, it’s also individuals who are affected by cyber attacks and looking for insurance coverage.

Nearly half (47%) of American adults have had their personal information exposed by cyber criminals, while one in three homes with computers are infected with malicious software, according to the Cybersecurity & Infrastructure Security Agency (CISA).

For Kareen Boyadjian, the growing cyber threat has made personal coverage a must-have.

“Attacks will happen to individuals, it’s a matter of whether they can sustain the impact of when they happen,” she said.

“Having cyber insurance is as important as an auto or homeowners’ policy. If things happen, you have the protection you need.”

Pandemic played a role in personal cyber coverage

Interest in cyber insurance policies for individuals started growing during the COVID-19 pandemic, according to Boyadjian. This period coincided with a huge surge in ransomware attacks and extortion claims in commercial cyber worldwide.

“When commercial cyber losses started coming with frequency and severity, it wasn’t just the businesses who were hit by extortion demands and suffered business interruption costs, but the consumers whose information was compromised in the process,” Boyadjian said.

“It got people thinking, ‘how does this affect me? How do I protect myself if my information is at risk of being corrupted, stolen, or sold on the dark web?’ Since 2020 and 2021, that concern has continued to increase substantially.”

The collective shift to working from home also kickstarted interest in personal cyber coverage.

“All of a sudden, we were all in a position where the lines between an individual’s business exposure and personal exposure started to get a little blurry,” said Boyadjian.

Cyber criminals getting more sophisticated

Cybercrime is the most common cause of claims in personal cyber, followed by cyber extortion, according to Boyadjian.

Cyber criminals have become increasingly sophisticated in their tactics, particularly in social engineering schemes, to prey on individuals, making personal cyber coverage much more relevant.

“In the past, they would send one generic spoof email out to thousands of people in hopes a few would fall victim, which inevitably would happen,” Boyadjian said.

“But now we’re seeing that hackers are getting much more creative about how they target their victims. They’re studying what kind of language you use, who you email most frequently, who has authorization to wire money, who your money manager or attorney are, even what kind of emojis you send out.”

Comprehensive personal cyber coverage

To help individuals safeguard themselves and their loved ones from cyber threats, Tokio Marine HCC – Cyber & Professional Lines Group has created a comprehensive standalone cyber solution in the marketplace.

NetGuard® Select is designed to protect individuals from emerging cyber threats, including cyber extortion, ransomware, cybercrime, breach event costs, data recovery, cyber bullying, and identity and privacy theft.

“Individuals may have some semblance of cyber coverage in their homeowners’ policy or in a related group policy, but it often doesn’t extend coverage to cybercrime, data recovery or other significant exposures. Additionally, the cyber endorsement coverage shares a limit with the homeowner’s policy, and if that carrier decides to non-renew or exit a state, it can leave that policyholder without cyber coverage,” said Boyadjian.

In contrast, NetGuard® Select offers extensive protection and also extends coverage to the insured’s family members.

But what makes the offering truly special is that it gives policyholders access to expert services in identity protection, fraud detection, and dark web monitoring services.

“It’s not just the comprehensive insurance solution, 24/7 claims services, and the decades of cyber claims experience we offer, it’s also proactive cyber monitoring services that comes with the policy for no additional premium that makes this product unique. It’s truly the full package,” Boyadjian said.

Though NetGuard® Select is targeted towards high-net-worth individuals, anyone can apply for coverage.

“Most people think that because they’re not a celebrity or a professional athlete, no one is going to benefit stealing their personal information and selling it on the dark web,” said Boyadjian.

“That’s precisely what the hackers are preying on. They’re relying on you to think that way so your guard will be down. Having this important coverage in place will help keep peace of mind for our policyholders and get them back up and running when they need it most.”

Major Cyber Attack Could Cost the World $3.5 Trillion -Lloyd’s of London

Source: www.reuters.com

LONDON, Oct 18 (Reuters) – A major cyber attack on a financial services payments system could lead to global losses of $3.5 trillion, with much of it not covered by insurance, commercial insurance market Lloyd’s of London (SOLYD.UL) said on Wednesday.

The United States would suffer losses of $1.1 trillion over a five-year period from such an attack, which would cause widespread disruption to global business, according to a systemic risk scenario developed by Lloyd’s and the Cambridge Centre for Risk Studies.

China would face $470 billion in losses and Japan $200 billion over the same period, Lloyd’s said.

“The global interconnectedness of cyber means it is too substantial a risk for one sector to face alone and therefore we must continue to share knowledge, expertise and innovative ideas across government, industry and the insurance market to ensure we build society’s resilience against the potential scale of this risk,” Lloyd’s chairman Bruce Carnegie-Brown said.

Cyber insurance saw over $9 billion in gross written premiums in 2022 and is forecast to grow to $13 billion to $25 billion by 2025, Lloyd’s said.

Concern about the cost of such insurance and whether it will provide cover in the case of war are deterring some potential customers, brokers say.

Over 20% of the world’s cyber premium is placed in the Lloyd’s market, Lloyd’s said.

Major cyber insurers Beazley (BEZG.L) and Hiscox (HSX.L) are among more than 50 insurance companies in the Lloyd’s market.

 

Four Health IT Experts Point to Impactful Trends in 2024

Source: www.healthcareitnews.com.

“Forward-thinking provider organizations will … augment their EHRs through fully integrated, consumer-friendly tools that help reduce call volume and alleviate repetitive, manual workflows.”

“There is a renewed and intensified focus on economics, efficiencies and automation, and a cautious approach to limited application of AI to leverage less skilled and tedious tasks such as medical scribing.”

“Healthcare organizations … should lean into the proven measurable results from applications such as machine learning and natural language processing.”

These are some of the predictions from four healthcare information technology experts Healthcare IT News rounded up to offer readers thoughts on the year ahead.

Patty Riskind, CEO, Orbita

“The industry must show demonstrable progress in making healthcare as self-service as possible for patients,” said Patty Riskind, CEO of Orbita, a vendor of smart virtual assistants and workflow automation for healthcare. “This will not only benefit patients but also help alleviate the administrative burden on clinicians and staff.

“While EHR vendors have long said they will incorporate digital tools within their systems, their development priorities, by necessity, must focus on compliance and regulatory updates.

“Forward-thinking provider organizations will more aggressively seek partners to augment their EHRs through fully integrated, consumer-friendly tools that help reduce call volume and alleviate repetitive, manual workflows, resulting in more efficient operations and enhanced staff and patient engagement.”

Dr. David J. Sand, chief medical officer, ZeOmega

“Healthcare organizations across the care delivery spectrum are reckoning with the continued fallout from COVID, including staff burnout and staffing shortages, striking healthcare workers, and shifts in their revenue base,” said Dr. David J. Sand, chief medical officer at ZeOmega, an enterprise healthcare management organization.

“There is a renewed and intensified focus on economics, efficiencies and automation, and a cautious approach to limited application of AI to leverage less skilled and tedious tasks such as medical scribing.

“Last year, I predicted we would see an increase in M&A activity involving highly leveraged healthcare tech companies, many of which, while having impressive intellectual capital, had yet to create margins or revenue streams to substantiate their valuations.

“We are now seeing these companies, from insurtechs to AI-driven vendors, simply shuttering their operations, leaving others in the field to ‘hold the bag.’”

Dr. Emad Rizk, chairman, president and CEO, Cotiviti

“Healthcare is under significant pressure and change following the COVID-19 public health emergency, specifically a workforce shortage and increasing costs from wage increases and inflation,” said Dr. Emad Rizk, chairman, president and CEO of Cotiviti, a vendor of advanced technology and data analytics for healthcare organizations. “The industry is responding to these pressures by looking at ways technology can improve productivity and the quality of care delivery.

“As healthcare organizations look at these new technologies, they should take a measured approach while leaning into the proven measurable results from other applications such as machine learning and natural language processing.

“These technologies must be guided by human medical and investigative expertise, and nationally accepted guidelines by medical societies and academies. Technology can never work in a vacuum without human judgement and clinical expertise.

“In 2024, as the industry continues to explore and adopt various forms of new technologies presented to them, health plans must weigh the opportunities and risks as they develop a rigorous approach to their application, focusing on how they can help to maximize effectiveness – and always deploying them alongside human expertise, with appropriate safeguards to ensure compliance while improving value.”

Rajesh Subramaniam, managing director and CEO, ResultsCX

“The healthcare landscape is undergoing a significant transformation driven by the growing emphasis on patient engagement and empowerment,” said Rajesh Subramaniam, managing director and CEO of ResultsCX, a vendor of customer experience management systems. “Research cited in Forbes indicates 80% of consumers are inclined to connect with and remain loyal to brands that offer personalized experiences.”

 

U.S. Government Issues Stark Warning, Calling Firmware Security a ‘Single Point of Failure’

Source: www.securityweek.com

The U.S. government, at the very highest levels, is calling attention to major weaknesses in the firmware supply chain, warning that the layer below the operating system is fertile ground for devastating hacker attacks.

A new joint draft report issued by leadership of the U.S. Department of Homeland Security (DHS) and Department of Commerce said firmware presented “a large and ever-expanding attack surface” for malicious hackers to subvert the core of modern computing.

“Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale.”

“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the two agencies said following a one-year assessment of the supply chains for critical IT infrastructure deployed in the United States.

“Firmware can also be a lucrative target with a relatively low cost of attack. Over the past few years, hackers have increasingly targeted firmware to launch devastating attacks.”

The 96-page report (PDF), published to support the Biden Executive Order on securing America’s supply chains, warned that firmware’s privileged position in the computing stack gives stealthy attackers a major advantage.

Despite its essential role in electronic devices, the agencies insisted that firmware security “has not traditionally been a high priority for manufacturers or users and is not always well protected.” 

During the assessment, the agencies found that firmware on items such as network cards, Wi-Fi adapters, and USB hubs is often not properly signed with public or private keys.

“These devices have no way to verify that the operating firmware is authentic and can be trusted.”
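As an added illustration of the verification these agencies say such devices lack (example code written for this digest, not from the report or any vendor), the Go program below defines a constructed firmware image layout with a hypothetical magic value, signs it with an Ed25519 vendor key, and has the device-side check reject a tampered payload, a tampered header, an unsigned image, a signature from the wrong key and a rollback to an older version before any payload is accepted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (hypothetical, not any vendor's format):
// magic (8 bytes) || version (u32 LE) || payloadLen (u32 LE) || payload || Ed25519 signature.
// The signature covers everything before it, so the header fields are protected as well.
const imageMagic = "FWIMG001"
const headerSize = len(imageMagic) + 8

var (
	ErrBadMagic  = errors.New("not a firmware image")
	ErrTruncated = errors.New("image length inconsistent with header")
	ErrBadSig    = errors.New("signature does not verify against the vendor key")
	ErrRollback  = errors.New("image version is not newer than the installed version")
)

// BuildImage is the vendor-side step: serialize the header and payload, then sign them.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(imageMagic)
	binary.Write(&buf, binary.LittleEndian, version)
	binary.Write(&buf, binary.LittleEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the device-side step: check structure, then signature, then anti-rollback,
// and only then hand back the payload. Nothing in the image is trusted before the signature passes.
func VerifyImage(pub ed25519.PublicKey, installedVersion uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerSize+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	if string(img[:len(imageMagic)]) != imageMagic {
		return 0, nil, ErrBadMagic
	}
	version := binary.LittleEndian.Uint32(img[len(imageMagic):])
	payloadLen := binary.LittleEndian.Uint32(img[len(imageMagic)+4:])
	// Compare in uint64 so a hostile length field cannot wrap the arithmetic.
	if uint64(headerSize)+uint64(payloadLen)+uint64(ed25519.SignatureSize) != uint64(len(img)) {
		return 0, nil, ErrTruncated
	}
	end := headerSize + int(payloadLen)
	if !ed25519.Verify(pub, img[:end], img[end:]) {
		return 0, nil, ErrBadSig
	}
	if version <= installedVersion {
		return 0, nil, ErrRollback
	}
	return version, img[headerSize:end], nil
}

// RunScenarios exercises the verifier with a freshly generated vendor key and returns
// the outcome of each case (nil means the image was accepted).
func RunScenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, wrongPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	payload := []byte("constructed sample NIC firmware blob, version 2") // placeholder payload
	installed := uint32(1)
	out := map[string]error{}
	good := BuildImage(priv, 2, payload)
	_, _, out["valid"] = VerifyImage(pub, installed, good)
	tampered := append([]byte(nil), good...)
	tampered[headerSize] ^= 0x01 // flip one payload bit after signing
	_, _, out["tampered_payload"] = VerifyImage(pub, installed, tampered)
	hdrTampered := append([]byte(nil), good...)
	hdrTampered[len(imageMagic)] = 9 // rewrite the version field without re-signing
	_, _, out["tampered_header"] = VerifyImage(pub, installed, hdrTampered)
	unsigned := append(append([]byte(nil), good[:len(good)-ed25519.SignatureSize]...), make([]byte, ed25519.SignatureSize)...)
	_, _, out["unsigned"] = VerifyImage(pub, installed, unsigned) // all-zero signature
	_, _, out["wrong_key"] = VerifyImage(pub, installed, BuildImage(wrongPriv, 2, payload))
	_, _, out["rollback"] = VerifyImage(pub, installed, BuildImage(priv, 1, payload))
	_, _, out["stripped"] = VerifyImage(pub, installed, good[:len(good)-ed25519.SignatureSize])
	badMagic := append([]byte(nil), good...)
	copy(badMagic, "XXXXXXXX")
	_, _, out["bad_magic"] = VerifyImage(pub, installed, badMagic)
	return out
}

func main() {
	for name, err := range RunScenarios() {
		if err == nil {
			fmt.Printf("%-17s accepted\n", name)
		} else {
			fmt.Printf("%-17s rejected: %v\n", name, err)
		}
	}
}
```

The order of checks matters: the signature is verified before the version field is consulted, so the anti-rollback decision is only ever made on data the vendor actually signed.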

Even worse, the agencies called special attention to the fact that OEMs and computer makers outsource firmware development to third party suppliers. “[This] introduces risks related to the lack of transparency into suppliers’ programming and cybersecurity standards.”

The government’s warning comes as threat hunters spot signs that nation-state APT actors are using UEFI firmware implants to maintain stealthy infections and survive reboots and OS reinstallations. The notorious FinSpy surveillance spyware toolkit was also fitted with a bootkit to conduct stealthy infections.

In the report, the agencies also warned of “complex supply chains” that compound the problems securing firmware deployments.

“In PC production, for example, the OEMs are typically responsible for firmware and the rest of the PC platform elements. However, many OEMs outsource firmware development to third-party suppliers where OEMs may not have visibility into their cybersecurity hygiene. Even if OEMs establish security standards, they may not be able to enforce supplier security protocols across a wide range of components and sub-suppliers,” the government agencies warned.

The report also noted that individual OEM vendors may modify the firmware based on device needs once the firmware has been delivered to the OEM. “This can lead to confusion about what party is ultimately responsible for firmware integrity and who is to supply customer updates.” 

“In addition, as devices and firmware change, OEMs often contract with different firmware developers, which can lead to delays or a lack of any update when older devices require updating and the original developer is not available. All of these factors can leave firmware open to malicious attacks,” the report said.

The agencies also called attention to the pain-point of applying firmware updates. “A firmware’s update process and capability vary by device. Some devices receive regular firmware updates. Some may only receive one update over their lifetimes, while others may never receive an update.”

Even worse, the process to install firmware updates is not simple, leading to skipped patches for critical-level vulnerabilities. 

“Firmware updates present a major logistical challenge for many enterprises,” the agencies said. “In many instances, device firmware is never updated or may only be updated in an emergency. In addition, vendors may only supply firmware updates if driven by an incident or identified vulnerability.”