LONDON – Britain’s media regulator Ofcom said on Oct 17 that it would detail what action it expected social media companies to take over illegal content on their platforms in December, saying it expected swift action or they would face consequences.

Ofcom, which is responsible for implementing the government’s Online Safety Bill, said the platforms would have three months to complete their own illegal harms risk assessments after the publication of its demands.

“The time for talk is over,” Ofcom’s Chief Executive Melanie Dawes said on Oct 17. “From December, tech firms will be legally required to start taking action, meaning 2025 will be a pivotal year in creating a safer life online.”

She said the regulator had already seen positive changes, but expectations were going to be high.

“We’ll be coming down hard on those who fall short,” she said.

Ofcom said better protections had already been introduced by Meta, the owner of Instagram and Facebook, and Snapchat which have brought in changes to help prevent children being contacted by strangers.

Britain’s new online safety regime, which became law last year, requires social media companies to tackle the causes of harm, particularly for children, by making their services safer.

If companies do not comply with the new law, they could face significant fines and, in the most serious cases, their services could be blocked in Britain. REUTERS

WASHINGTON – Chinese hackers are positioning themselves in US critical infrastructure in the event of a clash with the United States, a top American cybersecurity official said on Nov 22.

Ms Morgan Adamski, the executive director of US Cyber Command, said ongoing Chinese-linked cyber operations are aimed at gaining “an advantage in the event of a major crisis or conflict with the US.”

Ms Adamski made the comments to researchers at the Cyberwarcon security conference in Arlington, Virginia.

On Nov 21, US Senator Mark Warner told the Washington Post that a suspected China-linked hack on US telecommunications firms was “the worst telecom hack in our nation’s history – by far.”

That cyberespionage operation, dubbed “Salt Typhoon,” has included stolen call records data, the compromise of communications of top officials of both major US presidential campaigns before the Nov 5 election, and telecommunications information related to US law enforcement requests, the FBI said, in a recent statement.

Beijing routinely denies cyber operations targeting US entities.

The Chinese Embassy in Washington did not immediately respond to a request for comment. REUTERS

SINGAPORE– The Cyber Security Agency (CSA) is starting a study aimed at raising the productivity and professionalism of cyber-security workers.

It may result in an outline of the competencies required of chief information security officers – known by the acronym Cisos – and their teams of security executives who are in high demand, given their key role amid surging cyber attacks.

Ms Veronica Tan, CSA’s director at safer cyberspace division, told The Straits Times: “For organisations, clarity in standards and desired skills at various roles will mean greater improvements in workforce competency and productivity.”

The study will involve industry players, training institutions and certification bodies, she added.

CSA’s plan comes as companies warm to the idea of designated cyber-security personnel, but sometimes find themselves hindered by limited budgets and a shortage of skilled talent.

Mr Nyan Yun Zaw, the first Ciso at Singapore cyber security advisory firm Athena Dynamics, said: “The industry turnover rate for Cisos is unfortunately pretty high because it is a highly challenging and stressful job.

“When the organisation faces a security incident, this is the first person everyone looks to.”

Chief information security officer, a title that arose up in the 1990s after Citibank appointed one following a cyber attack, have risen in prominence in recent years as some countries made mandatory disclosures of material cyber breaches or attacks.

There have also been high-profile cases of criminal charges taken against such officers, such as at Uber and SolarWinds.

Mr Zaw took on the job at Athena Dynamics just over a year ago when his company expanded it beyond IT infrastructure and support.

His background was a string of roles ranging from engineering, cyber security, programming, to business development and sales in the firm since its set-up in 2014.

He added to his expertise by becoming a Certified Information Systems Security Professional, a label granted by the International Information System Security Certification Consortium, also known as ISC2.

He said: “We felt that there is a need to have a dedicated Ciso since we are also part of a listed company.”

Cisos spend their time securing their companies’ assets, learning new threats and technologies, and working with cross-functional teams, he said.

He added: “Ciso is a management position, so it is important for a Ciso to be knowledgeable in various aspects of cyber ranging from governance, risk and compliance to network security architectures.”

In the 12 months leading up to September, job portal Indeed recorded 48 per cent of its postings in Singapore seeking communication skills in cyber security leaders, compared to 38 per cent specifying expertise in IT, and 16 per cent in information security.

Around the same time, the number of postings for such roles on its portal dropped 36 per cent, suggesting that firms might be filling positions through internal promotions or team restructuring, said Mr Saumitra Chand, Indeed’s career expert.

“This decline may be due to the demanding nature of leadership positions like Cisos, which require high levels of expertise and specialisation,” he said.

To help small and medium-sized enterprises (SMEs) or non-profit organisations that cannot afford designated security personnel, CSA launched its CISO-as-a-Service (CISOaaS) scheme in February 2023.

It has received about 200 applications so far.

Organisations tapping the scheme can use CSA’s panel of 19 vendors to audit their cyber health and guide them to attain CSA’s Cyber Essentials and Cyber Trust marks, with up to 70 per cent subsidies.

CSA is planning updates to the two marks to reflect new risks in cloud, operational technology and Artificial Intelligence (AI), said Ms Tan.

Digital agency Digipixel, which has used CISOaaS, said achieving both trust marks helped it gain trust from customers.

Its director, Mr Leon Tan, said: “Pooled services can sometimes lack industry-specific context, but our collaboration with CSA has been a productive exchange.”

Mr Dave Gurbani, chief executive at CyberSafe, an appointed vendor, said: “We start by conducting a cyber-security health plan, like a doctor’s check-up.”

The firm then helps its mostly SME clients work through their internal controls, configurations, policies, and training to pass the audits for CSA’s marks.

“Many SMEs still think of cyber security in terms of anti-virus tools or maybe a firewall. To put it simply, that’s like thinking you’re ready for the day just because you have your socks and shoes on,” Mr Gurbani said.

Gaps that frequently show up include outdated systems, misconfigurations from third-party vendors, and weak access controls like shared passwords and lack of Multi-Factor Authentication.

“Without guidance, these vulnerabilities can be hard to recognise and fix,” Mr Gurbani added.

Another vendor, Momentum Z, takes firms calling on the CISOaaS service through a three-pronged assessment of employees’ cyber-security basics, company’s processes and policies, and cyber-security infrastructure such as firewall, antivirus, back-up data use and endpoint security.

Chief executive Shane Chiang said he has had clients that have not changed passwords for six years, or who had been granting external vendors remote access to their network with no inkling.

He said: “’Clients are often surprised to learn the vulnerabilities in their systems, which reinforces the importance of having a Ciso to bring structure and foresight into cyber security.”

CSA’s 2023 cyber security health survey released in March noted that only one in three organisations have fully implemented at least three of CSA’s five categories of recommended measures.

More organisations need help with knowing what data they have, where the data is stored and how to secure the data, CSA’s Ms Tan said. Businesses are also weak at safeguarding their systems and networks against malicious software, as well as guarding access to data and services.

She urged more organisations to tap CSA’s tools to up their game, adding: “Unless all essential measures are adopted, organisations are still exposed to unnecessary cyber risks, especially as they accelerate digitalisation and adopt fast-evolving technologies such as AI.

“Partial adoption of measures is inadequate.”

WASHINGTON – Russian hackers are going after US government officials, defence workers and others in a new email phishing campaign targeting thousands of people, according to Microsoft Corp.

The hackers have sent “a series of highly targeted spearphishing emails” to thousands of people in more than 100 organisations since Oct 22, according to a blog post from Microsoft Threat Intelligence published on Oct 29. 

The latest campaign will add to mounting concerns over US failures to outwit suspected Russian and Chinese hackers.

The FBI said on Oct 25 it is investigating unauthorised access by Chinese state-affiliated hackers targeting the commercial telecommunications sector.

In some of the emails that were part of the latest campaign, the senders impersonated Microsoft employees, according to the blog.

Spearphishing involves sending tailored emails to individuals, including links to malicious websites that can then steal information.

It wasn’t immediately clear how many of the attacks, if any, were successful.

Microsoft has said the attacks are perpetrated by a sophisticated Russian nation-state group it calls Midnight Blizzard, which US and UK governments have connected to the SVR, the Russian foreign intelligence service. 

The company said in January that the group attacked its corporate systems, getting into a “small number” of email accounts, including senior leadership and employees who work in cybersecurity and legal.

In April, US federal agencies were ordered to analyse emails, reset compromised credentials and work to secure Microsoft accounts.

At the time, the Cybersecurity and Infrastructure Security Agency (Cisa) said the incident represented a “grave and unacceptable risk” to agencies, according to the April directive. 

Cisa and US State Department didn’t immediately respond to requests for comment.

The Russian Embassy in Washington didn’t immediately respond to a request for comment. BLOOMBERG