View as Webpage

Volume 5, Issue 3

Welcome


Welcome to the third issue of 2024 of Decoded - our technology law insights e-newsletter.


We are very pleased to announce that Spilman recently received the Empowering Women Award from Virginia Lawyers Weekly. The Empowering Women Award is designed to showcase tangible and innovative efforts by law firms to advance women attorneys in the workplace and community. “We are honored to be included in the inaugural class of Empowering Women honorees,” said Lori D. Thompson, Member in Charge of Spilman’s Roanoke office and the firm’s DEI Committee Chair. “Spilman has shown a strong commitment to supporting and elevating women and other minorities in the legal field, not only in our Virginia office, but throughout the firm’s nine-office footprint.” To learn more, click here.


Thank you for reading!


Nicholas P. Mooney II, Co-Editor of Decoded, Chair of Spilman's Technology Practice Group, and Co-Chair of the Cybersecurity & Data Protection Practice Group


and


Alexander L. Turner, Co-Editor of Decoded and Co-Chair of the Cybersecurity & Data Protection Practice Group

Using AI to Build Cyber Resilience for Critical Infrastructure

"Cyber resilience serves as a literal survival strategy, offering a framework to detect threats, understand attacks, recover swiftly, and adapt to ever-evolving risks."


Why this is important: The article discusses critical infrastructure, which is essential for public safety and comfort, being a prime target for threat actors. Its status as a target is enhanced because some aspects of our nation’s infrastructure have limited IT budgets and departments as well as a complex web of stakeholders which results in larger attack surfaces. The article argues that our nation’s critical infrastructure can strengthen its defenses by harnessing the power of AI. For example, AI can be used to more rapidly detect anomalies, validate the integrity of vast quantities of data, determine the scope of attacks, more quickly implement recovery strategies. The article makes the point that organizations seeking to fortify their defenses against cyberattacks should consider incorporating AI into those defenses. Companies that are not in the critical infrastructure space nonetheless should consider how they can implement AI into their cyber defenses. If you would like to discuss your company’s defenses to cyberattacks, contact a member of Spilman’s data privacy team. --- Nicholas P. Mooney II

Actor's Union Contract Says Only Humans Can be Voice Actors in Animations, Resisting AI Tech

“The nuanced document that SAG-AFTRA released to explain its new contracts makes a number of references to the way voice-actor roles are different from on-screen actor roles.”


Why this is important: In the television animation space, the recent ratifications of the 2023 Television Animation Agreement and the 2023 Basic Cable Animation Agreement between the Screen Actors Guild-American Federation of Television and Radio Artists (SAG-AFTRA) and the Alliance of Motion Picture and Television Producers (AMPTP) are monumental stop-gaps against the encroachment of generative artificial intelligence into the name image and likeness (NIL) rights of voice actors. The recent 118-day labor strike of SAG-AFTRA members regarding the negotiations with AMPTP partially stemmed from concerns about the capacity and intention of studios to artificially reproduce the voices of human performers without their consent or fair compensation. This SAG-AFTRA animation voiceover contract is the inaugural joint stance against the potentially rampant misappropriation of intellectual property rights of individuals via the use of artificial intelligence. --- Sophia L. Hines

AI’s Copyright Problem will Soon Slow Adoption, Gartner Says

“The analyst firm said efforts to mitigate intellectual property leaks and copyright infringement will diminish ROI.”


Why this is important: The fast road to implementing generative artificial intelligence (AI) tools may be facing rockier terrain up ahead. Procter & Gamble and American Honda implemented internal AI tools, chatPG and Microsoft's Copilot respectively, with strong safeguards to prevent intellectual property (IP) leakage and copyright infringement. However, the surge in copyright lawsuits against big tech companies, including OpenAI and Microsoft, raises concerns about IP violations in AI-generated content. The recent approval of the AI Act by the European Union aims to regulate AI systems and models, requiring vendors to disclose training data and comply with copyright laws. Vendors like OpenAI, Microsoft, Google, and AWS are pledging to protect customers from legal claims related to copyright infringement. Despite these efforts, there remains ambiguity and growing regulatory scrutiny surrounding generative AI adoption, making it challenging for enterprise tech leaders to navigate. Businesses implementing these services should be careful to read the fine print in their vendor contracts when it comes to copyright indemnification. The best and safest route is to only use products trained on closed data sets that have been cleared of copyright issues. --- Shane P. Riley

Biden $13 Billion Cybersecurity Budget Request would Provide Major Boosts to CISA, AI Research

“The request is close to the administration’s original plan for $12.7 billion for 2024, something that was waylaid by a contentious bipartisan budget debate that has left the government operating on a temporary resolution and faced with an imminent shutdown as a broad assortment of bills are negotiated.”


Why this is important: The Biden administration recognizes the need to strengthen our cybersecurity infrastructure and preparedness. To assist with hardening the U.S. economy and infrastructure against cyberattacks and the malicious use of AI, the White House included $13 billion for cybersecurity in its 2025 fiscal plan. If approved, this would be approximately a 10 percent increase in the federal government’s current cybersecurity budget. A large part of the budget increase would go to the Cybersecurity and Infrastructure Security Agency (CISA), increasing its budget by $103 million to total of $3 billion budget. This increase in funding will assist CISA with improving the Joint Collaborative Environment, which centralizes data on known cybersecurity threats. This will also provide additional funding to allow CISA to assist state and local governments to bolster their cybersecurity preparedness. With worries about cyberattacks on critical infrastructure, the proposed increase in cybersecurity funding includes funding for the Cyber Incident Reporting for Critical Infrastructure Act, which established a unified reporting standard for critical infrastructure sectors. The DOJ will also get additional funding for addressing cybersecurity threats, and HHS will get additional funding for new cybersecurity initiatives for hospitals. The increase in the proposed cybersecurity budget also includes more money for AI research. However, with funding for 2024 still held-up in Congress, it is unknown whether this proposed increase in cybersecurity funding for 2025 will become a reality. --- Alexander L. Turner

FBI 2023 Internet Crime Report: Cybercrime Rose to $12.5 Billion, Record Number of Complaints Logged as Ransomware Roars Back

“The FBI’s annual summary of the previous year’s cybercrime activity shows just about everything trending in the wrong direction: incidents are up, costs and damages are up, and ransomware is returning to the heights it hit during the depths of the Covid-19 pandemic.”


Why this is important: The FBI's annual summary of cybercrime activity in 2023 reveals concerning trends: incidents are on the rise, costs and damages are up, ransomware is surging, and there was a sharp spike in cryptocurrency fraud. The costs of ransomware attacks were up by 74 percent, reaching $59.6 million. Notably, critical infrastructure companies were frequently targeted, with healthcare facilities being the primary victims, followed by manufacturing and government entities.


One significant shift observed is that ransomware gangs increasingly focus on data extortion rather than just ransomware attacks, exploiting vulnerabilities in organizations' defenses to steal sensitive data for extortion purposes. The report also highlights demographic-specific cybercrime patterns, such as elderly individuals being prime targets for tech support and government impersonation scams, while investment fraud schemes primarily affect younger Gen X and older Millennial demographics.


Accurately assessing the full extent of cybercrime is challenging, given underreporting and the evolving tactics of cybercriminals. Given the growing threat posed by cybercrime, robust cybersecurity measures are paramount, especially for critical infrastructure sectors and smaller organizations with limited resources. Legal professionals and policymakers need to prioritize strategies to enhance cybersecurity defenses, improve reporting mechanisms, and strengthen law enforcement efforts to combat cybercrime effectively. --- Alison M. Sacriponte

More Warnings Emerge About State-Linked Cyber Threats to Water Infrastructure

“The White House and EPA set an urgent virtual meeting with state homeland security and other top officials, citing efforts to boost the resiliency of drinking and wastewater treatment systems.”


Why this is important: In late 2023, threat actors linked to the Iran-backed Islamic Revolutionary Guard Corps (IRGC) hacked into various U.S. water systems. In January, cyber and national security officials warned a House of Representative’s panel about an ongoing threat from cyber attackers embedding themselves in critical infrastructure sectors. In February, the Office of Foreign Asset Control issues sanctions against six members of the IRGC’s Cyber Electronics Command in connection with the 2023 attack. More recently, the White House and the Environmental Protection Agency sent a letter to U.S. governors warning about attacks targeting U.S. water and wastewater systems. It is unclear whether there was recent specific intelligence that prompted the letter; however, what is certain is threat actors are viewing the nation’s critical infrastructure as prime targets. Decoded has reported in multiple issues that critical infrastructure remains a target for threat actors. Other articles in this issue report on the growing use of AI in a variety of use cases. Readers should be aware that threat actors also are deploying AI to increase the success rates of their attacks. If you would like to discuss how you can fortify your cyber defenses, contact a member of Spilman’s data privacy team. --- Nicholas P. Mooney II

3 Months Into Cyber Disclosure Rules, What’s Material to the SEC?

“As attacks become more sophisticated and destructive, companies are struggling to find conclusive estimates of the financial impact of cyberattacks.”


Why this is important: Cyberattacks, breaches, leaks, and otherwise are a major concern for reporting companies and the SEC. The new rules on cyber security risk management seek to provide investors with a more accurate understanding of the qualitative and quantitative impacts of cyberattacks by requiring reporting companies to disclose material cyber security incidents. However, the determination of materiality must be made and described within four days of the incident being detected. Though some major companies have made disclosures under the new rules, many fear that hasty disclosures can significantly negatively impact their reputation, on the one hand, while resulting penalties and consequences from the SEC could do the same, on the other. Compliance with the new rule appears to be either untimely or incomplete. Therefore, strategic rapid cyber incident materiality assessments will need to do the heavy lifting for many companies unless and until the new rules are amended or clarified. --- Sophia L. Hines

CRISPR could Disable and Cure HIV, Suggests Promising Lab Experiment

“The gene-editing technique CRISPR disabled HIV that lay dormant in immune cells in a lab experiment, raising hopes for an eventual cure.”


Why this is important: CRISPR has already led to approved treatments of the genetic disease sickle cell anemia, and now scientists are working on its ability to target HIV genes in viral DNA. Researchers successfully used CRISPR to remove HIV DNA from the genomes of infected human cells in a lab setting. This breakthrough raises hopes for developing a future therapy to eradicate HIV from infected individuals. Currently, modern medications have made it possible for those living with HIV to have normal, healthy lives, but this sustained remission requires complete adherence to life-long treatments. A genetic cure could finally free those individuals from this burden and provide hope to those struggling to access or afford the medications. However, further research is needed to determine the safety and efficacy of this approach before it can be applied clinically. --- Shane P. Riley

The Path to Stronger Cyber Defenses: A Blueprint for State and Local Governments

“For agency leaders and other state and local employees across various lines of business, prioritizing risk management isn’t just about securing data; it’s about preserving public trust and ensuring the uninterrupted delivery of essential services.”


Why this is important: All sectors of the economy are under attack by cybercriminals. This includes your state and local governments. They are a juicy target for bad actors because of the information they maintain on state and local citizens, and the critical infrastructure they operate. However, because of limited funding, state and local governments are not always able to prioritize necessary funding for cybersecurity. As discussed above, the White House recognizes this shortfall in state and local government cybersecurity preparedness and has proposed additional funding to assist state and local governments bolster their cybersecurity preparedness.  


The question is, what does cybersecurity preparedness look like for state and local governments? With limited funds, prioritizing the approach to cybersecurity is critical. State and local governments can do this by adopting a five-pillar approach to cybersecurity. The five pillars are:


  • Transitioning to a trusted cloud service. This allows the state and local governments to benefit from up-to-date hardware, and state of the art cybersecurity software;
  • Phasing out legacy risk, like outdated hardware and unsupported software that are more vulnerable to attack;
  • Investing in event response before a cybersecurity incident occurs. This means that the state and local government should assemble a team with members from all departments, have a plan in place, and practice implementing that plan so that in the event of a cyberattack, they can respond quickly and effectively;
  • Educating all government employees about not only the importance of cybersecurity, but also how to recognize a cyberattack when it happens. This requires at least annual training to keep up with evolving threats. This also creates a culture that prioritizes cybersecurity and is comfortable reporting possible threats; and
  • Focusing on critical controls, like multi-factor identification for emails and network access, and utilizing AI-powered cybersecurity tools to streamline the process and lessen the burden on critical cybersecurity infrastructure and personnel.


A focused and concentrated approach to cybersecurity is more effective than a scattershot defense. If your state or local government would like assistance in implementing the five-pillar approach to cybersecurity, please contact a member of Spilman’s Technology Practice Group. --- Alexander L. Turner

Phishing Remains Top Route to Initial Access

“Tricking individuals to reveal sensitive information or grant access to systems doesn’t require technical expertise.”


Why this is important: Over 70 percent of cyber incidents use phishing links or attacks to gain initial access. The enduring threat of phishing attacks emphasizes their effectiveness at exploiting human behavior and trust. Scattered Spider, a group of threat actors proficient in social engineering tactics, was responsible for significant attacks against companies like MGM Resorts, Caesars Entertainment, and Clorox, using AlphV ransomware in some instances. The group leveraged social engineering techniques to trick a help-desk employee into resetting credentials, enabling multi-factor authentication (MFA) attacks. These attacks enabled Scattered Spider to gain access to the victim organization's environment, manipulate configurations in Microsoft Azure, and reset master passwords for CyberArk and LastPass credentials via email verification. This information underscores the importance of implementing robust authentication techniques, such as biometrics and reducing session token lifetimes, to enhance resilience against phishing and social engineering attacks. --- Alison M. Sacriponte

Pennsylvania Social Media Bill Raises Hackles of Big Tech

“House Bill 2017, drafted by Rep. Brian Munroe and three high school students, would prevent kids younger than 16 from creating a social media account without parental consent and compel social media companies to better monitor group chats with minors.”


Why this is important: Pennsylvania is introducing a law to prevent children younger than 16 from creating a social media account without parental approval. According to HHS statistics, 95 percent of teenagers, and 40 percent of children 8-12 are on social media. While there is no current data regarding whether social media is safe for children’s brain development, there are known risks associated with the use of social media by children, including exposure to predators. Lesser known risks include the perpetuation of poor body image that may lead to eating disorders, exposure to hate-based or extremist content, and depictions of self-harm. This becomes more problematic as screen time increases through the use of social media.  


The proposed Pennsylvania bill, which was in part drafted by three high school students, would require greater parent involvement in their kids’ online behavior. However, the bill has met with industry pushback, and industry groups allege that the bill will inhibit a child’s First Amendment rights. Similar legislation in other states have been met with legal challenges from industry groups. Similar bills in Arkansas, Utah, and Ohio have all been struck down on First Amendment grounds. Even with possible legal battles on the horizon if the bill is passed, legislators believe that it is their duty to protect Pennsylvania children from cyberbullying and to protect their mental health. Moreover, the proposed bill goes beyond just requiring parental consent, it also prevents additional protections against social media companies from data mining, selling, or profiting off the data of children under 16, and allows children to ask social media companies to remove personal information. --- Alexander L. Turner

Is AI the Future of School Safety?

“All upgrades must be considered in collaboration with existing personnel so school security can be supported — not replaced — with automated technology.”


Why this is important: Methods of student monitoring may be changing from traditional practices to advanced technology solutions. Campuses across the country are experimenting with the use of expertly programmed metal detectors, digital hall passes, online activity monitoring programs, and artificial intelligence (AI) video tracking systems to address various safety concerns in schools. While these technologies offer efficiency in detecting risks, they also have shortcomings compared to manual methods, and their implementation requires careful consideration of financial and social implications. 


It is important for all stakeholders to understand the limitations of AI safety technology and the need for collaboration between technology and human monitoring. Ultimately, advocates of the new technologies call for a balanced approach that prioritizes student safety without disregarding privacy concerns or incurring unnecessary financial burdens. --- Shane P. Riley

X Share This Email
LinkedIn Share This Email

This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.



Responsible Attorney: Michael J. Basile, 800-967-8251