Category: Homeland Security

Source: US Department of Homeland Security

From May 6-7, Senior Official Performing the Duties of the Deputy Secretary Kristie Canegallo joined Secretary of State Antony Blinken, White House National Security Council’s Marcela Escobari, and USAID Acting Assistant Administrator for Latin America and the Caribbean Michael Camilleri in Guatemala City, Guatemala to represent the United States Government at the third Los Angeles Declaration on Migration and Protection Ministerial. Over the course of the last two years, the Los Angeles Declaration has provided a framework for its signatories throughout the Americas to take action on shared goals including strengthening border enforcement, expanding lawful pathways, and addressing the root causes of migration.

On the margins of the ministerial, Senior Official Performing the Duties of Deputy Secretary Canegallo participated in bilateral and trilateral meetings with counterparts from several countries, including Guatemala, Costa Rica, Belize, Ecuador, and Mexico, to continue enhancing hemispheric cooperation across several areas including information sharing, coordinating enforcement measures, and attacking transnational criminal organizations. During a bilateral meeting with Costa Rican Foreign Affairs Minister Arnoldo André, the Department of Homeland Security signed an agreement establishing a Biometric Data Sharing Partnership and the Department of State signed a separate agreement on countering human trafficking—measures that will boost security for both our nations and for the hemisphere. Senior Official Performing the Duties of the Deputy Secretary Canegallo also participated in a Labor Mobility event, where she highlighted this Administration’s work to boost temporary worker visas, noting that the United States issued a record number of H-2B visas to workers from Central and South America in 2023. Ms. Canegallo emphasized that the United States will continue to work with foreign partners to advance hemispheric efforts that expand labor opportunities, safeguard human rights, and contribute to bolstering the national and regional economy.  The following is a detailed fact sheet outlining achievements of the Los Angeles Declaration and the work the region is leading on.

Fact Sheet: Third Ministerial Meeting on the Los Angeles Declaration On Migration and Protection in Guatemala

Nearly two years ago, in response to the historic challenge of migration and forced displacement, President Biden launched the Los Angeles Declaration on Migration and Protection, with 20 leaders from across the Western Hemisphere. The Los Angeles Declaration is a first-of-its-kind framework to promote coordinated action under three core pillars: (1) addressing root causes and supporting the integration of migrants to foster long-term stabilization; (2) expanding lawful pathways; and (3) strengthening humane enforcement.

On May 7, 2024, Guatemala hosted the third Los Angeles Declaration Ministerial with foreign ministers and senior representatives from 21 endorsing countries. Secretary of State Antony Blinken led the U.S. delegation, alongside White House Coordinator for the Los Angeles Declaration Marcela Escobari, Department of Homeland Security Senior Official Performing the Duties of the Deputy Secretary Kristie Canegallo, and USAID Acting Assistant Administrator for Latin America and the Caribbean Michael Camilleri. The United States is grateful for President Arévalo’s leadership in hosting the Ministerial.

On behalf of the United States, Secretary Blinken announced $578 million in humanitarian, development, and economic assistance to support partner countries and host communities in responding to urgent humanitarian needs, expanding lawful pathways, and supporting the regularization and integration of migrants. The United States also announced expanded enforcement partnerships to deter irregular migration, including increased consequences for the smuggling networks that prey on vulnerable migrants. The U.S. Government reiterated its commitment to work alongside partners to establish a permanent, regionally-driven Secretariat to ensure that coordinated progress is sustained under the Los Angeles Declaration.

The endorsing countries presented progress toward their commitments under the Los Angeles Declaration and announced the following new initiatives.

Strengthening Humane Enforcement

• The United States took steps on May 6 to impose visa restrictions on executives of several Colombian maritime transportation companies for facilitating irregular migration to the United States. These are part of a broader set of U.S. actions targeting owners, executives, and senior officials of companies providing transportation by land, sea, or charter air designed for use primarily by persons intending to irregularly migrate to the United States. Earlier restrictions were placed on individuals in the charter air sector.
• The International Air Transport Association and several of its member airlines committed to concerted action to limit the use of commercial flights for irregular migration.
• The United States and Costa Rica announced the establishment of a new Biometric Data Sharing Partnership to enhance Costa Rica’s biometric collection and matching, and strengthen its border management, thereby increasing safety and security in the region. The United States and Costa Rica also signed a memorandum of understanding outlining bilateral cooperation in countering trafficking in persons.
• The United States is deploying additional resources to Guatemala to increase security at land, air, and sea ports throughout the country, increasing screening and vetting in the region.
• The United States will expand public awareness of the CBP One™ mobile app among migrants seeking to enter the United States. From January 2023 through the end of March 2024, more than 547,000 individuals have used CBP One™ and presented themselves to a port of entry for processing, instead of risking their lives at the hands of smugglers.
• The United States leads the Countering Human Trafficking and Migrant Smuggling Action Package Committee under the Los Angeles Declaration, coordinating international efforts to target, investigate, arrest, and prosecute human smuggling organizations that are preying on vulnerable migrants.
• Partner countries reaffirmed their commitment to stem extracontinental irregular migration through increased use of transit visas, passenger vetting, and enforcement measures against entities and individuals that profit from irregular migration.

Expanding Lawful Pathways for Migration and Protection

• President Biden rebuilt our refugee resettlement program and led a historic expansion of lawful pathways to the United States and partner countries.  Under the President’s Safe Mobility Offices initiative to deter irregular migration and expand lawful pathways in the Western Hemisphere, we are on track to increase six-fold the number of approved refugees from the region.  Already, over 21,000 individuals have been approved to resettle safely and legally in the United States through the Safe Mobility Offices in Guatemala, Costa Rica, Colombia, and Ecuador.
• Guatemala and the United States announced that the Safe Mobility Offices in Guatemala will expand eligibility to include Hondurans, Salvadorans, and Nicaraguans present in Guatemala.
• Costa Rica and the United States announced that the Safe Mobility Offices in Costa Rica will expand eligibility to accept Ecuadorians.
• The United States reaffirmed its commitment to strengthening lawful pathways. Under the Cuba, Haiti, Nicaragua, Venezuela (CHNV) parole process, flows of irregular migrants from these four countries have been reduced significantly, while 435,000 vetted and cleared individuals of these nationalities have been approved to lawfully enter the United States. Applicants must have a U.S.-based financial supporter, pass vetting and background checks, and meet other established criteria to receive advanced travel authorization. Once paroled on a case-by-case basis, CHNV nationals are eligible to apply for work authorization and start work immediately.
• USAID announced plans to launch a new regional labor mobility initiative — “Alianza de Movilidad Laboral para las Américas” or “Labor Neighbors” — to increase access to lawful temporary labor pathways for new migrant-source and destination countries. The initiative will work with international organizations and other partners to provide technical assistance to countries across the region to identify eligible workers to meet pressing labor needs.
• The Department of Labor launched a $3 million project to strengthen protections for workers participating in U.S. temporary foreign worker programs. The United States also announced it is joining the International Labor Organization’s Fair Recruitment Initiative and its Advisory Committee. The initiative seeks to ensure that domestic and cross-border recruitment practices are grounded in international labor standards, promote gender equality, and prevent human trafficking and forced labor. These steps reinforce the Biden Administration’s Presidential Memorandum on Advancing Worker Empowerment, Rights, and High Labor Standards Globally and its steadfast commitment to protecting worker rights at home and around the world.
• Mexico announced that, since 2022, it has issued over 17,500 temporary visas to individuals seeking international protection to address labor shortages in the country. Additionally, Mexico has launched a pilot program in collaboration with the Haitian Embassy, International Organization for Migration, and the Tent Partnership to expand labor pathways, offering job opportunities and work permits to Haitian migrants.
• Costa Rica committed to continue modernizing its asylum system through digitalization, data-driven solutions, and adopting practices to streamline refugee status determination with support from UNHCR and the international community.  
• Canada confirmed it will take UNHCR referrals from the Safe Mobility Offices, as part of Canada’s ongoing commitment to this important initiative. Canada has also made significant progress on its commitment to welcome 15,000 migrants from the Americas region. Canada is also investing $75 million Canadian dollars over six years to fund capacity building projects to strengthen migration and protection systems in the region.

Addressing Root Causes and Supporting the Integration of Migrants to Foster Long-term Stabilization

• The United States reaffirmed its commitment to addressing the root causes of irregular migration. The U.S. International Development Finance Corporation is announcing the approval of a $20 million direct loan to Cosami, a savings and loan cooperative, for low-income mortgages in rural Guatemala. Cosami’s assistance will help finance the construction of borrowers’ first homes, helping to improve living conditions, create jobs, and promote economic growth in lower-income communities.
• With initial support from the U.S. Government, the International Organization for Migration launched a new online platform and data portal for the Los Angeles Declaration, which enables endorsing countries to obtain, share, and disseminate best practices and data.
• Ecuador announced that, under a new regularization program, those who have already registered will be able to complete their process to obtain a temporary resident visa and more migrants will be able to apply for a temporary visa.
• Colombia announced a plan for regularization of irregular migrants through special permits for parents and legal guardians of children with valid Temporary Protective Status. Colombia also announced a new special permanent visa for Latin American and Caribbean migrants without regular status in the country. The Colombian government estimates these actions will benefit up to 600,000 individuals.
• Costa Rica committed to expand the Special Temporary Category regularization pathway and reduce barriers to access with continued assistance from the international community.

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced voluntary commitments by 68 of the world’s leading software manufacturers to CISA’s Secure by Design pledge to design products with greater security built in.

“More secure software is our best hope to protect against the seemingly never-ending scourge of cyberattacks facing our nation. I am glad to see leading software manufacturers recognize this by joining us at CISA to build a future that is more secure by design,” CISA Director Jen Easterly said. “I applaud the companies who have already signed our pledge for their leadership and call on all software manufacturers to take the pledge and join us in creating a world where technology is safe and secure right out of the box.”

A list of the 68 companies, including leading software manufacturers, participating in the pledge can be found at the Secure by Design Pledge page, and statements of support for the pledge can be read here.

By catalyzing action by some of the largest technology manufacturers, the Secure by Design pledge marks a major milestone in CISA’s Secure by Design initiative. Participating software manufacturers are pledging to work over the next year to demonstrate measurable progress towards seven concrete goals. Collectively, these commitments will help protect Americans by securing the technology that our critical infrastructure relies on.

“A more secure by design future is indeed possible. The items in the pledge directly address some of the most pervasive cybersecurity threats we at CISA see today, and by taking the pledge software manufacturers are helping raise our national cybersecurity baseline,” CISA Senior Technical Advisor Jack Cable said. “Every software manufacturer should recognize that they have a responsibility to protect their customers, contributing to our national and economic security. I appreciate the leadership of those who signed on and hope that every technology manufacturer will follow suit.”

The seven goals of the pledge are:

• Multi-factor authentication (MFA). Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
• Default passwords. Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
• Reducing entire classes of vulnerability. Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
• Security patches. Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
• Vulnerability disclosure policy. Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.
• CVEs. Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.
• Evidence of intrusions. Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

Each goal has core criteria which manufacturers are committing to work towards, in addition to context and example approaches to achieve the goal and demonstrate measurable progress. To enable a variety of approaches, software manufacturers participating in the pledge have the discretion to decide how best they can meet and demonstrate the core criteria of each goal, but progress should be demonstrated in public.

CISA’s global Secure by Design initiative, launched last year, implements the White House’s National Cybersecurity Strategy by shifting the cybersecurity burden away from end users and individuals to technology manufacturers who are most able to bear it. CISA urges software manufacturers to review CISA’s Secure by Design guidance and Secure by Design alerts to build security into their products.

To date, the following 68 companies have signed the pledge: 1touch.io, Akamai, Amazon Web Services, Apiiro, Armis, Automox, BigID, BlackBerry, Bugcrowd, Chainguard, Cisco, Claroty, Cloudflare, CrowdStrike, Cybeats, Resilience, ESET, Everfox, Finite State, Forescout, Fortinet, Gigamon, GitHub, GitLab, Google, Hewlett Packard Enterprise, HiddenLayer, HP, Huntress, IBM, Infoblox, InfoSec Global, Ivanti, Kiteworks, Lasso Security, Lenovo, Manifest, Microsoft, N-able, NetApp, Netgear, Okta, Palo Alto Networks, Pangea, Proofpoint, Qualys, Rapid7, Red Queen Dynamics, Scale AI, Secureworks, Securin, Security Compass, SentinelOne, Socket, Sonatype, Sophos, Tenable, ThreatQuotient, ThriveDX, Tidelift, Trellix, Trend Micro, Vanta, Veracode, Veritas Technologies LLC, Wiz, Xylem, and Zscaler.

Learn more about this voluntary pledge and sign it today by visiting: cisa.gov/securebydesign/pledge.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) is pleased to launch We Can Secure Our World, the second PSA in its Secure Our World cybersecurity public awareness program. The PSA will be promoted widely across the U.S. on television, radio, digital ads, retail centers, social media platforms, and billboards throughout 2024. We Can Secure Our World builds on the success of CISA’s first ever public service announcement (PSA) which launched in September 2023.

A Pew Research Center survey conducted last year shows that 95% of American adults use the internet, 90% have a smartphone and 80% subscribe to high-speed internet at home. Additionally, the survey also reported nearly 70% of children and adolescents have been exposed to at least one cyber risk in the past year. With cyber threats increasing among Americans of all ages, CISA is working to empower all Americans to protect themselves from hackers getting into their devices through easy steps that anyone can do anywhere and anytime.

The Secure Our World cybersecurity public awareness program, initially launched in September 2023, with its first PSA receiving nearly 20,000 views on YouTube, and educational materials including “How to” videos and tip sheets, were downloaded approximately 50,000 times. CISA also had a video that aired at the NFL Experience in the week leading up to the Super Bowl. CISA had a Super Bowl-related social media campaign that garnered more than 200,000 views and reached audiences spanning America’s diverse population.

The Secure Our World program is designed to educate and empower individuals to take proactive steps in safeguarding their digital lives. Tapping into the nostalgia of beloved musical cartoon series from the 1970s and 1980s, the new PSA features lovable character Max from the first PSA and introduces “Joan the Phone” who teaches us how to stay safe online. Through engaging messaging encouraging simple steps to protect ourselves online, the program aims to raise awareness about the importance of cybersecurity and empower individuals to adopt best practices to mitigate online risks.

“Basic cyber hygiene prevents 98% of cyber attacks—why we’re on a mission to make cyber hygiene as common as brushing our teeth and washing our hands. BUT(!) “cyber” anything can seem overly technical and complicated to the vast majority of Americans from K through Gray—why we’re also on a mission to make such information more accessible,” said CISA Director Jen Easterly. “As someone who grew up with Saturday morning cartoons, I am super excited about what we’ve done with our new Secure Our World PSA to leverage a recognizable educational medium to promote cybersecurity best practices. We’re really excited to take public awareness of cyber safety to a whole new level of creativity.”

We encourage organizations large and small to join forces with CISA today to bolster cybersecurity awareness, empower individuals to take action, and drive adoption of critical behaviors, Together, let’s champion the cybersecurity basics: encourage the use of strong passwords and multi-factor authentication, recognize and report phishing attempts, and prioritize software updates. Our collaboration can have a far-reaching effect to protect individuals, businesses and critical infrastructure from cyber threats, promoting trust, resilience and security in the digital realm.

View the We Can Secure Our World PSA on CISA.gov.

Source: US Department of Homeland Security

WASHINGTON – Today, the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) announced changes to the Cyber Safety Review Board (CSRB) membership. With deep gratitude, four current members of the CSRB will depart and four new members will join the board. 

Departing members include:

• Katie Moussouris, Founder and CEO, Luta Security
• Chris Novak, Co-Founder and Managing Director, Verizon Threat Research Advisory Center
• Tony Sager, Senior Vice President and Chief Evangelist, Center for Internet Security, and
• Wendi Whitmore, Senior Vice President, Unit 42, Palo Alto Networks

Joining the CSRB:

• Jamil Jaffer, Venture Partner Paladin Capital Group and Founder and Executive Director, National Security Institute, George Mason University Scalia Law School
• David Luber, Director, Cybersecurity Directorate, NSA
• Katie Nickels, Senior Director of Intelligence Operations, Red Canary
• Chris Krebs, Chief Intelligence and Public Policy Officer, Sentinel One

David Luber will serve as the Federal CSRB representative from the NSA, replacing Rob Joyce upon his retirement. Joyce has been asked to continue to serve on the board as a private sector member.

“I can’t thank Katie, Chris, Tony, and Wendi enough for the outstanding contributions they’ve made as CSRB members. I am truly grateful for their service on the Board,” said CISA Director Jen Easterly.  “I am also very pleased to welcome Jamil, Dave, Katie, and Chris to the Board. I know their cybersecurity expertise and experience will be instrumental in the continuing evolution of the CSRB as a catalyst for positive change in the cybersecurity ecosystem.”

Robert Silvers, DHS Under Secretary for Policy, and Heather Adkins, Vice President for Security Engineering at Google, have been re-appointed as the Chair and Deputy Chair respectively for a second term by Easterly. 

“I send my sincere thanks to the departing members and welcome those who are beginning their service,” said Under Secretary Silvers. “The Cyber Safety Review Board will continue in its charge to conduct fact finding and develop lessons learned from the most serious cyber incidents.”

“It has been an honor to serve on the CSRB and I am looking forward to seeing the Board continue to evolve its important role in the cybersecurity ecosystem as we increase the security of the nation,” said Deputy Chair Adkins.  

Other returning members include:

• Dmitri Alperovitch, Co-Founder and Chairman, Silverado Policy Accelerator and Co-Founder and former CTO of CrowdStrike, Inc.
• Harry Coker, Jr., National Cyber Director, Office of the National Cyber Director
• Jerry Davis, Founder, Gryphon X
• Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget
• Eric Goldstein, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency
• Marshall Miller, Principal Associate Deputy Attorney General, Department of Justice
• John Sherman, Chief Information Officer, Department of Defense
• Bryan Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation

The CSRB conducts fact-finding and issues recommendations in the wake of major cyber incidents. The Board is made up of cybersecurity luminaries from the private sector and senior officials from DHS, CISA, the Department of Defense, the National Security Agency, the Department of Justice, the Federal Bureau of Investigation, the Office of the National Cyber Director, and the Office of Management and Budget.

As directed by President Biden through Executive Order 14028 Improving the Nation’s Cybersecurity, Secretary Mayorkas established the CSRB in February 2022. The Board is administered by CISA on behalf of the Secretary. The Board’s reviews are conducted independently, and its conclusions are independently reached. DHS and the CSRB are committed to transparency and will, whenever possible, release public versions of CSRB reports, consistent with applicable law and the need to protect sensitive information from disclosure.  

The Board’s reviews and other information about the CSRB can be found on the CSRB website.

###

Source: US Department of Homeland Security

WASHINGTON – Secretary of Homeland Security Alejandro N. Mayorkas issued the following statement on Microsoft’s announcement of security updates following recommendations from the Department of Homeland Security’s Cyber Security Review Board:

“We applaud Microsoft for its commitment to strengthen its security by embracing and acting upon the recommendations of the Cyber Safety Review Board and further advancing the company’s Secure Future Initiative. Microsoft’s full cooperation with the Board’s review helped create the tangible recommendations that will benefit not only Microsoft’s customers, but also the public at large that depends on the security of cloud services.  We look forward to continuing our work with Microsoft and other partners to strengthen the security of the cyber ecosystem on which we all depend.” 

###

Source: US Department of Homeland Security

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Low attack complexity
• Vendor: Delta Electronics
• Equipment: CNCSoft-G2 DOPSoft
• Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics CNCSoft-G2, a Human-Machine Interface (HMI) software, are affected:

• CNCSoft-G2: Versions 2.0.0.5 (with DOPSoft v5.0.0.93) and prior

3.2 Vulnerability Overview

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2024-4192 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ).

A CVSS v4 score has also been calculated for CVE-2024-4192. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Natnael Samson working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics recommends users update to CNCSoft-G2 v2.1.0.4 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• April 30, 2024: Initial Publication

Source: US Department of Homeland Security

WASHINGTON – Secretary of Homeland Security Alejandro N. Mayorkas issued the following statement on the National Security Memorandum (NSM) to secure and enhance the resilience of U.S. critical infrastructure, signed today by President Biden:

“Our nation’s critical infrastructure consists of the systems and services upon which Americans rely in their daily lives. From the banking system to the electric grid, from healthcare to our nation’s water systems and more, we depend on the safety and defense of our critical infrastructure as a matter of homeland and national security. President Biden’s new National Security Memorandum empowers the Department of Homeland Security to lead our government’s efforts, alongside our Administration partners, to better confront the increasingly complex and frequent threats facing our critical infrastructure.  Together, we will ensure America remains vigilant, secure, and resilient.”

###

Source: US Department of Homeland Security

WASHINGTON, DC – Today, the Department of Homeland Security (DHS) received a grade of “A+,” the highest grade possible on the Small Business Administration’s Fiscal Year (FY) 2023 Small Business Procurement Scorecard and was the largest federal agency to exceed all ten of the Scorecard’s small business prime and subcontracting goals. The Scorecard is an assessment tool that measures how well federal agencies meet their small business and socioeconomic prime contracting and subcontracting goals. This is the fifteenth consecutive fiscal year DHS has earned a grade of “A” or higher, starting in FY 2009.

“America’s small businesses are essential partners in equipping the Department’s workforce with the tools to fulfill our mission of protecting the homeland,” said the Senior Official Performing the Duties of the Deputy Secretary Kristie Canegallo. “We are proud of DHS’s 15 year record and are committed to ensure that it continues. This year’s “A+” rating achievement is the result of modernizing and streamlining our processes to meet our contracting goals.”

In FY 2023, DHS obligated $9.9 billion, the highest amount in the Department’s history, to small businesses. Over $4.7 billion was awarded to small, disadvantaged businesses– a result of the Department’s increased targeted small business outreach efforts, which include a focus on undeserved vendor communities. Notably, DHS awarded 38.21% of its total eligible contracting dollars to small businesses, greatly exceeding the government-wide prime goal of 23%.

“Our achievements are the result of collaboration between DHS leadership and the acquisition workforce,” said E. Darlene Bullock, DHS Executive Director, Office of Small and Disadvantaged Business Utilization. “DHS will continue to implement various programs and policies to support small business participation.”

For the second time in the Department’s history, DHS exceeded all ten small business prime and subcontracting goals, making it the largest federal agency with this record of achievement. “DHS’s sustained accomplishments on the SBA scorecard for the past 15 years truly highlight the Department’s efforts to partner with small businesses. We are proud of our efforts and look forward to continued excellence in this area,” said Paul Courtney, DHS Chief Procurement Officer.

Small businesses play an instrumental role in strengthening the capabilities of the Department and helping us protect our homeland. DHS is committed to maximizing opportunities for small businesses and will continue to partner with industry to increase diversity in our contractor community.

For more information about the Department’s small business program, visit Office of Small and Disadvantaged Business Utilization | Homeland Security (dhs.gov).

Source: US Department of Homeland Security

Announcements Follow Six Months of Progress to Leverage AI Responsibly Across the Homeland Security Enterprise and Recent Establishment of AI Safety and Security Board

The Department, in Coordination with CISA and CWMD, Releases New Guidelines to Protect Against AI Risks to Critical Infrastructure; Submits Report on Chemical, Biological, Radiological, and Nuclear Threats

WASHINGTON – Today, the Department of Homeland Security (DHS) marked the 180-day mark of President Biden’s Executive Order (EO) 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI)” by unveiling new resources to address threats posed by AI: (1) guidelines to mitigate AI risks to critical infrastructure and (2) a report on AI misuse in the development and production of chemical, biological, radiological, and nuclear (CBRN).

These resources build upon the Department’s broader efforts to protect the nations’ critical infrastructure and help stakeholders leverage AI, which include the recent establishment of the Artificial Intelligence Safety and Security Board. This new Board, announced last week, assembles technology and critical infrastructure executives, civil rights leaders, academics, state and local government leaders, and policymakers to advance responsible development and deployment of AI.

“AI can present transformative solutions for U.S. critical infrastructure, and it also carries the risk of making those systems vulnerable in new ways to critical failures, physical attacks, and cyber attacks. Our Department is taking steps to identify and mitigate those threats,” said Secretary of Homeland Security Alejandro N. Mayorkas. “When President Biden tasked DHS as a leader in the safe, secure, and reliable development of AI, our Department accelerated our previous efforts to lead on AI. In the 180 days since the Biden-Harris Administration’s landmark EO on AI, DHS has established a new AI Corps, developed AI pilot programs across the Department, unveiled an AI roadmap detailing DHS’s current use of AI and its plans for the future, and much more. DHS is more committed than ever to advancing the responsible use of AI for homeland security missions and promoting nationwide AI safety and security, building on the unprecedented progress made by this Administration. We will continue embracing AI’s potential while guarding against its harms.”

Guidelines to Mitigate AI Risks to Critical Infrastructure

DHS, in coordination with its Cybersecurity and Infrastructure Security Agency (CISA), released new safety and security guidelines to address cross-sector AI risks impacting the safety and security of U.S. critical infrastructure systems. The guidelines organize its analysis around three overarching categories of system-level risk:

• Attacks Using AI:  The use of AI to enhance, plan, or scale physical attacks on, or cyber compromises of, critical infrastructure.
• Attacks Targeting AI Systems: Targeted attacks on AI systems supporting critical infrastructure.
• Failures in AI Design and Implementation: Deficiencies or inadequacies in the planning, structure, implementation, or execution of an AI tool or system leading to malfunctions or other unintended consequences that affect critical infrastructure operations.

  
“CISA was pleased to lead the development of ‘Mitigating AI Risk: Safety and Security Guidelines for Critical Infrastructure Owners and Operators on behalf of DHS,” said CISA Director Jen Easterly. “Based on CISA’s expertise as National Coordinator for critical infrastructure security and resilience, DHS’ Guidelines are the agency’s first-of-its-kind cross-sector analysis of AI-specific risks to critical infrastructure sectors and will serve as a key tool to help owners and operators mitigate AI risk.”

To address these risks, DHS outlines a four-part mitigation strategy, building upon the National Institute of Standards and Technology’s (NIST) AI Risk Management Framework (RMF), that critical infrastructure owners and users can consider when approaching contextual and unique AI risk situations:

• Govern: Establish an organizational culture of AI risk management – Prioritize and take ownership of safety and security outcomes, embrace radical transparency, and build organizational structures that make security a top business priority.
• Map: Understand your individual AI use context and risk profile – Establish and understand the foundational context from which AI risks can be evaluated and mitigated.
• Measure: Develop systems to assess, analyze, and track AI risks – Identify repeatable methods and metrics for measuring and monitoring AI risks and impacts.
• Manage: Prioritize and act upon AI risks to safety and security – Implement and maintain identified risk management controls to maximize the benefits of AI systems while decreasing the likelihood of harmful safety and security impacts.

Countering Chemical, Biological, Radiological, and Nuclear Threats

The Department worked with its Countering Weapons of Mass Destruction Office (CWMD) to analyze the risk of AI being misused to assist in the development or production of CBRN threats, and analyze and provide recommended steps to mitigate potential threats to the homeland. This report, developed through extensive collaboration across the United States Government, academia, and industry, furthers long-term objectives around how to ensure the safe, secure, and trustworthy development and use of artificial intelligence, and guides potential interagency follow-on policy and implementation efforts.

“The responsible use of AI holds great promise for advancing science, solving urgent and future challenges, and improving our national security, but AI also requires that we be prepared to rapidly mitigate the misuse of AI in the development of chemical and biological threats,” said Assistant Secretary for CWMD Mary Ellen Callahan. “This report highlights the emerging nature of AI technologies, their interplay with chemical and biological research and the associated risks, and provides longer-term objectives around how to ensure safe, secure, and trustworthy development and use of AI.  I am incredibly proud of our team at CMWD for this vital work which builds upon the Biden-Harris Administration’s forward-leaning Executive Order.”

A Department-Wide Effort to Address AI Risks and Opportunities

In the 180 days since President Biden issued his landmark EO on AI, Secretary Mayorkas has led a sustained effort to expand DHS’s leadership on AI and made progress on a number of initiatives geared towards protecting critical infrastructure and ensuring the safe implementation of AI technology.  Most recently, the Secretary established the Artificial Intelligence Safety and Security Board (AISSB) to advise DHS, the critical infrastructure community, private sector stakeholders, and the broader public on the safe and secure development and deployment of AI in our nation’s critical infrastructure. This diverse range of leaders on the Board will provide recommendations to help critical infrastructure stakeholders more responsibly leverage AI and protect against its dangers.

In March, DHS unveiled a detailed AI roadmap for using AI technologies to deliver meaningful benefits to the American public and advance homeland security while protecting individuals’ privacy, civil rights, and civil liberties. Within the roadmap, the Department announced three innovative pilot projects that deploy AI in specific mission areas, including pilots housed in Homeland Security Investigations (HSI), the Federal Emergency Management Agency (FEMA), and United States Citizenship and Immigration Services (USCIS). CISA completed an operational pilot of AI cybersecurity systems to aid in the detection and remediation of vulnerabilities in critical United States Government software, systems, and networks, pursuant to the EO.

In February, DHS launched the DHS AI Corps, an accelerated hiring initiative to better leverage AI responsibly across strategic areas of the homeland security enterprise. DHS immediately saw a strong response and received thousands of applicants interested in AI technology experts looking to further the Department’s AI work across strategic areas of the homeland security enterprise.  

To read the DHS safety and security guidelines for critical infrastructure owners and operators, please visit: Safety and Security Guidelines for Critical Infrastructure Owners and Operators | Homeland Security (dhs.gov).

To read the DHS report on Chemical, Biological, Radiological, and Nuclear (CBRN) threats, please visit: FACT SHEET: DHS Advances Efforts to Reduce the Risks at the Intersection of Artificial Intelligence and Chemical, Biological, Radiological, and Nuclear (CBRN) Threats | Homeland Security.

To learn more about how DHS uses AI technologies to protect the homeland, visit Artificial Intelligence at DHS.

Source: US Department of Homeland Security

Group Chaired by Secretary Mayorkas Will Consider Ways to Promote Safe and Secure Use of AI in our Nation’s Critical Infrastructure 

WASHINGTON, D.C. – Today, the Department of Homeland Security announced the establishment of the Artificial Intelligence Safety and Security Board (the Board). The Board will advise the Secretary, the critical infrastructure community, other private sector stakeholders, and the broader public on the safe and secure development and deployment of AI technology in our nation’s critical infrastructure. The Board will develop recommendations to help critical infrastructure stakeholders, such as transportation service providers, pipeline and power grid operators, and internet service providers, more responsibly leverage AI technologies. It will also develop recommendations to prevent and prepare for AI-related disruptions to critical services that impact national or economic security, public health, or safety.  

President Biden directed Secretary Alejandro N. Mayorkas to establish the Board, which includes 22 representatives from a range of sectors, including software and hardware companies, critical infrastructure operators, public officials, the civil rights community, and academia.  The inaugural members of the Board are:  

• Sam Altman, CEO, OpenAI; 
• Dario Amodei, CEO and Co-Founder, Anthropic; 
• Ed Bastian, CEO, Delta Air Lines; 
• Rumman Chowdhury, Ph.D., CEO, Humane Intelligence; 
• Alexandra Reeve Givens, President and CEO, Center for Democracy and Technology  
• Bruce Harrell, Mayor of Seattle, Washington; Chair, Technology and Innovation Committee, United States Conference of Mayors; 
• Damon Hewitt, President and Executive Director, Lawyers’ Committee for Civil Rights Under Law; 
• Vicki Hollub, President and CEO, Occidental Petroleum; 
• Jensen Huang, President and CEO, NVIDIA; 
• Arvind Krishna, Chairman and CEO, IBM; 
• Fei-Fei Li, Ph.D., Co-Director, Stanford Human-centered Artificial Intelligence Institute;  
• Wes Moore, Governor of Maryland; 
• Satya Nadella, Chairman and CEO, Microsoft; 
• Shantanu Narayen, Chair and CEO, Adobe; 
• Sundar Pichai, CEO, Alphabet;  
• Arati Prabhakar, Ph.D., Assistant to the President for Science and Technology; Director, the White House Office of Science and Technology Policy; 
• Chuck Robbins, Chair and CEO, Cisco; Chair, Business Roundtable; 
• Adam Selipsky, CEO, Amazon Web Services; 
• Dr. Lisa Su, Chair and CEO, Advanced Micro Devices (AMD); 
• Nicol Turner Lee, Ph.D., Senior Fellow and Director of the Center for Technology Innovation, Brookings Institution;  
• Kathy Warden, Chair, CEO and President, Northrop Grumman; and 
• Maya Wiley, President and CEO, The Leadership Conference on Civil and Human Rights. 

DHS is responsible for the overall security and resilience of the nation’s critical infrastructure, which hundreds of millions of Americans rely on every day to light their homes, conduct business, exchange information, and put food on the table. Critical infrastructure encompasses sixteen sectors of American industry, including our defense, energy, agriculture, transportation, and internet technology sectors. The Board will advise DHS on ensuring the safe and responsible deployment of AI technology in these sectors in the years to come, and it will look to address threats posed by this technology to these vital services.

“Artificial Intelligence is a transformative technology that can advance our national interests in unprecedented ways. At the same time, it presents real risks— risks that we can mitigate by adopting best practices and taking other studied, concrete actions,” said Secretary Mayorkas.  “I am grateful that such accomplished leaders are dedicating their time and expertise to the Board to help ensure our nation’s critical infrastructure—the vital services upon which Americans rely every day—effectively guards against the risks and realizes the enormous potential of this transformative technology.” 

Secretary Mayorkas selected these experts to develop multifaceted, cross-sector approaches to pressing issues surrounding the benefits and risks of this emerging technology. It will convene for the first time in Early May with subsequent meetings planned quarterly. At the outset, the Board will: 1) provide the Secretary and the critical infrastructure community with actionable recommendations to ensure the safe adoption of AI technology in the essential services Americans depend upon every day, and 2) create a forum for DHS, the critical infrastructure community, and AI leaders to share information on the security risks presented by AI. 

The Board will help DHS stay ahead of evolving threats posed by hostile nation-state actors and reinforce our national security by helping to deter and prevent those threats. The DHS Homeland Threat Assessment of 2024 warns the public of the threat AI-assisted tools pose to our economic security and critical infrastructure, including how these technologies “have the potential to enable larger scale, faster, efficient, and more evasive cyber attacks—against targets, including pipelines, railways, and other US critical infrastructure.” It also concludes that nation states, including the People’s Republic of China, are developing “other AI technologies that could undermine U.S. cyber defenses, including generative AI programs that support malicious activity such as malware attacks.” 

Shantanu Narayen, Chair & CEO, Adobe: “Adobe is honored to be a part of the Artificial Intelligence Safety and Security Board to share learnings and recommendations with Secretary Mayorkas and key stakeholders across the public and private sectors. This Board holds enormous potential to advance AI technology, establishing guidelines that will help AI enhance and secure our nation’s critical infrastructure while mitigating any risks it could pose.” 

Dr. Lisa Su, Chair and CEO, Advanced Micro Devices: “The widespread use of AI has the potential to improve every aspect of our daily lives. It is critical that we work across the public and private sectors to adopt a collaborative and responsible approach that will ensure we harness the incredible power of AI for good.  I am honored to work alongside such an esteemed group of colleagues on this important issue.” 

Adam Selipsky, CEO, Amazon Web Services: “As one of the world’s leading developers and deployers of AI tools and services, AWS supports fostering the safe, secure, and responsible development of AI technology. We appreciate the opportunity to serve as an inaugural member of the Artificial Intelligence Safety and Security Board, and we are committed to continued collaboration with policymakers, industry, researchers, critical infrastructure providers, and the AI community to advance the responsible and secure use of AI.” 

Dario Amodei, CEO and Co-Founder, Anthropic: “AI technology is capable of offering immense benefits to society if deployed responsibly, which is why we’ve advocated for efforts to test the safety of frontier AI systems to mitigate potential risks. We’re proud to contribute to studying the implications of AI on protecting critical infrastructure with other leaders in the public and private sectors. Safe AI deployment is paramount to securing infrastructure that powers American society, and we believe the formation of this board is a positive step forward in strengthening U.S. national security.”  

Chuck Robbins, Chair and CEO, Cisco; Chair, Business Roundtable: “AI must be as safe, secure, and responsible as it is revolutionary. This collective effort underscores the importance of deploying AI innovations in a manner that safeguards our nation’s critical infrastructure. I look forward to working with Secretary Mayorkas and other members of the Board to strengthen American resilience in today’s rapidly evolving threat landscape.” 

Ed Bastian, CEO, Delta Air Lines: “By driving innovative tools like crew resourcing and turbulence prediction, AI is already making significant contributions to the reliability of our nation’s air travel system, and it promises to further transform the travel experience in the years ahead. I’m honored to serve on this board, which will help ensure that this technology is developed and deployed safely and securely without disrupting vital transportation infrastructure or millions of critical transportation jobs nationwide.” 

Rumman Chowdhury, Ph.D., CEO, Humane Intelligence: “Grappling with the implications of Artificial intelligence on critical infrastructure is necessary to ensure equitable and tangible benefits of this technology to all Americans. Humane Intelligence is looking forward to engaging on these timely issues.” 

Arvind Krishna, Chairman and CEO, IBM: “Artificial intelligence is a game-changing technology that is making businesses smarter, stronger, and safer. AI’s ability to analyze threat information at scale can help protect the nation’s critical infrastructure from cyberattacks, an imperative that I look forward to advancing as a member of the AI Safety and Security Board.” 

Maya Wiley, President and CEO, The Leadership Conference on Civil and Human Rights: “It is critical to have a civil rights perspective on any board with the mission to responsibly deploy artificial intelligence in our nation’s infrastructure. Critical infrastructure plays a key role ensuring everyone has equal access to information, goods, and services. It also poses great threats, including the spread of bias and hate speech online, stoking fear, distrust, and hate in our communities of color. I am looking forward to joining my colleagues as we discuss the ethical deployment of AI across our critical infrastructure to promote and protect the civil and human rights of every person in the United States.” 

Satya Nadella, Chairman and CEO, Microsoft: “Artificial Intelligence is the most transformative technology of our time, and we must ensure it is deployed safely and responsibly. Microsoft is honored to participate in this important effort and looks forward to sharing both our learnings to date, and our plans going forward. We thank Secretary Mayorkas for including us in this important endeavor and look forward to the continued partnership.” 

Fei-Fei Li, Ph.D., Co-Director, Stanford Human-centered Artificial Intelligence Institute: “I’m honored to join this group of interdisciplinary leaders to steward this world-changing technology responsibly and in a human-centered way. Ultimately AI is a tool, a potent tool, and it must be developed and applied with an understanding of how it will impact the individual, community, and society at large.” 

Bruce Harrell, Mayor of Seattle, Washington and Chair, Technology and Innovation Committee, United States Conference of Mayors: “Advancement in artificial intelligence and machine learning technologies offer significant opportunities to transform our society and world. Civic, business, academic, and philanthropic partners have a responsibility to foster this innovation in a way that ensures the development, deployment, and use of these technologies is safe, secure, and ethical. I am honored to serve alongside leaders who share a commitment to leverage technological advancements to address our greatest challenges and capitalize on our greatest opportunities. Together, this Board will advance critical work to safeguard critical infrastructure from real threats and to meet the dynamic needs of today and the future.” 

Arati Prabhakar, Assistant to the President for Science and Technology; Director, the White House Office of Science and Technology Policy: “AI is one of the most powerful technologies of our time. President Biden has made clear that we must manage AI’s risks so that we can seize its benefits. Thanks to Secretary Mayorkas for taking action to protect America’s critical infrastructure—our energy system, banking, health care, and communications—from AI risks and harms.” 

The launch of the Board is a keystone of wide-ranging efforts within DHS to respond to the rapid emergence of AI technology. In March 2024, DHS debuted its first “Artificial Intelligence Roadmap,” which details the Department’s 2024 plans to responsibly leverage AI to advance homeland security missions while protecting individuals’ privacy, civil rights, and civil liberties; promote nationwide AI safety and security; and, continue to lead in AI through strong cohesive partnership. 

The Department’s latest efforts follow President Biden’s Executive Order (EO), “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” signed in October 2023. In the EO, the President directed Secretary Mayorkas to establish the AI Safety and Security Board to support the responsible development of AI. The President also directed DHS to promote the adoption of AI safety standards globally, protect U.S. networks and critical infrastructure, reduce the risks that AI can be used to create weapons of mass destruction, combat AI-related intellectual property theft, and help the United States attract and retain skilled talent, among other missions. 

To accelerate the deployment of AI and machine learning technologies throughout the Department, Secretary Mayorkas announced in February the Department’s first-ever hiring sprint to recruit 50 experts to better leverage these technologies across strategic areas of the homeland security enterprise. These include efforts to counter fentanyl, combat child sexual exploitation and abuse, deliver immigration services, secure travel, fortify our critical infrastructure, and enhance our cybersecurity. DHS has received over 4,000 applications to date and is in the process of reviewing and hiring AI technologists to support mission-enhancing initiatives.  

The Department continues to accept applications at https://www.dhs.gov/ai/join. 

In April 2023, DHS established the Department’s first AI Task Force and named Eric Hysen its first Chief AI Officer. The Task Force’s focus is on DHS’s entire mission space. For example, it is working to enhance the integrity of our supply chains and the broader trade environment by helping deploy AI to improve cargo screening, the identification of imported goods produced with forced labor, and risk management. Secretary Mayorkas also charged the Task Force with using AI to better detect fentanyl shipments, identify and interdict the flow of precursor chemicals around the world, and disrupt key nodes in criminal networks. 

To learn more about how DHS uses AI technologies to protect the homeland, visit Artificial Intelligence at DHS at https://www.dhs.gov/ai.  

###