Public Policy Comments

M3AAWG actively seeks to provide the necessary technical and strategic guidance to protect end-users’ online experience as government, Internet and public policy agencies worldwide develop new Internet policies and legislation. Working to reduce the spread of spam, bots and malware, M3AAWG has submitted comments on these proposals:

December 12, 2024

Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) Comments on Product Security Bad Practices Guidance

M3AAWG has submitted comments to the Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), Request for Comment on Product Security Bad Practices Guidance. M3AAWG generally supports the stated goals of reducing customer risk by prioritizing security throughout the product development process and discouraging the use of bad security practices, particularly where critical infrastructure and national critical functions are potentially impacted. However, the document lacks clarity on its role and purpose in relation to other CISA publications and comments. The draft guidance does not specify who is responsible for taking action, what specific actions are required, and which level of the security management stack this document is meant to address. These elements should be clarified throughout. Merely avoiding bad practices will not be sufficient to meet security standards. Avoiding bad practices must be supplemented with industry-standard security best practices. In addition, since CISA has previously issued advice on many of the areas covered, it would be helpful to clarify the objectives of this new draft guidance, the context for its release, and how it modifies or complements past guidance. For example, if the intent is to reinforce or summarize existing recommendations, this should be stated explicitly. Conversely, if the document introduces new recommendations or updates, those changes should be clearly highlighted. 

June 11, 2024

Comments by the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) on the DHS “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements”

M3AAWG has submitted comments to the Department of Homeland Security's (DHS) Proposed Rulemaking on “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements”. M3AAWG recognizes the key role effective cyber incident reporting can have in addressing the impacts of cybersecurity incidents and combating online abuse. Cyber incident reporting can minimize consequences to victims, capture lessons learned, and improve cybersecurity nationwide, thereby increasing the likelihood that perpetrators will be held accountable. However, overly broad cyber incident reporting rules often do not, on balance, yield benefits commensurate with the significant costs those rules impose on both reporting entities and the government.

We generally support CISA’s efforts to craft a proposed rule that seeks to achieve the intended goals of the CIRCIA mandates. However, M3AAWG urges CISA to consider the following suggestions to clarify or modify its proposed rule, as detailed below. We note that our comments today are focused on certain critical areas of concern to our members and do not represent a comprehensive discussion of all issues covered in the expansive CIRCIA NPRM.

May 29, 2024

Comments of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) on NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile

M3AAWG has submitted Comments on the NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile. With the growing importance of AI in society and the challenges of AI-related security and abuse issues, appropriate management of AI risk is becoming ever more pertinent, which is why M3AAWG welcomes the opportunity to submit comments.

Comments Submission Date: May 29, 2024

May 29, 2024

Comments of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) on NIST AI 100-5, A Plan for Global Engagement on AI Standards

M3AAWG has submitted Comments on NIST AI 100-5, A Plan for Global Engagement on AI Standards. AI is a global phenomenon which impacts various countries and a number of industry sectors at high risk of abuse by cybercriminals and other threat actors. Thus, international and cross-sector engagement and involvement in standard-setting is of paramount importance.

Comments Submission Date: May 29, 2024

May 29, 2024

Comments of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) on NIST AI 100-4, Reducing Risks Posed by Synthetic Content: An Overview of Technical Approaches to Digital Content Transparency

M3AAWG has submitted Comments on the NIST AI 100-4, Reducing Risks Posed by Synthetic Content: An Overview of Technical Approaches to Digital Content Transparency. Synthetic content is already a concern in areas such as profit-oriented cybercrime, fake news, and election interference. It therefore represents a risk to national security as a whole. M3AAWG welcomes the opportunity to comment on the current version of NIST AI 100-4 from our perspective as security and anti-abuse specialists.

Comments Submission Date: May 29, 2024

 
