INTERNATIONAL FOUNDATION FOR CULTURAL PROPERTY PROTECTION
News
Reposted from CISA
As valued community members, we want to share an exciting development. We are thrilled to announce the launch of our brand-new Commercial Facilities Sector Management Team (SMT) Update, Arenas to Zoos!
Arenas to Zoos is a publication designed to bring you the latest updates, exclusive insights, and engaging content in one place. Whether you're a long-time sector partner, a new subscriber, or someone interested in Cybersecurity and Infrastructure Security Agency (CISA) bulletins, this update is designed to keep you informed.
What can you expect from Arenas to Zoos?
Our update will be sent monthly, ensuring you receive valuable content without feeling overwhelmed. Please share this news with colleagues who might also find Arenas to Zoos helpful.
Your feedback and suggestions are always appreciated as we strive to make this update an enriching experience for you. Should you have any questions or need assistance, please don't hesitate to contact us at CommercialFacilitiesSector@cisa.dhs.gov
Discussions of artificial intelligence (AI) often swirl with mysticism regarding how an AI system functions. The reality is far simpler: AI is a type of software system.
And like any software system, AI must be Secure by Design. This means that manufacturers of AI systems must consider the security of the customers as a core business requirement, not just a technical feature, and prioritize security throughout the whole lifecycle of the product, from inception of the idea to planning for the system’s end-of-life. It also means that AI systems must be secure to use out of the box, with little to no configuration changes or additional cost.
The specific ways to make AI systems Secure by Design can differ from other types of software, and some best practices for safety and security are still being fully defined. Additionally, the manner in which adversaries may choose to use (or misuse) AI software systems will undoubtedly continue to evolve – issues that we will explore in a future blog post. However, fundamental security practices still apply to AI software.
AI is software that does fancy data processing. It generates predictions, recommendations, or decisions based on statistical reasoning (precisely, this is true of machine learning types of AI). Evidence-based statistical policy making or statistical reasoning is a powerful tool for improving human lives. Evidence-based medicine understands this well. If AI software automates aspects of the human process of science, that makes it very powerful, but it remains software all the same.
CEOs, policymakers, and academics are grappling with how to design safe and fair AI systems, and how to establish guardrails for the most powerful AI systems. Whatever the outcome of these conversations, AI software must be Secure by Design.
AI software design, AI software development, AI data management, AI software deployment, AI system integration, AI software testing, AI vulnerability management, AI incident management, AI product security, and AI end-of-life management – for example – all should apply existing community-expected security practices and policies for broader software design, software development, etc. AI engineering continues to take on too much technical debt where it has avoided applying these practices. As the pressure to adopt AI software systems increases, developers will be pressured to take on technical debt rather than implement Secure by Design principles. Since AI is the “high interest credit card” of technical debt, it is particularly dangerous to choose shortcuts rather than Secure by Design.
Some aspects of AI, such as data management, have important operational differences with expected practices for other software types. Some security practices will need to be augmented to account for AI considerations. The AI engineering community should start by applying existing security best practices. Secure by Design practices are a foundation on which other guardrails and safety principles depend. Therefore, the AI engineering community should be encouraged to integrate or apply these Secure-by-Design practices starting today.
Secure by Design “means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure.” Secure by Design software is designed securely from inception to end-of-life. System development life cycle risk management and defense in depth certainly apply to AI software. The larger discussions about AI often lose sight of the workaday shortcomings in AI engineering as related to cybersecurity operations and existing cybersecurity policy. For example, systems processing AI model file formats should protect against untrusted code execution attempts and should use memory-safe languages. The AI engineering community must institute vulnerability identifiers like Common Vulnerabilities and Exposures (CVE) IDs. Since AI is software, AI models – and their dependencies, including data – should be captured in software bills of materials. The AI system should also respect fundamental privacy principles by default.
CISA understands that once these standard engineering, Secure-by-Design and security operations practices are integrated into AI engineering, there are still remaining AI-specific assurance issues. For example, adversarial inputs that force misclassification can cause cars to misbehave on road courses or hide objects from security camera software. These adversarial inputs that force misclassifications are practically different from standard input validation or security detection bypass, even if they’re conceptually similar. The security community maintains a taxonomy of common weaknesses and their mitigations – for example, improper input validation is CWE-20. Security detection bypass through evasion is a common issue for network defenses such as intrusion detection system (IDS) evasion.
Over the last decade, unmanned aircraft systems (UAS or “drones”) have become a regular feature of American life. We use them for recreation, research, and commerce, and we look forward to realizing the benefits of future drone innovation. But the proliferation of this new technology has also introduced new risks to public safety, privacy, and homeland security. Malicious actors increasingly use UAS domestically to commit and enable crimes, conduct illegal surveillance and industrial espionage, and thwart law enforcement efforts at the local, state and Federal level.
To meet this evolving threat, the Biden Administration has released the attached 2023 updates to its counter-UAS legislative proposal from last year. This comprehensive proposal strengthens existing authorities to address the current and future threat while protecting the airspace, the communications spectrum, and the privacy, civil rights, and civil liberties of the American people. Teams of security professionals from the Departments of Homeland Security, Justice, Defense, Energy, and State, as well as the Intelligence Community and regulatory professionals from the Federal Aviation Administration, Federal Communications Commission, and National Telecommunications and Information Administration, collaborated on this proposal. Through this proposal and the Administration’s Domestic Counter-Unmanned Aircraft Systems National Action Plan, we are working to expand where we can protect against nefarious UAS activity, who is authorized to take action, and how it can be accomplished lawfully. We seek measured expansions of authority while safeguarding the airspace, communications spectrums, individual privacy, civil rights, and civil liberties. To promote all of these ends, we urge Congress to adopt legislation to close critical gaps in existing law and policy that currently impede government and law enforcement from protecting the American people and our vital security interests.
With respect to the authorities requested for the Department of Homeland Security and Department of Justice, the Administration’s 2023 Legislative Proposal is nearly identical in substance to S. 1631, championed by Senators Peters, Johnson, Sinema, and Hoeven. Both call for a measured expansion of Department of Homeland Security and Department of Justice counter-UAS authorities. Built into the architecture of both are critical First and Fourth Amendment protections designed to harness the good applications of drones while guarding against misuse.
We fully support S. 1631 and applaud the leadership of its sponsors. However, the Administration’s comprehensive legislative proposal highlights additional counter-UAS needs across other federal departments and agencies. Please let us know if you have any questions or feedback on the proposal, and thank you for your continued support.
CISA will coordinate updates on the national plan and legislative proposal at future partnership engagements to allow for direct discussions. In the interim, if you have any questions, please reach out to the CISA sUAS Security Branch at sUASsecurity@cisa.dhs.gov.
Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the FY2024-2026 Cybersecurity Strategic Plan, which guides CISA’s efforts through 2026 and outlines a new vision for cybersecurity, a vision grounded in collaboration, in innovation, and in accountability.
Aligned with the National Cybersecurity Strategy and nested under CISA’s 2023–2025 Strategic Plan, the Cybersecurity Strategic Plan provides a blueprint for how the agency will pursue a future in which damaging cyber intrusions are a shocking anomaly, organizations are secure and resilient, and technology products are safe and secure by design. To this end, the Strategic Plan outlines three enduring goals:
Learn more about CISA’s Cybersecurity Strategic Plan at https://www.cisa.gov/cybersecurity-strategic-plan
As the nation’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA) published the Remote Monitoring and Management (RMM) Cyber Defense Plan, the first proactive plan developed by industry and government partners through the Joint Cyber Defense Collaborative (JCDC) as part of its 2023 Planning Agenda. This plan provides a clear roadmap to advance security and resilience of the RMM ecosystem, expands specific lines of effort in the National Cyber Strategy to increase public-private collaboration, and drives adoption of the most impactful security measures in the CISA Cybersecurity Strategic Plan.
RMM is software that is installed on an endpoint to continuously monitor a machine or system’s health and status. It also enables remote unattended administration functions, including modification of the endpoint’s security configuration, installed applications, and local accounts.
Organizations across sectors leverage RMM products to gain efficiencies and benefit from scalable services. These same products and services, however, are increasingly targeted by adversaries – from ransomware actors to nation-states – to compromise large numbers of downstream customer organizations. By targeting RMM products, threat actors attempt to evade detection and maintain persistent access through a technique known as “living off the land.”
JCDC worked with key partners for several months to develop the JCDC RMM Cyber Defense Plan to help cyber defense leaders in government and the private sector collectively mitigate threats to the RMM ecosystem. The plan is built on two foundational pillars, operational collaboration and cyber defense guidance, and contains four subordinate lines of effort:
(1) Cyber Threat and Vulnerability Information Sharing: Expand the sharing of cyber threat and vulnerability information between U.S. government and RMM ecosystem stakeholders.
(2) Enduring RMM Operational Community: Implement mechanisms for an enduring RMM operational community that will continue to mature scaled security efforts.
(3) End-User Education: Develop and enhance end-user education and cybersecurity guidance to advance adoption of strong best practices, a collaborative effort by CISA, interagency partners and other RMM ecosystem stakeholders.
(4) Amplification: Leverage available lines of communication to amplify relevant advisories and alerts within the RMM ecosystem.
Reposted from Allied Universal Risk Advisory and Consulting Services
Allied Universal® Risk Advisory and Consulting Services produces risk intelligence bulletins and special reports to recap key situations that may have an impact on businesses and individuals such as civil disorder, global geopolitical issues, natural disasters, and other threats. We publish these reports to provide insights and advice for dealing with potential risks/threats. Please take a moment to download your free report.
EXECUTIVE SUMMARY: The retail sector faces a wide range of interconnected crime risks, with many on the rise. These threats are expected to increase in both frequency and severity in the coming year, jeopardizing business continuity and financial assets. Retailers can expect challenges like reduced employee retention, investigations, lawsuits, asset loss, and facility damage, all leading to decreased customer and investor trust. In this intelligence report, we examine the impact of crime on the retail industry associated with cybercrime, fraud, insider threats, organized crime, supply chain crime, theft, and violent crime involving firearms.
Reposted From CISA
CISA urges users to remain on alert for malicious cyber activity following natural disasters, such as hurricanes, as attackers target disaster victims and concerned citizens by leveraging social engineering tactics, techniques, and procedures (TTPs).
Social engineering TTPs include phishing, in which threat actors pose as trustworthy persons/organizations—such as disaster-relief charities—to solicit personal information via email or malicious websites. CISA recommends exercising caution in handling emails with disaster-related subject lines, attachments, or hyperlinks to avoid compromise. In addition, be wary of social media pleas and text messages related to severe weather events.
CISA encourages users to review the Federal Trade Commission’s Staying Alert to Disaster-related Scams and Before Giving to a Charity, Consumer Financial Protection Bureau's Frauds and scams, and CISA’s Using Caution with Email Attachments and Tips on Avoiding Social Engineering and Phishing Attacks to avoid falling victim to malicious cyber activity.
Reposted from Museums Association
A majority of people believe that museums, galleries and heritage sites should take a stance on the climate crisis, according to new research.
In an online survey by the Audience Agency, 51% of people agreed with the statement that these venues “should take a stance” on climate change.
Forty-seven per cent of people took this view in relation to live cultural venues, and 53% about visitor attractions.
Large proportions of people also believe that cultural organisations should take a stance on other social issues, according to the research – with just under half saying this about each of the three categories of venue.
In addition, 51% of all respondents said that they prefer to go to cultural venues “which I know share my values”.
The Audience Agency said that while this result may seem close-run, there were far more people for whom organisations sharing their own values was “a positive driving attendance factor”.
Younger generations were much more likely to believe that organisations should take a stance.
Within generation Z (those aged between 16 and 24), 52% said organisations should take a stance on climate change, along with 57% of millennials (aged between 25 and 44). In contrast, only 21% of people aged over 44 believed this.
An even stronger generational divide was apparent for “other social issues”. Here, 62% of generation Z respondents, and 58% of millennials, wanted to see organisations taking a stance – compared to 19% of respondents aged over 44.
There was also a clear generational difference around which behaviours people would like to see permitted at live cultural events. Generation Z respondents were more likely to say that being allowed to do things like eat or drink, take photos or talk to others would encourage them to attend.
Overall, being allowed to take photos, eat or drink and move around made people more likely to want to attend live events, while permission to smoke or vape, talk on the phone or make other noise made people less likely to want to go.
The Audience Agency said that the preferences of younger audiences for more relaxed behavioural regulations “raises interesting questions about the increasingly different experiential tastes and expectations that venues may need to be prepared to cater to in the not so distant future”.
The survey results also suggest falling rates of cultural attendance. Among all respondents, 38% said they were attending less than they were before the pandemic, with only 12% increasing attendance.
Reported rates of attendance were also down compared to 12 months ago (with 35% attending less and 13% attending more).
Oliver Mantell, director of insight and evidence at the Audience Agency, commented: “Younger people are more likely to want organisations to align with their values and to take a stand on social and climate issues, as well as to prefer a wider range of permitted behaviours when attending cultural venues of all kinds. These groups will form an increasing share of audiences in the future (as they are already, given shifts in audience profiles since the pandemic).
“This suggests we are likely to see a shift in expectations on cultural venues, with pressure for more informal experiences (including more digital and social interaction), and for venues to be more value-led and outspoken about those values.”
Anne Torreggiani, chief executive of The Audience Agency, said: “These insights point to a changed role for organisations – we need to think about amplifying our social values, becoming a community resource, being prepared to join the conversation, creating opportunities for debate.”
The Audience Agency surveyed a nationally representative sample of 2,463 people for the summer 2023 wave of its Cultural Participation Monitor.
Reposted From AAM
Today, the School for Advanced Research (SAR) and the American Alliance of Museums (AAM) announced the release of the Standards for Museums with Native American Collections (SMNAC), a comprehensive document to help museums clarify and strengthen their roles as stewards, and improve the museum field as a whole with regard to Native American peoples, communities, and cultural items.
SMNAC grew out of a presentation made by Dr. Deana Dartt, a Coastal Band Chumash museum scholar, curator, and principal at Live Oak Consulting, at the Association of Tribal Archives, Libraries, and Museums (ATALM) conference in 2017. Her presentation pointed out the need for change and resulted in the development of these standards by a core group of individuals in collaboration with SAR, in consultation with AAM, and with input from 70 museum professionals working with Native collections.
“Shifts within the museum field need to happen at multiple levels,” said Elysia Poon, director of the Indian Arts Research Center (IARC) at SAR. “This document provides a pathway for how these changes might occur. It has been a privilege to have the opportunity to guide the development of this document with Deana Dartt, and work with so many passionate individuals who are committed to making museums a better place.”
Adds Dr. Dartt, “Historically, it has been daunting for even those who earnestly want to be collaborative with and inclusive of Indigenous perspectives—this document is a game-changer. The SMNAC can help all institutions be better allies to the people of the land, no matter their size or capacity.”
“The SMNAC is the result of years of work from experts who are guiding a field-wide effort to take the Native American Graves Protection and Repatriation Act (NAGPRA) several steps further,” said Brooke Leonard, Interim CEO at AAM. “It provides a new level of support for institutions to become community partners, further enabling them to connect collections with descendent communities for more meaningful, relevant and culturally sensitive interpretation and documentation.”
The SMNAC will serve to guide all aspects of work within museums holding Native collections, making recommendations grouped around the seven function areas as identified by AAM’s Core Standards: Mission and Planning, Collections Stewardship, Facilities and Risk Management, Education and Interpretation, Leadership and Organizational Structure, Financial Stability, Public Trust and Accountability. The document has been added to AAM’s Framework for Museum Excellence and will be used as guidance to inform Museum Assessment Program and Accreditation reviews for museums with Native American collections.
The SMNAC provides case studies from several institutions that exemplify meaningful collaboration and inclusion and a list of resources for further exploration and research.
The specific goals of SMNAC are to:
The development of the SMNAC is generously supported by the Anne Ray Foundation with additional support by the Smithsonian’s National Museum of the American Indian.
The SMNAC is currently available for download at https://sarweb.org/smnac
Reposted From The Art Newspaper
The British Museum was evacuated Tuesday morning after a man was stabbed close to the London institution’s main entrance at 10am, just as the museum opened to the public.
Police confirmed that a man had been arrested on suspicion of grievous bodily harm. The victim’s injuries are not thought to be life-threatening, while the incident is not thought to be terrorism-related.
The Evening Standard newspaper claimed the man was stabbed while queuing to enter the museum, although this has not been corroborated.
Speaking to The Art Newspaper, eye-witnesses close to the scene reported seeing a man estimated to be in his 30s in the process of being arrested, while a large knife was taken from the scene of the crime in an evidence bag. Another eye-witness reported seeing a large amount of blood pooled on the pavement where the incident took place.
George Osborne, the chairman of the British Museum and the UK’s former chancellor, said in a post on X (formerly Twitter): “Disturbing news of a knife attack near the gates of the British Museum this am. Much thanks to our security team and other BM staff, who reacted quickly, with the police. Museum has now reopened; everyone’s thoughts at the BM are with the victim and we wish him the best recovery.”
The incident prompted a significant police response and an arrest was made soon after the attack took place, close to the corner of Great Russell Street and Museum Street. A significant police presence assisted in evacuating the museum while cordoning off the adjoining street, which was kept in lockdown for around two hours after the incident took place. Staff at nearby businesses said they weren’t allowed to leave their premises throughout this time.
Photographs shared on social media showed a police tent erected close to the railings of the museum while they tended to the victim. The victim was stabbed in the arm, police confirmed, and was later transferred to a major trauma unit at a local hospital via ambulance.
Speaking to The Art Newspaper, a British Museum spokesperson said: “The museum was closed this morning due to an incident following a member of the public being attacked nearby. The Museum’s security team supported at the scene until the emergency services arrived. Visitors were evacuated from the museum as a precaution and we wish the victim a full and swift recovery.”
The museum reopened to the public at around 12.30pm, but with a heightened security protocol. Long queues of people were seen waiting to gain access to the museum, with extensive searches being conducted by museum staff on a condition of entry. Armed police were also visible close to the museum. A museum spokesperson confirmed to The Art Newspaper: "As a precaution, the museum raised security including a heightened search operation."
The British Museum is one of the most popular cultural attractions in the UK, with around two million people visiting the institution between April 2021 and March 2022.
In a statement released by Scotland Yard, London’s Metropolitan police said a man was being treated for a stab wound to his arm and that his condition was being assessed. “This was an isolated incident and there is no outstanding risk to the public,” the statement said. “It is not being treated as terror-related.”
1305 Krameria, Unit H-129, Denver, CO 80220 Local: 303.322.9667 Copyright © 1999 International Foundation for Cultural Property Protection. All Rights Reserved