One of the leading AI companies says virtual employees could pose security risks Within a year, Microsoft rolls out security agents to combat analyst burnout and workforce gaps, and the common vulnerability and exposures programs. CVE gets an 11th hour stay of execution. This is cybersecurity today, and I'm your host, Jim Love.
Anthropic, one of the leading artificial intelligence companies anticipates that AI powered virtual employees could begin operating within corporate networks as soon as next year, and that's according to Chief Information Security Officer Jason Clinton. This development raises significant cybersecurity concerns as organizations will need to reevaluate how they manage digital identities and access controls to prevent potential breaches.
Clinton emphasized that securing AI employee accounts, determining appropriate access levels and assigning accountability for their actions. Are major challenges that enterprises will face. There's a risk that AI employees could be exploited or even act dangerously, such as interfering with critical systems like continuous integration platforms. With current IT teams already overwhelmed by credential management and cyber threats. The addition of AI agents complicates the landscape further.
The growing importance of non-human identity management has spurred cybersecurity firms to develop solutions in this emerging area, which Clinton identifies as a priority for future AI investments. As integrating AI into corporate settings becomes more prevalent, managing virtual employees securely will become a pressing issue. Microsoft is adding 11 AI powered agents to its security co-pilot platform in a move aimed squarely at easing the strain on overworked cybersecurity teams.
Unlike traditional AI copilots that offer suggestions, these agents can take autonomous actions, flagging alerts, initiating investigations, and even closing incidents, freeing analysts to focus on higher priority threats. According to US federal data, the country currently has only enough trained professionals to fill 83% of available cybersecurity roles.
At the same time, security teams are inundated with alerts more than 4,400 per day in some organizations, And they spend up to three hours daily triaging and responding according to research from Vectra ai.
While other cybersecurity vendors have launched AI assistance, most stop short of full autonomy, Microsoft's agents by contrast, are designed to handle routine and repetitive tasks, such as identifying false positives in phishing detection, or investigating suspicious login patterns The company claims they continuously learn from user feedback and can adapt their behavior over time.
Each agent focuses on a particular task and a wide range of activities ranging from looking for phishing emails to even crafting the letters needed to be sent out after a data breach. Microsoft promises the ability to configure each agent's level of access and autonomy, making them totally independent or an addition to a user's account, whichever you need as well for greater control.
Each agent will provide what they refer to as a map of its thinking so that humans can review it and if necessary, correct or override their decisions. The company says the agents have been extensively red teamed to identify risks before deployment, and early users report significant time savings. If adoption scales, Microsoft's approach could transform how AI shifts from assistant to active responder in enterprise security.
A US Appeals Court has reinstated a proposed data privacy class action against Canadian e-commerce company Shopify, allowing the case to proceed in California the ninth US Circuit Court of Appeals ruled 10 to one that Shopify could be held accountable in California for collecting personal data via tracking cookies without user consent.
Plaintiff Brandon Briskin, a California resident, alleges that Shopify installed tracking software on his iPhone during a purchase using his data to build a customer profile that they sold to other merchants. Shopify contended. It should not be sued in California because it operates nationwide and did not specifically target the state. However, the court found that the company's actions deliberately targeted Californians.
The court's decision could have broader implications for the jurisdiction of US courts over internet companies, a coalition of 30 states and Washington. DC supported Briskin citing the need to uphold state consumer protection laws. Shopify back. By the US Chamber of Commerce argued that the ruling could unfairly subject global service providers to lawsuits in unrelated jurisdictions.
And finally, in a dramatic 11th hour decision, the US Cybersecurity and Infrastructure Security Agency, CISA A extended the funding for the common vulnerabilities and exposures or CVE program averting a potential crisis in global cybersecurity coordination. The program managed by the nonprofit Mitre Corporation serves as a critical resource for identifying and cataloging software vulnerabilities.
Until the last minute notice, the federal contract was set to expire on April 16th, 2025, without a renewal in place. The CVE system is essentially a way to manage records of vulnerabilities. It assigns unique identifiers to publicly disclosed cybersecurity vulnerabilities, enabling organizations worldwide to prioritize security patches effectively, the program's sudden funding uncertainty prompted concerns across the cybersecurity community.
. Yosry Barsoum, MIT's, vice President and Director of the Center for Securing the Homeland, warned that a service interruption could lead to deterioration of national vulnerability, databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure In response to the potential lapse CISA announced the execution of an 11 month contract extension to ensure the program's continuity.
a CISA spokesperson stated the CVE program is invaluable to the cyber community and a priority of CISA. Despite this temporary reprieve, the incident has sparked discussions about the program's long-term sustainability. Some members of the CVE Board have proposed transitioning the program into an independent entity to reduce reliance on government funding and enhance its global neutrality.
A CVE program near shutdown underscores the importance of stable funding for critical cybersecurity infrastructure. As the digital landscape continues to evolve, ensuring the resilience and independence of such programs remains a priority for stakeholders worldwide. That's our show for today. Love to hear what you think. You can contact me at [email protected]. You can find me on LinkedIn. Many people do. Or if you're watching on YouTube, just drop a comment under the video.
I'm your host, Jim Love. Thanks for listening.