CFTC’s Johnson highlights cyber collaboration amid NIST, CISA cuts

Staff reductions at NIST and CISA raise some concerns about cohesive cybersecurity collaboration.

In a recent speech delivered to the GAIM Ops AI Summit, Commodity Futures Trading Commission (CFTC) Commissioner Kristin N. Johnson highlighted strategies to fight AI-based fraud, manipulation, and cyberattacks.

Noting the increasing sophistication of malicious actors, Johnson highlighted the need for collaboration among agencies and industry participants. But that potential might be diminishing amid significant cuts to the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA), the two federal agencies at the forefront of formulating cyber resilience strategy.

The scope of Johnson’s speech aligns with the CFTC’s recent “back-to-basics” shift in priorities, which involves a heightened focus on targeting fraud and manipulation.

Risks

Citing a Treasury report, Johnson addressed several pressing AI-related cybersecurity and fraud risks. These included “lower barriers for [AI fraud] entry, increasingly sophisticated automation, and decreasing time-to-exploit.”

She also noted AI systems’ vulnerability to malicious manipulation through data poisoning, model evasion, and model extractions that can be used to corrupt or steal from AI-driven processes.

Another risk factor was the potential for social engineering created by increasingly sophisticated generative AI models. She also highlighted the need for increased competition among cloud-based technology vendors, noting the high barriers to entry in that field and the heightened risks created by a high concentration of industry participants.

Need for collaboration

Johnson addressed the need for interagency collaboration to tackle AI-driven threats, noting that a major industry concern was the possibility of fragmented regulations from various federal, state, and international regulators. Part of that effort will involve creating a common lexicon of AI-related terms, she stated.

Johnson further encouraged AI data sharing between large and small industry participants to prevent fraud, noting that the former often have more data on which to train their models than the latter.

Shift in focus?

In a 2024 address to the New York City Bar Association, Johnson highlighted the need for stiff penalties to combat the use of AI-driven fraud and the importance of preventing AI-based discrimination.

Her appeal to cross-agency collaboration in that speech also specifically named NIST’s AI Safety Institute, which has been the subject of recent staff reductions.

The absence of these points from her recent address might signal a change of agency priorities.

Cuts to NIST and CISA

Cuts continue at NIST and CISA under the direction of the Department of Government Efficiency (DOGE). According to a report by Forbes, CISA is expected to reduce its headcount by thousands of employees, either through layoffs or retirement incentives.

Department of Homeland Security Secretary Kristi Noem, who oversees CISA, explained that the cuts were aimed at making CISA more mission-focused. This will likely involve rolling back the agency’s recent expansion into anti-misinformation initiatives and requirements for reporting cyber breaches.

NIST also suffered employee reductions last month, with more foreseen in the future. That included headcount reductions in NIST’s AI Safety Institute, which prompted a complaint by House Democrats.

The cuts could also affect how other agencies prosecute cyber fraud cases and develop cyber resiliency recommendations.

CISA often works alongside other agencies, including the CFTC and SEC, to coordinate their responses to cyberattacks, as well as provide guidance to promote consistent cybersecurity systems.

Gold standard

And NIST cybersecurity and risk management standards, which are regularly updated to adapt to evolving technology and threats, are the gold standard for generally accepted practices in the industry.

While voluntary, these standards help firms meet their cybersecurity regulatory requirements under SEC Reg S-P, Reg S-ID (as well as their CFTC counterparts), and other relevant regulations. But the necessity of formulating comprehensive internal policies might be deprioritized as enforcement of those cyber requirements is scaled back at the SEC and CFTC.

The CFTC also relied on NIST standards to formulate its cyber resilience requirements for derivatives clearing organizations (DCOs), which mandate regular vulnerability testing, cybersecurity response and recovery plans, and cybersecurity detection processes and procedures.

State regulators take guidance from NIST as well, with New York’s landmark 2017 cybersecurity legislation substantially modelled after NIST’s Cybersecurity Framework.

The CFTC’s 2023 Proposed Rule on Cyber and Operational Resilience would further require US swap dealers and futures commission merchants (FCMs) to adopt elements of NIST’s Cybersecurity Framework. At the time, CFTC Commissioner Goldsmith Romero called the NIST framework a “clear set of cybersecurity expectations that are risk- and outcome-based rather than prescriptive.”

The latter rule will likely be shelved as both the CFTC and SEC have signaled that they will roll back cybersecurity disclosure rule proposals and enforcement.