NTSC Technology Security Roundup

Weekly News Roundup: March 20, 2017

Federal Agencies Improving Cybersecurity But Still Vulnerable

On Friday, March 10, the Office of Management and Budget (OMB) released cybersecurity data about incidents at federal agencies during fiscal year 2016. Using new metrics (which means no direct comparison to fiscal year 2015), the OMB only reported incidents that affected operations. CyberScoop reported “Of the 30,899 incidents that agencies reported, only 16 were determined by agency heads to be ‘major information security incidents.’” Out of those 16 incidents, 10 took place at the FDIC. Federal agencies did improve their cybersecurity monitoring, multi-factor authentication, and anti-phishing / anti-malware efforts, but Bloomberg noted “The [30,899] incidents included thousands of email phishing attacks; “improper usage” that violates acceptable policies by an authorized user; loss or theft of a computing device or media; or an attack executed from a website or a web-based application…”

FTC Backing Off, For Now, On Internet of Things Regulation

Despite increasing cybersecurity vulnerabilities related to the Internet of Things (IoT), acting FTC head Maureen Ohlhausen does not currently support any regulation. At a recent National Cyber Security Alliance (NCSA) and Nasdaq Cybersecurity Summit, she said that IoT cybersecurity isn’t currently causing major problems and that the use of data analytics from these devices encourages competition. A Yahoo Finance article reports said, “Some analysts argue that [harm to consumers has been demonstrated], highlighting the DDOS attack against internet management firm Dyn in late 2016, which leveraged millions of IoT-connected devices, such as smart cameras, to bombard its DNS servers with traffic. The attack caused the very foundations of many of the most popular internet services to shake and in some cases cease working.”

A Cybersecurity National Guard? Idea Offered Up by Congressman Ruben Gallego

Congressman Ruben Gallego (D-Arizona) recently offered up the idea of a cybersecurity reserve system similar to how the National Guard supplements the United States Armed Forces. Because of increased budget cuts and problems recruiting cybersecurity talent at the federal level, this cybersecurity reserve may work to bridge the gap between the public and private sectors. According to CNN, “A cybersecurity reservist group could occasionally be called on to protect the country against cyber threats, and strengthen national security on the digital level. That could include finding and patching bugs, upgrading outdated systems, and auditing current technology.”

Details About iPhone Hacking Tool to Remain Classified by the FBI

The FBI has decided to keep information classified about an iPhone hacking tool that helped them break into a phone owned by the San Bernardino shooter. Despite several news organizations asking for the release of the third party vendor’s name that created the hacking tool along with the tool’s cost, the FBI argues that the classified information is still useful to them and risks national security if released. According to ZDNet, “…the vulnerability used to break into the phone is still not known. It's long been believed that the hack targeted a weakness in iPhone 5c devices, namely that it didn't come with a secure enclave processor, a key part in the phone's full-disk encryption that even Apple wasn't supposed to be able to break.”

National Cybersecurity Preparedness Consortium Act Reintroduced in Congress

Senators John Cornyn (R-Texas), Patrick Leahy (D-Vermont), and Ted Cruz (R-Texas) have reintroduced the National Cybersecurity Preparedness Consortium Act to Congress. According to a press release, the Act would “authorize the U.S. Department of Homeland Security to work with the National Cybersecurity Preparedness Consortium (NCPC) to address cybersecurity preparedness at the state and local level and respond to potential cybersecurity risks.” Such activities would include training, technical assistance, information sharing, and operational planning.