NTSC Technology Security Roundup

Weekly News Roundup: May 1, 2017

Trump Still Yet to Sign Long-Awaited Executive Order on Cybersecurity

Many insiders thought he would sign it on Friday but President Trump ended up not signing a long-awaited executive order on cybersecurity that has floated around in draft form since January 2017. The cybersecurity industry generally approved of the draft executive order’s content and Trump has taken time to solicit feedback from experts (including a task force led by Rudy Giuliani). The executive order focuses on agency accountability with existing cybersecurity standards and ensuring that critical infrastructure is protected. The Hill notes how crucial this executive order is for upcoming legislation.

“…House Homeland Security Chair Michael McCaul (R-Texas) said the exec order might lead to congressional action on updating antiquated technology and the reintroduction of Rep. Will Hurd's (R-Texas) bill to fund that initiative. […] Rep. John Ratcliffe (R-Texas) made similar comments about waiting on the order before moving forward on certain legislation. Though both agreed that getting it right was more important than getting it signed fast, whatever is in the executive order will be a building block for many ambitious legislative moves.”

In the final version, sources say that President Trump may remove a section about modernizing IT systems. However, IT modernization may be addressed by the Office of American Innovation along with an upcoming bill.

DHS Creates Cyber Incident Data Repository to Help with Cybersecurity Insurance Accuracy

Accurately quoting premiums for cybersecurity insurance is imprecise, plagued by a lack of data. The Department of Homeland Security seeks to alleviate this difficulty with a repository of cybersecurity data voluntarily submitted by enterprises to help with benchmarking and the actuarial side of cybersecurity insurance. According to GCN, “The data will be anonymized, but users will see basic information—like number of employees and revenue—so they can compare similar organizations. Other data points CIDAR is considering include information on what standards family an enterprise follows or if it has a dedicated security staff and an incident response plan in place.”

U.S. Department of Defense Pushing to Innovate Cybersecurity at the Hardware Level

Through the Defense Advanced Research Projects Agency (DARPA), the U.S. Department of Defense is pushing for cybersecurity innovation at the hardware level to prevent attacks. According to DARPA, “The System Security Integrated Through Hardware and firmware (SSITH) program addresses the use of hardware security architectures to help protect systems against classes of hardware vulnerabilities, rather than focusing on single instances of software weaknesses that exploit those vulnerabilities.” Cyberscoop reported that “Pentagon scientists say they could stop 40 percent of current cyberattacks by producing secure computer chips.”

Communications Security, Reliability and Interoperability Council to Help Clarify FCC’s Cybersecurity Roles and Responsibilities

After years of conflict, uncertainty, and Congressional pressure, the FCC plans to clarify its roles and responsibilities related to cybersecurity with a new council. Called the Communications Security, Reliability and Interoperability Council, the FCC says the council will “make recommendations to the Commission to promote the security, reliability, and resiliency of the Nation’s communications systems.” Over the next few months, the FCC will solicit members and hopes to debut the council in early summer 2017. According to MeriTalk, “The council will discuss the reliability of communications systems and infrastructure, Internet protocol-based 911 systems, emergency alerting systems, and national security and emergency preparedness communications systems.”

Reports from Symantec and Verizon Highlight Increasing Numbers and Sophistication of Cyberattacks in 2016

Both Symantec and Verizon recently released anticipated reports about the state of data breaches and cybersecurity in 2016. Symantec noted that cyberattacks grew bolder in areas such as sabotage, financial heists, malicious emails (which experienced a resurgence), ransomware, and both IoT and cloud attacks. Verizon reported that cyberespionage and ransomware increased, phishing and insiders were two main root causes of data breaches, and lack of a strong password policies and two-factor authentication contributed to weak security.