NTSC Technology Security Roundup

Weekly News Roundup: May 15, 2017

President Trump Signs Long-Awaited Cybersecurity Executive Order

After months of anticipation, President Trump signed his cybersecurity executive order on Thursday. Although drafts had leaked along the way, the final version held few surprises, and its content mostly aligns with established cybersecurity best practices. A few highlights include:

  • A requirement for federal agencies to modernize their IT systems and follow the NIST Cybersecurity Framework. Agency heads will also be held accountable for the success or failure of an agency’s cybersecurity.
  • A request for a cybersecurity risk assessment from federal agencies within 90 days.
  • A request for a cybersecurity risk assessment of the nation’s critical infrastructure within six months.
  • More involvement from the United States military in the nation’s cybersecurity (a sharp contrast from the Obama administration).
  • Various federal departments addressing the cybersecurity talent shortage at agencies.

Ransomware Worm Leads to Massive, Ongoing Worldwide Cyberattack

Last week, a ransomware worm called WannaCry affected over 200,000 organizations in over 150 countries, with repercussions still felt today (especially in Asia). Derived from the Shadow Brokers hack of the NSA, the ransomware worm starts with a person clicking on a phishing email and then spreads to more machines in an organization without any user interaction. Affecting critical organizations from hospitals to financial institutions, the ransomware worm especially exploits those who rely on legacy systems, fail to regularly patch their operating systems, and still use unsupported operating systems such as Windows XP.

Cybersecurity Experts Say Government Must Help Private Sector More, But Differ on How

At a US Senate Committee on Homeland Security & Governmental Affairs meeting on Wednesday, a panel of private sector cybersecurity executives told Senators that the US government needs to offer more cybersecurity help to the private sector. According to Cyberscoop, the panel “unanimously agreed and told lawmakers that the U.S. government must do more to curb malicious cyber-activity. The follow-up question, however, of how exactly the country should advance such a broad effort, was met with widely different answers.” One key issue is the notion of “hacking back,” and both the US government and the private sector have conflicting ideas about how private companies should respond to cyberattacks—and what role the US government plays.

The Hill Highlights Five Important Cybersecurity Influencers in the Trump Administration

The Hill, in a recent article, highlighted five important cybersecurity influencers in the Trump administration. Those people include:

1. Rob Joyce: “President Trump has put Rob Joyce, the former leader of an elite hacking group at the National Security Agency, in charge of overseeing the federal government’s cybersecurity policy efforts at the White House.”

2. Jared Kushner: “In his leadership role at the White House’s Office of American Innovation, Jared Kushner has been tasked with spearheading the federal government’s IT modernization efforts.”

3. Chris Liddell: “Chris Liddell, an adviser to Trump on strategic initiatives, is playing a large role in coordinating policy for the federal government’s use of IT. Not only does Liddell, a former executive at Microsoft and General Motors, have a spot in Kushner’s Office of American Innovation, he is also now running the related American Technology Council.”

4. John Kelly: “As the leader of the Department of Homeland Security, Secretary John Kelly is responsible for a broad agenda, from securing the southern border to protecting critical infrastructure to evolving threats.”

5. James Mattis: “Defense Secretary Jim Mattis will also have the power to make key decisions on cyber in his leadership of the Pentagon, which is developing its own defense and offensive cyber capabilities.”

Next Iteration of NIST Guidelines to Modernize Password Best Practices

After public input on the new NIST guidelines closed this month, Quartz reports that the revised guidelines will include modernized password best practices that align with the recommendations of cybersecurity experts. The password guidelines will discourage “periodic password changes,” will “allow at least 64 characters in length to support the use of passphrases,” and will “[not impose] other composition rules (e.g. mixtures of different character types) on memorized secrets.” NIST will also recommend that organizations find a way to check passwords to make sure they are not particularly vulnerable to hackers.
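To make the shift concrete, here is an added example (not code from Quartz, NIST, or the NTSC) that contrasts a verifier written to the revised guidance with a typical legacy policy. It assumes a minimum length of 8 characters (the SP 800-63B minimum, which the article does not quote), a maximum of 128 to satisfy the "at least 64" requirement, and a small constructed blocklist standing in for a real dataset of commonly used or breached passwords.

```python
import unicodedata

# Policy parameters. MIN_LENGTH is the SP 800-63B minimum for user-chosen
# secrets (not quoted in the article); MAX_LENGTH is an assumed cap chosen to
# satisfy the "allow at least 64 characters" requirement.
MIN_LENGTH = 8
MAX_LENGTH = 128

# Constructed stand-in for a blocklist of commonly used or previously breached
# passwords. A real deployment would load a large dataset here.
BLOCKLIST = frozenset({"password", "123456", "qwerty", "letmein", "p@ssw0rd", "welcome1"})


def _normalize(secret: str) -> str:
    # NFKC folding so visually identical strings (e.g. fullwidth letters)
    # compare equal; the verifier should apply the same step before hashing.
    return unicodedata.normalize("NFKC", secret)


def check_modern(secret: str, blocklist=BLOCKLIST) -> list:
    """Reason codes that make the secret unacceptable under the revised
    guidance; an empty list means accepted. Length and a blocklist check only:
    no composition rules are enforced, on purpose."""
    pw = _normalize(secret)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")
    if pw.casefold() in blocklist:
        reasons.append("blocklisted")
    return reasons


def check_legacy(secret: str) -> list:
    """A typical pre-revision policy: short cap plus composition rules.
    Included only to show what the revised guidance drops."""
    reasons = []
    if len(secret) < 8:
        reasons.append("too_short")
    if len(secret) > 16:
        reasons.append("too_long")
    if not any(c.isupper() for c in secret):
        reasons.append("no_uppercase")
    if not any(c.isdigit() for c in secret):
        reasons.append("no_digit")
    if not any(not c.isalnum() and not c.isspace() for c in secret):
        reasons.append("no_symbol")
    return reasons


def rotation_required(days_since_change: int, compromise_suspected: bool,
                      legacy: bool = False) -> bool:
    """Revised guidance: force a change only on evidence of compromise.
    Legacy policy (assumed 90-day cycle): force a change on a calendar too."""
    if legacy:
        return days_since_change >= 90 or compromise_suspected
    return compromise_suspected


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "P@ssw0rd", "Tr0ub4dor&3"]:
        print(f"{pw!r}: modern={check_modern(pw) or 'ok'} "
              f"legacy={check_legacy(pw) or 'ok'}")
```

The long passphrase passes the modern check and fails the legacy one on four counts, while "P@ssw0rd" satisfies every legacy composition rule and is rejected by the modern check only because it appears on the blocklist, which is exactly the trade-off the revised guidance is making.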

NSA Director Warns of Constant Threat of Attacks to Critical Infrastructure from Nation States

Admiral Michael Rogers, Director of the National Security Agency (NSA) and Commander of the U.S. Cyber Command (USCYBERCOM), testified to the US Senate Committee on Armed Forces about the threat to critical infrastructure from nation states. According to ZDNet, Rogers said, “Infiltrations in US critical infrastructure […] can look like preparations for future attacks that could be intended to harm Americans, or at least to deter the United States and other countries from protecting and defending our vital interests.” His concern, and the reason he argues for more proactive cybersecurity defense, is that such nation-state reconnaissance may be preparation for future attacks.

The United States and Japan Sign Agreement to Share More Cybersecurity Information

On Thursday, the United States and Japan agreed to share more cybersecurity information with each other when Japan joined the Department of Homeland Security’s Automated Indicator Sharing (AIS) program. According to The Hill, “Tokyo has signed on to participate in the DHS’s Automated Indicator Sharing (AIS), a platform that allows two-way sharing of cyber threat indicators between the U.S. government and the private sector as well as other organizations worldwide.”