NTSC Technology Security Roundup

Weekly News Roundup: May 30, 2017

Representative Tom Graves (R-GA) Releases Second Draft of Active Cyber Defense Certainty Act

After collecting feedback from cybersecurity experts since the release of the first draft in March, Representative Tom Graves (R-GA) released a second version of the Active Cyber Defense Certainty Act. According to Tom Graves’s office, the revisions include:

  • A mandatory reporting requirement for entities that use active-defense techniques, which will help federal law enforcement ensure defenders use these tools responsibly;
  • A specific exception in the Computer Fraud and Abuse Act (CFAA) for beaconing technology;
  • A sunset clause to ensure that Congress revisits the changes made by the bill after two years to make any further updates or modifications;
  • An exemption allowing the recovery or destruction of one’s own data if it’s located using the active-defense techniques permitted by this bill and does not result in the destruction of data belonging to another person;
  • An addition to the definition of ‘active cyber defense’ covering actions taken to monitor an attacker in order to help develop better cyber defense techniques;
  • A clarification that the bill forbids financial injury;
  • Additional safeguards for intermediary computers, which will further protect against collateral damage.

Revisions to this draft were partially influenced by the NTSC’s input at a May 1 meeting at Georgia Tech that included NTSC Policy Council member Peter Swire.

States Proposing Additional Cybersecurity Laws in Wake of WannaCry Attacks

Reacting to the WannaCry ransomware attacks and an overall increasing number of cyberattacks, more states are passing cybersecurity laws with the intent of protecting citizens. Texas House Bills 8 and 9 are circulating through the state’s House and Senate and show strong signs of passing. According to the Star-Telegram, the bills “update state law to account for the use of malware and upgrade public-sector cyber capabilities.” In Delaware, House Bill 180 amends current state law by tightening rules around businesses protecting personal information, updating the definition of a data breach, and adding definitions for encryption. Such laws are indicators that states will continue to pass new cybersecurity regulations in the absence of a national, comprehensive federal law.

Reports Indicate Microsoft Will Acquire Israel-Based Hexadite for $100 Million

While not formally announced by either company, many recent news reports indicated that Microsoft will acquire Israel-based Hexadite for $100 million. According to the Hexadite website, “Hexadite AIRS connects to existing security detection systems to investigate every threat, leveraging artificial intelligence to apply targeted mitigation to stop security breaches in their tracks.” Providing some context around this acquisition, CNBC reported that “Microsoft had announced earlier this year that it would continue spending $1 billion in 2017 on cybersecurity research and development, excluding acquisitions it might make in the field. The company also maintains three R&D centers in Israel.”

Ponemon Institute and Synopsys Release Medical Device Cybersecurity Study

A recent study released by the Ponemon Institute and Synopsys entitled “Medical Device Security: An Industry Under Attack and Unprepared to Defend” revealed that cyberattacks on medical devices may be more imminent than we think. The study’s results included:

  • 67 percent of medical device manufacturers and 56 percent of healthcare delivery organizations (HDOs) believe an attack on a medical device built or in use by their organizations is likely to occur over the next 12 months.
  • Roughly one third of device makers and HDOs are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk only 17 percent of device makers and 15 percent of HDOs are taking significant steps to prevent such attacks.
  • Only 9 percent of manufacturers and 5 percent of HDOs say they test medical devices at least once a year, while 53 percent of HDOs and 43 percent of manufacturers do not test devices at all.

Focused on the North American market, the study surveyed approximately 550 individuals from manufacturers and HDOs whose roles involve the security of medical devices, including implantable devices, radiation equipment, diagnostic and monitoring equipment, robots, networking equipment designed specifically for medical devices, and mobile medical apps.

US Government Explores Ways to Serve Warrants on Information Stored in the Cloud Across the World

The Hill reported that the Department of Justice is exploring ways to serve warrants on information stored in the cloud across the world to alleviate problems with national jurisdictions. For example, mixed messages have been sent by US courts pertaining to warrants involving information stored outside the United States on Microsoft and Google servers, leading to confusion about how law enforcement may legally access this information. The Department of Justice wants to consider bilateral agreements with other countries, which led to the UK’s Deputy National Security Advisor Paddy McGuiness becoming “the first sitting UK official to appear in a hearing before Congress, something he said was a sign of how seriously the country takes the issue.”