NTSC Technology Security Roundup

Weekly News Roundup: June 12, 2017

PATCH Act and New Cyber Agency Top Congress’s Summer Cybersecurity Priorities

The Washington Examiner reported last week that the Protecting Our Ability to Counter Hacking (PATCH) Act of 2017 and Rep. Mike McCaul’s (R-Texas) proposed legislation to create a new DHS cybersecurity agency will top Congress’s summer cybersecurity agenda. According to The Washington Examiner, the WannaCry ransomware attack has helped heighten the urgency for passing these bills during the summer session and “McCaul argues that getting the government's structure right — and clarifying DHS's prime role on cyber — is one of the most important things policymakers can do right now to strengthen both deterrence and the response to cyberattacks.”

Health Care Industry Cybersecurity (HCIC) Task Force Presents Sobering Report

The Health Care Industry Cybersecurity (HCIC) Task Force, created as part of the Cybersecurity Act of 2015, finally released its report—a sobering report that details cybersecurity vulnerabilities that most threaten the healthcare sector. The most critical weakness appears to be a lack of cybersecurity talent combined with lack of budget and resources to access existing talent. Other weaknesses include issues related to decades-old medical equipment, medical devices, and security assessments. The six imperatives in the report are:

1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
2. Increase the security and resilience of medical devices and health IT.
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
4. Increase health care industry readiness through improved cybersecurity awareness and education.
5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
6. Improve information sharing of industry threats, weaknesses, and mitigations.

According to The Hill, “The task force convened 21 wide-ranging stakeholders in medical cybersecurity, ranging from device manufacturers to hospitals to consumer advocates.”

Number of Organizations with CISOs Increases 15% Compared to Last Year

According to ISACA’s third annual State of Cyber Security study, the number of organizations with a CISO increased from 50% in 2016 to 65% in 2017. However, a Dark Reading article cautions against reading too much into this increase because many of these CISOs may really just be directors—CISOs in name only. The ISACA report also indicated that the number of organizations increasing security budgets is decreasing, the biggest security professional skill gap is the ability to understand business, and only “53% of enterprises have a formal process to deal with ransomware attacks.”

Reports Show Seriousness of Cybersecurity Talent Shortage

Two recent reports indicate that the cybersecurity talent shortage will increase sharply over the next few years, making the job of a CISO that much harder. Wednesday saw the release of the Global Information Security Workforce Study by the Center for Cyber Safety and Education (Center) and (ISC)². The report says “the cybersecurity workforce gap is on pace to hit 1.8 million by 2022 – a 20% increase since 2015.” Another recent report by Cybersecurity Ventures estimates 3.5 million cybersecurity job openings by 2021—a tripling of open positions compared to today. Whether 1.8 or 3.5 million, CISOs will face a severe talent shortage unless steps are taken to alleviate this problem.

Insider Threat Training Section Added to National Industrial Security Program Operating Manual

Security Week reported that an insider threat training section was recently added to the National Industry Security Program’s operating manual. According to Security Week, “The effect of the new requirements has been summarized by Bay Dynamics federal systems engineer Thomas Jones as threefold: to ensure contractors understand the consequences of breaking the rules; to teach contractors how to spot indications of insider threat behavior in others; and to make it clear who should be contacted if anything is spotted.” According to the DoD, “The National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry safeguards the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts.”