NTSC Technology Security Roundup

Weekly News Roundup: August 7, 2017

Internet of Things (IoT) Cybersecurity Improvement Act of 2017 Introduced in Senate

On Tuesday, a bipartisan group of senators introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. According to a press release, “Vendors who supply the U.S. government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements.” The group of senators included Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-OR) and Steve Daines (R-MT). According to Bruce Schneier, Fellow and Lecturer at the Harvard Kennedy School of Government, “The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests.”

Department of Justice Releases “A Framework for a Vulnerability Disclosure Program for Online Systems”

On Tuesday, the Department of Justice released “A Framework for a Vulnerability Disclosure Program for Online Systems” that seeks to help organizations create programs that do not run afoul of the law. Currently, organizations run into frustrating legal problems when bug bounty programs lead to good hackers getting punished under the Computer Fraud and Abuse Act (18 U.S.C. § 1030). According to Cyberscoop, “The eight-page government-produced advisory, which provides general tips and a list of factors to consider when launching such a program, is the first of its kind. The release underscores a broader belief by the federal government that, if properly managed, programs of this sort can offer a cost-effective way for organizations to improve their security posture.”

Symantec Acquisition Updates

When it comes to both acquiring and selling businesses, Symantec has recently been very active. On Wednesday, DigiCert announced it will acquire Symantec’s Website Security and related PKI solutions. DigiCert, a security solutions provider, says the acquisition will help it gain capabilities to take advantage of growth opportunities in IoT and bring new approaches to the SSL market. Forbes also reported that Symantec’s “net revenues jumped 11% to just over $4 billion” and credited that growth to the company’s recent acquisitions of Blue Coat, LifeLock, and Fireglass.

Federal Government Cybersecurity Leadership Updates

With new FBI Director Christopher Wray officially beginning his job on Wednesday, it’s natural to wonder how his take on cybersecurity compares to James Comey’s. Cyberscoop reports that many of Wray’s associates say he will “build on many of the same priorities that James Comey was known for, including efforts to strengthen the FBI’s cybercrime fighting mission.” Bloomberg also reports that former DHS officials are assured that Acting Homeland Security Secretary Elaine Duke will keep cybersecurity a strong focus after John Kelly became Chief of Staff. According to Bloomberg, “Duke must strengthen relationships with owners and operators of critical infrastructure to combat rising cybersecurity risks, [Charles Allen, homeland security principal at The Chertoff Group in Washington and former under secretary for intelligence and analysis at DHS] said. Duke’s experience in the private sector as an acquisitions and business consultant will help.”

Federal Times Reports on Unfilled Federal Cybersecurity Positions

The Federal Times recently reported on the numerous unfilled cybersecurity positions at the federal level and the impact they have on national cybersecurity. The unfilled positions have resulted from a combination of Obama-era departures and Trump’s slow progress in selecting nominees. According to the Federal Times, “many positions have been filled, especially at the very top, but several agencies either have acting heads leading critical cyber positions or no one at all.” Unfilled positions include:

  • State Department Coordinator for Cyber Issues (The Federal Times notes that “the State Department’s top cyber diplomat is leaving his post. Additional media reports indicate the State Department might be consolidating his office — called the Coordinator for Cyber Issues — into another office at the department.”)
  • Department of Justice Assistant Attorney General of the National Security Division
  • Homeland Security Secretary
  • Homeland Security National Protection and Programs Directorate
  • Department of Defense Undersecretary for Defense Policy
  • Department of Defense Deputy Assistant Secretary of Defense for Cyber Policy
  • Department of Defense CIO