NTSC Technology Security Roundup

Weekly News Roundup: August 21, 2017

Governor Signs Delaware Bill Extending Cybersecurity Protections

On Thursday, Governor John Carney signed legislation that requires additional protections for Delawareans whose personal information may be compromised in a computer breach, including additional notifications and free credit monitoring services. According to a press release, “The new law requires businesses to safeguard information, and requires businesses to provide free credit monitoring services for customers whose sensitive personal information is compromised in a cybersecurity breach. With Governor Carney’s signature on Thursday, Delaware became just the second state to require businesses to provide those services, after Connecticut.”

NIST News Updates

Quite a few NIST-related news stories appeared last week. A few highlights include:

  • NIST Cybersecurity Framework proposed as part of NAFTA talks: According to Cyberscoop, “Ten major cybersecurity companies have written to the U.S. Trade Representative Robert Lighthizer to urge that alignment of cybersecurity standards — and the use of risk management tools like the NIST Cybersecurity Framework — should become part of the re-negotiation of the North America Free Trade Agreement that started this week.”
  • NIST deemphasizes federal-only aspect of cybersecurity controls: Cyberscoop also reported that NIST “changed the name of the catalogue, known as NIST SP-800-53, from Security and Privacy Controls for Federal Information Systems and Organizations, by cutting the word federal.” This makes these controls more inclusive not only of all levels of government but also the private sector.
  • NIST Revises Security and Privacy Controls for Information Systems and Organizations: According to NextGov, this draft revision “aims to better clarify the relationship between security and privacy to help government agencies and other organizations better understand the scope of privacy concerns.” The public may submit comments on this draft revision until September 12.

Uber Settles with FTC over Misleading Public Over May 2014 Data Breach

Uber recently settled FTC allegations that the company made deceptive privacy and data security claims in late 2014, many months after a data breach earlier that year. The FTC claimed that Uber failed to monitor access to and provide reasonable security for consumer data. According to a press release, Uber “agreed to implement a comprehensive privacy program and obtain regular, independent audits [for 20 years] to settle Federal Trade Commission charges that the ride-sharing company deceived consumers by failing to monitor employee access to consumer personal information and by failing to reasonably secure sensitive consumer data stored in the cloud.”

United States Cyber Command Elevated to Status of Unified Combatant Command

In a statement from the White House on Friday, President Trump ordered the elevation of the United States Cyber Command to the status of a Unified Combatant Command focused on cyberspace operations. According to the President’s statement, “United States Cyber Command’s elevation will […] help streamline command and control of time-sensitive cyberspace operations by consolidating them under a single commander with authorities commensurate with the importance of such operations. Elevation will also ensure that critical cyberspace operations are adequately funded.” The United States Cyber Command may also eventually separate itself from the National Security Agency.

US State Department Established Cyber and Technology Security (CTS) Directorate in May

Although the US State Department established the Cyber and Technology Security (CTS) Directorate in May, this fact was not known publicly until a few weeks ago. Federal News Radio broke the story on August 7, and a spokeswoman from the State Department said, “CTS facilitates the conduct of global diplomacy by protecting life, property, and information with advanced cybersecurity programs and risk-managed technology innovation. CTS provides advanced cyber threat analysis, incident detection and response, cyber investigative support and emerging technology solutions.” The Hill added, “The new directorate does not appear to have a place on the department’s website and was not accompanied by an official press release at the time of its establishment.”