NTSC Technology Security Roundup

Weekly News Roundup: January 13, 2020

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • House lawmakers introduce bill to protect children's privacy online: According to The Hill, “A pair of bipartisan lawmakers [last] Thursday introduced a bill to protect children's privacy online, responding to growing concern that minors are being manipulated and exploited on the internet without any recourse in existing law. The Preventing Real Online Threats Endangering Children Today (PROTECT) Kids Act, introduced by Reps. Tim Walberg (R-Mich.) and Bobby Rush (D-Ill.), would strengthen a decades-old children's online privacy law to account for new innovations in technology and close loopholes that leave teenagers exposed.”
  • Chamber of Commerce urges Congress to fight California’s regulatory push: According to the Los Angeles Times, “Like an array of business groups, the chamber has pushed Congress to pass a privacy law overruling state laws in order to smooth compliance and extend protections across the United States. Many consumer groups worry, though, any law that gets bipartisan support in Washington would fail to provide the robust protections available in individual states. California’s new privacy law took effect Jan. 1. Lawmakers on key congressional committees released a number of proposals for privacy legislation at the end of 2019, which revealed divisions between Democrats and Republicans over the role of state laws.”
  • House passes bills to gain upper hand in race to 5G: According to The Hill, “The House [last] Wednesday passed a slew of bills aimed at giving the U.S. a leg up over China in the race to implement the super-fast next-generation wireless networks known as 5G. The trio of bipartisan bills, which passed the House near-unanimously, would funnel U.S. government resources into steering international wireless policy while securing the burgeoning networks against cyberattacks and foreign influence.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Bryan Ware Named CISA Assistant Director for Cybersecurity: According to MeriTalk, “President Trump appointed Bryan Ware as new assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) on Jan. 8. While the position is new for Ware, he is already a familiar face at CISA, having served as assistant secretary for cyber, infrastructure, and resilience policy since early last year. Before that he was CEO at Haystax.”
  • White House offers guidelines for artificial intelligence regulations: According to The Hill, “The White House [last] Tuesday proposed 10 principles for federal agencies to consider when developing laws and regulations for the use of artificial intelligence (AI) in a variety of fields. Regulations created by agencies should encourage ‘fairness, non-discrimination, openness, transparency, safety, and security,’ the memo distributed by the Office of Science and Technology Policy (OSTP) recommended. The advisory agency stressed that new rules should be preceded by ‘risk assessment and cost-benefit analyses,’ and must incorporate ‘scientific evidence and feedback from the American public.’”
  • Cyber Solarium to back CISA as the lead response agency: According to FCW, “In their upcoming report, the Cyberspace Solarium Commission will recommend strengthening authorities of existing U.S. cyber agencies, improving deterrence and bridging the divide between the government and private sector on digital security. Co-chair Rep. Mike Gallagher (R-Wis.) said the final report and recommendations will reflect the ‘unanimous’ belief by the commission's members that deterrence in cyberspace is possible but not working in its current form. […] [While] the Solarium's report will recommend restructuring the federal government's cybersecurity mission in some areas, it still envisions the Cybersecurity and Information Security Agency as the lead entity protecting critical infrastructure.”
  • New ways Homeland Security wants to attack cyber breach reporting: According to Fifth Domain, “The cybersecurity agency within the Department of Homeland Security is extending a public comment deadline on its intent to update reporting documents, according to a Jan. 6 notice in the Federal Register. The Cybersecurity and Infrastructure Security Agency, charged with protecting federal networks and the nation’s critical infrastructure from cyberattacks, will give stakeholders until Feb. 5 to comment on updates to its forms through which entities can report ‘major incidents, breaches, and events under investigation.’ The extension comes after a 60-day [period] during which CISA received no comments.”
  • NIST Releases Second Draft of Recommendations for IoT Device Manufacturers: According to Security Magazine, “NIST has released the second public draft of NISTIR 8259, ‘Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline.’ An incredible variety and volume of Internet of Things (IoT) devices are being produced. According to NIST, manufacturers can help their customers by improving how securable the IoT devices they make are, meaning the devices provide functionality that their customers need to secure them within their systems and environments. Manufacturers can also help their customers by providing them with the cybersecurity-related information they need, NIST says.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • FBI, Homeland Security warn of Iranian terror and cyber threat in new intelligence bulletin: According to CNN, “The FBI and Department of Homeland Security warned of the terror threats Iran poses to the US in a joint intelligence bulletin sent to law enforcement throughout the country [last] Wednesday. In the bulletin, which was obtained by CNN, the agencies predicted Iran could take immediate steps to attack the US in cyberspace, and noted that Iran has a history of attempting assassinations and planting operatives in the US to conduct surveillance for terror attacks. The bulletin does not name any specific or credible threat, and an FBI spokesperson reiterated [last] Wednesday that the agency was not aware of one.”
  • Hacking groups are eyeing power grids, says security company: According to ZDNet, “At least three hacking groups have the capability to interfere with or disrupt power grids across the US – and the number of cyber-criminal operations targeting electricity and other utilities is on the rise, according to a new report on the state of industrial control systems. Cyber security company Dragos said that political and military tensions in the Gulf appear to coincide with a rise in interest in hacking groups targeting electricity grids, power companies and other systems related to utilities in the US.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Forrester: To stay secure, employers must balance insider threat protection and employee rights: Reported in CIO Dive, “The survey showed that in 2015, workers caused 26% of the data breaches in the respondents' organizations, a statistic that rose to 48% in 2019, according to previous surveys from the organization. Insider threat protection programs ‘must account for the growing protections for employee privacy.’”
  • SIM Study Points to Lax Focus on Cybersecurity: Reported in InformationWeek, “The study shows the percent of organizations paying attention to cybersecurity has more than doubled to about 36%, [Leon Kappelman, lead author of the report] says, but he still sees that as too low given the collective track record on big breaches. […] There seem to be gaps in leadership in cybersecurity where it may be most needed. Of the responding organizations that generate $1 billion to $5 billion in revenue, about 29.7% indicated they do not have chief information security officers.”
  • Consumer Adoption of Health Tech Slowed by Privacy, Security Concerns: Reported in Health IT Security, “While more than half of American consumers believe that technology can shed light on their healthcare and foster strong relationships with their providers, privacy and security concerns have a direct impact on their willingness to use health technology, according to a recent Kantar study.”
  • Developers Still Don't Properly Handle Sensitive Data: Reported in Dark Reading, “Open-source software projects continue to struggle with handling sensitive information, according to automated scans of hundreds of millions of commits to code repositories. Software-security toolmaker DeepCode found that four of the seven vulnerability classes with the greatest impact on the security of software projects had to do with failures to protect data.”
  • Where Healthcare IT Security Falls Short: Reported in HealthTech, “Seventy-eight percent of organizations have experienced a significant security incident in the past 12 months, according to the latest HIMSS Cybersecurity Survey. The good news: Many IT leaders are taking action. The report, released last year, found that 38 percent of respondents plan to spend more to protect their devices, systems and infrastructure. Although all but 4 percent conduct some form of security risk assessment, 37 percent said they perform a comprehensive, end-to-end risk assessment — an 11 percent increase over 2018.”
  • INSIGHT: In-House Legal Teams Not Ready for Privacy Regs, Survey Reveals: Reported in Bloomberg Law, “In-house legal teams are not prepared for the launch of privacy and cybersecurity regulations. So says the surprising findings of Exterro’s annual In-House Legal Benchmarking Report, along with a few new and interesting revelations regarding in-house legal teams, their processes, and their outlook on coming privacy regulations. The report explores how e-discovery team growth has expanded—and continues to expand—across organizational business units, and where teams are focusing their growth and spend efforts.”

Cybersecurity Acquisitions

News about seven major cybersecurity company acquisitions was reported last week:

  • Rockwell Automation acquires Avnet Data Security to grow cybersecurity portfolio: Reported in ZDNet, “Rockwell Automation has signed a deal to acquire Israeli-based cybersecurity firm Avnet Data Security as part of growth plans for the information solutions and connected services category.”
  • Accenture makes another cybersecurity deal, as it will buy Symantec's cybersecurity business from Broadcom: Reported in MarketWatch, “Accenture announced [last] Tuesday a deal to buy Symantec's cybersecurity business from Broadcom Inc. for an undisclosed amount.”
  • Insight Partners to buy cybersecurity firm Armis at $1.1 billion valuation: Reported in Reuters, “U.S.-based private equity firm Insight Partners will buy cybersecurity firm Armis at a valuation of $1.1 billion, the companies said on Monday. Armis will continue to operate independently and will be fully managed by its two co-founders and executive team.”
  • Mimecast Acquires Segasec: Reported in MSSP Alert, “Email security provider Mimecast has acquired Segasec, a cybersecurity software provider that protects against fake websites, phishing scams, credential harvesting and impersonation attempts on the Web. Financial terms of the deal were not disclosed.”
  • Cloudflare Acquires S2 Systems Corporation for Next-Gen Browser Isolation: According to a press release, Cloudflare announced last Tuesday that it has acquired S2 Systems Corporation (S2), a company based in Kirkland, Washington, that has developed browser isolation technology that executes browser code on cloud servers rather than on a user’s device.
  • Synopsys acquires Tinfoil Security, DAST and API testing solutions provider: According to a press release, Synopsys last Thursday completed the acquisition of Tinfoil Security, an innovative provider of dynamic application security testing (DAST) and application programming interface (API) testing.
  • Kroll Expands Cyber Risk Practice in APAC with Acquisition of RP Digital Security: According to a press release, Kroll, a division of Duff & Phelps, announced last Friday that it has expanded its cyber security offerings with the acquisition of RP Digital Security, a Singapore-headquartered leader in computer forensic investigations, digital security and eDiscovery services.