NTSC Technology Security Roundup

Weekly News Roundup: January 27, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • Lawmakers set to move on subpoena-power issue topping CISA priority list: According to Inside Cybersecurity, “After months of encouragement from the leadership of the Cybersecurity and Infrastructure Security Agency, lawmakers appear ready to move on a bill giving CISA subpoena power related to cyber vulnerabilities detected on the networks of Internet Service Providers, with a House panel marking up the measure [last] Wednesday.”
  • US Could Appoint a Cybersecurity Leader for Each State: According to Infosecurity Magazine, “[Congress is] considering legislation that would protect local governments by requiring the appointment of a cybersecurity leader for each state. Backers of the Cybersecurity State Coordinator Act of 2020 say the proposed law will improve intelligence sharing between state and federal governments and speed up incident response times in the event of a cyber-attack. Under the legislation, the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency would be tasked with appointing an employee of the agency in each state to serve as cybersecurity state coordinator.”
  • Presidential Advisers Expected to Push Software-Defined Networking for Secure Comms: According to NextGov, “An upcoming meeting of presidential advisers promises an update on the importance of software-defined networking to national security and emergency preparedness as pressure builds for the administration to support coordinated investment in the technology. The Cybersecurity and Infrastructure Security Agency is inviting public comment through Feb. 18 on the issue in advance of a Feb. 20 meeting of [the] National Security Telecommunications Advisory Committee, according to a Federal Register notice. […] NSTAC put the need for investment and coordination in the context of the oodles of money China is spending on fifth-generation networking and other emerging technologies. Since then, senior members of Congress from both sides of the aisle have taken up the mantle and bills calling for greater coordination and investments in technology are starting to pile up in the Senate Commerce Committee.”
  • DSAR fulfillment inconsistent in early days of CCPA: According to IAPP, “The Washington Post reports data subject access request fulfillment has been inconsistent since the California Consumer Privacy Act went into effect. While some organizations acknowledge a request with a text message or an email, others have failed to produce receipts for inquiries. In terms of carrying out the request, companies have been withholding certain information either by mistake or for unknown reasons. Observers believe these inconsistencies will continue until enforcement actions come from the Office of the Attorney General of California. ‘Compliance is all over the map and will be until the rules are clear and there are actual penalties for noncompliance,’ said Electronic Privacy Information Center Associate Director Mary Stone Ross, one of the co-architects of the CCPA.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Secret Service to launch private-sector cybercrime council: According to CyberScoop, “The Secret Service has recently hand-picked a small group of private-sector cybersecurity experts to advise the agency’s investigations team on how it can better take down cybercriminals, CyberScoop has learned. The council, which will be known as the ‘Cyber Investigations Advisory Board’ (CIAB), will aim to ‘provide Secret Service’s Office of Investigations with outside strategic input for the agency’s investigative mission, including insights on the latest trends in cybercrime, financial crime, technology, and investigative techniques,’ according to an internal Secret Service Electronic Crimes Task Force Bulletin.”
  • NIST's Romine cites need for guidance on artificial intelligence security, interoperability: According to Inside Cybersecurity, “National Institute of Standards and Technology IT laboratory Director Charles Romine says the agency will be developing guidance on the security and interoperability of emerging artificial intelligence technologies, as part of its broader role within the Trump administration on the federal government's use of AI which includes both defending against cyber attacks and enhancing cyber offensive capabilities.”
  • CISA 'tiger team' will coordinate implementation of federal supply-chain security requirements: According to Inside Cybersecurity, “The Cybersecurity and Infrastructure Security Agency is forming a ‘tiger team’ of industry and government officials, including from the departments of Defense and Commerce, to coordinate implementation of various emerging federal rules and requirements for securing the nation's IT and communications supply chain.”
  • Space industry group focused on cybersecurity to begin operations in spring 2020: According to SpaceNews, “A space industry organization created to share intelligence on cyber threats is holding its first meeting this week with representatives from government agencies to discuss cybersecurity concerns across the national security, civil and commercial space sectors. The Space Information Sharing and Analysis Center, or Space ISAC, was formally established in April 2019 as a 501(c)(6) nonprofit organization. It plans to start operations this spring with the launch of an unclassified portal where companies can share and analyze cybersecurity information.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • Treasury Wants Better Information on Financial Entities’ Cybersecurity Practices: According to NextGov, “Two documents published in the Federal Register within the last week highlight how the Treasury Department is embracing a more active role for itself in protecting critical infrastructure in the financial sector from cybersecurity attacks, including by promoting industry’s perspective. Treasury’s Office of Cybersecurity and Critical Infrastructure Protection will take comments through March 23 on a proposal issued Wednesday toward identifying ‘cybersecurity and operational risks to and interdependencies within U.S. financial services sector critical infrastructure and to work collaboratively with industry and interagency partners to develop risk management and operational resilience initiatives.’”
  • Ryuk Ransomware Hit Multiple Oil & Gas Facilities, ICS Security Expert Says: According to Dark Reading, “More signs that the industrial control system (ICS) sector has become one of the latest favorite targets of ransomware attacks: The head of an operational technology (OT) cybersecurity services firm says at least five organizations in the oil and gas industry were recently hit by Ryuk. […] [The] tactics, techniques, and procedures (TTPs) used against all five oil and gas victims were similar, indicating that the Ryuk attackers were specifically targeting the sector - possibly in a coordinated campaign.”
  • Idaho National Lab researcher shines a light on the market for ICS zero-days: According to CyberScoop, “[Sarah Freeman, an analyst at the Department of Energy’s Idaho National Laboratory] argues that current tallies of zero-day exploits with ICS implications are undercounted. In the first quarter of 2019, for example, Crowdfense categorized just 2% of the zero-days it bought as ICS exploits. But that figure doesn’t account for how exploits targeting various technology and operating systems can affect ICS, she said. ‘The market for [software exploits], writ large, is growing,’ she said [last] Tuesday during a presentation of her research at S4, an ICS security conference in Miami Beach. And within that market, there are signs that ICS-relevant exploits are growing, too.”
  • Design Weaknesses Expose Industrial Systems to Damaging Attacks: According to Security Week, “An analysis of industrial control systems (ICS) has shown that many products contain features and functions that have been designed with no security in mind, allowing malicious hackers to abuse them and potentially cause serious damage. PAS, which provides industrial cybersecurity and operations management solutions, has analyzed data collected over the past year from over 10,000 industrial endpoints housed by organizations in the oil and gas, refining and chemicals, power generation, pulp and paper, and mining sectors. The company’s researchers discovered that many of the industrial control systems used by these organizations are affected by design flaws and weaknesses that could be leveraged by malicious actors for a wide range of purposes, including to cause disruption and physical damage.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • New Data Reveals that 40 Million Americans were Affected by Health Data Breaches in 2019: Reported in Cyware, “New data gathered by Fortified Health Security has revealed that 40 million Americans have been affected by healthcare data breaches that occurred in 2019. This is an increase of 65% when compared to 14 million individuals affected in 2018.”
  • Cloud Usage Drives Cybersecurity Spending in SANS 2020 Survey: According to a press release, “Slightly more than 50% of respondents ranked the increased use of public cloud infrastructure-as-a-service (IaaS) implementations as the biggest disrupter to security programs in the next 12 months. Based on that, 71% of respondents reported seeing a need to increase spending on cloud security monitoring, followed by cloud access security broker cloud-specific tools (53%), staff skills training (52%) and strong authentication (46%).”
  • Survey: Financial-Sector Agencies’ Policies for Sharing Cyber Threats Inconsistent: Reported in NextGov, “Four years after the enactment of the Cybersecurity Information Sharing Act of 2015, a joint inspectors general survey of seven financial-sector agencies’ efforts to implement the law reflects significant irregularities in steps taken to share cyber threat indicators and defensive measures with their fellow federal agencies and non-federal entities. The Office of the Chief Information Officer ‘does not have the resources, fiscal funds, or technical capabilities to implement a sharing of CTIs and DM program,’ the National Credit Union Administration told the Council of Inspectors General on Financial Oversight in a Jan. 15 memo.”
  • FTI Consulting Survey Finds Business Resilience Remains Low Despite Persistent Risks: According to a press release, “Despite cyber-attacks being identified as having the most negative impact on revenue, less than half of all executives surveyed are managing cyber-attacks proactively, and only 10% believe they have no cybersecurity gaps at all. Companies said their largest gaps were in employee awareness, security culture and training (28%), followed by threat monitoring and detection and IT patching and technology stress testing (25%).”
  • Respond Software and Ponemon Institute Find Half of SOCs Ineffective: According to a press release, “[Almost] half (49%) are dissatisfied with the effectiveness of their SOC in detecting attacks. Of those who turned to a managed security service provider (MSSP), 58% rated their MSSP as ineffective. Part of this dissatisfaction stems from the high cost of MSSPs, often twice the cost of staffing and managing a SOC in-house.”
  • Proofpoint’s State of the Phish Report Stresses the Need for User Training and Email Reporting as Targeted Attacks Climb: According to a press release, “[Nearly] 90 percent of global organizations surveyed were targeted with business email compromise (BEC) and spear phishing attacks, reflecting cybercriminals’ continued focus on compromising individual end users. Seventy-eight percent also reported that security awareness training activities resulted in measurable reductions in phishing susceptibility.”

Cybersecurity Acquisitions

News about two major cybersecurity company acquisitions was reported last week:

  • FireEye scoops up cloud security startup Cloudvisory: Reported in ZDNet, “FireEye has announced the acquisition of Texas-based Cloudvisory, hoping its new addition will boost the cloud security capabilities of FireEye Helix. The company said it would give customers a single operations platform to monitor multi-cloud environments, hybrid-cloud firewalls, and integrate container security.”
  • Wind River Picks Up Star Lab to Advance Embedded Security for Mission Critical Systems: Reported in IoT Evolution, “Wind River’s acquisition of Star Lab broadens the Wind River portfolio with software for Linux cybersecurity and anti-tamper, virtualization, and cyber resiliency applications. Star Lab, a leading provider of embedded cybersecurity products for aerospace and defense systems which increase the survivability of mission-critical systems operating in hostile threat environments, addresses a growing trend where Linux cybersecurity and anti-tamper capabilities are becoming requirements across industries such as aerospace, automotive, defense, and industrial.”