NTSC Technology Security Roundup

Weekly News Roundup: January 6, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • The California Consumer Privacy Act officially takes effect: According to TechCrunch, “California’s much-debated privacy law officially [took effect last Wednesday], a year and a half after it was passed and signed — but it’ll be six more months before you see the hammer drop on any scofflaw tech companies that sell your personal data without your permission. The California Consumer Privacy Act, or CCPA, is a state-level law that requires, among other things, that companies notify users of the intent to monetize their data, and give them a straightforward means of opting out of said monetization.”
  • Election security, ransomware dominate cyber concerns for 2020: According to The Hill, “Headed into 2020, with a presidential election on the horizon, cyber concerns are certain to be in the spotlight in Washington. Atop the list of cyber issues will be persistent questions about election security. Officials at the federal, state and local levels say they will be vigilant to any efforts to interfere in the election after 2016, even as lawmakers weigh additional actions to safeguard the vote. But lawmakers will also be looking to tackle other issues as well, such as the ransomware attacks spreading across the country and the growing concerns over companies with foreign ties accessing Americans' data.”
  • Lawmakers close to finalizing federal strategy to defend against cyberattacks: According to The Hill, “A federal strategy for defending the U.S. government against cyberattacks is one step closer to completion, with lawmakers saying they have a draft form that could be finalized as early as March. The report has been in the works since 2018 after the National Defense Authorization Act created a commission, consisting of lawmakers and industry leaders, to draw up recommendations.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • NIST renews call for industry comments on identifying counterfeit computer components: According to Inside Cybersecurity, “The National Institute of Standards and Technology is seeking public comment until [today] on a project for identifying counterfeit computer components, adding to a plethora of federal efforts for securing the nation’s IT supply chain.”
  • DHS, GSA propose centralized vulnerability disclosure platform: According to FCW, “The Department of Homeland Security and the General Services Administration want to know what it would take to develop a cloud-based centralized vulnerability disclosure platform for the federal government. In a request for information released late December, the agencies asked industry for feedback on how to set up a system that could serve as a primary point of entry for security researchers warning about bugs in their internet-accessible systems. While the platform would be managed by the Cybersecurity and Infrastructure Security Agency at DHS, agencies might have to kick in some of their own funding and participation would be voluntary.”
  • Government Makes Strides Sharing Cyber Threat Information: According to NextGov, “Most federal agencies continue to improve the cyber threat data they share but several barriers remain, according to a joint report submitted to Congress in December. The report was compiled by the inspectors general of seven agencies legally responsible for executing the Cybersecurity Information Sharing Act of 2015, which created a framework for the voluntary sharing of cyber threat indicators and defensive measures between federal agencies and the private sector. […] ‘The OIGs determined that sharing of cyber threat indicators and defensive measures has improved over the past two years and efforts are underway to expand accessibility to information. Sharing cyber threat indicators and defensive measures increases the amount of information available for defending systems and networks against cyber attacks,’ the report said.”

Threat of Iranian Cyberattacks Increases

As military tensions escalate between the US and Iran, the chance of cyber-retaliation against the US by Iran has increased. According to The Hill, “Senior government officials and lawmakers warned [last] Friday that Iran may attempt to carry out cyberattacks against the U.S. in retaliation for the killing of Quds Force commander Qassem Soleimani. ‘The Iranians have a deep and complex cyber capability, to be sure. Know that we have certainly considered that risk,’ Secretary of State Mike Pompeo said on Fox News. His remarks came the same day that Iranian Supreme Leader Ayatollah Ali Khamenei said a ‘harsh retaliation is waiting’ for the U.S. after President Trump ordered a drone strike in Baghdad that killed Soleimani. Lawmakers said the strike has raised the odds of possible attacks from Iran, long-identified as one of the top international cyber threats to the U.S.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Survey Finds Cybersecurity Salaries Constrained: Reported in Security Boulevard, “Despite a global shortage of cybersecurity expertise that is often described as nothing less than chronic, a global salary survey of 1,324 cybersecurity professionals finds nearly half the respondents (48%) earn less than $50,000 a year. Only 36% earn more than $70,000 a year, the survey finds.”
  • Half of CISOs Might Quit Their Jobs in 2020 if Budgets, Cybersecurity Staff Remain Tight: Reported in Security Boulevard, “72% of infosec professionals agree that the lack of proper security tools and knowledge are huge obstacles preventing rapid incident detection and response. Furthermore, more than half of C-suite security pros are considering leaving their job if things don’t change in 2020 and beyond.”
  • Ransomware may have cost the US more than $7.5 billion in 2019: Reported in MIT Technology Review, “The potential cost of ransomware in the United States last year was over $7.5 billion, according to a recent report from the cybersecurity firm Emsisoft that attempted to estimate the impact of a very opaque set of incidents.”
  • Healthcare Facilities Need More Cybersecurity Pros: Reported in Campus Safety Magazine, “[In] 2019, healthcare providers [were] the most targeted for industry cybersecurity breaches, making up about four out of every five breaches. Data breaches are expected to cost the industry about $4 billion [in 2019], and [2020] will be even worse, Black Book Market Research said.”

Cybersecurity Acquisitions

News about two major cybersecurity company acquisitions was reported last week along with an industry analysis from The Wall Street Journal.

  • AI Offers an Edge as Cybersecurity Sector Consolidates: According to The Wall Street Journal, “The cybersecurity-vendor sector is set to trim some of its fat in 2020, venture-capital executives say, and companies that weave sophisticated technologies such as artificial intelligence into their products are the ones likely to succeed. A number of high-profile acquisitions in 2019 presage further consolidation in 2020, they say. Among the banner deals last year were VMware Inc.’s acquisition of Carbon Black for $2.3 billion, announced in August, and Broadcom Inc.’s $10.7 billion deal to buy Symantec Corp.’s enterprise security business.”
  • Broadcom Scoops Up Software Player to Expand Security Business: According to Yahoo! Finance, “Broadcom AVGO has apparently acquired New York, NY-based cyber risk analytics software provider, Bay Dynamics, per the equity incentive plan filed with the SEC or Securities and Exchange Commission. However, there has been no official announcement from either side on the development. Nevertheless, the SEC filing notes that after the merger, Bay Dynamics will continue ‘as the surviving corporation and a wholly owned subsidiary of Broadcom.’ Bay Dynamics offers [a] cyber risk analytics platform to enterprises which empowers them with data-driven actionable risk inference and [enhances] business value.”
  • VMware completes Pivotal acquisition: According to ZDNet, “VMware has announced it has completed the acquisition of cloud-native platform provider Pivotal Software, following a $2.7 billion deal that was sealed last August. As part of completing the acquisition, Pivotal will now operate as a wholly-owned subsidiary of VMware. It has also set up the Modern Applications Platform Business unit, which will be responsible for VMware's cloud-native applications offerings.”