NTSC Technology Security Roundup

Weekly News Roundup: October 1, 2018

Productive Cybersecurity Bill Activity Last Week by U.S. Senate Committee on Homeland Security and Governmental Affairs

Security Week reported on five bills approved last Wednesday by the U.S. Senate Committee on Homeland Security and Governmental Affairs:

  • DHS Cyber Incident Response Teams Act of 2018: Sponsored by Rep. Michael McCaul (R-Texas), this bill would allow the DHS to “maintain cyber hunt and incident response teams for the purpose of providing, as appropriate and upon request, assistance, including the following: (A) assistance to asset owners and operators in restoring services following a cyber incident; (B) the identification of cybersecurity risk and unauthorized cyber activity; (C) mitigation strategies to prevent, deter, and protect against cybersecurity risks.”
  • Federal Rotational Cyber Workforce Program Act of 2018: Sponsored by Sen. Gary Peters (D-Michigan), this bill’s goal is “to establish a federal rotational cyber workforce program for the federal cyber workforce.”
  • Federal Acquisition Supply Chain Security Act of 2018: Sponsored by Sen. Claire McCaskill (D-Missouri), this bill’s goal is “to establish a Federal Acquisition Security Council and to provide executive agencies with authorities relating to mitigating supply chain risks in the procurement of information technology…”
  • Federal Information Systems Safeguards Act of 2018: Sponsored by Sen. Ron Johnson (R-Wisconsin), Security Week summarizes this bill as “[allowing] federal agencies to make decisions related to securing IT and information systems. The bill allows the head of an agency to restrict or prohibit access to a website, and deploy or update cybersecurity measures.”
  • Advancing Cybersecurity Diagnostics and Mitigation Act: Sponsored by Rep. John Ratcliffe (R-Texas), this bill’s goal is “to amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to establish a continuous diagnostics and mitigation program at the Department of Homeland Security.”

Two House Representatives Publish “Rise of the Machines: Artificial Intelligence and its Growing Impact on U.S. Policy” Whitepaper

Last Tuesday, Rep. Will Hurd (R-Texas) and Rep. Robin Kelly (D-Illinois) published a whitepaper titled “Rise of the Machines: Artificial Intelligence and its Growing Impact on U.S. Policy.” Written on behalf of the Subcommittee on Information Technology, which is part of the Committee on Oversight and Government Reform, the whitepaper makes three key recommendations:

  • “Chief among the Subcommittee’s recommendations is for the federal government to increase federal spending on research and development to maintain American leadership with respect to AI.”
  • “In response to concerns about privacy, the Subcommittee recommends federal agencies review federal privacy laws and regulations to determine how they may already apply to AI technologies within their jurisdiction, and, where necessary, update existing regulations to account for the addition of AI.”
  • “Finally, any regulatory approach to AI should consider whether the risks to public safety or consumers already fall within any existing regulatory frameworks and, if so, whether those existing frameworks can adequately address the risks.”

Cybersecurity News from the White House

Several cyber-related news stories emerged last week from the White House:

  • Reactions to the White House’s New Cybersecurity Strategy: According to The Hill, “Cyber experts and Obama-era officials said they agree that a fresh policy is needed, but they also have reservations about the Trump administration putting an emphasis on the offense component. They warned against the dangers of taking this new approach too far: Federal government actions could set a precedent for what is considered to be acceptable behavior. And while the U.S. already faces cyberattacks on a daily basis, the new aggressive posture means it could end up the victim of the same kinds of attacks it ends up carrying out.”
  • Weighing in on Data Privacy: Reported in Security Week, “The US administration called [last] Tuesday for public comments on a ‘new approach to consumer data privacy’ that could trigger fresh regulations of internet companies. The Commerce Department said the announcement is part of an effort to ‘modernize US data privacy policy for the 21st century.’ The move follows the implementation this year of ramped up data protection rules imposed by the European Union, and a new privacy law enacted in California.”
  • Weighing in on Quantum Computing: Reported in Yahoo!, “Federal officials and industry leaders — including representatives from Microsoft and Google — met [last Monday] at a White House summit to spark new initiatives in quantum information science. Among the recommendations contained in a newly released strategic overview: setting up a U.S. Quantum Consortium, modeled after past efforts such as the non-profit, industry-led Semiconductor Research Corp.; and establishing a set of Grand Challenges to focus quantum computing research.”

Department of Energy Brings Public and Private Sector Together for Ideas on Better Protecting Energy Grid

The US energy grid is about 85 percent privately owned, making its cyber defense challenging. Many cybersecurity experts have warned it is vulnerable, and so the Department of Energy is bringing the public and private sector together to solicit ideas about better protecting the energy grid. According to The Washington Examiner, “Energy Secretary Rick Perry's cybersecurity office has convened the first meeting of a new ‘tri-sector’ federal task force with industry to find gaps in defending the nation's energy grid against cyberattacks… […] The tri-sector group brings together the Energy Department with the Departments of Transportation and Homeland Security, together with the utility, banking, and telecom sectors to better coordinate a federal response…”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Cyber criminals increasingly target cryptocurrency, research finds: Reported in The Hill, “Cybersecurity firm McAfee found that the use of cryptocurrency mining malware increased by 86 percent during the second quarter of 2018. The increase continues a trend that has already escalated over the past few months.”
  • Your Web Applications Are More Vulnerable Than You Think: Reported in SecurityIntelligence, “44 percent of web applications are vulnerable to data leakage and security problems. In other words, threat actors have easy access to the personal customer data those applications handle across a variety of verticals such as banking, e-commerce and communications. In addition, 48 percent of the applications were found to be vulnerable to unauthorized access, with 17 percent having exploits that could result in a full takeover by a threat actor.”
  • An investigation into how cyber ready businesses really are: Reported in Help Net Security, “Vodafone’s Cyber Ready Barometer notes 48% of cyber ready businesses are reporting more than 5% increases in annual revenue as well as high stakeholder trust levels. Despite this, the research also shows that only 24% of businesses globally could reasonably call themselves cyber ready. Cyber readiness, according to the report, is a mix of different measures including cyber operations, cyber strategies, cyber resilience, an understanding of risk and employee awareness.”
  • Replication won’t protect VMs against ransomware: Reported in ComputerWeekly.com, “44% of organizations rely on some form of replication as part of their backup and/or disaster recovery (DR) strategy. However, 24% have experienced data corruption or a ransomware attack, according to a survey of 300 companies.”
  • Cloud Biometrics Use to Soar in Two Years: Report: Reported in Infosecurity Magazine, “Over half a billion customers worldwide will be using cloud-based biometrics to securely authenticate with their banks within two years, according to a new analyst report.”
  • Payment Security Compliance drops for the first time in six years, states Verizon’s 2018 Payment Security Report: According to a press release, “Data gathered by Verizon’s PCI DSS qualified security assessors (QSAs) during 2017 demonstrates that PCI compliance is decreasing amongst global businesses, with only 52.4 percent of organizations maintaining full compliance in 2017, compared to 55.4 percent in 2016.”
  • Government Data Says Millions Of Health Records Are Breached Every Year: Reported in Forbes, “The number of annual health data breaches increased 70% to 344 over the past seven years, with 75% of the breached, lost, or stolen records – 132 million – being breached by a ‘hacking or IT incident,’ a nebulous category created by the government that doesn’t appear to distinguish malicious theft from accidental loss.”