NTSC Technology Security Roundup

Weekly News Roundup: November 13, 2017

Active Cyber Defense Certainty Act Gains Momentum in Congress

Despite heated opposition from parts of the security community, the Active Cyber Defense Certainty Act, introduced earlier this year by Rep. Tom Graves (R-Ga.), continues to gain co-sponsors in Congress. According to Cyberscoop, “In addition to the original co-authors Reps. Tom Graves, R-Ga., and Kyrsten Sinema, D-Ariz., now Reps. Buddy Carter, R-Ga., Henry Cuellar, D-Texas, Trey Gowdy, R-S.C., Walter Jones, R-N.C., Barry Loudermilk, R-Ga., Stephanie Murphy, D-Fla., and Austin Scott, R-Ga., all now co-sponsor the bill.” Opponents of the bill include many security and legal experts, the U.S. Chamber of Commerce, and former NSA Director Keith Alexander.

Rep. Blaine Luetkemeyer Working with Financial Services and Retail Industries to Create National Data Breach Notification Law

According to The Washington Examiner, “Rep. Blaine Luetkemeyer, R-Mo., chairman of the House Financial Services institutions and consumer credit subcommittee, revealed last week that he is drafting a data security and breach notification bill.” The details of the bill have not been shared publicly, but The Washington Examiner notes that Luetkemeyer has been working on the bill with the financial services and retail industries. The article goes on to summarize Luetkemeyer’s rationale that “the Equifax breach pointed up the need for timely notice when consumers' information is hacked, and he criticized the patchwork of 48 different state notification requirements that companies must navigate.”

Committee on Homeland Security Fusion Center Report Highlights Cyberthreat and Intelligence Sharing Issues

Problems with information sharing between DHS and the private sector are long-standing, and some of the root causes were highlighted in a recent Committee on Homeland Security report titled “Advancing the Homeland Security Information Sharing Environment: A Review of the National Network of Fusion Centers.” Fusion centers disseminate information to the private sector as well as to federal, state, local, tribal, and territorial partners. Yet over-classification of information, the inability of many fusion centers to handle classified material, and backlogs of security clearance requests keep intelligence from reaching those partners. According to Cyberscoop’s summary of the report, “Fewer than one-in-four Homeland Security fusion centers across the country receive cyberthreat reporting or other intelligence products from DHS’ National Protection and Programs Directorate, hampering their nascent efforts to help defend the country against online attacks…”

Four Recent Research Reports Highlight Data Breaches, IoT, GDPR, and Digital Transformation

Cybersecurity surveys and reports abound this month, and we’ve summarized four of them below:

  • Risk Based Security released its Q3 2017 Data Breach QuickView report, showing there have been 3,833 publicly disclosed data compromise events through September 30. The number of records exposed due to data breaches in the first nine months of 2017 is up 305% compared to the same period in 2016.
  • According to Help Net Security, “A new survey conducted by Forrester Consulting unveiled that security and LoB leaders are experiencing high levels of anxiety due to IoT/OT security concerns, largely due to the negative business ramifications a security failure can have on critical business operations. The majority of these organizations (82%) struggle to identify all of their network-connected devices, and when asked who is primarily responsible for securing IoT, IT and LoB leaders did not have a clear answer or delineation of ownership.”
  • The International Association of Privacy Professionals (IAPP) recently released a report titled “Getting to GDPR Compliance: Risk Evaluation and Strategies for Mitigation.” IAPP says the number one action item to mitigate GDPR compliance risk is “Investment in training. Training employees on data protection and privacy tops the list for 10 of 11 GDPR compliance risks. The only risk training doesn’t mitigate is appointing a data protection officer, which obviously requires taking other steps.”
  • “In Frost & Sullivan’s recent survey covering end-user perspectives on navigating digital transformation, 54 per cent of IT professionals cited cybercrime and espionage as their top challenges, followed by systems integration.” (Source: Help Net Security)

Symantec and Proofpoint Acquisitions

Symantec and Proofpoint each announced a major acquisition last week. Symantec acquired SurfEasy, a Virtual Private Network (VPN) provider whose products cover online privacy and security on smartphones, tablets, and computers. SurfEasy will join Symantec’s Consumer Business Unit, which includes the Norton and LifeLock brands, adding VPN to its portfolio of Consumer Digital Safety products that help consumers protect their information, privacy, and identities. Proofpoint entered into a definitive agreement to acquire Cloudmark, a messaging security and threat intelligence vendor serving Internet Service Providers (ISPs) and mobile carriers worldwide. With visibility spanning ISPs and mobile carriers, Cloudmark correlates email threat telemetry into its Global Threat Network, including intelligence derived from malware campaigns and targeted attacks such as spear phishing and business email compromise (BEC).