NTSC Technology Security Roundup

Weekly News Roundup: November 18, 2019

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • Retirements pose threat to cybersecurity expertise in Congress: According to The Hill, “Rep. Pete King’s (R-N.Y.) planned retirement after the 2020 elections is the latest in a string of House departures that look likely to deal a blow to Republican cybersecurity expertise on Capitol Hill. […] His resignation comes on the heels of announcements by almost two dozen other House Republicans that they will not run for reelection, with several of these members having become key players in the cybersecurity debate on Capitol Hill, including Rep. Will Hurd (R-Texas).”
  • NIST cyber bills moving on down the road: According to Politico, “The Senate Commerce, Science and Transportation Committee [marked] up a measure (S. 2775) [last Wednesday] that would direct NIST to develop standards and guidelines for shoring up cybersecurity awareness of federal employees and contractors. It would also seek to improve national initiatives for cybersecurity education by identifying cybersecurity workforce skill gaps in public and private sectors and leading interagency efforts of federal cybersecurity programs, including the National Science Foundation's Federal Cyber Scholarship for Service program.”
  • U.S. SAFE WEB Act Extended: According to Politico, “The House Energy and Commerce Subcommittee on Consumer Protection and Commerce [marked] up legislation [last Thursday] that would extend a law on cross-border spyware, spam and online fraud. The bill (H.R. 4779) would extend for seven years the Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders (U.S. SAFE WEB) Act that expires next September. The FTC got several powers under that 2006 law, such as the authority to share information and cooperate on investigations with foreign governments.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • DHS wants better coordination on ICS security: According to FCW, “A top cyber official at the Department of Homeland Security said the agency wanted to think ‘more strategically’ about how it interacts with other federal agencies and private industry when it comes to protecting the nation's industrial control systems from cyber and physical threats. […] [Operational] and tactical support must be paired with a broader reorientation of how the government coordinates its outreach efforts among different agencies and its engagement with industry, [Rick Driggers, deputy assistant director at the Cybersecurity and Infrastructure Security Agency] said.”
  • Senior official describes cyber workforce shortage as national security threat: According to The Hill, “A senior cybersecurity official at the Department of Homeland Security (DHS) [last] Tuesday described challenges with recruiting cybersecurity workers to government as a ‘national security issue.’ ‘From my perspective, this is going to be a national security issue, if it isn’t already,’ Richard Driggers, the deputy assistant director for Cybersecurity at DHS’s Cybersecurity and Infrastructure Security Agency, said during Fifth Domain’s CyberCon event. Driggers added that ‘we have a major deficit across the nation with regards to our cybersecurity workforce, and we need to figure out how we can build and sustain a cybersecurity workforce as a national asset for America.’”
  • CISA Wants Feedback on Its Vulnerability Assessments: According to NextGov, “The Homeland Security Department is looking for feedback on a program that lets critical infrastructure operators see how their cyber defenses stack up against one another. The vulnerability assessment program, run by the Cybersecurity and Infrastructure Security Agency, also helps participants spot specific weaknesses in their digital infrastructure and develop strategies to close those gaps. After launching the initiative roughly a year ago, CISA wants to know whether industry finds it effective and how it might be improved.”
  • Don’t Rush Quantum-Proof Encryption, Warns NSA Research Director: According to Defense One, “When it comes to fighting quantum-enabled threats, timing is of the essence, according to Dr. Deborah Frincke, director of the National Security Agency’s research branch. […] Frincke noted it’s important cryptographers don’t rush their work. Quantum computers may pose a substantial threat to digital security, she said, but deploying new encryption schemes too quickly could create additional risks of its own.”
  • US Govt Recommends Vendor System Configs To Block Malware Attacks: According to Bleeping Computer, “The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) [last Friday] reminded users and system administrators to properly configure their systems to defend against malware that can exploit improper configurations. The reminder was published by the cyber-security agency through the US National Cyber Awareness System designed to provide users with information on current security topics and threats.”
  • Cyber Command flags North Korean-linked hackers behind ongoing financial heists: According to CyberScoop, “The Department of Defense has once again called out North Korean hackers by exposing malware samples researchers say are linked to regime-backed financial heists, including past attacks on the interbank messaging system known as the Society for Worldwide Interbank Financial Telecommunication (SWIFT), CyberScoop has learned.”

MITRE Establishes Engenuity, a Foundation to Foster Private Sector Collaboration on Critical Infrastructure

According to a press release, “MITRE has launched a tech foundation to advance its mission of solving problems for a safer world by working with the private sector to strengthen critical infrastructure. The foundation provides MITRE a new pathway to work with industry, academia, and other organizations beyond its work with the federal government. MITRE Engenuity is a distinct, not-for-profit company with a separate board of directors and private funding. […] MITRE Engenuity will drive collaborative research and development for cyber defense building on MITRE’s ATT&CK™ knowledge base and develop and invest in other areas such as encryption solutions and standards to enhance the resilience and integrity of 5G networks. MITRE Engenuity will also apply data analytics to improve healthcare effectiveness, transportation safety and security, and other areas of critical infrastructure.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • How to navigate cybersecurity in a 5G world: Reported in TechRepublic, “AT&T Cybersecurity released a report on Monday identifying the major security gaps organizations must address with the rise of 5G networking. While 72.5% of security professionals worldwide rated their level of concern for 5G's impact on security as high or medium-high, only 22% said they believed their current policies are ready for 5G, the report found.”
  • Global Cybersecurity Job Gap Surpasses 4 Million Mark: Reported in MeriTalk, “The global shortage for cybersecurity professionals reached 4.07 million and the U.S. gap nears 500,000, according to last week’s report by the non-profit membership association for information security leaders, (ISC)2.”
  • New Study Shows Financial Loss from Multi-Party Cyber Incidents Is 13X Larger than Single-Party Incidents: According to a press release, “[Multi-party] loss events that impact thousands of downstream organizations, otherwise known as ‘ripple events,’ result in 13X larger financial loss than traditional single-party incidents.”
  • New Verizon report highlights declining compliance in Payment Security: Reported in Cyware, “According to the Verizon 2019 Payment Security Report, payment security compliance has slumped for the second year in a row, with organizations based in the Americas lagging behind worldwide counterparts. Only one in five American companies meet compliance requirements.”
  • ThreatList: Data Breaches Batter Stock Prices at Public Companies, For Months: Reported in Threatpost, “A recent study from Comparitech shows that share prices for large breached companies will hit a low point approximately 14 market days after an incident becomes public. Share prices fall 7.27 percent on average to reach that low, and they underperform the NASDAQ by -4.18 percent.”
  • Scammers favor malicious URLs over attachments in email phishing attacks: Reported in TNW, “Emails containing malicious URLs made up 88 percent of all messages with malware-infested links and attachments, underscoring the dominance of URL-based email threats.”
  • Survey Finds Nearly 3 in 4 Retailers Have Been Attacked by Cybercriminals: According to a press release, “61% of retailers experienced a cyberattack within the past year, with 72% being attacked in their organization's lifetime, [and] 50% of retailers reported having no response plan for a data breach, 11% higher than the all-industry average.”

Cybersecurity Acquisitions

Three major cybersecurity company acquisitions were reported last week:

  • Carbonite To Be Acquired by OpenText: According to a press release, Carbonite announced last Monday that it has entered into a definitive agreement to be acquired by OpenText for $23.00 per Carbonite share in cash. The transaction values Carbonite at an enterprise value of approximately $1.42 billion.
  • Mimecast Announces Acquisition of DMARC Analyzer: According to a press release, Mimecast Limited (MIME), an email and data security company, announced last Thursday that it has acquired DMARC Analyzer, a SaaS-based solution provider that offers user-friendly Domain-based Message Authentication, Reporting and Conformance (DMARC) setup, management and analysis.
  • EY acquires Sydney security consultancy Aleron: According to a press release, EY furthered its push in the cybersecurity sector with the acquisition of the business and assets of Sydney-based cyber consultancy, Aleron. Aleron specializes in cybersecurity strategy, architecture design and implementation across a broad range of industry sectors including financial services, retail and government.