NTSC Technology Security Roundup

Weekly News Roundup: November 20, 2017

Vulnerabilities Equities Policy and Process Charter Released by White House

Accompanied by a statement from Rob Joyce, White House Cybersecurity Coordinator, the White House released a Vulnerabilities Equities Policy and Process charter that made transparent some aspects of the program that have been shrouded in secrecy since it began. According to Joyce, “Our public release of the unclassified portions Charter will shed light on aspects of the VEP that were previously shielded from public review, including who participates in the VEP’s governing body, known as the Equities Review Board. We make it clear that departments and agencies with protective missions participate in VEP discussions, as well as other departments and agencies that have broader equities, like the Department of State and the Department of Commerce. We also clarify what categories of vulnerabilities are submitted to the process and ensure that any decision not to disclose a vulnerability will be reevaluated regularly.” Security Week notes “That transparency is valuable, but there remain numerous concerns. One is that the VEP continues to be an administrative exercise not enshrined in law. It can be changed at any time without public or legislative overview.”

Congressional Testimony Highlights Major Public-Private Sector Information Sharing Problems

Cyberscoop recently summarized Congressional testimony about the critical issues surrounding information sharing between the federal government and the private sector about cyberattacks, threats, and other intelligence. Problems for companies include red tape that slows down the onboarding process to receive information, overclassification (which limits the amount of information shared), and clearance issues. According to the article, “Subcommittee Ranking Member, Rep. Jim Langevin, D-R.I., called the level of private sector participation in the [Automated Indicator Sharing] program ‘frankly unacceptable.’ In part, he blamed the department [of Homeland Security]. The attack indicators it shared, he said, were ‘often late and lack important context.’ ‘I look forward to hearing insights and recommendations … that we can take back to DHS to help them improve,’ noted Chairman Rep. John Ratcliffe, R-Texas.”

IBM Resilient Systems CTO Bruce Schneier Makes Case for Regulating IoT

At the recent SecTor Security Education Conference in Toronto, IBM Resilient Systems CTO Bruce Schneier argued for IoT regulations during his keynote speech. According to eWeek, “As internet connected devices move into regulated industries, Schneier expects that computer software which has largely been regulation-free, will need to change. There are also historical precedents for new technology usage leading to new government agencies and regulations. For example, the emergence of cars, airplanes, radio and television have all led to government agencies and regulation. […] Schneier added that there are a lot of problems that markets can not solve on their own, since markets are typically short-term profit motivated and can't solve collective action problems. Additionally, Schneier said that there is a need to have a counter-balancing force for corporate power.”

Forrester Releases “Predictions 2018: IoT Moves From Experimentation To Business Scale” Report

Forrester recently released a report titled “Predictions 2018: IoT Moves From Experimentation To Business Scale” that includes some predictions about IoT information security. Network World provided an excellent summary of the highlights: “Forrester predicts even more damaging cyber attacks across a wide swath of IoT implementations. The report is not optimistic about improvements in IoT security, predicting more — and more successful — attacks on IoT devices, as well as the platforms they run on. Interestingly, IoT cybersecurity also plays a big role in another recent Forrester report. The firm’s 2018 cybersecurity predictions see money-oriented IoT attacks on the rise, taking precedence over attempts to cause damage or sow chaos for political, social or military causes.”

Security Acquisition Updates

A few acquisitions occurred last week, including:

  • Cloudflare Acquiring Mobile VPN Company Neumob: According to a press release, “Neumob's mobile software development kit (SDK) is aimed at app developers who can embed their software within a mobile application. […] By joining Neumob’s technology with Cloudflare’s scale, the performance, security, and cost of moving data are improved at every stage across the network, from origin to desktop, and now to mobile.”
  • Optiv Security Acquiring Security and Networking Solutions Provider Conexsys: According to a press release, “The transaction allows Optiv to serve private and public entities in Canada with more local resources and immediate access to Optiv’s comprehensive service offerings that help remove complexity, align the right technology and process to business needs, and optimize security investments to minimize cost and maximize protection.”
  • Continental Acquiring Automotive Cyber Security Company Argus: According to a press release, “Together, the companies will offer multi-layered, end-to-end security solutions and services including intrusion detection and prevention, attack surface protection and fleet cyber security health monitoring and management via a security operations center (SOC) to protect vehicles in the field over their entire lifespan.”