NTSC Technology Security Roundup

Weekly News Roundup: November 25, 2019

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • Senate Democrats unveil priorities for federal privacy bill: According to The Hill, “A group of top Democratic senators from four key committees [last] Monday unveiled their priorities for the nation's first comprehensive privacy bill, reinvigorating a debate that had stalled for months on Capitol Hill. Legislation built on the Democrats' stated priorities would limit how much sensitive information tech companies are allowed to collect on their millions of U.S. users, require companies to audit whether their algorithms result in unintended discrimination against minorities and vulnerable populations, and allow users to sue companies that do not protect their privacy rights. Some of the proposals set out by the Democrats could be non-starters for Republicans, including the clause that would allow users to sue companies over privacy violations and the fact that it does not override state privacy legislation. The Democratic proposal would allow states to enact their own tough privacy laws, which Republicans and the tech industry have largely opposed.”
  • Senators press federal officials for ISAC funding, national 5G strategy: According to SC Magazine, “Key lawmakers in the U.S. Senate [last Tuesday] called for increased funding of the Multi-State Information Sharing and Analysis Center and Election Infrastructure Information Sharing and Analysis Center, while others demanded the development of a national 5G strategy. [Last] Tuesday, Senate Democratic Leader Chuck Schumer, D-N.Y.; Sen. Maggie Hassan, D-N.H.; and Homeland Security and Governmental Affairs Committee Ranking Member Gary Peters, D-Mich. published an open letter, addressed to Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs, asking that the Department of Homeland Security (CISA’s parent agency) boost the budget for MS-ISAC and EI-ISAC. Operated by the Center for Internet Security, the two ISAC organizations are responsible for gathering and distributing timely cyber threat information, best practices recommendations and defense tools to relevant local, state and federal government bodies and officials – specifically election officials in the case of EI-ISAC.”
  • Senate Committee Approves $250 Million to Fund the Electric Grid Security: According to NextGov, “The Senate Energy and Natural Resources Committee [last] Tuesday advanced legislation that would devote hundreds of millions of dollars to securing the nation’s power grid. The Protecting Resources on the Electric Grid with Cybersecurity Technology, or PROTECT, Act, would create a federal grant program to help small utilities companies strengthen the cyber protections on their infrastructure and more actively participate in information sharing efforts. Spearheaded by the Energy Department, the program would also offer participants technical assistance in detecting, responding to and recovering from cyberattacks.”
  • Rep. Langevin Says Lack of Data ‘Baselines’ Hinders U.S. Cybersecurity Efforts: According to MeriTalk, “Rep. Jim Langevin, D-R.I., a co-chair of the House Cybersecurity Caucus and one of the few widely acknowledged experts in Congress on cybersecurity, said on Nov. 14 that a lack of data ‘baselines’ on security issues continues to hamper efforts in Congress – and the nation as a whole – to improve security. […] The congressman said he subsequently ‘wanted some data on how many people were using the NIST framework,’ but said his effort to do that ‘was knocked down almost immediately.’ The potential for finding constructive cybersecurity solutions at the Federal level has been dampened by a lack of such ‘baseline’ data on security, he said.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Jeanette Manfra, senior DHS cybersecurity official, to leave government: According to TechCrunch, “Jeanette Manfra, one of the most senior and experienced U.S. cybersecurity officials, is leaving government after more than a decade in the public sector. Manfra, who served as assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), will join the private sector in the New Year.”
  • Too Many CISOs Delay Cyber Response, DHS Official Says: According to NextGov, “An overabundance of cybersecurity leaders across federal agencies is hindering the government’s ability to adapt to the changing digital landscape, according to a top Homeland Security Department official. Agencies must be able to act swiftly to keep their tech ecosystems secure against a constantly evolving array of digital threats, but excessive bureaucracy within the federal cyber community is impeding that quick action, according to Mark Bristow, director of the hunt and incident response team within Homeland Security’s National Cybersecurity and Communications Integration Center.”
  • VA Released Millions of People's Personal Data Despite Known Risks: According to NextGov, “The Veterans Affairs Department knowingly disclosed sensitive information on millions of veterans’ doctors, spouses and dependents despite warnings that the practice ‘could cause those individuals significant harm,’ an internal watchdog found. For more than three years, the Veterans Benefits Administration intentionally stopped redacting names, Social Security numbers and other personally identifiable information on third-party individuals in claims records provided to veterans, according to the VA Inspector General. The practice not only left countless people vulnerable to identity theft but it also potentially broke the law, auditors found.”
  • DHS OIG Annual Report Flags Leadership, Cyber Issues: According to MeriTalk, “An annual report issued by the Department of Homeland Security’s (DHS) Office of Inspector General (OIG) flags leadership stability and cybersecurity issues among the ‘most serious management and performance challenges’ facing the agency currently.”
  • Federal CISO: Better Info Sharing Will Lead to More Secure Supply Chain: According to NextGov, “Supply chain security threats will receive more direct attention in 2020, culminating with guidance from the newly-created Federal Acquisition Supply Chain Council, according to the federal government’s top cyber official. The council, created in late 2018 under the SECURE Technologies Act, is comprised of various high-level officials from the intelligence community, civilian agencies and the Pentagon, and charged with collecting supply chain threat data from agencies and providing them guidance in addressing such threats.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • Pentagon’s next cyber policy guru predicts more collective responses in cyberspace: According to CyberScoop, “State-sponsored cyberattacks against just one victim nation at a time could soon provoke a global response, if a growing number of officials around the world have their way. As the Pentagon has experimented with new authorities allowing U.S. Cyber Command to be more offensive in cyberspace, key officials have suggested there is a groundswell of support for multi-nation countermeasures in the digital age. Thomas Wingfield, the incoming deputy assistant secretary of Defense for cyber policy, told CyberScoop that alliances could be a more successful way to deter hackers and strike back when they infiltrate sensitive networks.”
  • A Notorious Iranian Hacking Crew Is Targeting Industrial Control Systems: According to Wired, “Iranian hackers have carried out some of the most disruptive acts of digital sabotage of the last decade, wiping entire computer networks in waves of cyberattacks across the Middle East and occasionally even the US. But now one of Iran's most active hacker groups appears to have shifted focus. Rather than just standard IT networks, they're targeting the physical control systems used in electric utilities, manufacturing, and oil refineries.”
  • 1.19 billion confidential medical images available on the internet: According to Help Net Security, “1.19 billion confidential medical images are now freely available on the internet, according to Greenbone’s research into the security of Picture Archiving and Communication Systems (PACS) servers used by health providers across the world to store images of X-rays as well as CT, MRI and other medical scans. That’s a 60% increase from the finding between July and September 2019, and includes details of patient names, reason for examination, date of birth, and ID cards in some cases.”
  • Password data for ~2.2 million users of currency and gaming sites dumped online: According to Ars Technica, “Password data and other personal information belonging to as many as 2.2 million users of two websites—one a cryptocurrency wallet service and the other a gaming bot provider—have been posted online, according to Troy Hunt, the security researcher behind the Have I Been Pwned breach notification service.”
  • NSA Publishes Advisory Addressing Encrypted Traffic Inspection Risks: According to Bleeping Computer, “The National Security Agency (NSA) published an advisory that addresses the risks behind Transport Layer Security Inspection (TLSI) and provides mitigation measures for weakened security in organizations that use TLSI products. TLSI (aka TLS break and inspect) is the process through which enterprises can inspect encrypted traffic with the help of a dedicated product such as a proxy device, a firewall, intrusion detection or prevention systems (IDS/IPS) that can decrypt and re-encrypt traffic encrypted with TLS.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Americans Mistrust Companies with Personal Data, Study Shows: Reported in National Law Review, “According to a new survey by the Pew Research Center, most Americans believe that companies are tracking their activities on and offline, and that this activity is unavoidable. Not only that, but many also believe that they have little control over who can access an array of personal details, such as their location and online activity, including purchases they have made online or in person.”
  • Report: Retail Sector Under Cybersecurity Siege: Reported in Security Boulevard, “A report issued this week in advance of the holiday season by IntSights, a provider of a cybersecurity service that surfaces threats on the Dark Web, estimates that organized retail crime (ORC) is now costing retailers approximately $30 billion each year.”
  • Cybersecurity remains the top concern for middle market companies: Reported in TechRepublic, “Nearly half of organizations (47%) said they believe risk in their industry will increase in the next year, and almost the same number (48%) said they believe risk for their company will also grow, the report found.”
  • Cybersecurity tops state administrators' risk-management list: Reported in StateScoop, “A survey released this week by the National Association of State Chief Administrators, the group representing cabinet-level officials in charge of managing government services, found that its members named cybersecurity as their top focus area when it comes to managing risk. More than three-quarters of respondents to NASCA’s survey, which was compiled by the consulting firm McKinsey & Company, said cybersecurity was a leading priority for their risk-management strategies, far outpacing the next two most common responses, employee safety and security of physical security.”
  • Survey: Most HR managers aren't taking employee data security seriously: Reported in HR Dive, “41% of employers don't train all their HR personnel in protecting employee data and just 19% revise their policy quarterly.”
  • Attackers Outrunning, Outsmarting Healthcare Defenses: Reported in Security Boulevard, “In 2019, so far, nearly four out of five breaches in the industry struck health care providers. And 53% of those attacks were at the hands of external attackers, respondents to a new survey said.”
  • Most Companies Lag Behind '1-10-60' Benchmark for Breach Response: Reported in Dark Reading, “[Only] 33% of respondents thought their companies could contain a breach within an hour, with 31 hours as the average time to close a breach once it is discovered. In total, the average company would need 162 hours to detect, triage, and contain a breach, according to the CrowdStrike survey. The reality of businesses' cybersecurity response falls far short of what the cybersecurity firm considers the best practice: 1 minute to detect, 10 minutes to triage, and 60 minutes to contain.”
  • ThreatList: Admin Rights for Third Parties is the Norm: According to Threatpost, “61 percent of respondents in a recent survey said they’re unsure if partners, contractors, suppliers and others are accessing or attempting to access unauthorized data.”

Vista Equity Partners Acquires Sonatype

According to TechCrunch, “Private equity firm Vista Equity Partners has acquired Sonatype, a cybersecurity-focused open-source automation company. Terms of the deal were not disclosed, but Sonatype said the acquisition will help to build out its Nexus platform, an enterprise-ready repository manager and library with access to analysis on 65 million open-source components. The platform helps enterprises to keep track of open-source code to ensure software in the DevOps pipeline remains up-to-date with the latest bug and security fixes.”