NTSC Blog

Weekly News Roundup: November 4, 2019

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

• Senators introduce bill to strengthen cybersecurity of local governments: According to The Hill, “A bipartisan group of senators [last] Wednesday introduced legislation intended to shore up cybersecurity for local governments by providing resources for them to switch to secure internet domains administered by the federal government. The bill, dubbed the DOTGOV Online Trust in Government Act, would not require local governments to switch their domains to .gov, but would require the Department of Homeland Security to provide resources and assistance to local governments that do intend to make the switch.”
• Lieu seeks answers from White House about cybersecurity purge: According to FCW, “In an Oct. 25 letter, Rep. Ted Lieu (D-Calif.) references an Oct. 17 memo from Dimitrios Vastakis, former Branch Chief of White House Computer Network titled ‘Cyber Security Personnel Leaving Office of the Administration at an Alarming Rate.’ […] The memo, obtained and first reported on in Axios, claimed that these tactics included revoking incentives, reducing the scope of duties, reducing access to programs and buildings and revoking positions with strategic and tactical decision-making authorities. It notes that these tactics have ‘forced the majority of GS-14 and GS-15 OCISO staff to resign.’”
• Congress should make it easier for companies to report suspicious suppliers: According to Politico, “Congress could help the Cybersecurity and Infrastructure Security Agency and the private sector protect the U.S. supply chain from cyber threats by empowering companies to report suspicious suppliers, CISA Director Chris Krebs told lawmakers Thursday. ‘Make it easier for companies to share information on risky vendors that they come across, and make it similarly easy for me to share that information,’ Krebs said when asked for his legislative wish list at a Senate Homeland Security and Governmental Affairs Committee hearing on supply chain and 5G security.”
• Bill to enhance regulators’ cybersecurity passes HFSC: According to the Credit Union National Association, “The House Financial Services Committee passed the Cybersecurity and Financial System Resilience Act (H.R. 4458) by voice vote [last] Wednesday. […] H.R. 4458 would require NCUA and other sectors’ regulators to each issue an annual report to Congress describing measures the respective agency has taken to strengthen cybersecurity with respect to its functions as a regulator, including the supervision and regulation of financial institutions and, where applicable, third-party service providers.”
• Rip and repay?: According to FCW, “The federal government is pushing U.S. telecoms to take out gear from Huawei and other Chinese companies that may threaten their networks. Lawmakers at an Oct. 31 Senate hearing wanted to know how the government and network operators planned to share the costs of gear replacement ahead of 5G adoption. Senator Ron Johnson (R-Wis.), chair of the Homeland Security and Governmental Affairs Committee, pressed a panel of Trump administration officials to provide lawmakers with a simplified definition of the problem facing U.S. networks, saying the global transition from 4G to 5G telecommunications will encompass trillions of dollars of economic activity but warning that it would be fraught with both promise and pitfalls.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

• White House Tech Chiefs Preview 2020 Cyber Initiatives: According to NextGov, “The government is three weeks into fiscal 2020, and as Congress works to finalize the federal budget, the White House is locking down its cybersecurity priorities for the next year. IT modernization will remain a major focus of the Trump administration’s tech agenda in 2020, and cybersecurity is going to factor into every one of those efforts, according to Federal Chief Information Officer Suzette Kent. Leaders are particularly interested in identity management strategies, enhanced security measures for citizen-facing services, and automated network monitoring for agency cyber shops, Kent said [last] Thursday.”
• FCC proposal targeting Huawei garners early praise: According to The Hill, “The Federal Communications Commission (FCC) is moving aggressively to ban companies from using federal subsidies for equipment from Chinese telecommunications groups Huawei and ZTE, and earning initial praise from lawmakers and industry groups. […] The proposed rules, rolled out by Pai on Monday, would bar U.S. telecom groups from using funds from the FCC’s Universal Services Fund (USF) to buy equipment from companies deemed national security threats, and would designate Huawei and ZTE as such.”
• Civilian Vendor Cybersecurity Certification Would Look Very Different From DOD: According to NextGov, “The Defense Department is working on a new policy that will require its vendors to obtain a certification confirming the contractor’s own systems have strong enough cybersecurity to protect the department’s secrets. A civilian agency counterpart to that would look very different than what the Pentagon is developing, according to the second-ranking civilian IT official.”

15 Major US Companies Take Action to Close the Cybersecurity Skills Gap

According to a press release, the Aspen Cybersecurity Group last Wednesday announced commitments from fifteen industry representatives, including AIG, Apple, Cloudflare, Cyber Threat Alliance, Duke Energy, Facebook, Google, IBM, IronNet, Johnson & Johnson, Northrop Grumman, Symantec, Unisys, Verizon, and PwC, to address the mounting shortfall in the nation’s cybersecurity workforce. Fifteen senior industry representatives in the Aspen Cybersecurity Group are committing to adopt three of the Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce:

1. Widen the aperture of candidate pipelines, for example by expanding recruitment focus beyond applicants with four-year degrees or using non-gender biased job descriptions.

2. Revitalize job postings to be engaging and to focus on the core requirements; don’t “over-spec” the requirements.

3. Make career paths understandable and accessible to current employees and job seekers, referencing models like the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework where applicable.

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

• China-backed hackers stole text messages and phone records in push for intelligence, report says: Reported in CNBC, “State-backed Chinese hackers were able to hack into telecommunications firms and steal the contents of text messages of ‘geopolitical interest’ to Beijing, according to a new report. The group, known as APT41, used a malicious piece of software or malware dubbed ‘Messagetap’ to access servers responsible for sending and storing text messages, cybersecurity firm FireEye said. The company did not disclose the name of the telecom company.”
• Research finds 2019 increase in breaches and cybersecurity spending: Reported in TechRepublic, “Annual spending on vulnerability management activities increased to $1.4 million, an increase of an average of $282,750 from 2018. This year also saw an increase in the number of companies affected by attacks. Nearly half of organizations in the survey had been hit by at least one cyberattack in the last two years. More than 60% of respondents said they were unaware their organizations were vulnerable before the breach while another 60% said the attacks were caused by a patch that was available for a known vulnerability but not applied.”
• Study Finds Companies May Be Wise to Share Cybersecurity Efforts: According to NC State University, “Research finds that when one company experiences a cybersecurity breach, other companies in the same field also become less attractive to investors. However, companies that are open about their cybersecurity risk management fare significantly better than peers that don’t disclose their cybersecurity efforts.”
• Cybersecurity Trumps Political, Reputational Concerns for Companies: Reported in Dark Reading, “According to its annual ‘State of Enterprise Risk Management’ report, ISACA found that 29% of the 4,625 risk managers polled identify cybersecurity as the top threat to their business, while 15% consider reputational risks and 13% name financial dangers as most critical.”
• U.S. Universities Get Failing Grades for DMARC Adoption: Reported in Threatpost, “The U.S. higher education system is lagging when it comes to implementing email security – even though the segment remains a top target for phishing and spam campaigns. According to an analysis from Red Sift shared with Threatpost, only 3 percent of the top 200 schools in the 2020 WSJ/THE College Rankings have the DMARC protocol configured at its fullest protection level.”
• Data breach causes 10 percent of small businesses to shutter: Reported in SC Media, “A report issued by the National Cyber Security Alliance, based on a Zogby Analytics survey of 1,008 small businesses with up to 500 employees, found that after suffering a data breach 10 percent went out of business, 25 percent had to file for bankruptcy and 37 percent experienced a financial loss.”
• ThreatList: Most Retail Hardware Bug Bounty Flaws Are Critical: Reported in Threatpost, “Overall, across all retail programs, more than 18 percent of all bug bounty submissions are critical in severity, a new Bugcrowd report found. Almost all of hardware vulnerabilities – 90 percent – that were submitted to retail bug bounty programs so far this year were categorized as critical, showing that Point of Sale systems and other retail hardware assets remain a serious security issue.”
• IT Professionals Reveal Scanning Endpoints for Vulnerabilities as Their Top Cybersecurity Challenge: According to a press release, “Just 17% of companies have enough staff to handle security appropriately [and] only 29% of companies will have completed Windows 10 migration before deadline.”
• Many Businesses Fail to Use Data Security Software: Reported in Business News Daily, “[While] most business owners said they understood the importance of cybersecurity, 27% reported not using any type of software-based preventative measure to thwart potential data breaches.”
• More than 1 in 3 Enterprises Say Cloud Apps Are the Most Vulnerable to Insider Threat: According to a press release, “In the newly released 2019 Insider Threat Report, thirty-nine percent of cybersecurity professionals identified cloud storage and file sharing apps as the most vulnerable to insider attacks. In addition, 56 percent believe detecting insider attacks has become significantly to somewhat harder since migrating to the cloud. Despite this risk, only 40 percent of organizations say they monitor user behavior across their cloud footprint.”
• IT Security Leaders, Board Members Need to Accept More Responsibility for Cybersecurity Risk: Reported in CPO Magazine, “According to a new AttackIQ report based on Ponemon Institute research, 63% of IT security leaders do not report to the board of directors on a regular basis, and 40% do not report to the board at all.”

Cybersecurity Acquisitions

Three major cybersecurity company acquisitions were reported last week:

• Fortinet Buys Cybersecurity Startup enSilo To Boost Endpoint Defenses: Reported in CRN, “Fortinet has purchased early-stage endpoint security player enSilo to strengthen its real-time automated detection and response capabilities around endpoint and edge data. The Sunnyvale, Calif.-based platform security vendor said it plans to integrate San Francisco-based enSilo’s endpoint detection and response (EDR) technology with Fortinet’s Network Access Control (NAC), Security Information and Event Management (SIEM) and User Entity Behavior Analytics (UEBA) offerings to provide better visibility into the endpoint and control over network, user, and host activity.”
• ConnectWise to Buy Continuum in Mega-Deal for MSPs: Reported in Channel Futures, “ConnectWise delivered some big news Wednesday to kick off its IT Nation Connect conference, announcing the acquisitions of Continuum and ITBoost, as well as a strategic partnership with Webinfinity. […] Essentially, snapping up these companies is designed to put more problem-solving resources, tools for efficiency, and fuel for growth in the hands of partners while transforming ConnectWise into a technology and services platform for the entire technology channel.”
• DLT Solutions to be Acquired by Tech Data: According to a press release, “DLT Solutions, the premier government solutions aggregator, announced [last Wednesday] that it has entered into a definitive agreement to be acquired by Tech Data (Nasdaq: TECD). Upon closing of the transaction, DLT will become a wholly owned subsidiary of Tech Data. DLT has experienced continued growth through sales of next-generation technologies, including cloud and cybersecurity, to the public sector since its acquisition by Mill Point Capital in 2015.”