NTSC Technology Security Roundup

Weekly News Roundup: December 16, 2019

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • Senate bill would give DHS cyber agency subpoena powers: According to The Hill, “Two senators unveiled bipartisan legislation [last] Thursday that would give the Department of Homeland Security’s (DHS) cyber agency the ability to subpoena internet service providers to increase transparency about cyber vulnerabilities. The bill from Sens. Ron Johnson (R-Wis.) and Maggie Hassan (D-N.H.), gives the DHS Cybersecurity and Infrastructure Security Agency (CISA) the power to issue subpoenas to obtain information about potential cyber vulnerabilities related to critical infrastructure, such as in the electric grid or dams. CISA would then be able to warn the critical infrastructure companies targeted of the potential dangers found by internet service providers.”
  • U.S. Senate Approves National Cybersecurity Preparedness Consortium: According to Security Magazine, “The U.S. Senate passed legislation to formally charter a National Cybersecurity Preparedness Consortium (NCPC), which includes Norwich University. The legislation was introduced by Senator Patrick Leahy (D-Vt.) and Senator John Cornyn (R-Texas). According to a press release, Norwich University is a key player in NCPC, a cooperative effort of universities with expertise in cybersecurity that work with the Department of Homeland Security (DHS) to develop and carry out training and other activities focused on preparedness among state and local governments and first responders for cyber emergencies.”
  • Lawmakers give Big Tech an ultimatum on encryption: According to The Washington Post, “Lawmakers are giving big tech firms an ultimatum: Give police access to encrypted communications or we'll force you. That warning, delivered by senator after senator during a Senate Judiciary Committee hearing [last Tuesday], reflects the fierce anti-encryption mood now reigning on Capitol Hill -- and how the Justice Department's warnings about how the digital protection allows child sex traffickers and other criminals to act with impunity seem to be moving the needle.”
  • King slips legislation protecting grid from cyberattacks into 2020 Defense Authorization Bill: According to SC Magazine, “Sen. Angus King, I-Maine, tucked legislation to protect the U.S. energy grid from cyberattacks into the finalized 2020 Defense Authorization Bill. The Securing Energy Infrastructure Act, which King introduced with Sen. Jim Risch, R-Idaho, aims to safeguard the grid by facilitating partnerships with private industry through engineering to eliminate vulnerabilities that allow hackers access via hole-plagued software systems.”
  • How Congress wants to help sync military cyber: According to Defense News, “The government’s annual defense policy bill, if signed into law by President Donald Trump, will create several new cyber positions within the military. The fiscal year 2020 National Defense Authorization Act outlines the roles the Department of Defense must fill — at the Pentagon and within the services. The first position is a senior military adviser for cyber policy — who will also serve as the deputy principal cyber adviser and be at least a two-star general — within the Office of the Under Secretary of Defense for Policy.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • DHS’s Jeanette Manfra to join Google's cloud division: According to CyberScoop, “One of the U.S. government’s most influential cybersecurity officials is heading to Google. Jeanette Manfra will take a job at the tech giant’s cloud division in January after leaving her post as assistant director for cybersecurity at the Department of Homeland Security. Manfra will be global director of security and compliance as part of a new security team at Google Cloud, the company said in a statement to CyberScoop. She will help lead a new ‘Office of the CISO’ initiative at Google Cloud to bolster security with Cloud customers, the company said.”
  • DHS chooses Bryan Ware, former AI entrepreneur, as assistant director for cybersecurity: According to CyberScoop, “Department of Homeland Security officials have selected Bryan S. Ware, a tech-savvy entrepreneur and holder of multiple patents, to be the department’s most senior official focused exclusively on cybersecurity, according to multiple people familiar with the matter. For the last 10 months, Ware has been a DHS assistant secretary working on policies to make critical infrastructure more resilient to hacking threats. Now, pending White House approval, Ware is set to have an even more pronounced impact on DHS’s cybersecurity work.”
  • Cybersecurity Requirements for US Defense Contracts Expected in 2020: According to Infosecurity Magazine, “The US Department of Defense (DoD) is planning to protect its supply chain from threat actors by introducing a cybersecurity certification program for its contractors. Undersecretary of defense for acquisition and sustainment, Ellen Lord, said the new cybersecurity maturity model certification program will play a vital role in ensuring that the companies seeking to win DoD contracts meet stringent cybersecurity requirements.”
  • Current encryption algorithms still strong, NIST official says: According to GCN, “There's no near-term danger that modern tools will be able to break current encryption methods, according to Matthew Scholl, chief of the Computer Science Division at the National Institute of Standards and Technology. NIST is currently working on a number of initiatives to develop more-modern cryptographic algorithms – ones that resist codebreaking efforts from quantum computers as well as new standards for smaller ‘lightweight’ and internet-of-things devices.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • Advisory group looks to redesign federal cyber response: According to FCW, “A government advisory group is warning that escalating cyber threats to critical infrastructure represent ‘an existential threat to continuity of government, economic stability, social order and national security.’ While this conclusion is not novel -- U.S. policymakers have known for years that the nation's infrastructure contains massive targets for hackers and foreign governments -- a new draft report released this week by the National Infrastructure Advisory Council argues that current efforts have fallen short. […] With that warning comes a recommendation to create a new Critical Infrastructure Command Center to improve real-time information sharing efforts, a dedicated push by intelligence agencies to prioritize the collection and dissemination of intelligence about threats against critical infrastructure from state and non-state actors, an all-inclusive one-day top-secret briefing to critical infrastructure CEOs and a national exercise in 2020 to pilot the new structure.”
  • Report: aviation industry playing catch up on cybersecurity: According to FCW, “[A] new report from the Atlantic Council argues that these highly complex, ‘flying data centers’ are increasingly at risk for technical problems or cyberattacks that can lead to accidents and loss of life. The aviation industry still has to figure out how to incorporate cybersecurity into governance accountability frameworks for flight safety, security and enterprise IT, according to the report. Supply chain risk management also presents multiple challenges.”
  • Leaks of NSA, CIA Tools Have Leveled Nation-State Cybercriminal Capabilities: According to Dark Reading, “The public leaks of classified NSA and CIA hacking tools in 2016 and 2017 appear to have leveled the playing field for nation-state cybercriminals to some extent, new research shows. Threat intelligence firm DarkOwl recently analyzed Dark Web data gathered from public and proprietary sources and found the leaked cyber weapons have strengthened the ability of emerging nation-state actors to attack rivals and project attribution to others.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • PwC: Cybersecurity and privacy top barriers for monetizing data: Reported in Fierce Healthcare, “94% of payer executives and 85% of provider leaders listed ensuring cybersecurity and privacy as major barriers to digital strategies.”
  • Ransomware’s Toll Laid Bare: Over 100 US Gov’t Agencies Now Hit: Reported in CBR, “Nearly 1,000 US government agencies, educational establishments and healthcare providers have been hit by ransomware attacks in 2019, with attacks reaching epidemic proportions, security firm Emsisoft warned [last Thursday], saying it had tracked attacks on 103 federal, state and municipal governments and agencies, a stunning 759 healthcare providers and 86 universities, colleges and school districts.”
  • Survey: DevSecOps Progress Remains Elusive: Reported in DevOps.com, “75% of developers worry about the security and 85% rank security as being a very important element of the coding and development process. However, nearly half of the respondents said their development teams lack a dedicated cybersecurity expert. Only 30% of respondents said they have achieved security certifications in their current or prior roles.”
  • Abundance of cybersecurity tools puts enterprises at risk: Reported in TechRadar, “Of those surveyed, almost three quarters (70%) of respondents said their organization has invested in more than five new technologies in the last year while 19 percent said they've invested in more than 20. Teams are struggling to implement these new tools and 71 percent said that they are adding security technologies faster than they are adding the capacity to proactively use them.”

Possible Acquirers Interested in NortonLifeLock

Multiple potential acquirers are expressing interest in NortonLifeLock, according to several sources last week. Reported in MarketWatch, “NortonLifeLock Inc., the $16 billion consumer-software company, has attracted deal interest from a handful of companies including rival McAfee LLC, people familiar with the matter said. Among the options being considered, according to the people, is a combination with the consumer business of McAfee, the antivirus-software company owned by Intel Corp. and private-equity firms TPG and Thoma Bravo LLC. McAfee and its owners join Permira and Advent International Corp. as potential suitors for NortonLifeLock. The Wall Street Journal previously reported that those private-equity firms had made a bid for the business.”