NTSC Technology Security Roundup

Weekly News Roundup: December 17, 2018

Democrats Address Privacy by Introducing the Data Care Act

Last Wednesday, Senator Brian Schatz (D-Hawaii) introduced a bill titled the Data Care Act of 2018. Co-sponsored by 14 other Democratic Senators, the bill would “establish duties for online service providers with respect to end user data that such providers collect and use.” According to a press release, “The Data Care Act would require websites, apps, and other online providers to take responsible steps to safeguard personal information and stop the misuse of users’ data.” The bill gives the FTC new rulemaking authority and enhanced abilities to impose fines on offenders. Reported in SC Media, “The bill tasks the Federal Trade Commission with creating a set of ground rules for how companies which gather and digitally store sensitive personal information on their customers must protect that data.”

GOP and Democrats Offer Scathing Yet Different Reports About Equifax Breach

According to a press release, House Oversight and Government Reform Committee Republicans released a staff report after the Committee’s 14-month investigation into the Equifax data breach, one of the largest data breaches in U.S. history. Through the investigation, the Committee reviewed over 122,000 pages of documents, conducted transcribed interviews with three former Equifax employees directly involved with IT, and met with numerous current and former Equifax employees, in addition to Mandiant, the forensic firm hired to conduct an investigation of the breach.

The GOP report concluded that the breach was entirely preventable and that Equifax had a lack of accountability within its management structure, maintained complex and outdated IT systems, failed to implement responsible security measures, and was unprepared to support affected consumers. The Democratic report, by contrast, argued that the GOP report merely repeated known information without proposing solutions. Democrats proposed to “hold federal financial regulatory agencies accountable for their consumer protection oversight responsibilities; require federal contractors to comply with established cybersecurity standards and guidance from the National Institute of Standards and Technology (NIST); establish high standards for how data breach victims should be notified; and strengthen the ability of the Federal Trade Commission (FTC) to levy civil penalties for private sector violations of consumer data security requirements.”

Cybersecurity Threats to National Security: A Roundup

Last week, multiple reports and statements from the federal government discussed ongoing and emerging cybersecurity threats to national security. Some of these items included:

  • US intelligence community says quantum computing and AI pose an ‘emerging threat’ to national security: Reported in TechCrunch, “Agnostic technologies like encryption, autonomous and unmanned systems, AI and quantum computing rank at the top of the agencies’ ‘worry list’ for fears that they could be used to cause harm, rather than advance society. While all can be used for good — to secure data, to survey a dangerous area or simply to save time and effort — the government says that all can have disastrous effects if used by an adversary.”
  • Top FBI official calls Chinese cyberespionage ‘most severe’ threat to American security: Reported in SC Media, “FBI counterintelligence division head E.W. ‘Bill’ Priestap [last] Wednesday said Chinese cyberespionage poses the ‘most severe’ threat to American security at a Senate Judiciary Committee hearing on ‘Non-Traditional Espionage Against the United States.’”
  • Secure Critical Infrastructure Top of Mind for U.S.: Reported in Threatpost, “Rob Joyce, senior advisor of cybersecurity strategy for the National Security Agency (NSA), said that while attacks targeting the systems that power the manufacturing, power and water plants, the oil and gas industry, and many other sectors have been around for awhile, the trend ‘is going the wrong way.’”
  • House Releases Cybersecurity Strategies Report: Reported in SecurityWeek.com, “The U.S. House of Representatives’ Committee on Energy and Commerce has released a report identifying strategies for the prevention and mitigation of cybersecurity incidents. Designed to summarize the work of the Subcommittee on Oversight and Investigations, the report (PDF) includes conclusions drawn from tens of briefings, hearings, letters, reports, and roundtables. It also provides six priorities that should improve protection against vulnerabilities.”
  • U.S. must prep for a cyberattack that coincides with a natural disaster, industry council says: Reported in CyberScoop, “A presidential advisory council has warned the White House and Department of Homeland Security in no uncertain terms that a catastrophic months-long power outage represents a ‘profound threat [that] requires a new national focus.’ The president’s National Infrastructure Advisory Council, a group of executives from the public and private sectors tasked with issuing advice on protecting critical infrastructure, in a December report calls on the government to enhance its efforts to prevent widespread electrical failures in the event of a natural disaster.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Palo Alto Networks Unit 42 Cloud Security Trends: Reported in The Hill, “Palo Alto Networks’s threat research team Unit 42 found that 29 percent of vendors it worked with had potential account compromises in their cloud services. And 32 percent of the groups had set up their networks in a way that publicly exposed at least one cloud storage system, according to the research team.”
  • New secured phishing site goes up every two minutes: Reported in SC Media, “Researchers discovered over 1,150 new HTTPS phishing sites over the course of one day, not including the plethora of the malicious HTTP phishing URLs that we already know exist, meaning a new secure phishing site goes up every two minutes.”
  • Cyberattacks are the fastest growing crime and predicted to cost the world $6 trillion annually by 2021: According to a press release, “Cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.”
  • Holiday ID Fraud Report Shows 2018 Fraud Reaches 5 Year High: Reported in Security Magazine, “New data from Jumio reveals that online ID fraud attempts on government-issued IDs increased 22 percent worldwide during the 2018 Black Friday to Cyber Monday period compared to the non-holiday full-year average.”
  • Data breach attack surfaces to expand in 2019: Reported in SecurityInfoWatch.com, “According to Experian’s 2019 Data Breach Industry Forecast, cyber criminals are expected to double-down on their efforts to compromise sensitive information and will likely use several different threat vectors to do so.”

Arctic Wolf Acquires Cybersecurity Vulnerability Assessment Firm RootSecure

According to a press release, Arctic Wolf Networks (AWN), a security operations center (SOC)-as-a-service company, announced last Wednesday the acquisition of RootSecure Corp., an advanced cybersecurity risk assessment company. RootSecure provides risk-based vulnerability assessment solutions that continuously probe networks, discover connected devices, and test an organization’s social engineering resilience. Founded in 2017 and based in Canada, RootSecure quantifies cyber and data risk, arming information technology and security teams with real-time, actionable insight from comprehensive and continuous vulnerability assessment of networks, devices, and people.