NTSC Technology Security Roundup

Weekly News Roundup: December 2, 2019

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • Senate Passes State and Local Government Cybersecurity Act: According to Fifth Domain, “The Senate unanimously passed a bill Nov. 21 directing the Department of Homeland Security to assist state and local governments with cybersecurity. The bill, called the State and Local Government Cybersecurity Act, would improve better cybersecurity coordination between states and DHS through the department’s National Cybersecurity and Communications Integration Center (NCCIC). The bill would allow the NCCIC to provide state and local officials with access to security tools and procedures, as well as participation in joint cybersecurity exercises.”
  • Senate Passes National Cybersecurity Preparedness Consortium Act: According to a press release, “U.S. Senator John Cornyn (R-TX) released the following statement after the National Cybersecurity Preparedness Consortium Act, legislation that would authorize the U.S. Department of Homeland Security to work with the National Cybersecurity Preparedness Consortium (NCPC) to help prepare for and respond to cybersecurity risks at the national, state, and local levels, passed the Senate [November 21]. ‘Cyber threats are evolving at an alarming rate, and we need to be sure our infrastructure to combat them is ready for the challenge,’ said Sen. Cornyn. ‘Universities like UTSA and Texas A&M are a boon to our state as Texas works to ensure governments at all levels can prevent and take action on cyberattacks.’”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Commerce Secretary Proposes ‘Case-by-Case’ Enforcement Of Telecom Ban: According to NextGov, “The Commerce Department is set to publish a proposed rule giving the Commerce Secretary ‘case-by-case’ authority to enforce an executive order banning transactions with suspect foreign telecommunications companies.”
  • DHS issues draft order requiring agencies to bolster cybersecurity: According to The Hill, “The Department of Homeland Security’s (DHS) cybersecurity agency [last] Wednesday issued a draft order that would require federal agencies to increase protections against cyber vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) asked for public comment on a draft directive requiring government agencies to develop and publish cyber vulnerability disclosure policies.”
  • Intel Community IG Highlights Cybersecurity, AI in Semiannual Report: According to MeriTalk, “In a new semiannual report, the Intelligence Community Inspector General (ICIG) within the Office of the Director of National Intelligence (ODNI) says that ODNI must upgrade cybersecurity controls going forward to improve management and risk mitigation of trusted privileged users inappropriately accessing, modifying, destroying, or exfiltrating classified data.”
  • Watchdog Finds DOE Falling Short on Cybersecurity: According to BankInfoSecurity, “The U.S. Department of Energy is routinely failing to secure unclassified IT systems in the nation's critical infrastructure, including nuclear facilities, leaving them open to outside attacks and hacking, an annual audit from the agency's Inspector General finds. And while the Energy Department is capable of fixing these cybersecurity deficiencies, the federal agency continues to make the same mistakes and security errors year-after-year, the report shows.”
  • Murky contractor ownership masks national security threats to IT: According to FedScoop, “The Department of Defense should investigate contractor ownership during fraud risk assessments to catch national security threats to IT systems, according to a new watchdog report. Shell companies the government mistakenly contracts with could sabotage or spy on systems containing sensitive information, according to intelligence officials the Government Accountability Office consulted for its report released [last] Monday.”
  • With U.S. cyber policy, clear lanes still hard to come by: According to FCW, “At a Nov. 22 discussion hosted by George Mason University’s National Security Institute, FBI Chief of Cyber Policy Steven Kelly said outlining clearer guidance for how the Departments of Justice, Defense, Homeland Security and the intelligence community engage with the private sector and adapting bureaucratic processes for speed are the subject of ongoing conversation among agencies.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • FBI Probing Hack of US Electricity Providers: Reported in PYMNTS.com, “The FBI is investigating a hacking campaign that targeted more than a dozen U.S. utilities, some of which are located near critical infrastructure. According to The Wall Street Journal, researchers at a Silicon Valley cybersecurity company discovered the cyberattack attempts. The FBI has contacted some of the utilities and provided information so that they can scan their computer networks to see if firewalls have been breached.”
  • U.S., Russia And Israel Show Little Appetite For Cyber Destruction: Reported in Forbes, “[A study recently published by The Atlantic Council], completed by Drs. Benjamin Jensen and Brandon Valeriano, takes note of the fact that states are increasingly using cyberspace as a tool for advancing their interests and coercing their rivals. As a result, policymakers, academics, and activists have all worried about whether cyber conflicts among states could spin out of control, escalating into more dangerous, physical confrontations. ‘The answer,’ Jensen and Valeriano write, ‘is surprising: no.’ In fact, just the opposite has been the case so far. They report that, ‘To date, cyber operations have tended to offer great powers escalatory offramps. They have provided signaling mechanisms that have let states shape an adversary’s behavior without engaging military forces and risking military escalation.’”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Cryptocurrency crime surges, losses hit $4.4 billion by end-September: CipherTrace report: Reported in Reuters, “Losses from digital currency crime soared to $4.4 billion in the first nine months of the year, up more than 150% from $1.7 billion in all of 2018.”
  • Oil and Gas Cybersecurity Price Tag Could Top $20B: Reported in Rigzone, “Oil and gas companies will spend more than $20 billion on cybersecurity by 2023, according to a survey conducted by the consulting firm BDO.”
  • The Cybersecurity Landscape in Healthcare: Reported in Managed Healthcare Executive, “70% of healthcare IT management respondents report their operations are not aware of the full variety of cybersecurity solution sets that exist. Last year, 57% reported not having a good understanding of the cybersecurity product and service landscape.”
  • An Alarming Number of Software Teams Are Missing Cybersecurity Expertise: Reported in Dark Reading, “In data published on Nov. 21, software security firm WhiteHat Security found that three-quarters of developers are worried about the security of their applications, and about seven out of eight consider security to be an important development consideration, but only half of these teams have a dedicated cybersecurity expert.”
  • Over 38 Million Healthcare Records Exposed in Breaches Over 2019: Reported in Bleeping Computer, “The count of exposed, lost, or stolen health records until the end of October this year passed the 38 million mark, HIPAA Journal reports.”

Cybersecurity Acquisitions

News about two major cybersecurity company acquisitions was reported last week:

  • Dell Exploring Sale of RSA Cybersecurity Unit – Report: According to TheStreet, “Dell Technologies (DELL) is reportedly exploring a sale [of] its cybersecurity business, RSA Security, which it expects could fetch at least $1 billion including debt, Bloomberg reported just ahead of the release of the company's fiscal third-quarter earnings. Citing people familiar with the discussions, Bloomberg said that Dell was considering selling the division, which helps companies detect and respond to security risks as well as reduce intellectual property theft, fraud and cybercrime.”
  • Palo Alto Networks Announces Intent to Acquire Aporeto: According to a press release, Palo Alto Networks announced last Monday that it has entered into a definitive agreement to acquire Aporeto Inc., a machine identity-based microsegmentation company. Under the terms of the agreement, Palo Alto Networks will pay approximately $150 million in cash to acquire Aporeto, subject to customary adjustments. The acquisition is expected to close during Palo Alto Networks' fiscal second quarter, subject to the satisfaction of customary closing conditions.