NTSC Technology Security Roundup

Weekly News Roundup: February 11, 2019

2018’s “DHS Cyber Hunt and Incident Response Teams Act” Reintroduced in the Senate

Recently, a bill that would strengthen the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) to help better protect the private sector was reintroduced in the Senate. Titled the “DHS Cyber Hunt and Incident Response Teams Act,” this bipartisan bill is sponsored by Senators Maggie Hassan (D-New Hampshire) and Rob Portman (R-Ohio). According to Security Week, “The bill requires the DHS to create permanent incident response and so-called ‘cyber hunt’ teams tasked with mitigating and preventing cyberattacks on private sector organizations and federal agencies. Initially introduced by Senators Hassan and Portman last year as the ‘DHS Cyber Incident Response Teams Act of 2018,’ the bill authorizes the DHS’s National Protection and Programs Directorate to create teams for assisting owners and operators with restoring services following a cyber incident, detecting intrusions, creating mitigation strategies, and providing recommendations for improving network security.”

Nation State Attribution Becoming More Difficult

For CISOs, nation state attacks are a major concern. These asymmetrical attacks can be nearly impossible to fight off and require heavy public-private sector cooperation as part of a cyber defense strategy. The bad news is that these nation state attacks are becoming harder to attribute. According to a recent Booz Allen Hamilton report (summarized in NextGov), “The uptick in unidentifiable incidents suggests state-sponsored hacking rings have gotten better at tricking researchers into assigning blame to the wrong group, [the report] said, which would undermine the government’s primary cyber deterrence strategy. Since 2014, the U.S. has relied on a strategy of ‘naming and shaming’ foreign governments for their misdeeds in cyberspace as a way to dissuade attacks. But as bad actors mask themselves by adopting other groups’ ‘signature’ tools and exploiting other weaknesses in the attribution process, researchers said the government could lose its ability to identify and punish them.”

Public-Private Sector Cyber Collaboration Encouraged After 2018 Cyber Exercises

The recently released analyses of two cyber exercises held last year reinforce the importance of strong public-private sector cybersecurity collaboration to fend off cyberattacks and improve national security.

  • Report urges government, private firms collaborate to prevent fallout from major cyberattack: Reported in The Hill, “The Foundation for Defense of Democracies (FDD) and consultant firm The Chertoff Group hosted a table-top exercise in October [2018] to walk through what could happen in the event of a major cyberattack that impacted several critical U.S. functions like the power grid at once. ‘The most important finding from the discussion is that unless government and private sector decision makers begin developing [cyber-enabled economic warfare] specific procedures and trust now, the United States will find itself flat-footed during a major cyber event,’ the report states.”
  • Cyber exercise shows need for closer federal-state coordination: Reported in FCW, “A drill last July, dubbed Jack Voltaic 2.0, demonstrated gaps in operational and legal authorities as well as confusion about first response. […] The Cybersecurity and Infrastructure Security Agency at DHS is working to ‘create a visible logical, useful connection’ that state and local governments, as well as industry, can turn to for help, NCCIC Director John Felker said. The report on the exercise recommends closer coordination among federal civilian and defense agencies and state and local governments. One idea is to have the Federal Emergency Management Agency, the Department of Defense, the Department of Energy and DHS work together to develop a campaign to integrate the Jack Voltaic model into the exercise framework at the national level.”

Federal Cybersecurity News Roundup

Many federal cybersecurity news stories appeared last week. Here’s a roundup.

  • Lawmakers put Pentagon’s cyber in their sights: Reported in The Hill, “[Lawmakers] have indicated that they will use this upcoming Congress to look at the Pentagon’s cyber preparedness, both in terms of carrying out and fending off cyberattacks. Rep. Jim Langevin (D-R.I.), the chair of the House Armed Services Committee’s intelligence subcommittee, which oversees cybersecurity for the Pentagon, said he is particularly concerned about the offensive cyberattacks that the U.S. could carry out.”
  • Cyber defenses have improved, but DOD systems are still at risk: Reported in Defense Systems, “Although the Defense Department has enhanced its cyber capabilities, adversaries are improving their attacks faster than defenders are shoring up their systems, a Pentagon watchdog said. According to the results of 50 cybersecurity assessments of combatant commands and the military services by the Office of the Director, Operational Test and Evaluation, DOD missions and systems continued to be at risk of cyber intrusions, despite improvements in network defenses.” NextGov, referencing the same report, also said, “A lack of tough cyber operators to play the role of adversary is leaving U.S. cyber defenders unprepared for today’s real-world threats, according to the Pentagon’s Office of the Director of Operational Test & Evaluation. The service branches have too few red teams, the groups of U.S. troops, employees, and contractors who play the bad guys and test Defense Department networks for cyber vulnerabilities.”
  • Agencies: We Have Enough Tech, We Need More Cyber Pros: Reported in NextGov, “Federal agencies have the tech they need to defend against cyberattacks but not enough staff to keep their networks and assets safe, according to a recent survey. […] While almost half of those polled said their agency isn’t ‘fully prepared’ for an attack, 84 percent said their tech is on par or more advanced than that used by Silicon Valley. That said, 48 percent of those polled said they don’t have the staff to protect their agencies.”
  • Feds ahead in DMARC adoption: Reported in GCN, “Eighty percent of 1,300-plus U.S. federal domains now publish Domain-based Message Authentication, Reporting and Conformance records, considered a crucial first step in identifying false or impersonated email addresses, according to new research conducted by cybersecurity company Valimail…”
  • NIST narrows field of post-quantum crypto contenders: Reported in GCN, “[NIST] plans to supplement or replace three standards considered most vulnerable to a quantum attack: FIPS 186-4, which specifies the suite of algorithms to use to generate digital signatures, and NIST SP 800-56A and NIST SP 800-56B, which both relate to establishing keys used in public-key cryptography.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Evaluating the biggest cyber threats to the electric power sector: Reported in Help Net Security, “A new Deloitte Global report, ‘Managing cyber risk in the electric power sector,’ evaluates the biggest cyberthreats to the electric power sector and suggests how companies can manage these risks. The electric power sector faces a rapidly evolving cyberthreat landscape – the sophistication and frequency of attacks are increasing, and the number of threat actors is growing. In fact, energy is one of the top three sectors targeted by cyberattacks in the United States.”
  • You’ve been breached: Hackers stole nearly half a billion personal records in 2018: Reported on NBC News, “Hackers stole nearly 447 million consumer records containing sensitive personal information last year, according to the 2018 End-of-Year Data Breach Report from the Identity Theft Resource Center. That’s a jump of 126 percent from 2017 (when roughly 198 million sensitive records were stolen) and a new record for the number of compromised files in a single year.”
  • The $5.2 Trillion Price Tag of Cybercrime: Reported in Entrepreneur, “[In] the next five years, companies across the world could incur US$5.2 trillion in additional costs and lost revenue owing to cyberattacks, according to a new report from management consulting company Accenture. The ‘Securing the Digital Economy: Reinventing the Internet for Trust’ report says dependency on complex Internet-enabled business models is outpacing the ability to introduce adequate safeguards that protect critical assets.”
  • Over 90% Of Adults Put Their Personal Data At Risk, Increasing Chances Of Identity Theft: Reported in Forbes, “A recent study conducted by CreditCards.com found that more than 9 in 10 (92%) U.S. adults have been guilty of at least one risky data security behavior in the past year. […] More than 8 in 10 (82%) have reused online passwords, including 61% who use the same password at least half of the time and 22% who always do.”
  • Malicious URLs outnumbered attachments in emails 3 to 1 last year: Reported in TechRepublic, “Hackers are relying substantially more on malicious URLs than email attachments in the course of committing crimes, according to Proofpoint’s Quarterly Threat Report for Q4 2018, published Thursday. Despite that trend, Q4 2018 saw a jump in malicious attachments as well, particularly in late October, with a decline in URLs at the same time.”
  • Auto engineers warn your car might be easier to hack than you think: Reported in CNBC, “Some 84 percent of security professionals and auto engineers surveyed worry that automakers aren’t keeping pace with the rapidly changing security threats. Some 63 percent of respondents said they test less than half of hardware, software and other technologies for vulnerabilities.”