NTSC Technology Security Roundup

Weekly News Roundup: February 17, 2020

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • House Committee Passes Two Bills to Strengthen Energy Grid Cybersecurity: According to MeriTalk, “The House Science, Space, and Technology Committee approved two bills on Feb. 12 to harden the U.S. electric grid against cyberattacks. By unanimous voice vote, the committee passed H.R. 5760, the Grid Security Research and Development Act. The legislation, sponsored by Rep. Ami Bera, D-Calif., increases research, development, and demonstration into the capacity of the energy sector to prepare for and withstand cyber attacks.”
  • $400 Million for State and Local Governments to Secure Their Networks: According to Security Magazine, “Legislation introduced by representatives from the House Committee on Homeland Security would authorize a new grant program at DHS to address cybersecurity vulnerabilities on state and local government networks. Rep. John Katko (R-NY), Rep. Michael McCaul (R-TX) and Rep. Mike Rogers (R-AL) introduced the State and Local Cybersecurity Improvement Act (H.R. 5823) that establishes a $400 million DHS grant program that incentivizes states to increase their own cybersecurity funding.”
  • CISA and states tell Senate more cybersecurity resources needed: According to StateScoop, “State IT officials and the federal government’s top civilian cybersecurity official told members of the U.S. Senate Tuesday that the federal government needs to provide state and local governments with more assistance and expertise in protecting their networks and other critical infrastructure. […] [Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency,] acknowledged his agency was not built to support state and local governments when it became the Department of Homeland Security’s newest branch in late 2018. But with ongoing threats to election security and a spike in ransomware attacks against local governments, he said, ‘we have had to build out our support to states.’”
  • Gillibrand proposes creating new digital privacy agency: According to The Hill, “Sen. Kirsten Gillibrand (D-N.Y.) wants to create an entirely new federal agency dedicated to protecting online privacy, she said in a proposal released [last Thursday]. In her first major policy proposal since dropping out of the 2020 presidential race, Gillibrand is calling for the creation of a ‘Data Protection Agency’ tasked with creating new rules around how tech companies are allowed to collect and use personal information about their users. Gillibrand's legislation would empower the agency to investigate, subpoena and go after companies accused of violating online privacy.”
  • Booker, Merkley propose federal facial recognition moratorium: According to The Hill, “Two Democratic senators [last] Wednesday introduced a bill that would place a moratorium on federal government use of facial recognition technology until Congress passes legislation regulating it. The Ethical Use of Facial Recognition Act, proposed by Democratic Sens. Cory Booker (N.J.) and Jeff Merkley (Ore.), would also prohibit state and local governments from using federal funds for the controversial technology, which scans faces for the purpose of identification. It would create a commission tasked with providing recommendations to Congress for future federal government use of facial recognition 18 months after the bill's passage.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Budget request emphasizes cyber, network security efforts: According to FCW, “The Trump administration's proposed budget for fiscal year 2021 would spend $18.8 billion on cybersecurity programs across the federal government, with approximately $9 billion dedicated to civilian agencies for network security, protecting critical infrastructure, boosting the cybersecurity workforce and other priorities. The overall cybersecurity funding at the Department of Homeland Security is listed at $2.6 billion.”
  • Coming Cyber Commission Report Loaded with 75 Ways to Improve Security: According to NextGov, “Come March 11 the Congressionally chartered Cyberspace Solarium Commission will issue an estimated 75 recommendations—including to streamline Congressional oversight and for industry to provide incident reporting—most of which will be accompanied by legislative language, according to the commission’s top staffer. The 14-member commission includes the four lawmakers—from the House and Senate—private-sector leaders, executive-branch agency heads and cybersecurity thinkers working on a strategy to blunt the harm of cyberattacks. They are required by the latest National Defense Authorization Act to issue their recommendations by April.”
  • Trump signs executive order to guard critical infrastructure that relies on GPS: According to The Hill, “President Trump [last] Wednesday signed an executive order that directs federal agencies to take steps to reduce the disruption of critical infrastructure that relies on positioning, navigation and timing (PNT) services like GPS. The executive order is aimed at strengthening the resilience of critical infrastructure that relies on PNT services, including systems involved in transportation, electricity delivery and communications.”
  • Homeland Security wants a new cyber coordination group: According to Fifth Domain, “The Department of Homeland Security wants to establish an internal organization dedicated to coordinating cybersecurity efforts across DHS and identifying joint priorities. In its fiscal 2021 budget request, DHS asked Congress to allocate it $2.6 million to create the Joint Cyber Coordination Group. The group would have six full-time employees and be housed under the Office of Policy, Strategy and Plans (PLCY). DHS’ congressional justification says that it needs the group because expanding technological and cyberthreats make it difficult for any one component to manage ‘all aspects of associated risk.’”
  • NIST seeks comment on plan to ease updates to National Vulnerability Database: According to Inside Cybersecurity, “The National Institute of Standards and Technology is seeking comment on a plan to leverage technical expertise and ‘formalize’ the process for submitting updates to the National Vulnerability Database, a move made necessary by the continued increase in reported vulnerabilities and staffing constraints of the current manual process.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • New federal strategy prioritizes defending US against foreign threats to elections, critical systems: According to The Hill, “The National Counterintelligence and Security Center (NCSC) on Monday unveiled the new National Counterintelligence Strategy, which emphasizes the need to defend against foreign operations aimed at democratic systems and at taking down critical infrastructure. […] The new strategy identifies five areas of focus for the nation to defend against, including protecting critical infrastructure systems from attacks by foreign actors, defending against the theft of American intellectual property and protecting against influence campaigns designed to undermine American democratic institutions such as elections.”
  • FBI warns about ongoing attacks against software supply chain companies: According to ZDNet, “The FBI has sent a security alert to the US private sector about an ongoing hacking campaign that's targeting supply chain software providers, ZDNet has learned. The FBI says hackers are attempting to infect companies with the Kwampirs malware, a remote access trojan (RAT). […] Besides attacks against supply chain software providers, the FBI said the same malware was also deployed in attacks against companies in the healthcare, energy, and financial sectors.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • FBI: BEC Losses Totaled $1.7 Billion in 2019: Reported in GovInfoSecurity, “Cybercrime led to $3.5 billion in losses in the U.S. last year, with a sharp uptick in business email compromise scams - which accounted for nearly half those losses, according to a newly released FBI Internet Crime Report, which is based on complaints the FBI received.”
  • Ransomware Attacks Predicted to Occur Every 11 Seconds in 2021 with a Cost of $20 Billion: Reported in The National Law Review, “[Cybersecurity] firm Cybersecurity Ventures has predicted that, globally, businesses in 2021 will fall victim to a ransomware attack every 11 seconds, down from every 14 seconds in 2019. That figure is based on historical cybercrime figures. It is estimated that the cost of ransomware to businesses will top $20 billion in 2021 and that global damages related to cybercrime will reach $6 trillion.”
  • Apps Remain Favorite Mobile Attack Vector: Reported in Dark Reading, “Cybercriminals targeting mobile devices most frequently use apps to break in, as seen in 79% of mobile-focused attacks in 2019 and 76% of those in 2020 so far, Pradeo Labs researchers found.”
  • Ransomware Costs May Have Hit $170bn in 2019: Reported in Infosecurity Magazine, “There were nearly half a million ransomware infections reported globally last year, costing organizations at least $6.3bn in ransom demands alone, according to estimates from Emsisoft.”
  • Ransomware Attacks Cost US Healthcare Organizations Over $157 Million Since 2016: Reported in Cyware, “A new report from Comparitech reveals that US healthcare organizations have lost over $157 million due to 172 ransomware attacks that occurred since 2016. These 172 security breaches affected a total of 1446 hospitals, clinics, and other medical organizations.”
  • Credential exposure report: Poor password habits still pose a serious threat: Reported in Help Net Security, “Almost a third of internet users affected by data breaches last year had reused a password in some form. 94% of those who recycled passwords reused the exact same password, while the other 6% made minor changes such as capitalizing the first letter or adding numbers to the end of their typical password.”
  • Total Number of Breached Records Increased by 284% to Cross 15 Billion in 2019: Reported in Cyware, “According to a report from Risk Based Security, the total number of records exposed due to data breaches has increased by 284% in 2019. In total, there were over 15.1 billion records exposed due to 7,098 breaches reported last year.”