NTSC Technology Security Roundup

Weekly News Roundup: February 25, 2019

CSO Online Summarizes 116th Congress Cybersecurity Legislation

In a recent article, CSO Online provided a summary of significant cybersecurity legislation proposed by the 116th Congress that includes many proposed bills the NTSC is tracking in 2019. The article notes: “A key problem in grappling with such a complex issue as cybersecurity in Congress — and in Washington in general — is the diffused responsibility spawned by the wide-ranging, interconnected nature of the topic. […] Noting that around 80 groups within the legislative branch claim some jurisdiction over cybersecurity matters, [Representative Jim Langevin (D-RI), a member of the Armed Services and Homeland Security Committees, and one of the founders of the Congressional Cybersecurity Caucus] said, ‘We as a Congress are going to have to move with greater agility to respond to the cybersecurity threats we face going forward, and we can’t do it under the current construct.’ Langevin wants the House Homeland Security issue to take the lead on all matters related to cybersecurity.”

The legislation includes:

California Data Breach Notification Law May Get Strengthened to Close Passport Loophole

Under current California data breach notification laws, an organization does not have to report a data breach if only consumers’ passport numbers have been improperly accessed. In the wake of the Marriott data breach that included passport numbers in the breached information, California Attorney General Xavier Becerra and Assemblymember Marc Levine (D-San Rafael) introduced legislation to close a loophole in the state’s existing data breach notification law by requiring businesses to notify consumers of compromised passport numbers and biometric information.

According to CNN, “The bill would require companies to notify California residents when their passport, passport card or green card numbers are compromised in data breaches. It would also require customers be notified of compromised biometric information such as fingerprints. The legislation goes further than the state's current consumer protections, which require companies to inform their customers of data breaches but provides an exception if only passport numbers were accessed.”

New York Times Report Indicates Increased Chinese and Iranian Cyberattacks on US Businesses

The New York Times reported that China and Iran have increased the number and severity of their cyberattacks against the United States—including cyberattacks against US businesses. According to The New York Times, “Recent Iranian attacks on American banks, businesses and government agencies have been more extensive than previously reported. Dozens of corporations and multiple United States agencies have been hit, according to seven people briefed on the episodes who were not authorized to discuss them publicly. […] The Iranian attacks coincide with a renewed Chinese offensive geared toward stealing trade and military secrets from American military contractors and technology companies, according to nine intelligence officials, private security researchers and lawyers familiar with the attacks who discussed them on the condition of anonymity because of confidentiality agreements.”

DHS Cybersecurity News Roundup

Last week, two key news items related to DHS and cybersecurity were reported by FCW.

  • DHS looks to overhaul data centers, move to cloud: According to FCW, “The Department of Homeland Security is looking for industry advice about how to consolidate two main enterprise computing data centers and modernize with a more cloud-based infrastructure. According to a request for information released Feb. 19, the department is pursuing ‘a hybrid, multi-cloud, federated and vendor neutral’ cloud strategy and wants to make better use of automation, shared services and analytics while getting rid of fixed costs, such as data centers.”
  • Congress bucks DHS on bid to move cyber research funding: According to FCW, “Congress rejected a bid to shift about $90 million in cybersecurity research funding to a newly formed agency at the Department of Homeland Security in the recent funding bill. The Science and Technology Directorate at DHS will retain that funding, which DHS sought to move to the Cybersecurity and Infrastructure Security Agency.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Survey: 83 Percent of U.S. Organizations Have Accidentally Exposed Sensitive Data: According to a press release, “83 percent of security professionals believe that employees have accidentally exposed customer or business sensitive data at their organization. The survey found that accidental data breaches are often compounded by an organizational failure to encrypt data prior to it being shared – both internally and externally – putting their organizations at risk of non-compliance with major data privacy regulations, such as NYDFS Cybersecurity Regulation 23 NYCRR 500, GDPR, HIPAA and the emerging California Privacy Act (AB375).”
  • Cyber and Physical Convergence is Creating New Attack Opportunities for Cybercriminals: According to a press release, “While cyber adversary activity overall subsided slightly, the number of exploits per firm grew 10%, while unique exploits detected increased 5%. At the same time, botnets became more complex and harder to detect. Time for infection of botnets increased by 15%, growing to an average of nearly 12 infection days per firm.”
  • Criminal groups promising salaries averaging $360,000 per year to accomplices: Reported in Help Net Security, “New research from Digital Shadows reveals that criminal groups are promising salaries averaging the equivalent of $360,000 per year to accomplices who can help them target high-worth individuals, such as company executives, lawyers and doctors with extortion scams. These salary promises can be higher still for those with network management, penetration testing and programming skills – with one threat actor willing to pay the equivalent of $768,000 per year, with add-ons and a final salary after the second year of $1,080,000 per year.”
  • Supply Chain Attacks Spiked 78 Percent in 2018, Cyber Researchers Found: Reported in NextGov, “Supply chain attacks, which use loopholes in third-party services to strike a target, increased 78 percent between 2017 and 2018, and web attacks, which rely on malicious URLs and other online weapons, also spiked 56 percent.”
  • Putting print security on the C-Level agenda: Reported in Computer Weekly, “[Print] security is becoming a greater concern to businesses with 59% reporting a print-related data loss in the past year and print-related incidents comprising 11% of security events overall.”
  • Cyber espionage warning: The most advanced hacking groups are getting more ambitious: Reported in ZDNet, “A combination of new groups emerging and threat actors developing successful strategies for breaking into networks has seen the average number of organizations targeted by the most active hacking groups rise from 42 between 2015 and 2017 to an average of 55 in 2018.”