NTSC Technology Security Roundup

Weekly News Roundup: March 18, 2019

Cybersecurity Training and Disclosure Bills Introduced

On March 7, Congressmen Jim Langevin (D-RI) and Glenn ‘GT’ Thompson (R-PA), co-chairs of the Congressional Career and Technical Education (CTE) Caucus, introduced the Cybersecurity Skills Integration Act. According to a press release, this bill “will jumpstart the development of CTE curricula that incorporate cybersecurity skills training” and “authorizes $10 million to create a competitive grant program within the Department of Education to incorporate cybersecurity education into new or existing CTE programs.” And last Wednesday, Rep. Jim Himes (D-Conn.) introduced the Cybersecurity Disclosure Act of 2019 that requires public companies “to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; and if no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other aspects of the reporting company’s cybersecurity were taken into account by any person, such as an official serving on a nominating committee, that is responsible for identifying and evaluating nominees for membership to the governing body.”

Proposed 2020 White House Budget Focuses on DoD, Critical Infrastructure, and Federal Cyber Workforce

According to the 2020 White House budget overview, “For cyber, the Budget continues to integrate efforts and operationalize U.S. cyber strategy, while scaling artificial intelligence throughout the Department. The Budget funds these advanced capabilities for the force needed to achieve the objectives in the National Defense Strategy.” It also says, “The Budget continues to place a high priority on cybersecurity and cyber operations by requesting more than $9.6 billion in 2020 to advance DOD’s three primary cyber missions: safeguarding DOD’s networks, information, and systems; supporting military commander objectives; and defending the Nation. This investment provides the resources necessary to grow the capacity of U.S. military cyber forces (including the recently elevated United States Cyber Command), invest in the cyber workforce, and continue to maintain the highest cybersecurity standards at DOD.” Additional cyber-related language in the overview covers defending critical infrastructure, boosting cybersecurity for the energy sector, and increasing the quantity and quality of the federal cybersecurity workforce.

Federal Cybersecurity News Roundup

Many federal cybersecurity news stories appeared last week. Here’s a roundup.

  • DHS to focus on cybersecurity basics ahead of 2020 election, cyber head says: According to The Hill, “The Department of Homeland Security’s top cyber official said [last] Wednesday that he will focus on ensuring election officials are using basic cybersecurity techniques to counter cyber threats to the 2020 presidential election. Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency (CISA), testified before the House Appropriations Committee’s subcommittee on homeland security that his agency’s new ‘Protect 2020’ initiative will focus on making sure that state and local officials are prepared for the upcoming presidential election.”
  • Congress steers clear of industrial control systems cybersecurity: According to CSO Online, “Although a number of cybersecurity-related bills have been introduced in the new Congress, only a handful of relatively non-controversial pieces of legislation, most reintroduced from the last Congress, deal primarily with critical infrastructure industrial control systems, a surprise given the stepped-up concerns over threats to the nation’s electric grids, gas and oil pipelines, transportation systems and dams and the rise of industrial supply chain issues that have grabbed headlines over the past few years.”
  • CYBERCOM Seeks Troops Who Can Unleash Artificial Intelligence: According to NextGov, “The Defense Department’s cyber warriors shouldn’t be too concerned about artificial intelligence taking their jobs, according to their commander, Gen. Paul Nakasone, who concurrently heads the National Security Agency. Instead, U.S. Cyber Command is looking for troops able to wield AI like a weapon. During a budget hearing [last] Wednesday held by the House Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities, Rep. Anthony Brown, R-Md., asked the Pentagon’s cyber leadership whether AI could help reduce the demand for cyber talent. ‘AI and machine learning certainly has a place as we look at some of the activities that we are doing day in and day out,’ Nakasone told the subcommittee. ‘But I would offer, the people that make AI go, the people who make sure that our algorithms are right for machine learning, they’re the folks that I’m most focused on.’”
  • DOE cyber arm preps risk management tool: According to FCW, “The federal cybersecurity agency designated with protecting the energy sector is creating a tool that could help commercial electric critical infrastructure providers put a price tag on managing cybersecurity risk for their networks. […] Earlier this week, DOE officials said CESER would get $157 million for grid cybersecurity to support early-stage research and development to improve security and resilience that will help private infrastructure providers ‘harden and evolve’ their systems against man-made and natural events.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Cyber attackers favouring stealthier attacks, says Darktrace: Reported in Computer Weekly, “The data reveals that the incidence of banking Trojans, which harvest the credentials of online banking customers from infected machines, increased by a staggering 239% in 2018 compared with 2017. Darktrace also detected a 78% growth in the frequency of another under-the-radar threat, cryptojacking, within the same time period. These increases coincide with a significant decline in the popularity of ransomware, which decreased by 28% between 2017 and 2018.”
  • The Five Most Dangerous New Attack Techniques: Reported in eWeek, “In a session at the RSA Conference, experts from the SANS Institute outlined the five most dangerous new attack techniques that enterprises are likely to see in 2019.” These attack techniques are DNS manipulation, domain fronting, targeted individualized attacks, DNS information leakage, and hardware flaws in BMC.
  • Healthcare organizations are battling phishing: Reported in Reuters, “Many healthcare organizations remain vulnerable to phishing attacks, a new study finds. When researchers sent simulated phishing emails, nearly one in seven of the messages were clicked by employees of healthcare systems, according to the report published in JAMA Network Open.”

Mastercard Acquires Fintech Security Company Ethoca

According to a press release, Mastercard (NYSE: MA) announced last Tuesday that it entered into an agreement to acquire Ethoca, a global provider of technology solutions that help merchants and card issuers collaborate in real time to quickly identify and resolve fraud in digital commerce. The press release says, “The Ethoca suite of products adds to Mastercard’s commitment to drive greater protection in the digital space, integrating with its robust suite of fraud management and security products. […] Mastercard intends to further scale these capabilities and combine Ethoca with its current security activities, data insights and artificial intelligence solutions to help merchants and card issuers more easily identify and stop potentially fraudulent purchases and false declines.”