NTSC Blog

Weekly News Roundup: March 16, 2020

U.S. Cyberspace Solarium Commission Releases Report to Congress

In a report to Congress on March 11, the U.S. Cyberspace Solarium Commission (CSC) released its comprehensive national strategy for improving the U.S. cybersecurity posture. Established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019, the CSC is a bicameral, bipartisan, intergovernmental body tasked to “develop consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” The final report consists of over 80 recommendations which are organized into six pillars.

We’ve collected some of the best news coverage and important announcements related to this report:

• Cyberspace Solarium Commission Report (Cyberspace Solarium Commission)
• U.S. Cyberspace Solarium Commission References NTSC in Report to Congress (National Technology Security Coalition)
• Cyber Solarium Commission proposes actions to strengthen nation’s defenses against foreign threats (Washington Post)
• Cyberspace Solarium Commission calls for strengthening CISA, greater White House cyber leadership (Inside Cybersecurity)
• Solarium report sees space for regulation, but strongly embraces innovation, collaboration as keys to cybersecurity (Inside Cybersecurity)
• Cyber Solarium to back CISA as the lead response agency (FCW)
• Congress, Warning of Cybersecurity Vulnerabilities, Recommends Overhaul (New York Times)
• Panel outlines massive federal cybersecurity overhaul (Politico)
• More Industry Regulations Are Needed to Improve US Cybersecurity, Congressional Report Says (Defense One)
• U.S. Lacks Key Abilities to Avert Cyberattacks, Commission Says (Wall Street Journal)
• U.S. ‘Dangerously Insecure’ in Preparing for Major Cyber-Attacks (Bloomberg)
• Government report offers guidelines to prevent nationwide cyber catastrophe (The Hill)
• A key commission recommends federal cyber needs to be reformed (Fifth Domain)

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

• GOP senator introduces privacy legislation after bipartisan talks break down: According to The Hill, “[Sen. Jerry Moran (R-Kan.) last] Thursday introduced his privacy bill, the Consumer Data Privacy and Security Act, which would create new safeguards around how tech companies like Facebook, Google and Twitter are allowed to collect and use the personal information of their billions of users. And it would require those companies to protect that data from hacks and breaches.”
• Thune Bill Would Make Network Security an Official Objective of Trade Deals: According to NextGov, “A bipartisan proposal would take a second stab at convincing a key U.S. ally to shun Chinese telecommunications equipment provider Huawei in building out its fifth-generation mobile network. [Last] Thursday, Sen. John Thune, R-S.D., the majority whip, introduced the Network Security Trade Act. […] Thune’s Network Security Trade Act ‘would direct the executive branch to ensure that the equipment and technology that are used to create the global communications infrastructure are not compromised.’”
• Senate homeland panel approves bill granting CISA administrative subpoena power related to Internet Service Providers: According to Inside Cybersecurity, “The Senate Homeland Security and Governmental Affairs Committee has approved measures handing CISA authority to issue administrative subpoenas to Internet Service Providers for contact information when threats are detected on their networks, and requiring the DHS cyber agency to establish coordinators in each of the 50 states.”
• Senate floor action stalls on bipartisan energy bill to enhance electric grid cybersecurity: According to Inside Cybersecurity, “A dispute over climate policy hung up an energy bill with extensive cyber provisions in the Senate [last] Monday, leaving uncertain the next steps on a measure including provisions to encourage public utilities to invest in ‘advanced cybersecurity technology.’”
• Washington Privacy Act fails for second time: According to IAPP, “For the second year in a row, data privacy legislation has failed in Washington state. SB 6281, the Washington Privacy Act, would have given Washington residents the right to access, correct or delete data collected on them by commercial entities, as well as the right to opt out of certain forms of data processing. But on Thursday, lawmakers failed to reconcile differences around enforcement…”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

• Lawmakers criticize Trump's slashed budget for key federal cyber agency: According to The Hill, “The bipartisan leaders of the House Homeland Security Committee [last] Wednesday sharply criticized the proposed drop in funding in President Trump’s budget for the Department of Homeland Security’s cyber agency. The lawmakers particularly took issue with the proposed funding cut due to the Cybersecurity and Infrastructure Security Agency (CISA) role as a key federal office tasked with defending the nation against cyber threats like those that can take place during an election.”
• Cyber Command requests budget boost amid Pentagon’s 'defend forward' operations; increases contracting actions: According to Inside Cybersecurity, “U.S. Cyber Command is seeking a $42 million increase to its budget in fiscal 2021 as it ramps up ‘defend forward’ operations for protecting critical networks from foreign adversaries such as China and Russia.”
• ICT task force zeroing in on challenges to info-sharing, will assess lingering legal barriers: According to Inside Cybersecurity, “The trust factor among participants in a CISA-led supply-chain task force, access to expertise and awareness of the high stakes involved are among the factors propelling a government-industry collaboration that's emerging as a key venue for advancing work on cyber information sharing among other issues.”
• NIST seeks comment on new tool for assessing impact of supply chain-related cyber incidents: According to Inside Cybersecurity, “The National Institute of Standards and Technology is offering the federal government’s cyber risk managers a way to assess the potential impacts of cyber supply-chain incidents, and is seeking input on a tool intended to benefit all types of organizations in measuring how hacks and disruptions within their supply chains could affect operations.”
• NIST proposes revisions to guidelines on 'keys' for encryption: According to Inside Cybersecurity, “The National Institute of Standards and Technology has issued draft revisions to guidelines on generating ‘keys’ for encrypted data, a move that comes as tech companies are increasingly relying on encryption to secure data both in transit and at rest.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

• Gender Equality in Cybersecurity Could Drive Economic Boost: Reported in Dark Reading, “A new study finds closing the gender and skills gaps could boost the US and UK economies by $30.4 billion and £12.6 billion, respectively.”
• SANS: Gender Still Biggest Challenge for Many Women in Cyber: Reported in Infosecurity Magazine, “Some 35% of respondents, who were all chosen from senior or leadership positions in their respective organizations, said that their gender was the number one challenge to career progression.”
• Most Medical Imaging Devices Run Outdated Operating Systems: Reported in Wired, “You'd think that mammography machines, radiology systems, and ultrasounds would maintain the strictest possible security hygiene. But new research shows that a whopping 83 percent of medical imaging devices run on operating systems that are so old they no longer receive any software updates at all.”
• Passwords still dominant authentication method, top cause of data breaches: Reported in Help Net Security, “The password is still the top attack vector for organizations of all sizes, with 42% of respondents indicating their organization had been breached as a result of a user password compromise. Poor password hygiene is also a top cause of data breaches, with 31% of respondents indicating their organization had been breached as a result of user credentials being shared with an unauthorized peer.”

Cybersecurity Acquisitions

News about two major cybersecurity company acquisitions was reported last week:

• WatchGuard Buys Panda Security for Endpoint Security Tech: Reported in Dark Reading, “WatchGuard Technologies, a global provider of network security, Wi-Fi security, and multifactor authentication, [last Monday] confirmed plans to acquire endpoint security provider Panda Security for an undisclosed amount. The deal is expected to close in the second quarter of this year. Panda Security, founded in 1990 and headquartered in Bilbao, Spain, has spent the past 30 years developing endpoint detection and response (EDR) technologies. It recently launched a new threat hunting service available to direct enterprise customers and MSSPs selling its services.”
• Aon acquires Willis Towers Watson in $30B deal: Reported in HR Dive, “Professional services firm Aon agreed to acquire rival firm Willis Towers Watson (WTW), the companies announced March 9, potentially creating a company with a combined equity value of around $80 billion. […] The soon-to-be combined companies aim to share their expertise in growing fields of risk, including cybersecurity, intellectual property, climate change and health solutions…”