NTSC Technology Security Roundup

Weekly News Roundup: March 25, 2019

Internet of Things (IoT) Cybersecurity Improvement Act of 2019 Introduced by House and Senate

After a stab at this bill in 2017, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 has resurfaced in both the House and Senate during the last two weeks. According to a press release, “The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet certain minimum security requirements to keep Americans’ personal data safe from hackers. The bill was introduced in the House by Rep. Will Hurd (TX-23) and Rep. Robin Kelly (IL-02) and in the Senate by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus.” Just Security notes: “Although the bill’s remit covers a seemingly pedestrian and limited area of government – IT procurement – it’s a shot at solving a much larger cybersecurity problem that neither Congress nor industry has yet to crack. […] By leveraging the power of government spending, these standards would both set a baseline for companies selling products to the government and, potentially indirectly and over time, shape the practices of IoT product vendors and developers that sell to consumers and enterprises.” The Ripon Advance reports that “H.R. 1668 has been referred for consideration to both the U.S. House Oversight and Reform Committee and the U.S. House Science, Space, and Technology Committee. S. 734 is under review by the U.S. Senate Homeland Security and Governmental Affairs Committee, where the same-named S. 1691 was considered during the 115th Congress.”

States Continue Introducing and Expanding Breach Notification and Data Privacy Laws

Both New Jersey and Utah recently expanded laws related to breach notification and data privacy:

  • New Jersey bill would broaden PII requiring breach notification: According to SC Media, “If signed into law, a bipartisan bill sent by New Jersey legislators to Gov. Phil Murphy would expand data breach notification in the state, requiring companies to alert citizens to breaches of a wider range of personal identifiable information (PII), including user names, passwords, email addresses and security questions. […] Bill S-52 is one of a handful of initiatives that New Jersey lawmakers have proposed to bolster security and privacy. The legislature is also expected to mull A-3541, which would require companies to alert customers to a breach within five days of discovering it. A GDPR-like bill, S-2834, also sponsored by Singleton, would compel companies to inform users of their data collection practices and how information is shared.”
  • Utah’s H.B. 57 (Electronic Information or Data Privacy): In Utah, H.B. 57 Electronic Information or Data Privacy is in the hands of Governor Gary Herbert after moving through the state’s House and Senate across the last three months. According to the bill, it “modifies provisions related to privacy of electronic information or data.” Among its highlighted provisions, it “requires issuance of a search warrant to obtain certain electronic information or data; addresses notification that electronic information or data was obtained; provides for transmission of electronic information or data to a remote computing service, including restrictions on government entities; provides that the individual who transmits electronic information or data is the presumed owner of the electronic information or data; [and] provides for the exclusion of electronic information or data obtained without a warrant…”

Federal Government Notes Pace of Cyber Threats Becoming More Concerning

Both DHS and the Federal Reserve commented last week on the relentless pace of cyber attacks threatening the federal government.

  • Cyber Threats Are Emerging Faster Than DHS Can Address Them, Secretary Says: According to NextGov, DHS Secretary Kirstjen Nielsen last Tuesday said, “The rate at which the threats and risks are emerging is outpacing our ability to identify and assess and address them. The discipline of understanding what is emerging is where I find we are lacking. Failure to look at the future or limiting our thinking based on what we’ve observed in the past, those in and of themselves are risks.”
  • Defense Alone Won't Stop Cyber Threat To U.S. Finance: Summarized in Forbes, “Fed Chairman Jerome Powell told 60 Minutes correspondent Scott Pelley recently [that] there is the ongoing, escalating threat of cyberattacks [as a reason to lose sleep at night]. Which is a somewhat unusual admission. Fed chairs tend not to go looking for high-profile media interviews, and if they do consent to one, tend to speak in broad generalities. That’s mostly what Powell did. But while he didn’t get into specifics on the cyber threat, when Pelley asked if that was what ‘keeps you up at night,’ Powell said, ‘of the risks that we face, that certainly is the largest one.’”

Federal Cybersecurity News Roundup

Many federal cybersecurity news stories appeared last week. Here’s a roundup.

  • Nielsen calls for greater public-private collaboration on cyber threats: According to The Hill, “Homeland Security Secretary Kirstjen Nielsen [last] Tuesday urged private companies to do more to help the federal government identify new cyber threats, saying the administration is unable to do it alone. ‘We need you to focus again on the future of cybersecurity,’ the Department of Homeland Security (DHS) chief said. […] ‘[That's] where we need our great minds to really help us spot the patterns and know what's coming at us,’ she added.”
  • DHS pushes new cyber hiring authorities: According to FCW, “The Department of Homeland Security is seeking $11.4 million to support the addition of 150 new cybersecurity positions by the end of fiscal 2020. As part of the federal government's push to remain competitive with the private sector, Congress gave the department authority to exempt its cyber employees from certain hiring and compensation requirements.”
  • White House Requests More Than $17.4 Billion for Federal Cyber Efforts: According to NextGov, “The Trump administration intends to allocate more than $17.4 billion to cybersecurity efforts across federal agencies in fiscal 2020, with the Pentagon and Homeland Security Department receiving the lion’s share of the funds. The White House [last] Monday published a breakdown of the president’s 2020 budget request, building on the broad spending outline officials released [the previous] week. […] The proposal [allocates] more than $1.9 billion to the Homeland Security Department, with more than half getting funneled to the Cybersecurity and Infrastructure Security Agency. The funds would allow the agency to increase the number of network risk assessments it conducts and support programs to protect the government’s IT infrastructure.”
  • Here’s how DoD will invest in the cyber mission: According to C4ISR, “Unified Platform will provide the cyber mission force an infrastructure capable of mission planning, data analytics and decision support, according to Air Force budget documents released March 18. The Air Force is procuring the system on behalf of Cyber Command and the joint force.” Also, “Cyber forces currently lack a robust training environment similar to what forces in the physical world enjoy for either individual or collective training. A common parallel in the physical world are the Army’s combat training centers. [Persistent Cyber Training Environment] PCTE will fill this void allowing for individual and collective training, as well as mission rehearsal.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • SaaS Ecosystem Complexity Ratcheting Up Risk of Insider Threats: Reported in Dark Reading, “92% of organizations with more than a quarter of their mission-critical apps in the cloud feel vulnerable to insider threats. Of those SaaS vectors that open them up to insider issues, respondents overwhelmingly name cloud storage and email as the biggest challenges — 75% report these to be the breeding ground of the biggest insider threat risks.”
  • Global security spending to top $103 billion in 2019, says IDC: Reported in ZDNet, “Global spending on security hardware, software and services will top $103 billion in 2019, up 9.4 percent from 2018, with large enterprises spending the most, according to IDC data. IDC projects that global spending on security will grow at a compound annual growth rate of 9.2 percent from 2018 to 2022. In 2022, IDC forecasts security-related spending will be $133.8 billion.”
  • Proofpoint Research Reveals 65% Increase In Cloud Application Attacks In Q1 2019; 40% Of Attacks Originating From Nigeria: According to a press release, “Overall, targeting attempts increased by 65 percent [between September 2018 and February 2019] with 40 percent originating in Nigeria. China was the second most prevalent country of origin, with 26 percent of attacks originating from Chinese IP addresses.”
  • New research finds hospitals are easy targets for phishing attacks: Reported in Malwarebytes, “New research from Brigham and Women’s Hospital in Boston finds hospital employees are extremely vulnerable to phishing attacks. […] The research was a multi-center exercise that looked at results of phishing simulations at six anonymous healthcare facilities in the US. Research coordinators ran phishing simulations for close to seven years and analyzed click rates for more than 2.9 million simulated emails. Results revealed that 422,052 (14.2 percent) of phishing emails were clicked, which is a rate of one in seven.”
  • Current phishing defense strategies and execution are not hitting the mark: Reported in Help Net Security, “Only a slight majority (63 percent) regularly monitor and report on the effectiveness of their [phishing awareness] activities. 38 percent of respondents reported that their organizations develop security awareness collateral and anti-phishing materials internally. 85 percent of enterprises measure and regularly report on the effectiveness of their phishing awareness programs.”
  • Fraudsters Band Together, Shift to Bot Attacks: Reported in Infosecurity Magazine, “Forter’s latest Fraud Attack Index found that attackers have been increasingly targeting e-commerce businesses with bot attacks resulting in an increase in fraud for the second year in a row. The year saw a 26% increase in fraud rings among bad actors, who are increasingly banding together to commit fraud. In addition, fraudsters are shifting from one-off attacks toward the use of bots, with which they are able to run automated scams, such as mass logins, performing upwards of 100 attacks per second.”
  • Businesses Manage 9.7PB of Data but Struggle to Protect It: Reported in Dark Reading, “Organizations managed an average of 9.7 petabytes of data in 2018, a 569% spike compared with the 1.45 petabytes they handled in 2016. Most see the value of data, and more are monetizing it, yet very few are confident in their existing tools' ability to properly protect information.”