NTSC Technology Security Roundup

Weekly News Roundup: March 9, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • Justice Dept. drafting legislation for law enforcement notification in U.S. data-breach bill: According to Inside Cybersecurity, “The Justice Department is developing model legislation for lawmakers to consider in long-standing efforts to enact a national data-breach notification law, according [to] a senior DOJ official testifying before a Senate subcommittee. ‘The Department has been actively evaluating statutory data breach notification requirements,’ said Deputy Assistant Attorney General Adam Hickey in testimony before the Senate Judiciary crime and terrorism subcommittee [last] Wednesday.”
  • Telecom Network Security Mandated in Trade Pacts By Thune Bill: According to Bloomberg Government, “Sen. John Thune (R-S.D.) [introduced] a bipartisan bill [last Thursday] that seeks to ensure that trade agreements protect the security of digital telecommunications systems, including next generation 5G equipment. While the legislation doesn’t name specific foreign-owned companies, its intended targets include Chinese-owned companies Huawei Technologies Co. and ZTE Corp., which President Donald Trump’s administration has said pose a security threat to the U.S. telecommunications sector.”
  • CA legislators confront CCPA health and research dangers with 'urgency statute' proposal: According to IAPP, “Proposed CCPA amendment Assembly Bill 713 would harmonize the CCPA with the deidentification standards set forth in the Health Insurance Portability and Accountability Act and its implementing regulations and provide other important clarifications for health care providers and their vendors, research sponsors and other organizations engaged in health care delivery or research. With this proposal, California legislators have acknowledged the need to clarify the scope of the CCPA for health care and research data, declaring the bill an ‘urgency statute,’ meaning it would take effect immediately upon signature by the California governor.”
  • Washington Privacy Act Update: Private Right of Action Added In House: According to JD Supra, “On Friday, February 28, the Washington House Innovation, Technology & Economic Development Committee (ITED) voted to pass a strengthened version of the Washington Privacy Act (WPA) out of committee. […] Ultimately, the ITED committee approved a number of amendments to the bill. Perhaps the most notable amendment was the creation of a private right of action to enforce the privacy rights granted in the WPA. By way of explanation, the Senate version of the WPA grants the state Attorney General with ‘exclusive authority to enforce’ the WPA. In comparison, the ITED committee version of the WPA allows Washington residents to bring claims under the state Consumer Protection Act, which authorizes litigants to seek an injunction, actual damages, treble damages, costs of suit, and attorney’s fees.”
  • New Jersey Lawmakers Push Data-Privacy Bill: According to The Wall Street Journal, “New Jersey legislators are proposing a bill to strengthen data protections and impose tougher restrictions on the tech industry, potentially following in the footsteps of privacy laws passed in California and Europe. The bill would require companies to obtain permission from New Jersey consumers before they can collect and sell personal data to third parties.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Bipartisan commission to make 75 recommendations to defend against cyberattacks: According to The Hill, “A new report by a bipartisan commission will include at least 75 recommendations for Congress and the executive branch on how to defend the nation against cyberattacks, including bipartisan recommendations for defending elections. Members of the Cyberspace Solarium Commission, which includes lawmakers, federal officials and industry leaders, highlighted the group’s focus on election security during an event at the Center for Strategic and International Studies [last] Tuesday, previewing some of the recommendations that will be among those released March 11.”
  • DHS Acting Secretary Wolf Defends CISA Budget Cut to Congress: According to MeriTalk, “[Last Tuesday’s] House Homeland Security Committee hearing on DHS’s Fiscal Year 2021 budget request covered a wide array of topics. However, Chad Wolf, acting secretary of the Department of Homeland Security (DHS), spent much of his time defending a budget cut to [the] Cybersecurity and Infrastructure Security Agency (CISA). Under the President’s FY21 budget request, CISA would receive $1.7 billion – a significant budget cut from the more than $2 billion the agency received from Congress in December 2019. Both sides of the aisle raised concerns over the decrease.”
  • Cyber Command preps force assessment: According to FCW, “The head of Cyber Command is preparing to ask for more personnel as the organization's election security role expands and cybersecurity threats evolve. During a March 4 budget hearing of the House Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities, Gen. Paul Nakasone, CYBERCOM commander, said the organization is ‘gathering data’ to determine whether it has the right number of personnel to match current responsibilities.”
  • Justice Department Outlines Legal Considerations for Cyberthreat Intelligence Gathering: According to Lawfare, “The U.S. Department of Justice Cybersecurity Unit released a document outlining legal considerations for private practitioners gathering intelligence on cyberthreats, including through retrieving stolen data or obtaining malware samples.”
  • OPM overhauls assessments for identifying cyber talent: According to FCW, “To address a critical need for cybersecurity personnel in the federal workforce, the Office of Personnel Management is overhauling its aptitude tests and other assessments used in recruiting needed IT talent. In a memo issued to agency heads on Feb. 27, OPM Director Dale Cabaniss highlighted five assessments that agencies should use when determining an applicant's technical abilities: cognitive ability, structured interviews, biodata tests, situational judgment tests, personality tests, and training and experience point methods.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • Lawmakers look for 5G competitors to Huawei: According to The Hill, “Lawmakers [last] Wednesday heard from executives at top telecommunications companies as the Senate Commerce Committee weighed measures to prevent Chinese giant Huawei from getting a foothold in the emerging U.S. 5G network. The hearing on ‘5G supply chain security’ featured executives from companies including Nokia and Ericsson, who touted their technology as a viable and secure alternative and offered their support for legislation to help American telecom providers replace Huawei equipment.”
  • Report: Hackers target telecoms, defense contractors: According to FCW, “Intelligence gathering and espionage remained the primary motivation for state-sponsored cyber intrusions in 2019, according to a new report. In the latest version of its annual global threat report, cybersecurity threat intelligence firm CrowdStrike found that Advanced Persistent Threat groups [are] heavily targeting governments’ military sectors as well as their defense industrial base of contractors, while criminal groups are increasingly leveraging ransomware as a primary attack vector against the private sector and local governments.”
  • Amid concerns over coordination, ICT supply-chain task force advances work including new ‘threat scenario’ paper: According to Inside Cybersecurity, “A working group of the CISA-led task force on information and communications technology supply-chain security has drafted a white paper on threat scenarios, as that body assumes an increasingly important role in coordinating various efforts related to 5G and ICT security, according to sources. Industry sources in recent days have expressed lingering concerns about how the strands of ICT security policy will come together, raising questions about whether the overall effort is appropriately coordinated among different departments and agencies.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Cybercriminals are taking advantage of coronavirus fears with fake websites and phishing schemes: Reported in Mashable, “The research arm of security firm Check Point has found that cybercriminals around the globe have launched phishing and other malware deployment schemes that ride on people's thirst for information about the coronavirus. In its most recent report, it found that coronavirus-related websites created in January and February of this year are ‘50% more likely to be malicious’ than other websites created in the same time period.”
  • 54% of healthcare vendors have experienced a data breach of protected health information: Reported in Help Net Security, “[A Ponemon Institute and Censinet] report shows that 54 percent of healthcare vendors have experienced at least one data breach of protected health information belonging to patients of the healthcare providers they serve. Of those 54 percent of respondents, 41 percent experienced six or more data breaches over the past two years. The average breach costs $2.75 million and exposes nearly 10,000 records.”
  • Survey: Despite new tactics, companies still face challenges implementing cybersecurity measures: Reported in ZDNet, “[Companies] still face challenges implementing their cybersecurity strategies. Employee training topped the list of challenges, at 47%, [and] following closely behind was constantly evolving threats requiring more complicated solutions, at 46%. Funding (39%) rounded out the top three biggest challenges. Other challenges mentioned included: not enough time for successful implementation; finding technically qualified IT staff; communication between IT and upper management; and getting company leadership on board. Only 10% of respondents have not faced any significant implementation challenges.”
  • Hackers’ delight: Small businesses investing more in Internet of Things, less on cybersecurity: Reported in CNBC, “Investing in technology is top of mind for small business owners — with 44% saying they plan to invest in resources related to the Internet of Things, or IoT-connected devices, for their business in 2020, according to new research from the latest CNBC | SurveyMonkey Small Business Survey. That’s more than twice the number who say they plan to invest in cybersecurity software (20%).”

Cybersecurity Acquisitions

News about three major cybersecurity company acquisitions was reported last week:

  • Thoma Bravo Acquires Sophos for $3.9bn: Reported in Infosecurity Magazine, “British cybersecurity company Sophos announced [last Monday] that its acquisition by Thoma Bravo is now complete. The private equity firm snapped up the company in a cash transaction that values Sophos at $3.9bn. Under the terms of the agreement, Sophos stockholders will receive $7.40 USD per share.”
  • Accenture Completes Acquisition of UK-based Cybersecurity Consultancy: Reported in Digit, “Professional services company Accenture has acquired Context Information Security, a leading cyber defense consultancy, for an undisclosed fee. The acquisition of the London-headquartered firm will strengthen Accenture Security’s existing portfolio and enhance the organization’s cyber defense offerings. […] The company provides high-end cyber defense, intelligence-driven red team, vulnerability research and incident response services.”
  • HelpSystems Acquires Cobalt Strike: According to a press release, “HelpSystems announced [last Wednesday] the acquisition of Cobalt Strike, a leading penetration testing (pen-testing) solution that enables companies to emulate the tactics and techniques of a cyberthief in an IT network to highlight weaknesses. This acquisition complements HelpSystems’ existing Core Security business unit by bringing together best-in-class tools and combining them with strong services to expand HelpSystems’ infrastructure protection offerings.”