NTSC Technology Security Roundup

Weekly News Roundup: April 1, 2019

NTSC Supports Bipartisan Legislation to Establish the Cybersecurity Advisory Committee

The National Technology Security Coalition (NTSC) supports bipartisan legislation introduced by Representatives John Katko (R-NY), Dan Lipinski (D-IL), Dan Newhouse (R-WA), and Brian Fitzpatrick (R-PA) to establish the Cybersecurity Advisory Committee (CSAC). The Cybersecurity Advisory Committee Authorization Act of 2019 will establish an advisory committee of 35 cybersecurity professionals from across industries to provide the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Secretary of the Department of Homeland Security (DHS) guidance on cybersecurity policy and rulemaking.

"As the only association solely representing the Chief Information Security Officer, we applaud Representatives Katko, Lipinski, Newhouse, and Fitzpatrick for their leadership to establish CSAC as the premier forum to advise CISA and DHS on cybersecurity threats," said NTSC Executive Director Patrick Gaul. "The Cybersecurity Advisory Committee will provide the Director of CISA and the Secretary of DHS access to cybersecurity professionals who are at the frontline of protecting billion-dollar enterprises from state and non-state actors around the globe. Our CISO community is precisely the organization to draw upon when DHS is looking for members. If asked, our members are prepared to serve on CSAC to help better protect the U.S. from cyberattacks. Congressman Katko continues to be a leader in bridging the cybersecurity gap between the public and private sectors. His work of protecting the U.S. from cyberattacks is critical to our national security."

The introduction of this bill has received wide media coverage.

Rep. Katko Introduces Bipartisan Legislation to Improve America's Response to Cyber Threats, Coordinate Security Efforts Between Public and Private Entities (Congressman John Katko’s press release)

The Cybersecurity 202 (Washington Post)

Bipartisan bill would create cyber advisory panel at DHS (The Hill)

Morning Cybersecurity (March 29, 2019) (Politico)

Rep. Katko offers plan to create cybersecurity advisory committee at CISA (Inside Cybersecurity)

House bill would create panel of cyber experts to help DHS (Federal News Network)

FCW Insider: April 1 (FCW)

The Early Edition: March 29, 2019 (Just Security)

Rep. Katko introduces bill to create cybersecurity advisory committee (Homeland Preparedness News)

House Members Debut Bipartisan DHS Cyber Advisory Panel Legislation (MeriTalk)

House Bill Pushes DHS, Private Sector To Team Up On Cyber (Law360)

Zappos Lawsuit Sign of How Courts May Interpret Data Breaches and Data Privacy in Future

The definition of “harm” is one of the most ambiguous and contentious legal questions surrounding data breaches and data privacy. In the ongoing Zappos lawsuit over a 2012 data breach, whether “harm” actually occurred does not seem to matter: even though no “harm” took place, the potential for “harm” is keeping the suit alive. According to Reuters, “The U.S. Supreme Court [last] Monday rejected a bid by online shoe retailer Zappos to throw out a class-action lawsuit by customers who said their personal information was stolen by hackers in 2012. […] The case hinges on whether customers whose data has been stolen can sue the company that was hacked even if that information was not used for nefarious purposes such as identity theft or fraudulent charges. Zappos said customers whose data is not used in those ways are not harmed to such a degree that can sustain a federal lawsuit. But the customers said that after a breach their information can be misused at any time, even years later, and long before the fraud is discovered.”

Federal Cybersecurity News Roundup

Here’s a roundup of several federal cybersecurity news stories that appeared last week.

  • DHS preps AWARE risk management tool for launch: Reported in GCN, “Over the next two years, the Department of Homeland Security's Continuous Diagnostics and Mitigation program will focus on deploying its new risk scoring algorithm to help agencies prioritize mitigation activities and improve their basic cybersecurity hygiene. The Agency-Wide Adaptive Risk Enumeration algorithm will have a ‘soft rollout’ in October, according to CDM Program Manager Kevin Cox.”
  • DHS Invests $5.9 Million into Cyber Training Tool for Energy Sector: Reported in NextGov, “The Homeland Security Department is funding a new immersive cyber-training platform equipped with simulation-based scenarios and exercises aimed at protecting the nation’s energy sector. The department’s Science and Technology Directorate announced it’s awarding $5.9 million to the Norwich University Applied Research Institute to expand a training tool used by the financial services sector to organizations in the energy sector. Distributed Environment for Critical Infrastructure Decision-Making Exercises, or DECIDE, is an interactive platform that allows players to practice cyber-threat response tactics in an immersive online environment before real-life crises occur.”
  • U.S. Federal Reserve System Exposed to Increased Risk of Unauthorized Access: Reported in Bleeping Computer, “Federal Reserve Bank (FRB) systems are exposed to an increased risk of unauthorized access because of security weaknesses found in the U.S. Treasury Department's computing systems according to a management report issued by the U.S. Government Accountability Office (GAO). […] As explained by GAO: ‘This year our audit found new weaknesses in the security of the information systems that the Treasury Department uses to keep track of and otherwise manage the debt—including one in a Federal Reserve Bank system that Treasury relies on. This new weakness, along with some unresolved earlier ones, could lead to an increased risk of unauthorized access to Federal Reserve Bank systems.’”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Front-line programmers default to insecure practices unless they are instructed to do otherwise: Reported in Boing Boing, “A new study conducted by University of Bonn researchers gives an inkling: front-line developers working as freelancers default to incredibly insecure practices unless their clients know enough to demand better ones. […] 15 of the 18 who were not given password security instructions stored passwords in plaintext; 3 of the group who were instructed to store passwords securely also stored passwords in plaintext. Moreover, even the programmers who encrypted the passwords used insecure methods to do so: 31 of the programmers used insecure methods like Base64 encoding (!), MD5, SHA-1, etc -- while only 12 used secure methods like bcrypt and PBKDF2. The programmers also overwhelmingly failed to implement basic security practices like salting their hashes.”
  • Competitors Flout Rules in a Digital Cold War: Reported in Infosecurity Magazine, “Emerging information security threats will continue to impact business, and the Threat Horizon 2021 published by Information Security Forum (ISF) forecasts nine major threats that organizations can expect to face over the next two years. Among the threats that will likely come from increased advancements in technology, ISF predicts the internet of things (IoT) will not only continue to proliferate but that digital connectivity resulting from IoT expansion will expose hidden dangers.”
  • Over 10 billion malware attacks detected in 2018: Reported in TechRadar, “New research from SonicWall has revealed that a record high of 10.52 billion malware attacks occurred in 2018 indicating an escalation in the volume of cyberattacks as well as new targeted threat tactics used by cybercriminals.”
  • Consumers willing to dump apps that collect private data, but can’t tell which are doing so: Reported in Help Net Security, “Two in three consumers are willing to dump data-collecting apps if the information collected is unrelated to the app’s function, or unless they receive real value – such as that derived through email or browsers, according to a consumer data privacy survey conducted in recent weeks for Anagog.”
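The University of Bonn findings quoted above (plaintext storage, Base64 “encryption”, unsalted MD5/SHA-1, no salting) map directly onto a few lines of code. The following Python is an added example, not code from the study, Boing Boing or NTSC: it places the weak schemes the study names beside a salted, iterated PBKDF2-HMAC-SHA256 scheme built only from the standard library, and adds a small audit helper a defender can run over an existing credential table to spot records that need migrating. The iteration count, the `scheme$iterations$salt$digest` record format and the audit heuristics are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# ---- The insecure patterns the study found (kept only to show why they fail) ----

def store_plaintext(password: str) -> str:
    """The most common result in the study: the secret is stored as-is."""
    return password


def store_base64(password: str) -> str:
    """Base64 is an encoding, not a hash: anyone who reads the record recovers the password."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_base64(stored: str) -> str:
    """Shows that the Base64 'protection' is fully reversible."""
    return base64.b64decode(stored).decode("utf-8")


def store_unsalted_digest(password: str, algorithm: str = "md5") -> str:
    """Fast, unsalted MD5/SHA-1: every user with the same password gets the same
    record, so a single precomputed table or GPU run covers the whole user base."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


# ---- A sound default using only the standard library: salted, iterated PBKDF2 ----

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
SCHEME = "pbkdf2_sha256"     # assumed record format: scheme$iterations$salt_hex$digest_hex


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Returns a self-describing record with a fresh random 16-byte salt, so two
    users with the same password get different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recomputes the digest with the stored salt and iteration count and compares
    in constant time; a malformed record or wrong password is simply rejected."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# ---- Audit helper: rough classifier for records found in an existing user table ----

def audit_record(record: str) -> str:
    """Heuristic only (assumed formats): flags records that look like the weak
    schemes above so a defender can plan a migration to bcrypt or PBKDF2."""
    if record.startswith(SCHEME + "$"):
        return "ok: salted PBKDF2"
    hexchars = set("0123456789abcdef")
    if len(record) == 32 and set(record) <= hexchars:
        return "weak: looks like unsalted MD5"
    if len(record) == 40 and set(record) <= hexchars:
        return "weak: looks like unsalted SHA-1"
    try:
        base64.b64decode(record, validate=True).decode("utf-8")
        return "weak: looks like Base64 encoding (reversible)"
    except (binascii.Error, UnicodeDecodeError):
        return "weak: plaintext or unknown scheme"


if __name__ == "__main__":
    # Constructed sample password for the demo.
    pw = "hunter2"
    for label, rec in [("plaintext", store_plaintext(pw)), ("base64", store_base64(pw)),
                       ("md5", store_unsalted_digest(pw)), ("pbkdf2", hash_password(pw))]:
        print(f"{label:9s} {audit_record(rec)}")
    print("verify correct:", verify_password(pw, hash_password(pw)))
    print("verify wrong:  ", verify_password("hunter3", hash_password(pw)))
```

Two points the study's numbers do not make explicit: the salt must be random and per-record (a fixed application-wide "salt" restores the shared-table problem), and the iteration count must be stored with the record so it can be raised later without invalidating existing users.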

Insurance Industry Offers a Cybersecurity Ratings System

According to a press release, Marsh launched Cyber Catalyst, a program that brings together cyber insurers to identify and evaluate solutions they consider effective in reducing cyber risk, giving organizations greater clarity in an increasingly complex cybersecurity marketplace. The initial group of insurers includes Allianz; AXIS; AXA XL, a division of AXA; Beazley; CFC; Munich Re; Sompo International; and Zurich North America, which collectively represent a substantial portion of gross written premiums in the $4 billion global cyber insurance market. Microsoft will be a technical advisor to the participating insurers, providing counsel on the products and services being evaluated. Reported in Dark Reading, “According to The Wall Street Journal, ‘Marsh will collate scores from participating insurers, which will individually size up the offerings, and identify the products and services considered effective in reducing cyber risk.’ Companies that choose security products from among the approved selection may find themselves qualified for improved insurance terms and conditions.”