NTSC Technology Security Roundup

Weekly News Roundup: April 22, 2019

House Homeland Security Committee Requests CISA Funding

In a letter to the House Appropriations Committee on April 10, the House Homeland Security Committee requested additional funding for the new Cybersecurity and Infrastructure Security Agency (CISA). According to the bipartisan letter, “Additional investments are necessary to ensure the United States is not only capable of responding to the global threat, but that we are preparing for future threats as well. […] It is imperative that the Homeland Security Subcommittee’s 302(b) allocation enable CISA to mature and grow the services it provides to secure federal and critical infrastructure networks.” In October 2018, the Cybersecurity and Infrastructure Security Agency Act redesignated the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA).

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Turmoil consumes White House team guiding feds’ tech strategy: According to Politico, “[Many Office of the Federal Chief Information Officer (OFCIO)] employees are overwhelmed by unclear and changing priorities, while others are simply checked out or feeling increasingly marginalized, according to an internal February staff survey that POLITICO obtained, along with data from an annual governmentwide report and interviews with a current [Office of Management and Budget (OMB)] employee, five former OFCIO employees and three former senior federal officials familiar with the office.”
  • Despite cuts, White House looks to agencies to advance AI priorities: According to FCW, “The White House is looking to agencies to both advance the administration's AI priorities and adapt their workforces. Building on the February executive order to accelerate AI development at agencies, the White House plans to issue more governmentwide guidance and is looking to agencies to implement its priorities as part of its IT modernization.”
  • Federal CISO floats potential for new supply chain regs: According to FCW, “The federal government's top IT security chief floated the possibility of new regulations to shore up protections and transparency in the technology supply chain and canvassed industry for feedback. While speaking at a cybersecurity event in Virginia hosted by the Intelligence National Security Alliance, Federal Chief Information Security Officer Grant Schneider questioned whether the U.S. government and suppliers have even worked out a successful model to weigh security risks in purchasing and acquisition. Such a model, he said, would naturally lead individuals, the private sector and federal agencies to discriminate against low-cost, low-security parts and components in favor of costlier, more secure ones.”

Congress Soliciting Feedback About AI for Future Proposed Legislation

Last year, members of the NTSC Advisory Council participated in a briefing on Artificial Intelligence in Washington, D.C., where the panel addressed how threats and attacks surface and evolve, the security potential of the newest AI technologies at various stages, key challenges in terms of research and development gaps, and what experts believe is working or needed from a public policy standpoint. These kinds of discussions about AI-related issues continue to preoccupy lawmakers, who are soliciting input about future proposed legislation. According to The Hill, “[Rep. Ro Khanna (D-Calif.)], who represents Silicon Valley, told The Hill that he and [Rep. Brenda Lawrence (D-Mich.)] are now working to assemble a group of stakeholders in the AI ethics debate — including academics, civil rights advocates and tech companies — to develop a framework that will guide any legislation he introduces on the issue. ‘Congress doesn’t have the expertise to address this within our own building,’ Khanna said. ‘We need to go outside to the academics, to thinkers in this space, to people who really understand what is happening and have their expertise. Then we can debate the appropriate framework.’” The Hill also notes that while tech companies are part of the dialogue, some of their ideas conflict with those of lawmakers.

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Report: Improving the Cybersecurity of the Electric Distribution Grid: According to a Vermont Law School report, “Utility commissions must press forward in key areas to build and strengthen relationships with their regulated and non-regulated utilities, to evaluate traditional cost recovery mechanisms to determine if they align with system security goals, and to consider what metrics are needed to evaluate utility investments and system performance.”
  • The Cybersecurity Automation Paradox: Reported in Dark Reading, “A new study out [last] week from Ponemon Institute on behalf of DomainTools shows that most organizations today are placing bets on security automation. Approximately 79% of respondents either use automation currently or plan to do so in the near-term future.”
  • Business cyber risk rating holding steady: Reported in PropertyCasualty360, “A new report from the U.S. Chamber of Commerce and FICO finds the risk of a data breach for U.S. businesses holding steady in the first quarter of 2019, with a national risk score of 687. ‘ABC: Assessment of Business Cyber Risk’ reveals that since the fourth quarter of 2018, small firms showed a slight improvement — up to 740 from 737 — while large firms moved from 646 to 643. These changes indicated relatively stable risk performance from quarter to quarter.”
  • Manufacturing sector most vulnerable to insider threats: Reported in Help Net Security, “Almost three quarters of the 650+ international IT professionals Gurucul canvassed said they are vulnerable to insider threats, and ranked user error (39%) and malicious insiders (35%) ahead of account compromise (26%) as their leading concern.”

Jacobs to Acquire KeyW

According to a press release, Jacobs (NYSE: JEC) announced that they have entered into a definitive merger agreement pursuant to which Jacobs will acquire KeyW for $11.25 per share in cash. The press release states: “This transaction directly aligns with Jacobs' Aerospace, Technology and Nuclear (ATN) transformational strategy of delivering innovative and unique, mission-oriented solutions for highly technical and high consequence government priorities, and further positions Jacobs as a leader in high-value Government Services. […] KeyW is a leading national security provider of advanced engineering and technology solutions for the Intelligence, Cyber and Counterterrorism communities.” Bloomberg notes, “While neither company is a household name, both have deep ties to Washington’s web of cyberintelligence specialists. Jacobs, a Dallas-based engineering firm with more than 80,000 employees, already gets about 23 percent of its $15 billion in annual revenue from the U.S. government. In the past three years, Jacobs has acquired two other cybersecurity firms in the greater Washington area -- Reston, Virginia-based Blue Canopy and Columbia, Maryland-based Van Dyke Technology Group Inc.”