NTSC Technology Security Roundup

Weekly News Roundup: April 23, 2018

Cybersecurity Legislation and Policy News Roundup

Here is a roundup of some important legislative and policy news from last week:

  • Republican lawmaker introduces new cyber deterrence bill: According to The Hill, “The bipartisan legislation, the Cyber Deterrence and Response Act of 2018, lays out a three-step process that would require the sitting president to identify who the aggressors are and designate them as ‘critical cyber threats,’ and then impose sanctions in response to the malicious cyber activity.”
  • Grid Cybersecurity Bills Advanced by House Energy Subcommittee: According to Roll Call, “Bipartisan bills that aim to improve the government’s response to cybersecurity attacks on the electric grid advanced out of a House Energy and Commerce panel [last] Wednesday. […] Four pieces of legislation — all focused on putting into statute coordination within the Department of Energy to prevent cyber attacks on the grid and other energy infrastructure — were advanced by the Energy Subcommittee by voice votes.”
  • DHS is Lukewarm on the Bug Bounty Programs Congress Keeps Pushing: According to NextGov, “The Senate, [last] Tuesday, passed the Hack DHS Act, which mandates a bug bounty contest in which ethical hackers earn cash rewards for spotting digital vulnerabilities in Homeland Security websites and web tools. […] According to a Homeland Security official, however, the bug bounty program would duplicate work the department’s own bug hunters are already doing.”
  • DHS floats “collective defense” model for cybersecurity: According to FCW, “DHS plans to directly offer additional cybersecurity services to private companies and critical infrastructure entities. DHS already shares threat information through programs like automated indicator sharing, but it is looking to more fully share DHS security tools with companies and infrastructure organizations.”

White House Cybersecurity News Update

Last week, the White House experienced significant cybersecurity staff turnover as it preps a national cyber strategy for a planned May release. According to The Hill, “President Trump’s cybersecurity coordinator, Rob Joyce, revealed [last] week that he would vacate his post and return to the National Security Agency (NSA), ending a 14-month stint at the White House. News of his planned departure came less than a week after the resignation of homeland security adviser Tom Bossert.” This shakeup comes at a time when the White House is developing a national cyber strategy. According to NextGov, “An updated national strategy that will guide how the Trump administration handles cyber defense and threats is being debated at the White House and ‘should be forthcoming in the near future,’ a Pentagon official told lawmakers [last] Wednesday. That strategy, in turn, will inform a Defense Department cyber posture document that will likely come out in August, Assistant Secretary of Defense Kenneth Rapuano said.”

US-CERT: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices

Last week, US-CERT released an alert that stated “Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals.” In an interview with The Cipher Brief, Robert Hannigan, former director of the UK’s Government Communications Headquarters, said, “The point about router and other network attacks is that they enable a wide range of cyber operations against a huge set of secondary targets, whether for intelligence gathering or the delivery of denial of service, or much more sophisticated destructive attacks. […] [The joint U.S.-UK attribution] may not stop [Russia], but it will now be part of their risk calculation.”

Expert Commentary Addresses Active Cyber Defense and Cyber Threat Intelligence

Last week, two excellent articles provided commentary about the issues of active cyber defense and cyber threat intelligence.

In The Hill, Dr. Irving Lachow, deputy director of cyber strategy and execution at The MITRE Corporation, said, “While active defenses are promising, they also raise a range of issues that need to be addressed by policymakers. Two possible risks include collateral damage to third parties and inadvertent escalation of tension with other countries. To avoid such risks and realize the benefits of active defenses, Congress and the executive branch must begin providing guidance to companies that can both provide and consume active defense services.”

The Cipher Brief recapped a discussion with Tonya Ugoretz (who heads the Cyber Threat Intelligence Integration Center) and Marianne Bailey (deputy national manager of National Security Systems at NSA) at the publication’s annual Threat Conference in Sea Island, Ga. Ugoretz said, “The government doesn’t have a monopoly on threat intelligence […]. And so the broader challenge is how do I not only integrate all those varied pieces across the federal cyber community, but also think about how the federal government can partner with the private cybersecurity companies who have that very unique insight that the U.S. government is not going to have. But do so in a way that we protect privacy, protect civil liberties.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Organizations are becoming more resilient to focused cyber attacks: Reported in Help Net Security, “While the average number of focused cyberattacks per organization has more than doubled this year compared to the previous 12 months (232 vs 106), organizations are demonstrating far more success in detecting and blocking them. They are now preventing 87 percent of all focused attacks compared to 70 percent in 2017.”
  • Cryptominers Leaped Ahead of Ransomware in Q1 2018: According to a press release, “During the first three months of 2018, cryptominers surged to the top of detected malware incidents, displacing ransomware — which declined significantly in volume — as the number one threat.”
  • Hackers exploit human vulnerabilities more than software flaws: Reported in CBS News, “a recent report from Proofpoint, a cybersecurity firm, said most cyberattacks are designed to take advantage of human error instead of flaws in hardware or software.”
  • Americans want tougher rules for big tech amid privacy scandals: Reported in The Guardian, “83 percent of Americans call for companies like Facebook to face harsher penalties for breaches” and “84 percent of Americans say tech companies should be held responsible for content carried on their platforms.”
  • 94 Percent of Web Applications Suffer From High-Severity Vulnerabilities: Reported in Security Intelligence, “In addition to the 94 percent of applications that contained a high-severity flaw, 85 percent carried an exploitable vulnerability.”
  • Security Pros at Energy Firms Concerned About 'Catastrophic' Attacks: Reported in Security Week, “91% [of IT and OT security professionals in energy and oil and gas companies] say they are worried about the risk of attacks on [industrial control systems]. Nearly all respondents are very concerned or somewhat concerned about an attack leading to operational shutdowns or downtime that impacts customers.”