NTSC Technology Security Roundup

Weekly News Roundup: May 13, 2019

Senators Reintroduce Data Breach Prevention and Compensation Act

According to a press release, “United States Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.), along with Representatives Elijah E. Cummings (D-Md.), Chairman of the House Committee on Oversight and Reform, and Raja Krishnamoorthi (D-Ill.), reintroduced the Data Breach Prevention and Compensation Act to hold large credit reporting agencies (CRAs)—including Equifax—accountable for data breaches involving consumer data. The bill would give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs for data breaches to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data.” This bill takes a punitive approach to data breach prevention limited to one industry rather than focusing on the protection of consumer data and establishing data security standards across all industries.

Senate Committee on Banking, Housing and Urban Affairs Holds Hearing on Federal Data Privacy Laws

Last Tuesday, the US Senate Committee on Banking, Housing and Urban Affairs held a hearing on data privacy, focusing especially on the pros and cons of GDPR and how the US might adopt certain aspects of it for a federal privacy law or adaptations to existing laws. Testifying were Peter Chase (Senior Fellow, The German Marshall Fund of the United States), Jay Cline (Privacy and Consumer Protection Leader, PwC US), and Maciej Ceglowski (Founder, Pinboard). According to U.S. Senator Mike Crapo (R-Idaho), Chairman of the Committee, “[The] way that an individual’s or groups of individuals’ data is used matters immensely. As its rightful owner, an individual should have real control over his or her data. A complete view of what data is collected, the sources of that data, how it is processed and for what purposes, and who it is being shared with is vital to individuals exercising their rights. People should also be assured that their data will be reflected accurately, and have the opportunity to opt out of it being shared or sold for marketing and other purposes.”

More Cyberattacks Attributed to China

Two stories appeared last week that illustrate Chinese malicious cyber activity as a continuing national security threat:

  • Chinese spies acquired NSA tools, used them to attack US allies: Reported in The Hill, “Researchers with Symantec believe the Chinese government captured the code from an NSA attack on their own systems rather than stealing it, according to the article. The hacking group that repurposed the tools has committed several attacks on U.S. targets including space, satellite and nuclear propulsion tech manufacturers, according [to The New York Times], citing a classified agency memo.”
  • Chinese nationals charged for Anthem hack, “one of the worst data breaches in history”: According to Politico, “Federal prosecutors have charged two Chinese nationals for hacking Anthem and three other U.S. businesses as part of what the Justice Department called ‘an extremely sophisticated hacking group.’ An indictment unsealed Thursday charges Fujie Wang and an unnamed co-conspirator with four counts, including conspiracy to commit wire fraud and intentional damage to a protected computer, in connection with the intrusions. The Anthem hack, disclosed in February 2015, compromised the sensitive personal data of approximately 78.8 million Americans.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Verizon 2019 Data Breach Investigations Report: According to the executive summary of this year’s report, “C-level executives were twelve times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in years past,” “[there’s] been a corresponding increase in hacking cloud-based email servers via the use of stolen credentials,” and “payment card web application compromises are well on their way to exceeding physical terminal compromises in payment card-related breaches.”
  • C-Suite execs and policy makers find cybersecurity technology investments essential: Reported in Help Net Security, “[Over] the next 24 months, 44 percent of C-Suite executives and 33 percent of policy makers plan to purchase new software with enhanced security; and 37 percent and 25 percent, respectively, plan to invest in new infrastructure solutions to improve security.”
  • Cybersecurity Skills Shortage Worsening for Third Year In A Row, Sounding the Alarm for Business Leaders: According to a press release, “The cybersecurity skills shortage is worsening for the third year in a row and has impacted nearly three quarters (74 percent) of organizations, as revealed today in the third annual global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG).”
  • The State of Corporate Cybersecurity: Paranoia, Hopelessness: Reported in PYMNTS.com, “Only 2 percent of cybersecurity respondents said they have adequate funding for their security initiatives, and 23 percent said they believe it would take a successful cyberattack on their organizations to convince executives to invest more in cybersecurity.”

Cybersecurity Acquisitions

Two major cybersecurity company acquisitions were reported last week:

  • Orange signs an agreement to acquire SecureLink: According to a press release, “Orange entered into an agreement with Investcorp to acquire 100% of SecureLink on a €515m Enterprise Value basis. SecureLink, based in the Netherlands, is one of the largest independent cybersecurity services providers in Europe, with on-the-ground presences in Sweden, Belgium, the Netherlands, the UK, Germany, Denmark and Norway. Founded in 2003, SecureLink provides a full range of cybersecurity services to support its clients. Its offering includes specialized security consulting, security maintenance and support with 24/7 service desks (SOCs) as well as advanced managed detection and response capabilities (MDR).”
  • Proofpoint Enters into Definitive Agreement to Acquire Meta Networks: According to a press release, “Proofpoint intends to integrate Meta Networks’ ZTNA technology with its cloud access security broker (CASB) and web isolation product lines to offer customers a comprehensive cloud access and security platform. The acquisition of Meta Networks will add approximately 20 technical contributors to Proofpoint’s growing presence and team in Israel. […] The purchase price for the transaction is approximately $111 million in cash and approximately $9 million in Proofpoint common stock and options.”