NTSC Technology Security Roundup

Weekly News Roundup: May 14, 2018

White House Announces New Select Committee on Artificial Intelligence

On Thursday, the White House announced the creation of the Select Committee on Artificial Intelligence—a committee that will help explore and define AI opportunities, priorities, and issues. This committee was created in response to competitive pressures from China, concerns about AI’s development, and tech companies’ insistence that AI remain relatively unregulated to encourage innovation. According to The Hill, “The AI panel will include officials from the White House Office of Science and Technology Policy, the National Science Foundation and the Defense Advanced Research Projects Agency (DARPA). The committee’s representatives will also include officials from the National Security Council (NSC), the Office of the Federal Chief Information Officer and the Office of Management and Budget (OMB).”

Cybersecurity Legislation News Roundup

Here is a roundup of some important legislative news from last week:

  • House Panel Approves More Military Cyber Support for Critical Infrastructure: According to NextGov, “A House panel approved legislative language Wednesday that would make it easier for military cyber defenders to pitch in when U.S. critical infrastructure, such as hospitals and financial firms, are under attack. […] The pilot program would essentially allow the Secretary of Defense to lend cyber troops to Homeland Security to help shore up critical infrastructure.”
  • House passes bill to help small businesses guard against hackers: According to The Hill, “Specifically, the legislation would require the Small Business Administration to establish a ‘cyber counseling certification program’ to provide cybersecurity training to employees at small business centers that receive federal grants. The idea is to ensure that these small business development centers can provide cybersecurity assistance to small businesses that ask for it.”
  • New law would stop Feds from demanding encryption backdoor: According to The Register, “The Secure Data Act [of 2018] forbids any government agency from demanding that ‘a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.’ It also prohibits courts from issuing orders to compel access to data.”

DOD and DHS News Update

Fifth Domain reported that US Cyber Command and the National Security Agency opened the Integrated Cyber Center and Joint Operations Center (ICC/JOC), which cost $500 million, on May 4. According to Congressional testimony from former NSA director Michael Rogers, “The facility is USCYBERCOM’s first dedicated building, providing the advanced command and control capabilities and global integration capabilities that we require to perform our missions.”

And according to Politico, DHS recently “outlined parameters for two high-profile initiatives under Secretary Kirstjen Nielsen. The documents shed light on Nielsen’s interest in approaching cybersecurity as an interconnected, systemic risk — defined for the first time by DHS as issues that cut across multiple sectors. DHS is consulting electric, financial services, IT and telecommunications sectors to get some feedback […] on what systemic risk means in their industries.”

NIST Updates Risk Management Framework to Incorporate Privacy Considerations

On Wednesday, NIST announced an update to its Risk Management Framework (RMF) that addresses various privacy issues. According to a NIST news story, “Previous versions of the RMF were primarily concerned with cybersecurity protections from external threats. The updated version adds an overarching concern for individuals’ privacy, helping to ensure that organizations can better identify and respond to these risks, including those associated with using individuals’ personally identifiable information.” CyberScoop also noted that “The provisional update includes measures to guard against untrusted suppliers and the possibility of hackers slipping malicious code into the supply chain.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Too many IT pros ignore critical security issues: Reported in Help Net Security, “A recent Outpost24 survey of 155 IT professionals […] revealed that 42 percent ignore critical security issues when they don’t know how to fix them (16 percent) or don’t have the time to address them (26 percent).”
  • Despite Major Data Breaches, Users’ Bad Password Security Habits Haven’t Improved: Reported in Security Intelligence, “Even though password security is a top priority for organizations, only 55 percent of users would change their credentials after a breach. The [LastPass] report also found that 59 percent of respondents use the same password across multiple accounts.”
  • iOS users are 18x more likely to be phished than to download malware: Reported in Help Net Security, “The Wandera’s Phishing Report 2018 shows that iOS users are 18x more likely to be phished than to download malware, and that 4000 new mobile phishing websites are launched every day. This shift to mobile is supported by data that reveals 48% of phishing attacks are on mobile, and research that shows users are 3x more vulnerable to phishing on mobile than on desktop.”
  • FBI: Number of Ransomware Complaints Went Down in 2017: According to Bleeping Computer, “During 2017, the FBI says it received only 1,783 complaints regarding ransomware infections, a number far smaller than the 2,673 complaints it received in 2016, and the 2,453 complaints received in 2015.”
  • Despite Last Year’s Surge, Ransomware Attacks on the Decline in 2018: Reported in Security Intelligence, “F-Secure’s ‘The Changing State of Ransomware’ report found that the lack of big paydays for even the most headline-worthy campaigns has led to a gradual decline in these types of attacks.”