NTSC Technology Security Roundup

Weekly News Roundup: May 18, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • Democrats propose Public Health Emergency Privacy Act: According to IAPP, “After Senate Republicans proposed the COVID-19 Consumer Data Protection Act April 30, Democrats from the Senate and House of Representatives offered their response [last] Thursday with the introduction of the Public Health Emergency Privacy Act. The Democrats’ bill aims to provide safeguards for health data during the pandemic and regulate the use of that data with contact tracing technologies. The bill was unveiled by Sens. Richard Blumenthal, D-Conn., and Mark Warner, D-Va., along with Reps. Anna Eshoo, D-Calif., Jan Schakowsky, D-Ill., and Suzan DelBene, D-Wash.”
  • Senate panel tees up cyber legislation with expanded powers for CISA and a new White House role: According to FCW, “The Senate Homeland Security and Governmental Affairs Committee is moving closer to developing legislative proposals for a number of Cyberspace Solarium Commission recommendations, and Chair Ron Johnson (R-Wis.) signaled in a May 13 hearing that they could start with a proposal to create a new White House Cybersecurity Directorate.”
  • Lawmakers move to boost federal cybersecurity in annual defense bill: According to The Hill, “Sen. Ron Johnson (R-Wis.) said [last] Wednesday that he was pushing for inclusion of measures meant to defend the United States against cyber threats in the upcoming annual National Defense Authorization Act (NDAA). Johnson, the chairman of the Senate Homeland Security and Governmental Affairs Committee, said during a virtual committee hearing on cyber threats that he hoped to include a provision creating a federal national cybersecurity leadership position in the NDAA.”
  • Senators introduce bill to create more cyber grand challenges: According to Fifth Domain, “A trio of senators introduced legislation May 13 that would create several cyber grand challenges aimed at improving the overall cybersecurity of the United States. The bill, called the Cybersecurity Competitions to Yield Better Efforts to Research the Latest Exceptionally Advanced Problems Act of 2020, or CYBER LEAP Act, would direct the Secretary of Commerce to establish at least five public competitions that would allow participants to submit solutions for some of the most pressing cybersecurity challenges.”
  • Senate privacy hawks score a win that delays surveillance renewal: According to Politico, “Congressional privacy hawks scored a critical victory [last] Wednesday that deepens the uncertainty about the fate of expired federal surveillance powers. Senators voted 77-19 — well over the 60-vote threshold — to adopt a bipartisan amendment bolstering legal protections for targets of federal surveillance. The move means that Congress' attempt to reauthorize key sections of the Foreign Intelligence Surveillance Act will detour back to the House, where it could face more delays or tinkering at the hands of privacy advocates and Republicans.”
  • Minnesota Senate unanimously approves Limmer’s Data Privacy Bill: According to the Minnesota Senate Republican Caucus, “The Minnesota Senate recently passed a bill that protects Minnesotans’ data privacy rights and requires law enforcement agencies to be more accountable when tracking and monitoring individuals of interest. The bill regulates the circumstances under which law enforcement agencies must obtain search warrants before using a drone or accessing electronic communication like emails, social media accounts, and cell phone applications.”
  • Study highlights data subject request volume, spending under CCPA: According to IAPP, “[A] Truyo study shows companies have already begun to receive a high volume of requests, numbers that may be heightened by the COVID-19 pandemic. […] A vast majority of those surveyed expressed a level of anxiousness about the requests, as 92% said they are concerned about honoring data subjects' rights under the CCPA. The study also found 51% said data subject request fulfillment is the most difficult part of CCPA compliance.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Grenell announces creation of intelligence community 'cyber executive': According to The Hill, “Acting Director of National Intelligence (DNI) Richard Grenell on [May 8] announced the creation of an intelligence community (IC) ‘cyber executive’ as part of other organizational changes. According to the Office of the Director of National Intelligence (ODNI), the new position will ‘provide a single ODNI focus point for the cyber mission, which will strengthen the IC’s cyber posture to better defend U.S. national security interests.’ The cyber executive position will oversee four consolidated, previously separate ODNI cyber-focused organizations.”
  • Solarium staff: State Dept. needs authority, resources to lead global effort on cybersecurity: According to Inside Cybersecurity, “Bolstering State Department authority and resources is essential to cyber deterrence efforts and ensuring the U.S. leads in international standards-setting organizations, but a key Cyberspace Solarium Commission recommendation on this point could be sidetracked by bureaucratic and jurisdictional disagreements.”
  • Senate Homeland Security panel receptive to Solarium Commission proposals on strengthening CISA, creating national cyber director: According to Inside Cybersecurity, “The Senate Homeland Security and Governmental Affairs Committee heard from members of the Cyberspace Solarium Commission for the first time [last] Wednesday, on sweeping recommendations that range from giving the nation’s cyber agency more resources to creating a new Senate-confirmed cyber director position in the White House and investing in U.S. supply chain visibility.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Pandemic has spawned 'record-breaking' cybercriminal activity: Reported by Good Morning America, “In the first quarter of 2020, Bolster documented a massive spike in both phishing and website scams, detecting 854,441 confirmed phishing and counterfeit websites, 30% of which were COVID-19 related, in addition to another four million suspicious pages.”
  • Almost all cybersecurity professionals more concerned in wake of Covid-19: Reported in ITProPortal, “Cybersecurity professionals are now more concerned about suffering a cyberattack than prior to the Covid-19 pandemic, according to a new report from cybersecurity firm Tripwire. Polling 345 IT security professionals, Tripwire found nine in ten companies have used Covid-19 as a stress test for their security controls and policies. Respondents were most worried about home network security, a surge in ransomware, phishing and social engineering attacks and keeping remote systems securely configured.”
  • U.S. Consumers Need to Better Protect Themselves When Banking Online: Reported in Security Magazine, “[Only] 42 percent are using separate passwords to access multiple accounts; 17 percent of respondents have between two and five passwords they reuse across accounts; and four percent use a single password across all accounts. Additionally, less than a quarter (23 percent) of respondents use an encrypted password manager which many consider best practice; 30 percent are using high-risk strategies such as writing their passwords down in a notebook.”
  • COVID-19 blamed for 238% surge in cyberattacks against banks: Reported in ZDNet, “The coronavirus pandemic has been connected to a 238% surge in cyberattacks against banks, new research claims. […] [Financial] organizations experienced a massive uptick in cyberattack attempts between February and April this year -- the same months in which COVID-19 began to spread rapidly across the globe. […] 80% of firms surveyed have experienced more cyberattacks over the past 12 months, an increase of 13% year-over-year.”
  • 2020 Cyber Report: Compliance Burdens Unsustainable: According to a press release, “51% of those surveyed are spending 40% or more of their IT security budgets on compliance” and “nearly 60% of companies view compliance as a barrier to enter new markets and prepare new services to meet compliance requirements.”
  • DevOps needs to morph into DevSecOps to close security threats in the cloud: Reported in TechRepublic, “Everyone is having trouble keeping cloud deployments secure, according to a new report from Oracle and KPMG. The ‘Threat Report 2020: Addressing Security Configurations Amidst a State of Constant Change’ found that 92% of IT professionals do not think their organization is well prepared to secure public cloud services. Two of the biggest security risks are admin accounts with too many privileges and poor management of cloud secrets, like keys, account credentials, and passwords.”
  • Survey Sees Accelerated Shift Toward Zero-Trust Architectures: Reported in Security Boulevard, “A shift toward zero-trust architectures appears to be gaining momentum, with a global survey of 500 senior cybersecurity executives published today showing that 40% of respondents have launched an initiative to achieve that goal. In North America, the survey finds there has been a 275% year-over-year growth in the number of organizations that have or plan to have a defined zero-trust initiative in place in the next 12 to 18 months.”
  • Survey Finds 41% of Employees Use Personal Apps to Access Sensitive Company Data: Reported in CISO Mag, “Research by work management platform Wrike revealed that 41% of employees working remotely are accessing sensitive and confidential company information through unsecured personal applications, leaving valuable corporate data and trade secrets to cyber risks.”
  • Survey: Data Sharing in the Cloud Puts Education Sector at Risk: Reported in Dark Reading, “82% of educational organizations don’t track data sharing at all or do it manually, and 50% of them suffered a data breach due to unauthorized data sharing last year. 63% of educational organizations don’t review permissions regularly, and 24% of system administrators admitted to granting direct access rights upon user request.”
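Two of the findings above are directly checkable in a deployment pipeline: the Oracle/KPMG report’s “admin accounts with too many privileges and poor management of cloud secrets” and the education-sector survey’s unreviewed permissions. The script below is an added example written for this roundup; it is not code from Oracle, KPMG, Netwrix or any vendor cited here. It assumes AWS-style JSON identity policies (Effect/Action/Resource statements) and a flat environment-variable block from a container manifest; both inputs are constructed samples embedded in the file so it runs offline.

```python
"""Flag over-privileged IAM-style policy statements and plaintext secrets in a
deployment manifest.  Added example for this roundup: the policy and environment
block below are constructed sample input, not data from any cited survey."""
import json
import re

# Constructed sample: an AWS-style identity policy attached to a CI service account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "IamWildcard", "Effect": "Allow",
         "Action": ["iam:*", "sts:AssumeRole"], "Resource": "*"},
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample: env block from a container manifest with secrets pasted inline.
SAMPLE_ENV = {
    "DB_HOST": "db.internal",
    "DB_PASSWORD": "hunter2",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "API_TOKEN": "${secretsmanager:prod/api-token}",  # a reference, not a literal
    "LOG_LEVEL": "info",
}

# Key names that usually carry credentials (assumed naming convention).
SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# Values that are indirections into a secret store rather than the secret itself
# (hypothetical reference syntaxes; adjust to the store actually in use).
REFERENCE_RE = re.compile(r"^\$\{.*\}$|^vault:|^secretsmanager:")


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overprivileged(policy_json):
    """Return the Sids of Allow statements that grant a wildcard action on every
    resource, i.e. the 'admin account with too many privileges' pattern."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = "*" in resources
        if wildcard_action and wildcard_resource:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def find_inline_secrets(env):
    """Return env keys that look like credentials but hold a literal value
    instead of a reference into a secret store."""
    return sorted(key for key, value in env.items()
                  if SECRET_KEY_RE.search(key) and not REFERENCE_RE.match(value))


if __name__ == "__main__":
    print("over-privileged statements:", find_overprivileged(SAMPLE_POLICY))
    print("inline secrets:", find_inline_secrets(SAMPLE_ENV))
```

On the sample input the policy check reports FullAdmin and IamWildcard (the scoped S3 read and the Deny are left alone), and the secret scan reports DB_PASSWORD and AWS_SECRET_ACCESS_KEY while accepting API_TOKEN because it points at a secret store. Two caveats before relying on this: the policy check ignores NotAction/NotResource statements, which can be just as broad, and a service-scoped wildcard such as `s3:*` on a single bucket is often legitimate, which is why the check requires the wildcard action and the `*` resource together.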

Cybersecurity Acquisitions

News about three major cybersecurity company acquisitions was reported last week:

  • VMware to Acquire Kubernetes Security Firm Octarine: Reported in Security Week, “VMware announced [last] Wednesday during its virtual Connect 2020 cybersecurity conference the acquisition of Kubernetes security company Octarine and a new Next-Gen Security Operations Center (SOC) Alliance. Octarine has developed a platform that provides continuous security and compliance for Kubernetes applications.”
  • CyberArk Acquires Identity as a Service Leader Idaptive: According to a press release, “CyberArk (NASDAQ: CYBR), the global leader in privileged access management, [last Wednesday] announced it has acquired Santa Clara, California-based IDaptive Holdings, Inc. (Idaptive). Together, CyberArk and Idaptive will deliver the industry’s only modern identity platform with a security-first approach.”
  • More cybersecurity consolidation: Venafi acquires Kubernetes startup Jetstack: Reported in Silicon Angle, “Venafi Inc., a major player in the so-called machine identity protection segment of the cybersecurity market, is acquiring Jetstack Inc., a small startup focused on Kubernetes security. […] Jetstack’s focus area overlaps with that of Venafi to a large extent. The British startup is best known as the maker of cert-manager, a pervasive open-source security certificate management tool for Kubernetes that boasts millions of downloads.”