NTSC Technology Security Roundup

Weekly News Roundup: May 20, 2019

President Trump Issues “Executive Order on Securing the Information and Communications Technology and Services Supply Chain”

While President Trump’s new executive order last Wednesday did not mention the Chinese telecom company Huawei, that is the company likely impacted most. By declaring a national emergency, the White House was able to point toward companies such as Huawei as a national security risk and either ban or strictly control how they do business in the United States. According to the Associated Press, “Democratic Sen. Mark Warner, vice chairman of the Senate Intelligence Committee and a former telecoms executive, called the order ‘a needed step’ because Chinese law compels Huawei to act as an agent of the state. […] All major U.S. wireless carriers and internet providers had already sworn off Chinese-made equipment after a 2012 report by the House Intelligence Committee said Huawei and ZTE, China’s No. 2 telecoms equipment company, should be excluded as enablers of Beijing-directed espionage.”

Congressional Cybersecurity Legislation Roundup

Last week saw a lot of cybersecurity-related activity on the Hill…

  • DHS Cyber Incident Response Teams Act of 2019 Clears Homeland Security Committee: According to a press release, Congressman Michael T. McCaul (R-TX), the Lead Republican on the Foreign Affairs Committee and the Chairman Emeritus on the House Homeland Security Committee, spoke at the Homeland Security Committee markup of his legislation, the DHS Cyber Incident Response Teams Act of 2019. At the hearing, McCaul said, “Specifically, my bill ensures that the Department of Homeland Security (DHS) has cyber incident response teams to aid federal agencies and the private sector in identifying, responding to, and mitigating cybersecurity threats. These teams assist compromised cyber-assets with response efforts and provide recommendations for improving networks.”
  • Committee Approves Active Cyber Defense Language in Appropriations Funding Bill: According to a press release, “[Thursday] in the Appropriations Committee’s markup of the State and Foreign Operations funding bill, Rep. Tom Graves (R-GA-14) championed and passed an amendment to increase cybersecurity cooperation with our allies to defend against cyberattacks. The amendment was included in the manager’s package, which is significant because it reflects broad bipartisan support from senior members of the committee. The amendment offered by Rep. Graves contains the strongest language to battle cyber threats included across the entire funding package.”
  • House Energy and Commerce Subcommittee Approves Four Cybersecurity Bills: According to Politico, “One (H.R. 362) would establish a new DOE assistant secretary position to oversee preparedness and response to cyber and physical attacks on energy infrastructure; another (H.R. 370) would require DOE to prepare for cyber or physical attacks on pipelines and LNG terminals; another (H.R. 360) would establish a ‘Cyber Sense’ program to identify and evaluate products that can bolster cybersecurity in the bulk-power system; and one (H.R. 359) would provide training to electric utilities on how to reduce physical and cybersecurity risks.”
  • Lawmakers introduce legislation to improve cyber workforce funding: According to The Hill, “Lawmakers in the House and Senate introduced legislation on Wednesday to improve the cybersecurity workforce by directing the Department of Labor to award grants that help create and expand cyber apprenticeship programs. The Cyber Ready Workforce Act has bipartisan support, with Sens. Jacky Rosen (D-Nev.) and Kevin Cramer (R-N.D.) introducing the bill in the Senate, and Reps. Susie Lee (D-Nev.), Elise Stefanik (R-N.Y.) and Abigail Spanberger (D-Va.) sponsoring the legislation in the House.”

Cyberspace Solarium Commission Starts Figuring Itself Out

The Cyberspace Solarium Commission, created by the National Defense Authorization Act of 2019, is starting to generate some activity as it begins to figure out how it will best work. According to an overview, “The Cyberspace Solarium Commission will work to develop a consensus on a strategic approach to protecting the crucial advantages of the United States in cyberspace” and it has a fourfold mission. An FCW article notes, “Sen. Angus King (I-Maine), co-chair of the newly established Cyberspace Solarium Commission, said the group is currently determining how best to structure itself and allocate resources as it seeks to explore three visions for defending U.S. interests in cyberspace. The commission […] is made up of 14 members drawn from federal agencies, Congress and the private sector. Rep. Mike Gallagher (R-Wis.) is the other co-chair. The commission also includes FBI Director Christopher Wray, cyber-focused lawmaker Rep. Jim Langevin (D-R.I.), Sue Gordon, the deputy director of the Office of National Intelligence, former National Security Agency Deputy Director Chris Inglis and Suzanne Spaulding, who used to lead the cybersecurity agency at the Department of Homeland Security. Their mandate includes election meddling, 5G and economic espionage, threats against government infrastructure, the financial system, electric grid, pipelines and businesses.”

Phone Makers and Carriers Bump Up Against the Law

Two new stories last week in The Hill show how the law is constraining phone makers and carriers on matters of cybersecurity and data privacy…

  • Cybersecurity experts fear fallout from Apple case: According to The Hill, “The Supreme Court ruled on Monday that a group of iPhone users can proceed with their class-action lawsuit against Apple, which claims that the company’s monopoly over the downloading of apps from its App Store drives up prices. The case will now work its way through the lower courts, but at issue is the potential that Apple could be forced to allow users to download apps from third-party groups and not just the App Store. Experts warn that scenario could lead to a higher rate of malware infections from apps for Apple's iOS devices.”
  • Phone carriers tell feds they have mostly stopped sharing location data: According to The Hill, “Phone companies are trying to reassure the Federal Communications Commission (FCC) that they are no longer sharing their customers’ location data with third parties. All four major wireless carriers told Democratic FCC Commissioner Jessica Rosenworcel in a series of letters this month that they have ended the practice, which had come under increasing scrutiny from regulators. Rosenworcel released the letters on Thursday and said she is still seeking answers about the FCC’s investigation into the industry.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Record level of vulnerabilities sparks cybersecurity innovation among global enterprises: According to a press release, “Globally, the average cybersecurity maturity rating stands at a worrying 1.45 out of 5 – a score determined by an organization's holistic approach to cybersecurity from a process, metrics, and strategic perspective. Companies in the Americas region lagged behind all other regions with an average maturity score of 1.21 out of 5. This comes during a time when security vulnerabilities have also surged to a record high (up 12.5% from 2017).”
  • Why cybersecurity pros want to share information to combat threats: Reported in TechRepublic, “In a survey of 200 US security IT decision makers commissioned by IronNet and conducted by independent research firm Vanson Bourne, 94% said their company would be willing to increase the level of threat sharing with their industry peers if that process demonstrably improved their ability to detect threats.”
  • Cybersecurity, Privacy and a Host of Technologies Challenge Audit in the Enterprise: According to a press release, “Cybersecurity, privacy and technologies—from mission-critical to digitally transformative—top the list of challenges IT audit teams and leaders grapple with every day, according to a first release of the 2019 IT Audit Benchmarking Study conducted by ISACA and global consulting firm Protiviti.”
  • Seven in Ten Cybersecurity Professionals Are Using or Considering Honey Pots, Deception Technology to Deliver Advanced Forensic and Attribution Capabilities: According to a press release, “72 percent of respondents said their organization either already uses or would use honey pots or deception technology. Furthermore, 71 percent of respondents would let hackers take the fake or booby-trapped document to gather counterintelligence – rather than shutting down an attack as soon as a bad actor engages with a deceptive file – in an effort to identify the thieves later or reveal information about the location, ownership and possible vulnerabilities of the hackers’ machines.”