NTSC Technology Security Roundup

Weekly News Roundup: May 4, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • More Tech Expertise Needed in Congress? A Solarium Solution is OTA: According to MeriTalk, “The most bold recommendation from the [Cyberspace Solarium Commission] is to reorganize Congress to create cyber-specific committees in the House and Senate, a process complicated by institutional power dynamics. The void of cyber-specific committees has consequences though, says Cory Simpson, a senior director of the commission. […] Major Congressional reorganization or not, there is still a need, Simpson said ‘to bring technical expertise into the legislative branch.’ The Office of Technology Assessment (OTA) is a recommendation made by the commission in order to accomplish that. […] Originally created by an act of Congress in 1972, OTA produced over 750 reports on technology-related legislative issues for Congress and the public before the office was dissolved in 1995.”
  • Republican senators to introduce the COVID-19 Consumer Data Protection Act: According to IAPP, “The ‘COVID-19 Consumer Data Protection Act,’ which contains protections for personal information, particularly health, geolocation, and proximity data, was announced April 30 and will be introduced by Sen. Roger Wicker, R-Miss., chairman of the Senate Committee on Commerce, Science, and Transportation. […] Under the bill, covered information would include ‘precise geolocation data, proximity data, and personal health information.’ Any entity or person who ‘collects, processes, or transfers covered data’ and is also subject to the Federal Trade Commission Act, is a common carrier subject to the Communications Act of 1934, or is a nonprofit organization would be subject to the law.”
  • States say next pandemic relief bill needs IT and cybersecurity aid: According to StateScoop, “A group of 12 associations representing state and local officials [last] Wednesday asked Congress to include direct financial support for IT and cybersecurity infrastructure in any future emergency relief package responding to the COVID-19 pandemic. In a letter addressed to congressional leaders, the coalition, led by the National Governors Association, wrote that the ongoing public health crisis has put unprecedented strains on state and local governments’ technology assets and opened them up to new cybersecurity risks that cannot be remedied without additional funding from the federal government.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • White House budget office formally designates CISA role on government-wide cybersecurity services: According to Inside Cybersecurity, “The White House Office of Management and Budget [last Monday] announced that the Cybersecurity and Infrastructure Security Agency is the lead office for providing other agencies with cyber services including vulnerability management standardization and Domain Name System resolver service, which ‘reinforces our core mission,’ according to a senior CISA official.”
  • CISA’s Coming Supply Chain Guidance to Align with Pentagon’s Vendor Certification Program: According to NextGov, “A Cybersecurity and Infrastructure Security Agency task force will release supply chain guidance that incorporates aspects of the Pentagon’s Cybersecurity Maturity Model Certification program, a CISA official said. The Defense Department’s CMMC will require that vendors meet specific cybersecurity requirements and get certified by a third-party auditor before working with the department. As Defense officials continue to hammer out the details of the new program, they have been collaborating with CISA’s Information and Communications Technology Supply Chain Risk Management Task Force.”
  • NIST releases draft hardware-security techniques white paper for public comment: According to Inside Cybersecurity, “The National Institute of Standards and Technology has released for public comment a draft white paper focused on how to secure hardware platforms in data centers and edge computing facilities.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • President issues executive order targeting threats from foreign participation in U.S. bulk-power systems: According to Inside Cybersecurity, “President Trump [last Friday] issued an executive order on ‘securing the United States bulk power system’ from foreign threats by setting a process for banning potentially risky foreign suppliers from providing such equipment to U.S. electricity operators.”
  • Protect Patient Data During COVID-19 Outbreak, Federal Agencies Warn: According to NextGov, “In a special report to top officials of the armed services, the Defense Department’s assistant inspector general for the operation of cybersecurity audits culled ‘lessons learned’ from past reports to stress the continued importance of protecting sensitive information as the department mobilizes to respond to the coronavirus pandemic. […] The report, released [April 23], notes increased patient loads at MTFs and alternative care facilities the department is helping to build and operate. On [April 24] the FBI, along with the Cybersecurity and Infrastructure Security Agency and Health and Human Services Department, also advised improving security measures in the face of COVID-19.”
  • Experts worry US elections even more vulnerable with COVID-19: According to The Hill, “Cybersecurity experts are increasingly worried that U.S. elections are growing even more vulnerable to outside interference because of the coronavirus pandemic. They say funds to prevent interference and ensure people can vote safely are running thin, despite the fact that Congress has passed $825 million in funding for election security since December. The chaos caused by COVID-19, which has forced states to delay or cancel primary elections and move toward allowing residents to vote absentee, has presented a new array of challenges for states that had already been focused on election security.”
  • Intel report warns Zoom could be vulnerable to foreign surveillance: According to ABC News, “The Zoom videoconferencing platform, so popular with people forced to stay home because of the coronavirus pandemic, could be vulnerable to intrusions by foreign government spy services, including China, according to a federal intelligence analysis obtained by ABC News. The analysis urges organizations to carefully consider the risk if they should continue working with the system. The report was issued jointly by the Department of Homeland Security’s Cyber Mission and Counterintelligence Mission centers, and was distributed to law enforcement and government agencies around the country.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Survey: COVID-19 Response Sees Nearly 50% of Cybersecurity Workers Reassigned to IT Tasks: According to (ISC)2, “When asked about changes experienced due to COVID-19, almost half (47%) of cybersecurity professionals polled by (ISC)2 said they have been reassigned to IT tasks.”
  • ISACA Survey: Cybersecurity Attacks Are Rising During COVID-19, But Only Half of Organizations Say Their Security Teams Are Prepared for Them: According to a press release, “Only 51 percent of technology professionals and leaders are highly confident that their cybersecurity teams are ready to detect and respond to the rising cybersecurity attacks during COVID-19, according to new research by global association ISACA. Additionally, only 59 percent say their cybersecurity team has the necessary tools and resources at home to perform their job effectively.”
  • Healthcare Targeted By More Attacks But Less Sophistication: Reported in Dark Reading, “Healthcare organizations are experiencing an increase in probes and fraud attempts against their businesses and suppliers, but the attacks appear not to be very sophisticated, security experts said this week. Organizations, for example, saw a 30% increase last month in the number of COVID-19-themed phishing sites and lures, but they have not seen a commensurate increase in the number of successful breaches, according to the Healthcare Information Sharing and Analysis Center (H-ISAC).”
  • Ransomware mentioned in 1,000+ SEC filings over the past year: Reported in ZDNet, “A growing number of public companies are now listing ransomware as a forward-looking risk factor in documents filed with the US Securities Exchange Commission. More than 1,000 documents mentioning ransomware as a risk factor have been filed over the last 12 months, and more than 700 in 2020 alone, with the number expected to easily surpass 2019's values.”
  • Reports of COVID-19 malware threats heavier in states with increased testing: Reported in SC Magazine, “Newly published telemetry data collected by the researchers at Bitdefender suggests that U.S. reports of coronavirus-themed malware threat activity have been heaviest in states where testing has increased and the total number of confirmed infections has grown. Among U.S. states, California reported the most threats in both March and April, followed by Texas. New York was third in March, but fell to fourth in April, supplanted by Florida. Ohio rounded out the top five.”
  • Consumers have little patience for businesses hit by cyberattack: Reported in TechRepublic, “59% of respondents would likely avoid [doing] business with an organization that experienced a cyberattack in the past year. Further, their level of forgiveness wouldn't necessarily increase much over time—45% said they wouldn't do business with a company that was attacked sometime in the past three years.”
  • Average Ransomware Payments Soared in the First Quarter: Reported in Dark Reading, “New data from Coveware on ransomware attacks in the first quarter of this year showed that compared with the fourth quarter of 2019, median ransomware payments held relatively steady at around $44,000, but average payments soared 33% to $111,605.”
  • Financial sector is seeing more credential stuffing than DDoS attacks: Reported in ZDNet, “The financial sector has seen more brute-force attacks and credential stuffing incidents than DDoS attacks in the past three years, F5's cyber-security unit said in a report published [last Monday]. […] The report's findings dispel the notion that DDoS attacks are one of today's most prevalent threats against the financial vertical. In reality, F5 says that brute force attacks, credential stuffing, and all the other account takeover (ATO) attacks have been a much bigger threat to the financial sector between 2017 and 2019.”
  • Insider Threats Jump 47 Percent, as Incident Costs Reach $11.45 Million, New Study Shows: Reported in Bitdefender’s Business Insights Blog, “In just two years, the number of insider threats has increased 47%, from 3,200 in 2018 to 4,716 in 2020. At the same time, the cost of these incidents has surged 31%, from $8.76 million in 2018 to $11.45 million in 2020. While careless or negligent employees make for 62% of incidents, costing organizations an average of $307,111 per incident, malicious insiders or credential thieves bear a higher price tag of $871,686 per incident.”

Cybersecurity Acquisitions

News about two major cybersecurity company acquisitions was reported last week:

  • Rapid7 is acquiring DivvyCloud for $145M to beef up cloud security: Reported in TechCrunch, “Rapid7 announced [last Tuesday] after the closing bell that it will be acquiring DivvyCloud, a cloud security and governance startup, for $145 million in cash and stock.”
  • Accenture Completes Acquisition of Broadcom’s Symantec Cyber Security Services Business: According to a press release, “Accenture (NYSE: ACN) has completed its acquisition of the Symantec Cyber Security Services business from Broadcom Inc. (NASDAQ: AVGO). […] The Symantec Cyber Security Services business includes more than 300 employees around the world who serve organizations across a diverse range of industries, including financial services, utilities, health, government, communications, media, technology and retail.”