NTSC Technology Security Roundup

Weekly News Roundup: May 6, 2019

National Bipartisan Privacy Bill Stuck on Pre-emption

As a bipartisan groundswell builds for a national privacy law, one issue that senators are debating is pre-emption. Some senators fear that a national data privacy law may weaken the California Consumer Privacy Act (CCPA), which goes into effect in January 2020. According to Reuters, “Democrats and Republicans generally agree new rules are needed on what data social media companies can collect on consumers and what they should be allowed to do with that data, not only for the biggest players like Facebook Inc and Alphabet’s Google, but also smaller online firms. The privacy bill is one of the few pieces of legislation that lobbyists believe has a decent chance of becoming law because it is a bipartisan concern and does not cost taxpayers money.”

President Trump Signs Executive Order on America’s Cybersecurity Workforce

Last Thursday, President Trump signed the “Executive Order on America’s Cybersecurity Workforce” that seeks to “grow the cybersecurity capability of the United States Government, increase integration of the Federal cybersecurity workforce, and strengthen the skills of Federal information technology and cybersecurity practitioners.” According to The Hill, “[The] order establishes a rotational program for federal workers. Workers at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) will be able to swap out with similar staff at other federal agencies. That program is in line with one that would be created by a bill recently passed in the Senate. The order also implements measures meant to assist federal agencies in retraining employees who are interested in joining the cybersecurity field.”

Congressional News Roundup

In Congressional cybersecurity news last week…

  • Cyber Bill on the Move: According to Politico, “The House Small Business Committee swiftly approved by voice vote three cybersecurity measures [last] Wednesday. The first, H.R. 1649, offered by top panel Republican Steve Chabot, would require the Small Business Administration to create a cyber counseling certification program so employees of small business development centers can offer ‘cyber planning assistance to small business concerns.’ The second, H.R. 1648, also sponsored by Chabot, would establish small business cybersecurity assistance units and create tools for small businesses to share cyber threat information. […] The third measure, H.R. 2331, would require the SBA administrator to submit an annual report that would include an information technology assessment and a strategy to shore up cybersecurity infrastructure.”
  • Cybersecurity pros could work for multiple agencies under bill passed by Senate: According to FedScoop, “The legislation — the Federal Rotational Cyber Workforce Program Act of 2019 — passed by unanimous consent. There is no companion bill in the House, but a congressional source told FedScoop that Senate sponsors have reached out to the other chamber about how to move the legislation forward. Supporters see the bill as an extension of several initiatives from Congress and the White House, including the Federal Cybersecurity Workforce Assessment Act of 2015, which required the Office of Personnel Management (OPM) and other agencies to identify and describe their cyber-related jobs, and the Trump administration’s broad government reorganization plan from June 2018, which included proposals to alleviate shortages in the cybersecurity workforce.” This bill aligns with President Trump’s Executive Order signed on Thursday (see above).
  • Poor IoT Cybersecurity May Be Partly From Consumer, Business Penny Pinching Says Chamber: According to Forbes, “The poor security of Internet of Things (IoT) devices from web-connected lightbulbs to refrigerators may be partly the result of penny pinching by consumer and business shoppers, the U.S. Chamber of Commerce told a Senate panel focusing on cybersecurity [last] Tuesday. ‘Most people's intuition is to buy the least expensive device even if the device's security is not strong—and possibly contrary to their own best interests,’ Chamber Cybersecurity Policy Vice President Matthew Eggers contended. He buttressed his claim by asserting it is unclear if buyers—including individuals, households, businesses, and public institutions—will pay for the cost of additional security features or be able to identify a strong device without a new way to help them make educated choices.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • DHS orders faster patching from federal agencies: According to FCW, “The Department of Homeland Security released a new Binding Operational Directive April 29 that cuts down on the time federal agencies have to patch critical IT vulnerabilities in half, from 30 days to 15. The order compels all civilian federal agencies to regularly review weekly cyber hygiene reports delivered by DHS that identify both critical and high vulnerabilities and patch them within 15 and 30 calendar days of being detected, not when agencies are first informed about them.”
  • U.S. Warns Against Including Huawei in Any Part of 5G Network: According to Bloomberg, “The U.S. is warning countries not to include equipment from Huawei Technologies Co. or other Chinese suppliers in any parts of their telecommunications network because there’s no way to fully eradicate cyber security risks, a top cyber official said [last] Monday.”
  • TSA preps new guidelines on pipeline cyber: According to FCW, “The Transportation Security Administration has submitted a plan to keep pipeline cybersecurity guidelines up to date, the Government Accountability Office's acting director told a May 1 House Energy and Commerce Energy Subcommittee hearing on pipeline security. TSA has federal oversight responsibility for the physical security and cybersecurity of oil, natural gas and hazardous materials pipelines in the U.S. That pipeline infrastructure is mostly privately held.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Cybersecurity Costing Large Financial Firms $3,000 Per Employee: Survey: Reported in Insurance Journal, “Big banks and other financial firms spend as much as $3,000 per employee to defend computer networks from cyber criminals, a survey found, as the industry remains the primary target of such attacks.”
  • New 1E Survey Shows That Businesses Are Woefully Unprepared for Cyber Breaches Due to Lack of IT Security and Operations Basics: According to a press release, “Commissioned in partnership with Vanson Bourne, 1E’s independent study polled 600 IT decision-makers (300 from IT operations and 300 IT security). The research discovered that over three quarters (77 percent) believe that they are not extremely well prepared to react to a serious data breach, over half (60 percent) have experienced a serious security breach in the last two years – 31 percent more than once, and eight in ten claim digital transformation increases cyber risk.”
  • New RSM Research Explores Cybersecurity Concerns and Vulnerabilities for Middle Market Businesses: According to a press release, “The report found that 15 percent of middle market executives indicated that their companies experienced a data breach in the last year, up from 13 percent in 2018 and a significant jump from 5 percent just four years ago. Additionally, more than half (55 percent) of respondents believe that an attempt to illegally access their company's data or systems is likely in 2019, an increase from 47 percent in 2018.”
  • State of Operational Technology and Cybersecurity Report: According to Fortinet, “77% of OT organizations have experienced a malware intrusion in the past year, and 78% have only partial centralized visibility on the cybersecurity of their OT environments.”
  • Open source security: The risk issue is unpatched software, not open source use: Reported in Help Net Security, “The average age of vulnerabilities identified in 2018 Black Duck Audits was 6.6 years, slightly higher than 2017—suggesting remediation efforts haven’t improved significantly. Forty-three percent of the codebases scanned in 2018 contained vulnerabilities over 10 years old. When viewed against the backdrop of the National Vulnerability Database adding over 16,500 new vulnerabilities in 2018, [it’s] clear patch processes need to scale to accommodate increased disclosures.”
  • McAfee Survey Finds IT at Cybersecurity Fault Most: Reported in Security Boulevard, “Based on a survey of 700 cybersecurity professionals working in organizations with over 1,000 employees, the ‘Grand Theft Data II’ report finds 52% of respondents claim IT is at fault when a data leakage event occurs, versus 29% who cite business operations.”
  • Financial firms devote 10% of IT budgets to cybersecurity: Survey: Reported in Business Insurance, “Financial institutions spend an average of 10% of their information technology budgets on cybersecurity, or about 0.3% of their total revenues, says a survey.”
  • The Great Cyber Security Talent Shortage Continues: Reported in Security Boulevard, “The short supply of qualified security professionals has led to unfilled positions and a widening work skills gap, the [State Of Cybersecurity 2019 report by ISACA] said. More than half of the respondents (58%) said their organizations have unfilled cyber security positions. The number of organizations languishing at least six months before they are able to fill open cyber security positions is on the rise, from 26% in 2017 to 32% in 2018.”