NTSC Technology Security Roundup

Weekly News Roundup: May 7, 2018

U.S. Cyber Command Becomes 10th Combatant Command

The Pentagon announced that U.S. Cyber Command became the 10th combatant command on Friday. It’s the first new functional command created since United States Strategic Command in 1992. According to a Department of Defense news article, “The elevation of the command raises the stature of the commander to a peer level with other unified combatant command commanders, allowing the Cybercom commander to report directly to the secretary of defense…” Since its creation in 2009, U.S. Cyber Command had been a sub-unified command under United States Strategic Command.

Maj. Gen. Stephen Fogarty to Lead United States Army Cyber Command

According to The Hill, “Maj. Gen. Stephen Fogarty has been selected to lead the U.S. Army’s cyber warfare unit, replacing soon-to-be director of the National Security Agency, Lt. Gen. Paul Nakasone. […] Fogarty has served at Fort Meade, Md., as chief of staff at U.S. Cyber Command, the Pentagon’s chief cyber warfighting unit, since June 2016. Before that, Fogarty was the commanding general at the Cyber Center of Excellence at Fort Gordon in Georgia.” The Senate confirmed his nomination on April 26. Lt. Gen. Paul Nakasone began leading the National Security Agency and U.S. Cyber Command on Friday.

CyberScoop Reports Possible Repeal of Presidential Policy Directive 20 to Empower U.S. Cyber Command

It’s well known that U.S. Cyber Command, as currently structured, is limited in its cyber response to nation states, violent extremists, and other threat actors—making it more reactive than offensive when countering global cyberattacks. According to CyberScoop, “Members of the White House’s National Security Council are pushing to rescind Presidential Policy Directive 20, an important policy memorandum that currently guides the approval process for government-backed cyberattacks, three current U.S. officials familiar with the matter tell CyberScoop. The effort is driven in part by a desire from some NSC staff to create a more streamlined channel for military leaders to get their offensive cyber operations greenlit, insiders familiar with the matter said. […] The move comes as lawmakers openly question whether U.S. Cyber Command, the nation’s premier cyber warfare unit, is hamstrung from responding to Russian meddling due to bureaucratic red tape.”

Prominent Tech Companies Argue Against Recent Proposed Encryption Solutions

Last week, we highlighted a recent Wired article that detailed how Ray Ozzie has resurrected the call for a solution to the encryption debate by proposing an idea (involving complementary public and private keys) that pleases both sides. In response, Reform Government Surveillance (a coalition that includes Apple, Facebook, Google, and Microsoft) said: “Recent reports have described new proposals to engineer vulnerabilities into devices and services – but they appear to suffer from the same technical and design concerns that security researchers have identified for years. Weakening the security and privacy that encryption helps provide is not the answer.” According to ZDNet, “The statement comes a week after the group announced the importance of strong encryption as a new core principle behind its mission, calling on governments to ‘avoid any action that would require companies to create any security vulnerabilities in their products and services.’”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • The Systems That Control Water and Power Plants Are Shockingly Vulnerable to Hackers, Study Finds: According to Gizmodo, “Positive Technologies reported on Thursday that its researchers were able to penetrate 73 percent of industrial organizations. In 82 percent of successful infiltrations, the researchers said it was possible to ‘gain a foothold and leverage it to access the broader industrial network, which contained ICS equipment.’”
  • A well-trained staff may be your best defense against IoT cyberattacks: TechRepublic reports, “According to Symantec's 2018 Internet Security Threat Report (ISTR), the total number of Internet of Things (IoT) attacks grew 600% between 2016 and 2017. […] With the widespread adoption of IoT, employees at all levels of the enterprise must now be made aware of an additional set of security vulnerabilities. Devices once considered the domain of the IT department and only the IT department should now be considered part of every employee's security responsibility.”
  • Have we hit peak ransomware? Maybe, according to F-Secure: Reported in TNW, “The magnitude of WannaCry alone accounts for much of the growth we saw in ransomware attacks last year. But elsewhere, things are quiet, with the use of ransomware by organized criminals having slumped markedly: ‘After the summer, there was a noticeable shift away from the kind of ransomware activity that we’ve seen in the last year or two,’ explained F-Secure security advisor Sean Sullivan, in a statement.”
  • Energy Companies Aren't Doing Much to Defend Against Soaring Cyber Attacks: According to Bloomberg, “Two prominent security consultant firms estimate that energy companies, ranging from drillers to pipeline operators to utilities, invest less than 0.2 percent of their revenue in cyber security. For context, that’s at least a third less than the corresponding figure for banks and other financial institutions, according to the consultants, Precision Analytics LLC and the CAP Group.”