NTSC Technology Security Roundup

Weekly News Roundup: June 1, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • Bipartisan bill seeks to counter China on emerging technology with $100 billion: According to Roll Call, “Bipartisan lawmakers […] [last] Wednesday announced sweeping legislation that would overhaul the government’s approach to emerging technology with the aim of countering a push by China for innovation dominance this century. The bicameral legislation would rechristen the National Science Foundation as the National Science and Technology Foundation and authorize $100 billion for a new directorate within the agency to fund research and development in 10 areas of emerging technology the lawmakers believe ‘will define global competitiveness’ in the coming decades. The fields of technology covered under the legislation range from familiar topics — artificial intelligence, cybersecurity, robotics and automation and advanced telecommunications — to more obscure ones like biotechnology and genomics, quantum computing and semiconductors, according to a summary of the legislation.”
  • Senate Armed Services sets schedule for NDAA markups, offering first chance to move Solarium recommendations: According to Inside Cybersecurity, “The Senate Armed Services Committee has scheduled a series of subcommittee meetings to consider pieces of the fiscal 2021 National Defense Authorization Act, which is seen as a potential vehicle for significant cybersecurity legislation from the Cyberspace Solarium Commission.” Also, “The Cyberspace Solarium Commission [tomorrow] will release an appendix to its landmark report that focuses on ‘cybersecurity challenges during a pandemic,’ two commissioners said [last Friday], and will include five new recommendations spurred by the COVID-19 crisis.”
  • Washington D.C. Significantly Overhauls its Data Breach Notification Law: According to The National Law Review, “In late March, the Washington D.C. legislature amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, updates to notification requirements and new credit monitoring obligations. The Security Breach Protection Amendment Act of 2019, b23-0215, passed the 12-member D.C. Council unanimously and was signed by D.C. Mayor Muriel Bowser on March 26. The new law became effective on May 19, 2020.”
  • Google sees resurgence in state-backed hacking, phishing related to COVID-19: According to Reuters, “Security experts at Alphabet Inc’s Google sent 1,755 warnings in April to users whose accounts were targets of government-backed attackers, following a resurgence in hacking and phishing attempts related to the coronavirus outbreak. Google said [last] Wednesday its Threat Analysis Group saw new activity from ‘hack-for-hire’ firms, many based in India, that have been creating Gmail accounts spoofing the World Health Organization (WHO). These accounts largely targeted business leaders in financial services, consulting and healthcare corporations in numerous countries including the United States, Slovenia, Canada, India, Bahrain, Cyprus and UK, the company said in a blog post.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Federal cyber incidents continue downward trend, according to annual FISMA report to Congress: According to FedScoop, “The federal government as a whole continues to make solid strides in improving cybersecurity management and meeting goals set out by the White House, according to the latest annual Federal Information Security Management Act (FISMA) report to Congress. The report — which the Office of Management and Budget sent to the Hill [last] Wednesday afternoon — shows there were 8% fewer cybersecurity incidents reported in fiscal 2019 across government.”
  • Federal report urges cybersecurity regulation reforms sought by states: According to StateScoop, “A report published [last] Wednesday by the General Accountability Office, the investigative and auditing arm of Congress, calls on federal agencies to align the cybersecurity standards they impose on states using federal data. State chief information officers have long argued that the disparate requirements that different agencies, like the FBI or Social Security Administration, impose on states make compliance burdensome.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • U.S. state regulators' annual report cites uptick in cybersecurity failures: According to Reuters, “An uptick of investment adviser cybersecurity exam deficiencies has fueled concerns among U.S. state financial regulators, in the annual report of the North American Securities Administrators Association (NASAA). The report offers a look at the state-regulated segment of investment advisers, and highlights significant findings from its biennial coordinated exams.”
  • Concerns over cyber misdeeds run through Trump administration report on China strategy: According to Inside Cybersecurity, “The Trump administration has put in place a strategy based on a higher tolerance for ‘friction’ with Beijing, as China continues to flaunt international norms in cyberspace and employs ‘unfair practices’ to gain advantage in critical sectors like tech and telecom, according to a congressionally mandated report from the White House.”
  • States plead for cybersecurity funds as hacking threat surges: According to The Hill, “Cash-short state and local governments are pleading with Congress to send them funds to shore up their cybersecurity as hackers look to exploit the crisis by targeting overwhelmed government offices. Members of Congress have taken notice of cyber threats at the state and local level, both before and during the pandemic, and efforts are underway to address the challenges, though how much will be provided is uncertain amid a fight over the amount of additional coronavirus stimulus.”
  • White House to Seek Comment on National 5G Security Strategy: According to NextGov, “The National Telecommunications and Information Administration has posted a request for public comment on how fifth-generation telecommunications networks should be implemented to support the White House’s strategy for securing the technology. ‘In accordance with the Secure 5G and Beyond Act of 2020, the National Telecommunications and Information Administration, on behalf of the Executive Branch, is requesting comments to inform the development of an Implementation Plan for the National Strategy to Secure 5G,’ reads the request NTIA posted [May 22].”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Cybersecurity: Half of employees admit they are cutting corners when working from home: Reported in ZDNet, “Analysis by researchers at cybersecurity company Tessian reveals that 52% of employees believe they can get away with riskier behavior when working from home, such as sharing confidential files via email instead of more trusted mechanisms.”
  • C-suite execs often pressure IT teams to make security exceptions for them: Reported in Help Net Security, “The C-suite is the most likely group within an organization to ask for relaxed mobile security protocols (74%) – despite also being highly targeted by malicious cyberattacks, according to MobileIron.”
  • Nearly One Fifth of Law Firms Show Signs of Compromise: Reported in Infosecurity Magazine, “BlueVoyant appraised thousands of law firms worldwide between January and March 2020, to compile its latest report, Sector 17 – The State of Cybersecurity in the Legal Sector. Of those targeted, some 15% are likely to have been compromised while nearly half showed signs of suspicious activity, including malicious proxy use, it said.”
  • 23% of leading banks had an exposed database with potential data leakage: Reported in Help Net Security, “23% of banks had at least one misconfigured database exposed to the internet resulting in potential data leakage issues. 54% of the banks had at least one RDP exposed to the internet. [And] 31% of banks had at least one vulnerability to Remote Code Execution.”
  • Hackers are stepping up attacks on health care facilities and researchers: Reported in Digital Trends, “Cyberattacks against health care facilities and public health researchers have nearly doubled amid the coronavirus pandemic, according to new data. The statistics provided to Digital Trends by cybersecurity firm Infosec and compiled from the U.S. Department of Health and Human Services show there have been 127 breaches of U.S. hospitals and health care systems from February 1 through May 18 in 2020. That’s a nearly 50% increase from the 66 breaches during the same span of time in 2019.”
  • 75% Of Security Pros Say Remote Work Led to Changes in Financial Services Cyber Programs: Survey: Reported in CISO Mag, “An opinion poll from the Financial Services Information Sharing and Analysis Center (FS-ISAC) revealed that 75% of cybersecurity professionals in financial institutions across the globe made sudden changes to their firm’s cybersecurity programs to deal with remote working conditions.”
  • Cloud Security Architect Proves Hardest Infosec Role to Fill: Reported in Dark Reading, “A new survey investigating cybersecurity talent trends revealed 68% of organizations struggle to recruit, hire, and retain practitioners with the expertise they need. More than three-quarters (76%) say the lack of skilled security pros is creating new risks across their organizations.”

Cisco Announces Intent to Acquire ThousandEyes

According to a press release, Cisco announced last Thursday its intent to acquire privately held ThousandEyes, Inc., headquartered in San Francisco. ThousandEyes’ Internet and Cloud intelligence platform delivers deep visibility and insights into the digital delivery of applications and services over the Internet. The acquisition is expected to close before the end of Cisco’s Q1 FY’21. ThousandEyes will join Cisco’s newly formed Networking Services business unit, reporting to Todd Nightingale. As part of the Networking Services business unit, ThousandEyes CEO and co-founder Mohit Lad will take on the role of GM of ThousandEyes, and co-founder and CTO Ricardo Oliveira will continue to drive ThousandEyes’ product vision and innovation strategy.