NTSC Technology Security Roundup

Weekly News Roundup: June 10, 2019

Maine Passes “Act to Protect the Privacy of Online Customer Information”

While the federal government continues to discuss the pros and cons of a national data privacy law, states continue to roll out their own. Last Thursday, Governor Janet Mills signed LD 946 “An Act to Protect the Privacy of Online Customer Information.” According to a summary of the bill, “This bill prohibits a provider of broadband Internet access service from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access. The bill provides other exceptions under which a provider may use, disclose, sell or permit access to customer personal information.” CNET notes, “The law is similar to FCC rules approved in 2016 that would have required broadband companies to get their customers' permission before they sell ‘sensitive’ information about their web browsing activity, app usage or whereabouts to marketers. But federal lawmakers repealed the rules in 2017 before they took effect.”

FCC Ruling Allows Voice Service Providers to Block Robocalls By Default

In the wake of a bill passed by the Senate a few weeks ago that would fine robocallers up to $10,000 per call, the FCC ruled last Thursday that voice service providers can block robocalls by default. According to a press release, “Specifically, the Commission approved a Declaratory Ruling to affirm that voice service providers may, as the default, block unwanted calls based on reasonable call analytics, as long as their customers are informed and have the opportunity to opt out of the blocking. This action empowers providers to protect their customers from unwanted robocalls before those calls even reach the customers’ phones.” The Hill notes, “Critics of the FCC’s proposal say the agency should have gone further to ensure that wireless companies won’t charge consumers extra to protect them from robocalls, as some carriers currently do. […] A coalition of trade groups representing businesses like pharmacies, debt collectors and bankers says the proposal risks hurting their ability to reach consumers with legitimate calls.”

TSA’s Pipeline Cybersecurity Plans Not Up to Date, According to GAO

The US Government Accountability Office submitted a report to Congress titled “Critical Infrastructure Protection: Key Pipeline Security Documents Need to Reflect Current Operating Environment” that pointed out that the Transportation Security Administration’s pipeline cybersecurity plans are not up to date. One plan dates back to 2006 and the other to 2010, and neither has been updated even though the new Cybersecurity and Infrastructure Security Agency is now in place. FCW notes, “There are already concerns that TSA may be struggling to handle its new responsibilities in an environment where hackers and adversarial nations routinely target and probe the nation's critical infrastructure for software and hardware security flaws. Sonya Proctor, director of the Surface Division for the Office of Security Policy and Industry Engagement at TSA, told lawmakers in February that her pipeline security team consisted of just five employees, none of whom have cybersecurity backgrounds.”

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • Lawmakers promote cyber education, accountability in defense bill: According to FCW, “DOD reportedly lost about 4,000 cyber-related personnel in 2018 and Congress is taking notice in the 2020 National Defense Authorization Act, which includes a push for more thorough cyber education and hiring efforts. The 2020 NDAA provides a glimpse into the Democrats’ defense tech priorities for the next fiscal year. So far, that means tech recruitment with an emphasis on diversity and inclusion, and getting policy conversations started earlier around emerging technologies, such as 5G, artificial intelligence and software development.”
  • High-profile data breaches underline cyber threats to health care industry: According to The Hill, “A handful of Democratic senators have already announced they are looking into the [recent Quest and LabCorp] breaches. Sens. Cory Booker (D-N.J.) and Bob Menendez (D-N.J.) sent letters to both Quest and LabCorp on Wednesday demanding answers, and seeking security measures to lessen the blow to patients. […] Sen. Mark Warner (D-Va.), the vice chairman of the Senate Intelligence Committee, also sent a letter to Quest [last] Wednesday asking questions about the breach.”
  • Senator probes DOJ's safeguarding of hacking tools: According to FCW, “In a June 5 letter, Sen. Ron Wyden (D-Ore.) asked Attorney General Bill Barr what the Department of Justice and its component agencies are doing to keep their tools from being leaked or stolen, as the NSA's were in 2016 when a mysterious group known as the Shadow Brokers published them on the open internet.”
  • House Democrat places hold on State Department's move to establish cyber bureau: According to The Hill, “Rep. Eliot Engel (D-N.Y.), the chairman of the House Foreign Affairs Committee, placed a hold [last] Tuesday on the State Department’s notification that it plans to establish a Bureau of Cyberspace Securities and Emerging Technologies (CSET), calling its proposed mission too narrow.”
  • House committee pushes for a window into cyberwar: According to FCW, “Members of the House Armed Services Committee want Congress to be kept in the loop when the executive branch launches offensive operations in cyberspace. In a legislative draft of the upcoming National Defense Authorization Act, the House Armed Services Subcommittee on Intelligence and Emerging Threat Capabilities is seeking to amend Title 10 of U.S. law to require that the Secretary of Defense notify congressional defense committees whenever the department engages in sensitive military cyber operations. The draft bill would also include additional parameters that further define what offensive or defensive operations constitute a ‘sensitive military cyber operation.’”

National Security News

Here, we’ve provided a roundup of several stories related to national security and cybersecurity.

  • Google is reportedly arguing that cutting Huawei off from Android threatens US security: Reported in The Verge, “According to a new report by the Financial Times, Google is trying to make the case to the Trump administration that it needs to be able to provide technology to Huawei in the name of US national security. According to one FT source, the central point of the argument is that Huawei would be forced to fork Android into a ‘hybrid’ version that would be ‘more at risk of being hacked, not least by China.’”
  • NSA warns Microsoft Windows users to update systems to protect against cyber vulnerability: According to The Hill, “The NSA’s [June 4] advisory specifically references the ‘BlueKeep’ vulnerability, which can be used by malicious actors to conduct ‘denial of service’ attacks. This shuts down a system, making it inaccessible to its users. This vulnerability could also be used by hackers to conduct ransomware attacks and lock users out of their systems. The agency noted that while Microsoft has issued a patch for this vulnerability, millions of systems have still not been updated. This is particularly dangerous since the BlueKeep vulnerability is ‘wormable,’ meaning it can spread ‘without user interaction across the internet.’”
  • Government and health care sectors had most breaches in 2018: According to Roll Call, “Government computer systems — federal, state and local — suffered the most data breaches last year, driven most likely by foreign adversaries conducting espionage operations, according to Verizon’s latest annual report on cyberattacks. In the private sector, health care, financial services and small-to-midsized accounting, tax and law firms suffered the largest number of breaches, according to the 12th edition of Verizon’s annual Data Breach Investigations Report, released last month.”