NTSC Blog

Weekly News Roundup: June 17, 2019

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

• Bipartisan bill would enable companies to defend themselves against cyberattacks: According to The Hill, “The Active Cyber Defense Certainty Act, introduced [last] Thursday by Reps. Tom Graves (R-Ga.) and Josh Gottheimer (D-N.J.), would allow companies and individuals to leave their own networks and defend against malicious actors seeking to attack them. The bill would allow authorized individuals and companies to go onto other networks in order to establish who is attacking them online, to disrupt a cyberattack as it is occurring, to retrieve or destroy stolen files, to utilize beaconing technology and to monitor the behavior of the malicious actor.”
• $733 billion defense bill passes committee: According to FCW, “The bill adds a directive for assessing the cybersecurity posture of DOD entities involved in the development, storage, processing, and transmission of data related to biothreats and pathogens. It also requires DOD to submit a quadrennial cyber posture review and to ‘assess the value of establishing a Cyber Force as a separate uniformed service,’ according to amendment text.”
• House focuses on cybersecurity R&D in energy spending bill: According to FCW, “The House Appropriations Committee approved a series of cybersecurity-related research and development initiatives designed to tighten up protection to the electric grid and other energy systems as part of its annual spending bill for Energy and Water Development. The bill, which passed committee on June 10, sets aside $150 million for Cybersecurity, Energy Security and Emergency response services, $30 million higher than 2019-levels of spending.”
• House passes bill to establish DHS cyber 'first responder' teams: According to The Hill, “The House passed legislation by voice vote [last] Monday that would create ‘cyber incident response teams’ at the Department of Homeland Security (DHS), which can be used to assist both government and private sector organizations after a data breach or other cyberattack. The DHS Cyber Incident Response Teams Act would establish these teams within DHS’s National Cybersecurity and Communications Integration Center, with the groups charged with providing assistance and support to ‘asset owners and operators’ following a cyber incident. Private sector cyber experts would be allowed to be members of the teams.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

• U.S. ramping up offensive cyber measures to stop economic attacks, Bolton says: According to CyberScoop, “The U.S. is beginning [to] use offensive cyber measures in response to commercial espionage, President Trump’s national security adviser, John Bolton, said [last] Tuesday. […] Bolton’s remarks [last] Tuesday mark the first time a senior White House official has publicly acknowledged that the authorizations issued last year go beyond just election contexts. He warned adversaries that the U.S. reserves the right to retaliate to economically-motivated cyberattacks, even outside of the cyber realm.”
• DOD unveils plans for contractor cybersecurity standards: According to FedScoop, “A Department of Defense official unveiled plans [last] Thursday for contractor cybersecurity standards that are scheduled to be implemented by January 2020. Katie Arrington, special assistant to the assistant secretary of Defense acquisition for cyber, made the announcement along with a plea for the private sector to work with the government to secure its supply chain at a Professional Services Council conference Thursday. The new standards will have a five-level system, and they will combine guidance currently in place from the National Institute of Standards and Technology with new input from the private sector and academia.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

• Organizations are advancing their efforts, investing in OT cybersecurity programs: Reported in Help Net Security, “50% of respondents rank ICS security threats high or severe/critical – down from 69% in 2017; 62% identify people (internal and external) as the greatest risk for compromise; [and] 61% of all incidents had a disruptive effect on OT activities.”
• Better Cybersecurity Research Requires More Data Sharing: Reported in Dark Reading, “Good data on attacker tactics, security incidents, and breaches is key to identifying trends in cybersecurity, but datasets — even among academic researchers — are often not made public and just as often are of poor quality, according to security researchers who presented their conclusions at the annual Workshop on the Economics of Information Security (WEIS) conference. In a previous sampling of some 965 papers, a group of researchers from the University of Tulsa found that only 6% created their own datasets and made them public. Yet the value of such data exceeds $663 million just in cost savings to subsequent research efforts, according to a paper presented at the WEIS conference by the same group.”
• Healthcare executives lack action plan to combat cybersecurity threats: Reported in Healthcare IT News, “Although nearly a third of respondents confirmed medical device security is one of the top five risks facing the healthcare industry, most do not have effective strategy in place to assess the risks posed by such devices. Just over 40 percent of survey respondents said they were not at all prepared to meet privacy regulations, and roughly one in 10 respondents were ‘unaware’ as to whether the organization was prepared or not.”
• Medical cybersecurity execs may have priorities misplaced, study: Reported in SC Media, “Carbon Black surveyed 20 leading CISOs from the healthcare industry and found 83 percent of surveyed healthcare organizations said they’ve seen an increase in cyberattacks over the past year with 66 percent of [CISOs] saying cyberattacks have become more sophisticated over the past year. When asked what was their biggest concern, these security leaders didn’t answer ‘cybersecurity’ or how confident they are in their cybersecurity programs, but instead their top answer was compliance for 33 percent of respondents.”
• Deloitte: Cyber Framework, Use of AI, Blockchain Could Help Protect Defense Industrial Base: Reported in GovCon Wire, “A new Deloitte report has identified challenges U.S. defense contractors and suppliers face when it comes to complying with cybersecurity regulations and measures that could be implemented by companies to adhere to such regulations and build up a cyber-resilient security posture. Some of the challenges mentioned are the lack of formal governance program to evaluate the risk and enforce compliance throughout the supply chain and failure of defense prime contractors to validate the compliance of their suppliers with the National Institute of Standards and Technology SP 800-171, Deloitte said.”
• Survey: Top Cyber Threats Remain Consistent in 2019, But Will See Attack Frequency Increase: Reported in MeriTalk, “Cybersecurity professionals polled indicated that the most prevalent types of threat actors and attack vectors of recent years will remain consistent but increase in attack volume in 2019. These findings were in Part Two of ISACA’s State of Cybersecurity 2019 report, which said that the top three cybersecurity threat actors this year are cybercriminals, hackers, and non-malicious insiders, at 32, 23, and 15 percent of top actors, respectively, which are statistics that barely deviate from last year’s report.”