Weekly News Roundup: June 22, 2020
Legislative Cybersecurity News Update
Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.
- Coronavirus Privacy Bills Hit Roadblocks in Congress: According to The Wall Street Journal, “As authorities and companies explore surveillance tools to fight the coronavirus and reopen the U.S. economy, many federal lawmakers agree that privacy protections are key. But proposals for safeguards unveiled in recent weeks have crashed into two familiar roadblocks in the U.S. Senate. Many Republicans want federal law to override state-level rules for privacy, while Democrats have argued stronger state statutes should hold sway and want individuals to be able to sue companies for privacy violations. Momentum for a general federal privacy standard picked up late last year when Republicans and Democrats discussed respective proposals in the Senate Commerce Committee. The plans overlapped in many ways and would allow consumers to opt in to share sensitive information and require businesses to minimize how they use such data. But unresolved differences reappeared last month in dueling bills tailored for data collection around the coronavirus pandemic, leaving some policy analysts doubtful the bills will move forward.”
- U.S. Sen. Sherrod Brown (D-OH) Releases New Draft Privacy Bill: According to a press release, “U.S. Sen. Sherrod Brown (D-OH) – ranking member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, [last Thursday] released a draft privacy bill, the Data Accountability and Transparency Act of 2020. […] Specifically, the Data Accountability and Transparency Act of 2020 would ban the collection, use or sharing of personal data unless specifically allowed by law; ban the use of facial recognition technology; prohibit the use of personal data to discriminate in housing, employment, credit, insurance, and public accommodations; require anyone using decision-making algorithms to provide new accountability reports; and create a new, independent agency that is dedicated to protecting individuals’ privacy and the implementation of DATA 2020. The new agency will have rulemaking, supervisory, and enforcement authority, the ability to issue civil penalties for violations of the Act, and a dedicated Office of Civil Rights to protect individuals from discrimination; the proposal empowers individuals and state attorneys general to enforce privacy protections and does not preempt more protective state law; finally, the proposal would require CEO certification of compliance with the Act and contains potential criminal and civil penalties for the CEO and Board of Directors.”
- Bipartisan Senate Bill Would Increase Pentagon’s Artificial Intelligence Capacity: According to NextGov, “Senate lawmakers [last] Tuesday introduced legislation that would beef up the Defense Department’s artificial intelligence and cybersecurity capabilities. Introduced by Sens. Rob Portman, R-Ohio, and Martin Heinrich, D-N.M., the Artificial Intelligence for the Armed Forces Act would change how the Pentagon recruits and retains top cybersecurity and AI talent. The bill would require the defense secretary to ‘develop a training and certification program to better enable’ the Pentagon’s human resources workforce to recruit AI and cyber talent. In addition, the defense secretary would be required to issue guidance on how the Pentagon could make better use of existing direct hire authorities to onboard AI talent.”
- Solarium Commission staff want legislative action on national cyber director, CISA-based cyber planning cell: According to Inside Cybersecurity, “The Cyberspace Solarium Commission is advocating for getting up to 20 recommendations from the group’s report included in this year’s defense policy bill, according to commission executive director Mark Montgomery, who says the creation of national cyber director and a Joint Cyber Planning Cell within CISA are among the top priorities.”
- Defense manufacturing groups would get cybersecurity grants under new legislation: According to FedScoop, “A new bipartisan bill would authorize the Department of Defense to issue grants to help small manufacturers reach compliance with new cybersecurity guidelines like the Cybersecurity Maturity Model Certification (CMMC). The Pentagon would be authorized to issue funds only to Manufacturing Extension Partnership (MEP) Centers, the public-private partnerships that assist small manufacturers, with the intent of helping those kinds of companies reach compliance. The MEP program is run through the National Institute of Standards and Technology (NIST). The bill, sponsored by Jimmy Panetta, D-Calif., and Joe Wilson, R-S.C., reflects the general concern Congress has for securing the Department of Defense’s supply chain through the CMMC program and others.”
National Cyber Security News Update
Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.
- CIA suffered historic data loss from lax cybersecurity, report says: According to Roll Call, “In early 2017 the Central Intelligence Agency suffered a massive data loss when an agency employee stole vast quantities of information including some of its most secretive hacking tools because of lax cybersecurity measures, according to a redacted investigation report obtained by Sen. Ron Wyden, a senior member of the Senate Intelligence Committee. The employee took away about 180 gigabytes to as much as 34 terabytes — or the equivalent of about 11.6 million to 2.2 billion pages of Microsoft Word documents — which included some of the agency's most valuable hacking tools from its so-called Vault 7, according to the report. The employee later gave the data to WikiLeaks, which published it in a series of posts.”
- Commerce to Allow Sharing Certain Technology with Huawei: According to NextGov, “U.S. companies will be allowed to disclose certain technology to Chinese telecommunications giant Huawei when such disclosure is for the purpose of revising or developing technical standards that allow technology around the world to work together, according to a new rule from the Commerce Department.”
- Agencies say FCC should deny request for underwater cable between Hong Kong and US: According to The Hill, “A group of federal agencies has recommended the Federal Communications Commission (FCC) deny a request by a Chinese government-linked company to directly connect the U.S. and Hong Kong through an underwater communications cable. The agencies – known as Team Telecom and made up of the Justice Department, the Department of Homeland Security and the Department of Defense – said the FCC should deny a request made by the Pacific Light Cable Network (PLCN) to connect Hong Kong and the U.S., citing concerns that the cable would enable the Chinese government to access American data. […] The agencies cited concerns around cyber vulnerabilities to underwater sea cables that could make them easy to exploit.”
- Australia sees China as main suspect in state-based cyberattacks, sources say: According to Reuters, “Australia views China as the chief suspect in a spate of cyber-attacks of increasing frequency in recent months, three sources familiar with the government’s thinking told Reuters [last] Friday, a suggestion swiftly dismissed by Beijing. The comments came after Prime Minister Scott Morrison said a ‘sophisticated state-based actor’ had spent months trying to hack all levels of the government, political bodies, essential service providers and operators of critical infrastructure. ‘We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting,’ Morrison told reporters but declined to say who Australia believed was responsible. Three sources briefed on the matter said Australia believed China is responsible, however.”
Cybersecurity Reports and Surveys Roundup
We’ve rounded up a few of the best cybersecurity reports and surveys released last week:
- Survey Finds Sluggish Cybersecurity Response to Pandemic: Reported in Security Boulevard, “A global survey of 6,724 security and IT workers published [last] week by BitDefender, a provider of a broad portfolio of cybersecurity software, suggests organizations are still struggling to come to terms with the cybersecurity implications of the COVID-19 pandemic, even though it’s clear the volume of attacks has significantly increased. According to the survey, only 20% said they have also shared comprehensive guides to cybersecurity and working from home, pre-approved applications or implemented content filtering. More troubling still, only 19% have updated employee cybersecurity training and even fewer (14%) have invested a significant amount of money in upgrading security stacks. Only 11% have implemented a zero-trust policy, the survey finds.”
- The smaller the business, the smaller the focus on cybersecurity: Reported in Help Net Security, “A remote workforce during Covid-19 increased the cybersecurity concerns of just 31% of small business owners with fewer than 10 employees, while 41% of those at companies with more than 10 employees were more apprehensive of possible cyber attacks. The lower concern levels for micro-businesses have also equated to much smaller investments in cybersecurity.”
- Because IT security and the C-suite are misaligned, digital transformation increases cyber risk: Reported in Help Net Security, “Digital transformation is increasing cyber risk, and IT security has very little involvement in directing efforts to ensure a secure digital transformation process. Such misalignment of resources is illustrated by 82% of respondents believing their organizations experienced at least one data breach as a result of digital transformation. Fifty-five percent of respondents say with certainty that at least one of the breaches affecting their organization was caused by a third party.”
- Widespread Security Vulnerabilities in Mobile Banking Apps: Reported in Infosecurity Magazine, “Half of mobile banks are vulnerable to fraud and theft of funds due to inadequate security on apps, according to a study by Positive Technologies. The analysis found that mobile banking applications have a raft of security flaws which can be exploited by cyber-criminals to access sensitive data and commit fraud.”
- Cybercriminals banking on finance: Mitigating escalation: Reported in Help Net Security, “According to Boston Consulting Group research, financial service firms experience up to 300 times as many cyber attacks per year compared to companies in other industries.”
Cybersecurity Acquisitions
News about two major cybersecurity company acquisitions was reported last week:
- IBM Acquires Cloud Security Company Spanugo: Reported in Security Week, “IBM has announced a definitive agreement to acquire cloud cybersecurity posture management solutions provider Spanugo. Founded in 2017, the Santa Clara, California-based Spanugo aims to help organizations protect IT assets across the enterprise hybrid cloud, through automating resource discovery, configuration analysis and management, and the implementation of security best practices. Spanugo’s technology allows organizations to demonstrate compliance in real time, while also helping them continuously improve their cloud security to ensure that attacks can be repelled.”
- Kratos to Acquire CPI’s Antenna Business: Reported in Via Satellite, “Kratos Defense & Security Solutions [last] Tuesday said it has agreed to acquire the ASC Signal division from Communications & Power Industries (CPI) for $35 million in cash, a deal that expands its business in the ground segment supporting space-based systems. CPI is required by U.S. anti-trust regulators to divest its ASC Signal antenna business as a condition of its recent acquisition of the former satellite communications technology business of General Dynamics.”