NTSC Technology Security Roundup

Weekly News Roundup: June 24, 2019

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • House Homeland Security Republicans to introduce slew of cybersecurity bills: According to The Hill, the bills include:
    • Securing the Homeland Security Supply Chain Act
    • Pipeline Security Enhancement Act
    • State and Local Cybersecurity Improvement Act
    • Biometric Identification Transnational Migration Alert Program
  • Senate bill would help state, local governments thwart cyberattacks: As mentioned above, the State and Local Cybersecurity Improvement Act would increase the cybersecurity partnership between DHS and state/local governments. According to Homeland Preparedness News, “The State and Local Government Cybersecurity Act would encourage national cybersecurity watchdog groups to share information with states and localities to help them prevent and recover from cyberattacks.”
  • Senate panel advances bill to protect government devices against cyber threats: According to The Hill, “The Senate Homeland Security and Governmental Affairs Committee approved by voice vote the Internet of Things (IoT) Cybersecurity Improvement Act, a measure designed to establish cybersecurity standards for federal devices that are connected to the internet. Under the legislation, the Commerce Department’s National Institute of Standards and Technology (NIST) would be charged with creating the guidelines and the Office of Management and Budget would inform agencies of the security standards to make sure that IoT devices purchased are consistent with the NIST standards.”
  • Klobuchar, Murkowski introduce legislation to protect consumer health data: According to The Hill, “Sens. Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska) on [June 14] introduced legislation aimed at safeguarding the privacy of consumer health data, specifically the data involved in DNA testing kits and health tracking apps. The Protecting Personal Health Data Act would require the secretary of Health and Human Services to create regulations for health data tracking apps, wearable devices such as FitBits and genetic testing kits. The regulations would include a clause to enable consumers to review, change and delete any health data collected by companies.”

The Hill also notes that “Three other bills set to be introduced by GOP Homeland Security committee members will include one to help TSA identify emerging threats to the transportation system, and others on reforming DHS’s structure and management.”

Power Grid Cybersecurity News Update

Here, we’ve provided a roundup of several news stories from last week related to the cybersecurity of national power grids.

  • Power Industry Must Report All Cyberattacks, U.S. Regulator Says: According to Bloomberg Government, “The nation’s top energy regulator bolstered cyber-security rules for the electric grid, concerned that existing reporting rules on attacks underestimate the true scope of the threat. Rules now only require the electric industry to report cyber-security incidents that compromise or disrupt systems, such as causing an outage. Under the new standards, it must report all incidents, whether they impact systems or not, as well as any attempts to interfere with operations.”
  • Hacking group targeting U.S. electric utilities: report: According to The Hill, “Xenotime, a group of hackers that has previously targeted oil and gas companies, has been targeting the U.S. electric grid in recent months, according to new research released Friday by cybersecurity group Dragos. Dragos reported that the Xenotime group began ‘probing’ the networks of electric utilities in both the U.S. and countries in the Asia-Pacific region in late 2018. The report noted that none of the probes resulted in the group gaining access to an electric utility’s system, but wrote that ‘the persistent attempts, and expansion in scope is cause for definite concern.’”
  • Russia: Reported US cyberattack on power grid possible: As reported by CNN, “The US is escalating cyber attacks on Russia's electric power grid and has placed potentially crippling malware inside the Russian system, The New York Times reported [last] Saturday. The placement of the malware that deep within the Russian grid had never previously been attempted, the Times reports, and is intended partly as a warning and also to put the US in a position to conduct cyber attacks should a significant conflict arise with Russia.”

Regulatory Cybersecurity News Update

A couple of important stories emerged last week related to cybersecurity regulations.

  • Groups allege wireless carriers violated privacy laws by sharing location data: According to The Hill, “Public interest groups are alleging that major phone carriers violated privacy laws by sharing their customers’ location data without their permission. The groups filed a complaint with the Federal Communications Commission (FCC) against all four national wireless providers — Verizon, AT&T, Sprint and T-Mobile — over practices that had been detailed in media reports over the past year, and urged the agency to crack down.”
  • US banks face tighter scrutiny of cyber defenses: According to the Financial Times, “Several senior regulators have told the Financial Times that they are working on a cross-agency approach to testing banks against attacks that could crash global payments networks, expose customer data or otherwise threaten the integrity of an industry that now relies far more on terabytes and interchanges than bricks and mortar. The proposed system, which regulators say could be in place later this year, would replace an existing regime in which different regulators examine different parts of the same institution. This has left banks grappling with multiple requests and regulators at risk of not grasping the totality of a bank’s exposure to cyber threats.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Businesses and Charities Experiencing More Cybersecurity Breaches: Reported in Security Magazine, “Thirty-two percent of businesses and 22 percent of charities are experiencing more cybersecurity attacks, the 2019 Cyber Security Breaches Survey says. The average annual cost for businesses that lost data or assets after breaches was more than $5,000 and more than $12,000 for charities.”
  • Cybersecurity Accountability Spread Thin in the C-Suite: Reported in Dark Reading, “A report released [last] week by Radware shows promising signs that cybersecurity is increasingly coming up in board talks and is near-universally viewed as the entire C-suite's responsibility to enable. Conducted among 260 C-suite executives worldwide, the study shows that more than 70% of organizations touch on cybersecurity as a discussion item at every board meeting. Meantime, 98% of all members across the C-suite say they have some management responsibility for cybersecurity.”
  • Cyber Crime Widely Underreported Says ISACA 2019 Annual Report on Cyber Security Trends: Reported in CPO Magazine, “The headliner of the most recent part of the cyber security trends report is the underreporting of cyber crime around the globe, which appears to have become normalized. About half of the respondents indicated that they feel that most enterprises do not report all of the cyber crime that they experience, including incidents that they are legally obligated to disclose.”
  • Cybersecurity Risks Are Threatening Deals, Industry Survey Shows: Reported in Bloomberg, “Of more than 2,700 information technology and business decision makers surveyed by Forescout Technologies Inc. in seven countries, 53% reported that their organization had encountered a critical cybersecurity issue or incident that put an M&A deal in jeopardy. And 65% of respondents said they had experienced buyers’ remorse because of cybersecurity concerns after closing a deal.”
  • Cybersecurity, Data Privacy Top Concerns for Enterprises: Reported in Security Magazine, “Data security and privacy breaches have become a daily worry for most organizations and research shows that most organizations have poor cybersecurity defenses and abundant amounts of unprotected data, making them easy targets for attacks and data loss. But, only two thirds of organizations are managing policies and conducting training in cyber security, data privacy and confidential information, likely due to flat budgets. Additionally, many organizations believe their board members are not a source of risk for cybersecurity issues and that they understand the problem well enough to avoid missteps.”
  • As cloud complexities increase, cybersecurity skills gap worsens: Reported in TechTarget, “When asked to rank their concerns when switching or adopting cloud structure, 81% of respondents identified security as No. 1. Growing cloud complexities will not make security challenges easier. The study, conducted by the Cloud Security Alliance along with network security provider AlgoSec, found common security challenges with regard to native, hybrid and multi-cloud architectures.”
  • Research finds only 15% of companies are adequately prepared for a cyber attack: According to a press release, “Among the 175 security management professionals interviewed, the survey concluded that despite cyberattacks being recognized as a real and incumbent danger by most companies (87% prioritized it as a risk), only a few felt that they had adequate defenses (15%).”

Accenture Acquires Deja vu Security, Seattle-Based ‘Security of Things’ Company

According to a press release, Accenture announced last Monday the acquisition of Deja vu Security, a privately held company that specializes in security design and testing of enterprise software platforms and internet of things (IoT) technologies. The Seattle-area company has become part of Accenture Security’s Cyber Defense offerings. Financial terms of the agreement were not disclosed. Serving some of the world’s largest technology companies, Deja vu Security provides a full range of security services designed to strengthen business applications and increase cyber resilience by integrating security throughout the product development lifecycle.