NTSC Technology Security Roundup

Weekly News Roundup: June 29, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • Senators propose cybersecurity advisory committee to protect U.S. companies: According to The Washington Times, “The bipartisan legislation by Sens. David Perdue, Georgia Republican, and Kyrsten Sinema, Arizona Democrat, would create a new advisory committee of cybersecurity professionals from various industries and state and local governments to work with the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency.” Read our press release, “NTSC Applauds Introduction of Bipartisan Legislation to Establish Cybersecurity Advisory Committee.”
  • Lawmakers introduce legislation to establish national cybersecurity director: According to The Hill, “A bipartisan group of lawmakers [last] Thursday introduced legislation in the House that would establish a ‘national cybersecurity director’ to lead government efforts on cybersecurity. The National Cyber Director Act would establish the position within the White House, with the director meant to serve as the president’s key adviser on cybersecurity and other emerging technology issues.”
  • Republicans push bill requiring tech companies to help access encrypted data: According to CNET, “A group of Senate Republicans is looking to force tech companies to comply with ‘lawful access’ to encrypted information, potentially jeopardizing the technology's security features. [Last] Tuesday, Republican lawmakers introduced the Lawful Access to Encrypted Data Act, which calls for an end to ‘warrant-proof’ encryption that's disrupted criminal investigations. The bill was proposed by Sen. Lindsey Graham, chairman of the Senate Judiciary committee, along with Sens. Tom Cotton and Marsha Blackburn. If passed, the act would require tech companies to help investigators access encrypted data if that assistance would help carry out a warrant.”
  • Defense Authorization Act Clears Key Subcommittee in the House: According to NextGov, “Text of the fiscal 2021 National Defense Authorization Act passed unopposed through the House Armed Services’ panel on intelligence and emerging threats and capabilities with no mention of the need for a national cybersecurity coordinator. Establishing a national cybersecurity director with access to the president is a top-line recommendation of the national Cyberspace Solarium Commission and enjoys support from leading Republicans. Members of the bipartisan commission said they were working to include their recommendations in the NDAA.”
  • House Armed Services leaders begin to prepare cyber-rich national defense policy bill for full-committee vote: According to Inside Cybersecurity, “House Armed Services subcommittees have completed their markups of defense policy act provisions and the panel’s leaders now turn to assembling the massive package for full-committee approval next week, including an assortment of cybersecurity policy provisions.”
  • King files Solarium-based amendments as Senate moves to NDAA debate: According to Inside Cybersecurity, “Next steps on Cyberspace Solarium Commission proposals are coming into focus with Sen. Angus King (I-ME) filing 18 related amendments to the fiscal 2021 National Defense Authorization Act, as Majority Leader Mitch McConnell (R-KY) launched the annual Senate floor debate on the sprawling Pentagon policy bill.”
  • California’s consumer privacy law could get stricter under new November ballot measure: According to The Sacramento Bee, “California legislators approved a landmark internet privacy law two years ago. Now, privacy advocates hope they can convince voters to pass an even stronger measure. Known as the California Privacy Rights Act, the initiative would add more teeth to existing legislation by creating a new, $10 million state agency dedicated to protecting online consumer privacy. It would also restrict the use of sensitive data — like someone’s sexual orientation, Social Security number or union membership — and would make location tracking less precise, among other changes.”
  • Vermont’s Amendments to Data Breach Law and New Student Privacy Law Effective July 1, 2020: According to the Hunton Privacy Blog, “On July 1, 2020, amendments to Vermont’s data breach notification law, signed into law earlier this year, will take effect along with Vermont’s new student privacy law. The amendments to Vermont’s Security Breach Notice Act include expanding the definition of Personally Identifiable Information (‘PII’), expanding the definition of a breach to include login credentials and narrowing the permissible circumstances under which substitute notice may be used.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • U.S. Government to Spend Over $18 Billion on Cybersecurity: According to Homeland Security Today, “According to an Atlas VPN investigation, the US government is set to allocate $18.78 billion for cybersecurity spending in 2021. In September 2018, the White House published the National Cyber Strategy, which provides strategic steps towards securing the government and all critical infrastructure from cyber threats. The Department of Defense (DoD) in the Cyber Strategy report outlines the main threats that the US faces regarding cybercrime: ‘Competitors deterred from engaging the United States and our allies in an armed conflict are using cyberspace operations to steal our technology, disrupt our government and commerce, challenge our democratic processes, and threaten our critical infrastructure.’ Due to these reasons, the proposed cyber defense budget amounts to $18.779 billion in 2021.”
  • Top federal IT official stepping down in July: According to The Hill, “The White House announced [last] Thursday that the Trump administration's top IT official, Suzette Kent, will step down from her position in July. Kent, who was appointed Federal Chief Information Officer (CIO) by President Trump in early 2018, announced her departure during a team meeting [last] Thursday. The position heads the Office of E-Government and Information Technology, part of the White House’s Office of Management and Budget (OMB). In the position, Kent was responsible for developing guidance on the use of internet-connected technology, along with streamlining digital interaction between the federal government and U.S. citizens and businesses, as well as overseeing some cybersecurity initiatives.”
  • Feds Foresee AI as Most Valuable Security Tech, MeriTalk Survey Shows: According to MeriTalk, “While artificial intelligence (AI) has any number of useful applications, Federal government IT leaders believe that AI will be the security technology most valuable to their agencies in the coming years, according to a recent survey conducted by MeriTalk in partnership with security provider Forcepoint. Over half (53 percent) of 100-plus IT and cybersecurity supervisors or executives said AI will be the most valuable innovative security technology to their agency in the next three to five years, the new research shows.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • DHS has sent hundreds of vulnerability notifications to medical sector during coronavirus pandemic: According to NBC News, “The Department of Homeland Security has sent hundreds of tailored notifications of potential vulnerabilities to the medical sector since the coronavirus pandemic began, according to an official who spoke [last] Wednesday at a webinar hosted by cybersecurity company CrowdStrike. The notifications are not evidence of breaches, but they provide a snapshot of just how many potential targets hackers have in the medical industry as the pandemic spreads. Bryan Ware, assistant director for cybersecurity for Homeland Security's Cybersecurity and Infrastructure Security Agency, or CISA, said the U.S. government has a secret working list of coronavirus research institutions that it can give prioritized cybersecurity protections.”
  • FBI sees major spike in coronavirus-related cyber threats: According to The Hill, “A top official at the FBI [last] Wednesday said that the FBI’s Internet Crime Complaint Center (IC3) has received 20,000 coronavirus-related cyber threat reports this year, as officials sounded the alarm on growing cyber threats to COVID-19 vaccine research. Tonya Ugoretz, the deputy assistant director of the FBI’s Cyber Division, said during a virtual conference hosted by cybersecurity group CrowdStrike that the IC3 was tracking a massive spike in hackers using the COVID-19 crisis to target Americans.”
  • FERC seeks comments on critical infrastructure cyber risks, mitigation tactics: According to Inside Cybersecurity, “The Federal Energy Regulatory Commission is asking for industry input on how its critical infrastructure standards could be changed to ‘adequately address’ cybersecurity risks, anomaly detection and mitigation of cybersecurity events.”
  • DHS warns of ransomware activity targeting remote access software: According to TechRadar, “The Department of Homeland Security (DHS) has issued a warning to businesses concerning a rise in ransomware activity targeting businesses that rely on remote access solutions, like remote desktop software.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Companies Name One of the Biggest Cybersecurity Threats: Their Employees: According to The Wall Street Journal, “Nearly 70% of companies say they worry about malicious employees, a WSJ survey found.”
  • Black Hat Survey: Breach Concerns Hit Record Levels Due to COVID-19: Reported in Dark Reading, “Ninety-four percent said they believe the COVID-19 crisis increases the cyberthreat to enterprise systems and data, according to the ‘2020 Black Hat Attendee Survey.’ Twenty-four percent said the increased threat is critical and imminent. Vulnerabilities in enterprise remote access systems that support home workers were the chief concern (57%). Increased phishing and social engineering threats also ranked highly (51%).”
  • Open source vulnerabilities down 20% in 2019: Reported in TechTarget, “Snyk's ‘State of Open Source Security’ report determined that new vulnerabilities were down almost 20% across the most popular ecosystems in 2019 compared with 2018, with cross-scripting vulnerabilities being the most commonly reported. On the other hand, container and orchestration challenges remained worrisome. More than 30% of survey participants said they do not review Kubernetes manifests for insecure configurations.”
  • SOC team members battle with burnout, overload and chaos: Reported in Help Net Security, “The report, based on a survey conducted by Ponemon Institute, examines many of the same issues as last year, and found 60% of SOC team members are still considering changing careers or leaving their jobs due to burnout.”
  • Most malware in Q1 2020 was delivered via encrypted HTTPS connections: Reported in Help Net Security, “67% of all malware in Q1 2020 was delivered via encrypted HTTPS connections and 72% of encrypted malware was classified as zero day, so would have evaded signature-based antivirus protection, according to WatchGuard.”
  • Average Cost of a Data Breach: $116M: Reported in Dark Reading, “The authors of the ‘Trends in Cybersecurity Breach Disclosures’ report from Audit Analytics reviewed 639 cybersecurity breaches at public companies since 2011 and discovered that, on average, each cyber breach costs $116 million.”
  • Cybersecurity market grows but faces pressure amid shrinking IT budgets: Reported in TechRepublic, “The global cybersecurity market increased by 9.7% in the first quarter compared with the same quarter in 2019, Canalys said. The rise in spending was triggered mostly at the end of the quarter as organizations rushed to set up security for their remote workers. The total amount spent hit $10.4 billion, which includes investments in network security, endpoint security, web and email security, data security, and vulnerability and security analytics.”
  • Survey: Most Americans Don’t Worry About Cybersecurity Despite Increased Attacks: Reported in NextGov, “More than two in three Americans are not concerned about internet security despite a massive spike in cyber activity targeting people working remotely due to the coronavirus, according to a global security study published [last] Tuesday. The 2020 Unisys Security Index—based on surveys of more than 15,000 consumers in 15 countries conducted in March and April—found that among Americans, cybersecurity concerns around working from home dropped 13 points in the past year despite a significant rise in cyberattacks during the pandemic.”
  • IBM Security Survey: Most Remote Employees Lack Cyber Guidelines: Reported in MSSP Alert, “Approximately 80 percent of U.S. employees either rarely worked or did not work from home prior to the coronavirus (COVID-19) pandemic, and more than half are now doing so without security policies to help guide them, according to the IBM Security ‘Work from Home Survey.’”

Cybersecurity Acquisitions

News about four major cybersecurity company acquisitions was reported last week:

  • Microsoft acquires industrial cybersecurity startup CyberX for $165M: Reported in Silicon Angle, “Microsoft Corp. has acquired industrial cybersecurity startup CyberX Inc. for an undisclosed sum. Various reports today suggest that the acquisition price was $165 million, following initial reports of the deal in May. Founded in 2013, CyberX offers an industrial cybersecurity platform built by former military cybersecurity experts with nation-state expertise defending critical infrastructure. The company’s platform focuses on continuously reducing industrial control systems risk and preventing costly production outages, safety failures and environmental incidents.”
  • HelpSystems Acquires Two Security Software Companies: Reported in Infosecurity Magazine, “Minnesota software company HelpSystems has acquired two data classification companies in response to ‘brisk’ demands for its security software. The company said that the addition of Canadian company Titus and British firm Boldon James to its security portfolio establishes HelpSystems as ‘the leading platform in data classification and meets customers’ needs for a comprehensive, powerful suite of data security options.’”
  • Atos to Acquire Paladion: According to a press release, “Atos announces an agreement to acquire Paladion, a US-based global provider of Managed Security Services, to strengthen its global cybersecurity services. This acquisition will bring Managed Detection & Response (MDR) capabilities to the Atos portfolio and create the next generation of Atos’ Prescriptive Security Operations Center offering. Paladion is a global leader in cloud-native Managed Detection and Response, delivering to 400+ clients in 12 countries. Its AI-driven technology has consistently been recognized by market analysts for enabling highly effective threat anticipation, detection and response.”
  • Siemens acquires UltraSoC to help customers detect, mitigate and eliminate risks throughout the SoC lifecycle: Reported in Help Net Security, “Siemens has signed an agreement to acquire Cambridge, UK-based UltraSoC Technologies, a provider of instrumentation and analytics solutions that put intelligent monitoring, cybersecurity and functional safety capabilities into the core hardware of system-on-chip (SoC). Siemens plans to integrate UltraSoC’s technology into the Xcelerator portfolio as part of Mentor’s Tessent software product suite.”