NTSC Technology Security Roundup

Weekly News Roundup: June 8, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • Effort to Develop Open Standards for 5G Moves in Intelligence Authorization Act: According to NextGov, “An initiative to fund the development of fifth-generation networking technology based on open standards is among areas addressed in cybersecurity-focused authorizing legislation that passed the Senate Select Committee on Intelligence. ‘This bipartisan intelligence authorization bill ensures that the women and men of our intelligence agencies have the resources they need to do their jobs,’ said Intelligence Ranking Member Mark Warner, D-Va., in a press release [last] Wednesday. ‘This bill takes key steps to improve our national security, including investments in 5G technology, reforms to our security clearance process, and important protections for whistleblowers to report wrongdoing within the IC.’”
  • Becerra submits CCPA final regs, awaits approval to enforce: According to IAPP, “California Attorney General Xavier Becerra announced [last] Tuesday that his office has submitted proposed final regulations under the California Consumer Privacy Act to the state's Office of Administrative Law. The attorney general's office has requested an expedited review of the regulations by OAL, which will have 30 working days and 60 additional calendar days to process the regulations for compliance with the Administrative Procedure Act. Following OAL approval, the regulations will move to the Secretary of State and become enforceable by law.”
  • Sen. Maria Cantwell co-sponsors bill to shield privacy in COVID-19 contact tracing: According to GeekWire, “Sen. Maria Cantwell, D-Wash., is one of the sponsors of bipartisan legislation aimed at ensuring that coronavirus tracing apps protect consumer privacy. The Exposure Notification Privacy Act relates to automated contact tracing tools that are currently being developed by companies ranging from Apple and Google to PricewaterhouseCoopers and Juniper Networks.”
  • Cyber Commission: Expand Connected Device Security Bill Beyond Federal Procurement Realm: According to NextGov, “Legislation requiring manufacturers of connected devices to enable reasonable cybersecurity measures should apply not just to products they sell to the federal government but to all customers, the congressionally established Cyberspace Solarium Commission said in a new white paper. In releasing the ‘pandemic annex’ [last] Tuesday, the commission is capitalizing on the attention focused on responding to the public health crisis to emphasize and augment its recommendations for digitizing critical services.”
  • CBO Says Energy Grid Cybersecurity Bill Would Cost $1.2B: According to MeriTalk, “The Congressional Budget Office (CBO) said that H.R. 5428, the Grid Modernization Research and Development Act of 2019, would cost the United States $1.2 billion over the next five years if enacted. The legislation, cosponsored by Reps. Conor Lamb, D-Pa., and Jaime Herrera Beutler, R-Wash., would ‘refine and expand research and development programs aimed at increasing the reliability and security of the grid.’”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Telecom, tech associations urge lawmakers to address liability issues around supply-chain vulnerability reporting: According to Inside Cybersecurity, “Industry leaders on CISA’s ICT supply-chain task force want Congress and government agencies to consider how changing liability laws could entice companies to disclose more information about their vulnerabilities.”
  • NIST Seeks Input on Position Navigation and Timing Services: According to NextGov, “The National Institute of Standards and Technology has issued a request for information aimed at making the technology associated with the Global Positioning System more resistant to cyberattack. The deadline for responding to the notice NIST posted in the Federal Register [on May 27] is July 3.”
  • Reports from NIST identify cybersecurity baseline, ‘foundational’ activities for IoT device makers: According to Inside Cybersecurity, “The National Institute of Standards and Technology has released two guidances on cybersecurity for Internet of Things devices, framing the action as a key step under the botnet report and roadmap issued by the Commerce and Homeland Security departments in 2018, in answer to President Trump’s executive order on cyber the previous year.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • Top DHS official says to expect 'every intelligence service' to target COVID-19 research: According to The Hill, “Christopher Krebs, the director of the Department of Homeland Security’s cybersecurity agency, said in an interview released this week that he expects to see ‘every intelligence service’ attempt to target and steal COVID-19 research and data. ‘We do expect every intelligence service to be in the mix here,’ Krebs, who serves as director of the Cybersecurity and Infrastructure Security Agency (CISA), said on an episode of CBS’s ‘Intelligence Matters’ podcast published [last] Wednesday. ‘The Chinese have obviously been one of the more brazen in terms of their approach, but others are in the game, too,’ Krebs said. ‘This is a very active space, very active space.’”
  • Coronavirus update: not the type of CV you’re looking for: According to Check Point, “We have seen an increase in CV-themed campaigns in the US, and their ratio – out of all malicious files identified – doubled in the last two months with 1 out of every 450 malicious files being a CV-related scam.” Also, Check Point said, “In May, we saw a 16% increase in cyber attacks when compared to the period between March and April, when coronavirus was at its peak. This was largely due to the increase in malware attacks.”
  • Cyber-Attack Hits US Nuclear Missile Sub-Contractor: According to Infosecurity Magazine, “Confidential documents have been swiped from a US military nuclear missile contractor in a cyber-attack, according to Sky News. [Last Wednesday] the news service reported that cyber-criminals were able to gain unauthorized access to the computer network of New Mexico company Westech International. The attack is believed to have been carried out by the threat group MAZE, which made the headlines last month after claiming to have attacked Minnesota egg supplier Sparboe Companies with ransomware.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • New Research from ISACA Reveals That Organizations with Unfilled Cybersecurity Roles Suffer More Attacks: According to a press release, “[While] the number of respondents indicating they are significantly understaffed fell by seven percentage points from last year, a majority of organizations (62 percent) remain understaffed. Understaffed security teams and those struggling to bring on new staff are less confident in their ability to respond to threats. Only 21 percent of ‘significantly understaffed’ respondents report that they are completely or very confident in their organization’s ability to respond to threats, whereas those who indicated their enterprise was ‘appropriately staffed’ have a 50 percent confidence level.”
  • Many Exchange Servers Are Still Vulnerable to Remote Exploit: Reported in Dark Reading, “Almost four months after Microsoft patched a serious vulnerability in Microsoft Exchange servers, more than 350,000 Internet-connected servers continue to be vulnerable to the privilege escalation flaw, according to a report published [last] Wednesday.”
  • Denial of service attacks against advocacy groups skyrocket: Reported in CyberScoop, “Distributed denial-of-service attacks against advocacy organizations increased by 1,120% since a Minneapolis police officer killed George Floyd by kneeling on his neck, sparking demonstrations throughout the U.S. In figures published [last] Tuesday, the internet security firm Cloudflare said it blocked more than 135 billion malicious web requests against advocacy sites, compared to less than 30 million blocked requests against U.S. government websites, such as police and military organizations.”
  • Cybercriminals exposed 5 billion records in 2019, costing U.S. organizations over $1.2 trillion: Reported in Help Net Security, “Cybercriminals exposed over 5 billion records in 2019, costing over $1.2 trillion to U.S. organizations, according to ForgeRock. Coupled with breaches in 2018 costing over $654 billion, breaches over the last two years have cost U.S. organizations over $1.8 trillion.”
  • Mobile Phishing Attacks Increase Sharply: Reported in Dark Reading, “Mobile security vendor Lookout analyzed data gathered last quarter from smartphones and tablets running its software and found a 66.3% increase in the rate at which corporate users in North America encountered mobile phishing compared with fourth quarter of 2019. Globally, the increase was around 37%.”
  • Over 460 million records exposed in breach incidents reported in May: Reported in Bleeping Computer, “At least 460 million records were exposed in data breach incidents that were reported in May. The figure is a very conservative estimate as it reflects only publicly reported events. In many cases, the amount of data exposed to unauthorized users was not provided, so the number is likely much higher.”
  • After a breach, users rarely change their passwords, study finds: Reported in ZDNet, “Only around a third of users usually change their passwords following a data breach announcement, according to a recent study published by academics from the Carnegie Mellon University's Security and Privacy Institute (CyLab).”
  • Compliance Costs Are Eating Security Budgets: Reported in Security Boulevard, “[Over] half of firms across all the major verticals are spending 40% or more of their IT security budgets on compliance today. More critically, nearly six in 10 companies report that compliance stands as a barrier to enter new markets and prepare new services to meet compliance requirements.”
  • How Cybersecurity Habits at Home Threaten Corporate Network Security: Reported in Security Magazine, “77 percent of remote employees are using unmanaged, insecure ‘BYOD’ devices to access corporate systems [and] 66 percent of employees have adopted communication and collaboration tools like Zoom and Microsoft Teams, which have recently reported security vulnerabilities.”

Cybersecurity Acquisitions

News about four major cybersecurity company acquisitions was reported last week:

  • VMware is acquiring cybersecurity start-up Lastline: Reported in Silicon Republic, “[Last] Thursday (June 4), California-based cybersecurity start-up Lastline announced that it is being acquired by VMware. The news was confirmed in a blogpost written by Lastline CEO John DiLullo. He said that by joining forces with VMware, the cybersecurity business will be able to offer additional capabilities to its customers, while bringing comprehensive security solutions for data center, branch office and remote users to market.”
  • Thoma Bravo to Acquire Secure Business Collaboration Firm Exostar: Reported in Security Week, “Private equity investment company Thoma Bravo [last] Tuesday announced its intention to acquire secure business collaboration solutions provider Exostar, reportedly for roughly $100 million. […] Specifically, the investment company says it wants to combine its expertise in enterprise software solutions with Exostar’s current management to expand capabilities, especially when it comes to cybersecurity.”
  • Zscaler Acquires Edgewise Networks for App-to-App Security: Reported in MSSP Alert, “Zscaler has acquired Edgewise Networks, which specializes in application-to-application communications for public clouds and data centers. Financial terms were not disclosed. Edgewise was privately held and had raised $18 million as of June 2019, the company said at the time.”
  • WatchGuard Completes Panda Acquisition: Reported in Infosecurity Magazine, “US security company WatchGuard Technologies has concluded the acquisition of Spanish cybersecurity solutions provider Panda Security. WatchGuard announced the signing of a definitive agreement to purchase Panda in March 2020. Three months on, 30-year-old company Panda is now a wholly owned subsidiary of WatchGuard.”