NTSC Technology Security Roundup

Weekly News Roundup: July 1, 2019

White House Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity news stories out of the White House from last week.

  • Under Trump, U.S. military ramps up cyber offensive against other countries: According to NBC News, “With little public scrutiny, the U.S. military has drastically stepped up its secret hacking of foreign computer networks in a new effort to keep China, Russia, Iran and other adversaries on their heels, current and former U.S. officials tell NBC News. Empowered with new legal authority from both Congress and President Donald Trump, the military's elite cyber force has conducted more operations in the first two years of the Trump administration than it did in eight years under Obama, officials say — including against Russia, despite Trump's well-documented affinity for Vladimir Putin.”
  • Trump officials weigh encryption crackdown: According to Politico, “Senior Trump administration officials met [last] Wednesday to discuss whether to seek legislation prohibiting tech companies from using forms of encryption that law enforcement can’t break — a provocative step that would reopen a long-running feud between federal authorities and Silicon Valley. […] Senior officials debated whether to ask Congress to effectively outlaw end-to-end encryption, which scrambles data so that only its sender and recipient can read it.”
  • Next steps on software bill of materials project: According to Politico, “Cybersecurity experts [convened on Thursday] for an update on the National Telecommunication and Information Administration’s software component transparency initiative. The project’s goal is to study the feasibility of creating a universal software bill of materials (the digital equivalent of a nutritional label’s ingredient list) to explain that software’s code to customers and users, especially developers incorporating that software into their own products.”

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • Federal Funding, Collaboration Called Essential to SLG Cybersecurity: According to MeriTalk, “Members of the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation discussed at a June 25 hearing ways the Federal government can help state and local governments (SLGs) deal with their cybersecurity challenges, including providing funding and opportunities to collaborate. […] Rep. John Katko, R-N.Y., the subcommittee’s ranking member, said he plans to introduce legislation to create two new grant programs to help state and local governments.”
  • Senate HELP Passes Health Pricing Bill, May Ease HIPAA Enforcement: According to Healthcare IT Security, “The Senate [Health, Education, Labor and Pensions] HELP Committee approved its Lower Health Care Costs Act of 2019, which includes provisions that both incentivize healthcare providers to adopt strong cybersecurity programs and urge the Department of Health and Human Services to consider those programs before making HIPAA enforcement decisions.”
  • NASA, Homeland Security receive D- grades on IT issues: According to The Hill, “The Department of Homeland Security (DHS) and the National Aeronautics and Space Administration (NASA) were both awarded D- grades on their information technology management efforts in a biannual scorecard of federal agencies. The House Oversight government operations subcommittee released version 8.0 of the Federal IT Acquisition Reform Act (FITARA) scorecard in a hearing [last] Wednesday. The scorecard gave IT scores to two dozen agencies, as well as individual scores for each agency in areas such as cybersecurity, the modernization of technology and transparency and risk management.”
  • U.S. Sen. Wyden Asks NIST to Create Secure File Sharing Guide: According to Bleeping Computer, “U.S. Senator Ron Wyden sent a letter to the National Institute of Standards and Technology (NIST) Director Walter G. Copan urging the agency to develop and issue standards as part of a guidance framework for securely sharing sensitive documents over the Internet. […] Wyden's request was prompted by the widespread sharing of highly sensitive files packed as password-protected zip files via email in the government sector…”

Iranian Cyber Retaliation May Impact Private Sector

The idea of “collective defense” and the need for a strong public-private partnership around cybersecurity become glaringly important when nation states attack the private sector in retaliation for geopolitical conflict. According to the Washington Post (via SFGate), “U.S. businesses should get ready for a barrage of digital retaliation from Iran after the Trump administration launched a cyberattack against the Islamic Republic's rocket and missile launching systems, current and former U.S. government officials said this weekend. Iranian hackers are already targeting U.S. companies with specialized malicious software designed to wipe the contents of their computer networks rather than to simply steal their data, Chris Krebs, director of the Homeland Security Department's cybersecurity division, warned in a Saturday email. And cybersecurity companies - which were already clocking a dramatic increase in Iranian hacking during the past few weeks - began warning this weekend that the nation could increase its attacks and make them far more destructive.” Krebs shared additional thoughts about these threats in an interview with Ars Technica.

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Email Threats Continue to Grow as Attackers Evolve, Innovate: Reported in Dark Reading, “According to FireEye, there was a spike in the number of content-less emails in January. Sometimes the emails have contained nonclickable URLs that are activated when a user copies and pastes them into a browser, the vendor noted. FireEye observed a troubling 26% quarter-over-quarter increase in malicious URLs pointing to phishing sites hosted on HTTPS domains. The sites, and the phishing lures to get users there, often spoofed major brands.”
  • DDoS-for-Hire Services Doubled in Q1: Reported in Dark Reading, “Nexusguard analyzed data gathered from multiple public and proprietary sources on distributed denial-of-service attacks during the first quarter of this year. The security vendor discovered that so-called booter websites offering DDoS services for hire more than doubled that quarter compared to the fourth quarter of 2018 - despite a major law enforcement crackdown on such sites in December. DNS amplification attacks—one of the most popular booter services—soared 40% quarter-over-quarter amid uninterrupted demand among cybercriminals.”
  • Construction industry staffers most vulnerable to phishing scams, report: Reported in SC Media, “KnowBe4’s Phishing by Industry 2019 report looked at 19 industries, breaking them down into three categories: small (up to 250 workers), medium (250-999) and large (1,000 and more). Those in the construction industry placed first in falling for attacks in small and medium-sized businesses and second in large corporations, where the hospitality industry took first place.”
  • US enterprises want to expand IT teams, but face skilled worker shortages: Reported in ZDNet, “Sixty-seven percent of enterprises plan to expand full-time IT workers, but many are having trouble hiring skilled employees, according to staffing firm Robert Half Technology. […] Skills where enterprises needed help right away were cybersecurity [and] cloud security…”
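The two lures in the FireEye item above (a near-empty body carrying a bare, non-clickable URL for the reader to paste, and an HTTPS link whose hostname spoofs a major brand) are simple enough to screen for with heuristics at a mail gateway. The Python below is an added example, not code from FireEye, Dark Reading or this roundup; the brand/domain table, the scoring thresholds and the sample message bodies are all constructed for illustration.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Matches schemed URLs, and bare host[/path] tokens that a mail client will not
# turn into a link but a user can still copy and paste into a browser.
URL_RE = re.compile(
    r"(?:https?://[^\s<>\"']+)"
    r"|(?:\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?)",
    re.IGNORECASE,
)

# Assumption: registrable domains that legitimately belong to each brand
# (illustrative table, not exhaustive and not from the original article).
BRAND_DOMAINS = {
    "paypal": ("paypal.com",),
    "microsoft": ("microsoft.com", "live.com", "office.com"),
    "apple": ("apple.com", "icloud.com"),
}

MIN_WORDS = 8       # fewer non-URL words than this counts as "content-less"
SUSPICIOUS_AT = 2   # score at or above which the message is flagged


def extract_urls(body: str) -> list[str]:
    """Every URL-like token in a plain-text body, schemed or bare, trailing punctuation removed."""
    return [m.group(0).rstrip(".,;)") for m in URL_RE.finditer(body)]


def host_of(url: str) -> str:
    """Lower-cased hostname of a schemed or bare URL."""
    if not re.match(r"https?://", url, re.IGNORECASE):
        url = "http://" + url            # urlsplit only parses a netloc after a scheme
    return (urlsplit(url).hostname or "").lower()


def spoofed_brand(host: str) -> str | None:
    """Brand a hostname impersonates, or None when it is (a subdomain of) the brand's own domain."""
    # Collapse hyphens and common digit look-alikes so "paypa1-secure" still reads as "paypal".
    normalized = host.replace("-", "").replace("1", "l").replace("0", "o")
    for brand, domains in BRAND_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return None                  # genuine brand domain, e.g. docs.microsoft.com
        if brand in normalized:
            return brand                 # brand string inside a host the brand does not own
    return None


def analyze(body: str) -> dict:
    """Score one plain-text message body and return the findings."""
    urls = extract_urls(body)
    words = re.findall(r"[A-Za-z]{2,}", URL_RE.sub(" ", body))
    spoofed = []
    for url in urls:
        brand = spoofed_brand(host_of(url))
        if brand:
            spoofed.append((url, brand, url.lower().startswith("https://")))
    content_less = bool(urls) and len(words) < MIN_WORDS
    score = 0
    if content_less:
        score += 2                       # a link with almost no text around it: copy-paste lure
    for _url, _brand, https in spoofed:
        score += 2                       # hostname impersonates a brand
        if https:
            score += 1                   # the padlock lends the lure extra credibility
    return {
        "urls": urls,
        "content_less": content_less,
        "spoofed": spoofed,
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_AT else "benign",
    }


# Constructed sample bodies (not real messages), one per heuristic plus a benign control.
SAMPLES = {
    "copy_paste_lure": "See attached invoice\n\nhttps://paypal-secure-verify.example/login\n",
    "https_brand_spoof": (
        "Dear customer, your Microsoft 365 account will be suspended unless you confirm "
        "your billing details within 24 hours at https://microsoft.com.billing-check.example/confirm "
        "Thank you for your prompt attention to this notice."
    ),
    "benign": (
        "Hi team, the release notes for the Q3 build are ready for review. "
        "I pushed them to https://docs.microsoft.com/ as usual and will merge on Friday "
        "once everyone has had a chance to comment. Thanks, Dana"
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = analyze(body)
        print(f"{name:18} {result['verdict']:10} score={result['score']} spoofed={result['spoofed']}")
```

The brand match is deliberately a loose substring check after collapsing hyphens and look-alike digits, so it errs toward false positives (a host such as snapple.com would be flagged for "apple"); in a gateway this belongs alongside sender and URL reputation lookups rather than as a blocking rule on its own. Note that the subdomain trick (microsoft.com.billing-check.example) is caught because the check compares the registrable domain, not just whether the brand's domain appears somewhere in the host.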