NTSC Technology Security Roundup

Weekly News Roundup: July 13, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • House Approps Panel Approves Funding Boosts for NSF, NIST: According to MeriTalk, “The House Appropriations Subcommittee on Commerce, Justice, Science (CJS), and Related Agencies approved by voice vote a $71.4 billion funding bill for fiscal year 2021. The funding total under the legislation is $1.7 billion lower than the enacted FY2020 level. The bill will now head to the full House Appropriations Committee for a markup. The bill appropriates $1.04 billion for NIST – up from the $718 million requested by the White House earlier this year.”
  • House's DHS funding bill would create public-private cyber center: According to FCW, “The Cybersecurity and Infrastructure Security Agency would receive a hefty budget increase and establish a joint cybersecurity center under a new $56 billion Homeland Security funding bill crafted by the House Appropriations Committee. The bill would set aside $2.25 billion for CISA operations, about $239 million above 2020 spending levels and nearly half a billion more than the agency requested. Approximately $11.6 million would go toward establishing a new Joint Cyber Center for National Cyber Defense.”
  • Massachusetts Could Become First State to Ban Facial Recognition: According to Bloomberg Law, “The Massachusetts Senate is set to approve legislation […] that would make the state the first in the nation to ban law enforcement use of facial recognition technology. An omnibus police reform bill (S. 2800) would place a moratorium on the technology until at least Dec. 31, 2021, when a task force would make recommendations about regulating it or permanently banning it.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Biden campaign taps Obama administration alum to lead cybersecurity team: According to Politico, “Joe Biden’s presidential campaign has hired a veteran cybersecurity expert to oversee its defense against hackers during a general election expected to attract significant interest from foreign adversaries. Chris DeRusha, a former White House cyber adviser and DHS cyber staffer in the Obama administration, has joined the campaign as its chief information security officer, he told POLITICO in an email. DeRusha most recently served as Michigan’s chief security officer.”
  • As data-sharing becomes more crucial, agencies say industry can help with privacy issues: According to FedScoop, “Agencies like the Census Bureau want better commercial off-the-shelf (COTS) technologies for protecting data privacy and computation, so they can securely link datasets and make predictions about the coronavirus pandemic. […] If industry could provide a better tool for securing the environment in which data is stored and analyzed, ensuring trust, then more datasets could be linked painting a comprehensive geographic and economic picture of the virus, said Cavan Capps, the big-data lead at the Census Bureau, during a Data Coalition webinar [last] Wednesday.”
  • Secret Service merging electronic and financial crime task forces to combat cybercrime: According to CyberScoop, “The Secret Service is combining its Electronic Crimes Task Forces (ECTFs) and Financial Crimes Task Forces (FCTFs) into one unified network, the agency announced [last] Thursday. The new merged network of task forces, to be known as Cyber Fraud Task Forces (CFTFs), will detect, prevent and root out cyber-enabled financial crimes, such as business email compromise and ransomware scams, ‘with the ultimate goal of arresting and convicting the most harmful perpetrators,’ the Secret Service said in a press release.”
  • NTIA extends comment deadline on developing info-sharing program for ‘trusted providers’: According to Inside Cybersecurity, “The National Telecommunications and Information Administration is giving industry more time to provide input on how agencies should develop a legislatively mandated program focused on info-sharing between telecoms and their suppliers.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • FBI Director Wray warns of Chinese hacking, espionage threats against American companies: According to The Hill, “FBI Director Christopher Wray [last] Tuesday warned of ongoing Chinese counterintelligence threats to American companies and health care groups, saying that Chinese espionage cases had increased by 1,300 percent over the past decade. […] Wray said the threats were so widespread that all of the FBI’s field offices across the country were working on cases around Chinese espionage and that the FBI opened a new Chinese counterintelligence investigation ‘about every 10 hours.’”
  • Foreign cyber criminals take aim at Americans working from home: According to The Hill, “Federal officials and experts are warning that foreign cyber criminals are targeting U.S. businesses and Americans who are working from home on less-secure networks during the COVID-19 pandemic. Millions of Americans have shifted to working at home indefinitely to help halt the spread of COVID-19, placing them outside of more secure office networks and away from company IT professionals. According to a senior intelligence official, foreign cyber criminals are taking notice.”
  • Where CISA’s Plan for Securing Industrial Control Systems Intersects with Private-Sector Liability Protections: According to NextGov, “The Cybersecurity and Infrastructure Security Agency’s newly released strategy to invest in technology to protect industrial control systems from cyberattacks relies on private-sector entities sharing information about risks they face with the government but doesn’t include liability protections companies are asking for in exchange. […] CISA’s five-year plan to protect these systems is to work with their private-sector owners and operators to identify the threats they’re encountering and assess where they’re vulnerable, so the government can ultimately prioritize investments to improve their defenses.”
  • US Secret Service reports an increase in hacked managed service providers (MSPs): According to ZDNet, “In a security alert sent out on June 12, Secret Service officials said their investigations team (GIOC – Global Investigations Operations Center) has been seeing an increase in incidents where hackers breach MSP solutions and use them as a springboard into the internal networks of the MSP's customers. Secret Service officials said they've been seeing threat actors use hacked MSPs to carry out attacks against point-of-sale systems, to perform business email compromise (BEC) scams, and to deploy ransomware.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • 2020 is on Track to Hit a New Data Breach Record: According to Hot for Security, “Around 16 billion records have been exposed so far this year. According to researchers, 8.4 billion were exposed in the first quarter of 2020 alone, a 273% increase from the first half of 2019 which saw only 4.1 billion exposed.”
  • Sophos Survey: 70% of Organizations Fall Victim to Public Cloud Cybersecurity Incidents: According to a press release, “[Nearly] three quarters (70%) of organizations experienced a public cloud security incident in the last year – including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%). Organizations running multi-cloud environments are greater than 50% more likely to suffer a cloud security incident than those running a single cloud.”
  • Honeywell Cybersecurity Research Reveals The Risk Of USB Threats To Industrials Has Doubled Over 12 Months: According to a press release, “The findings from the latest Honeywell Industrial USB Threat Report show that the total amount of threats posed by USB removable media to industrial process control networks remains consistently high, with 45% of locations detecting at least one inbound threat. Over the same time period, the number of threats specifically targeting OT systems nearly doubled from 16 to 28%, while the number of threats capable of causing a loss of view or other major disruption to OT systems more than doubled, from 26 to 59%.”
  • Survey Surfaces Heavy Security Toll From Alert Fatigue: Reported in Security Boulevard, “70% of respondents have seen the volume of security alerts more than double in the past five years. There is almost unanimous agreement (99%) that high volumes of alerts are causing problems for IT security teams, with 83% of respondents saying their security staff are experiencing alert fatigue. Three-quarters of respondents (75%) said they would need three or more additional security analysts to address all alerts the same day.”
  • Financial Firms Speeding Tech Adoption Due to Pandemic: Reported in Think Advisor, “In the next six months, financial services firms plan to focus on increasing cybersecurity and risk management more than any other tech changes, with 63% of those surveyed citing that, according to Broadridge. That was followed by enhancing multi-channel client communications (60%), improving customer engagement and experience (53%) and making significant cost reductions (45%).”
  • BYOD: A trend rife with security concerns: Reported in TechRepublic, “Nearly 70% of respondents said employees are allowed to bring their own devices to work while more than 20% said contractors and partners were also allowed to. But now that data breaches have become a daily occurrence, the security concerns around the use of personal devices have given cybersecurity experts pause. According to the survey, 63% of respondents expressed concerns about data leakage, insecure app downloads, or unsafe content. More than half of survey respondents said they had concerns about malware and unauthorized access to company systems and data.”
  • Surge In Remote Work Propels Network Visibility To Top Concern For Both NetOps And SecOps: According to a press release, “73 percent of respondents said security professionals need comprehensive visibility into network infrastructure to enhance cybersecurity efforts and speed remediation. […] More than half of respondents (54 percent) have already deployed IoT devices. While another 24 percent of respondents plan to do so in the next 12 months, only 57 percent of them have a mechanism in place to monitor those devices.”