Weekly News Roundup: July 15, 2019
Congressional Cybersecurity News Update
Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.
- Trump Administration Hasn’t Briefed Congress on New Rules for Cyberattacks, Lawmakers Say: According to the Wall Street Journal, “The Trump administration hasn’t allowed members of Congress to read a classified directive President Trump issued almost a year ago outlining new rules for the military’s use of cyber weapons, despite repeated requests, according to lawmakers and others familiar with the matter. The issue has prompted concern on Capitol Hill that the Pentagon is increasingly deploying offensive cyber operations against adversaries—including against Iran last month during a peak in tensions with Tehran—without keeping congressional overseers adequately informed.”
- Top House Republican wants internet users to own their data: According to The Hill, “A top House Republican wants internet users to own data that they generate online to give them more control over what information is collected about them by internet companies. Rep. Doug Collins (R-Ga.), the ranking member on the House Judiciary Committee, released a set of internet privacy principles on Wednesday he said will guide legislation that he plans to release in the coming months.”
- Senate Commerce Advances Blockchain, Internet of Things Legislation: According to Lexology, “[Last] Wednesday, the Senate Commerce, Science, and Transportation Committee held an executive session during which it advanced by voice vote S. 553, the Blockchain Promotion Act, sponsored by Senators Young (R-IN) and Markey (D-MA). The bill directs the Department of Commerce to create a working group that would recommend a consensus-based definition of blockchain technology and make recommendations to the National Telecommunications and Information Administration (NTIA) and Federal Communications Commission (FCC) to study the potential impact of the technology on spectrum policy. The Committee also advanced S. 1611, the Developing Innovation and Growing the Internet of Things (DIGIT) Act, sponsored by Sens. Fischer (R-NE), Gardner (R-CO), and Schatz (D-HI), which creates a public-private working group tasked with making recommendations on how Congress can help facilitate the growth of connected Internet of Things (IoT) technologies.”
- Small Business Cybersecurity Assistance Act Offers Tools, Consulting, Resources: According to MSSP Alert, “The Small Business Cybersecurity Assistance Act, introduced by Sens. Gary Peters (D-MI) and Marco Rubio (R-FL) would authorize Small Business Development Centers (SBDCs) to work with DHS to advise small businesses on how to strengthen their cybersecurity protocols. The legislation is right in Rubio’s wheelhouse — he chairs the Senate Committee on Small Business and Entrepreneurship. Because small businesses often lack the resources to build robust cybersecurity defenses they are a favorite target of hackers. A combination of DHS’ offerings and the expertise of a managed security service provider could make small businesses a formidable foe for cyber attackers.”
Cybersecurity Reports and Surveys Roundup
We’ve rounded up a few of the best cybersecurity reports and surveys released last week:
- Cybersecurity incidents led to $45 billion in losses in 2018: Reported in The Hill, “Cyber incidents in the U.S. led to an estimated loss of $45 billion in 2018, according to a report released Tuesday by the Internet Society’s Online Trust Alliance (OTA). OTA’s Cyber Incident and Breach Trends report found that the financial impact of ransomware cyberattacks rose by 60 percent, while financial losses from the compromise of business emails doubled and cryptojacking incidents more than tripled from the year before.”
- Cybersecurity: Malware lingers in SMBs for an average of 800 days before discovery: Reported in TechRepublic, “22% of SMBs said their networks have encountered a ransomware attack that bypassed preventative security controls, while fileless malware attacks are also on the rise. Average attack dwell time—the time between an attack penetrating a network's defenses and being discovered—ranged from 43 to 895 days for SMBs, the report found. The average dwell time for confirmed, persistent malware was 798 days.”
- Cybersecurity Training Study Reveals Phishing Identification and Data Protection Are the Top Problem Areas for End Users: According to a press release, “Overall, one in every four questions in the ‘Identifying Phishing Threats’ and ‘Protecting Data Throughout Its Lifecycle’ categories [in Proofpoint’s fourth annual Beyond the Phish® report] were answered incorrectly. The 2019 Beyond the Phish report signifies that while employees have become more familiar with the hallmarks of phishing attacks and the need to protect data, knowledge gaps remain that cybercriminals can exploit.”
- Cybersecurity is the biggest threat to the world economy over the next decade, CEOs say: Reported in CNBC, “CEOs see cybersecurity as the number one threat to the global economy over the next five to ten years, a new report has claimed. In its 2019 CEO Imperative Study, published [last] Tuesday, management consultancy EY surveyed 200 global CEOs among the Forbes Global 2000 and Forbes Largest Private Companies. Researchers also interviewed 100 senior investors from global firms that had managed at least $100 billion in assets.”
- Survey finds that cyber security budgets are up; with additional investments being made in risk identification and resilience: Reported in Continuity Central, “Companies worldwide expect to boost their cyber security investments by 34 percent in the next fiscal year, after raising them by 17 percent the previous year, according to a new study covering 467 firms across industries and based in 17 countries. About 12 percent of companies surveyed plan to bolster their cyber security investments by over 50 percent.”
- IT pros: we’re understaffed, under-resourced and under pressure: According to Sophos, “[Two] out of three organizations (68%) suffered a cyber attack in 2018 that they were unable to prevent from entering their network. Nine out of 10 (91%) said they were running up-to-date cybersecurity protection at the time. Why are companies still getting hit even though they are taking tangible steps to reduce their cybersecurity risk? The report muses that there are some security holes not being plugged.”
Cybersecurity Acquisitions
Two major cybersecurity company acquisitions were reported last week:
- IBM Closes Acquisition of Red Hat for $34 Billion: According to a press release, the “acquisition positions IBM as the leading hybrid cloud provider and accelerates IBM’s high-value business model, extending Red Hat’s open source innovation to a broader range of clients.” IBM says it will preserve Red Hat’s independence and neutrality, and “Red Hat will strengthen its existing partnerships to give customers freedom, choice and flexibility.”
- NTT Security Corporation acquires WhiteHat Security: According to a press release, NTT Security Corporation (Tokyo) has signed a definitive agreement to acquire privately owned WhiteHat Security, an application security provider committed to securing applications that run enterprises’ businesses. Post-acquisition, WhiteHat Security will operate as an independent, wholly owned subsidiary of NTT Security Corporation.