NTSC Technology Security Roundup

Weekly News Roundup: July 22, 2019

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • Senate Privacy Group Talks Data Security, Adding to FTC Role: According to Bloomberg Government, “The Senate Judiciary Committee’s first privacy working group met with large tech companies to discuss data security and increasing the Federal Trade Commission’s authority as lawmakers work to develop federal privacy legislation before the end of the year. The tech task force led by Sen. Marsha Blackburn (R-Tenn.) heard from tech companies Snap Inc., Mozilla, Salesforce and Match Group Inc. [last] Thursday. Lawmakers want to look at data security issues, competition and how to define harm in the context of consumer’s privacy being violated by internet companies, Blackburn told reporters after the meeting.”
  • Senators introduce legislation to boost cyber defense training in high school: According to The Hill, “A bipartisan group of senators [last] Thursday introduced legislation to increase cybersecurity training for U.S. high school students involved in the Junior Reserve Officers’ Training Corps (JROTC) in an effort to increase overall cyber defense training. The JROTC Cyber Training Act would direct the secretary of Defense to create a program to enhance the preparation of JROTC high school students for military or civilian careers in cybersecurity and computer science, including internship or research opportunities and funding for training. The bill is sponsored by Sens. Jacky Rosen (D-Nev.), Marsha Blackburn (R-Tenn.), John Cornyn (R-Texas) and Gary Peters (D-Mich.).”
  • House panel advances anti-robocall bill: According to The Hill, “A House panel [last] Wednesday voted to advance legislation aimed at protecting U.S. consumers from the billions of illegal robocalls made every year. The Stopping Bad Robocalls Act had accrued 152 co-sponsors and passed the House Energy and Commerce Committee, 49-0.”
  • Legislation would establish group to enhance cybersecurity: According to Homeland Preparedness News, “Bipartisan legislation introduced [last] Wednesday would establish an interagency working group tasked with developing accountability metrics to enhance cybersecurity protocols and protecting federally-funded research and development activities from foreign interference, espionage, and exfiltration. […] Under the [bipartisan Secure American Research Act], the group would have the power to draft unified security policies, guidance, and best practices to protect taxpayer-funded research; develop strategies to defend against cyber-attacks and foreign espionage threatening federal research and development; and promote the ongoing coordination of information sharing between agencies, the private sector, and academia to better understand and address the threats from foreign espionage.”
  • House E&C Committee Approves Several Cyber Bills: Reported in MeriTalk, the House Energy & Commerce Committee approved:
    • “[The] Energy Emergency Leadership Act (H.R. 362), which would create a new assistant secretary position in the Department of Energy (DoE) with jurisdiction over energy security functions, including cybersecurity.”
    • “[The] Cyber Sense Act of 2019 (H.R. 360), which would require DoE to establish a voluntary program to test the cybersecurity of products in the bulk-power system.”
    • “Under [the Pipeline and LNG Facility Cybersecurity Preparedness Act (H.R. 370)], DoE would coordinate partners in government and the energy sector, develop cybersecurity capabilities and pilots, and develop curricula for pipeline cybersecurity.”
    • “[The] Enhancing Grid Security through Public-Private Partnerships Act (H.R. 359), which would develop a program to promote physical and cybersecurity at electric utilities.”
  • House passes bills to boost small business cybersecurity: According to The Hill, “The House passed legislation by voice vote [last] Monday intended to increase cybersecurity at the Small Business Administration (SBA) and separately approved a bill to help small businesses defend against cyber attacks.” The two bills were H.R.1649 – the Small Business Development Center Cyber Training Act of 2019 and H.R.2331 – the SBA Cyber Awareness Act.

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • FTC looks to update children's internet privacy rules: According to The Hill, “The Federal Trade Commission (FTC) is looking to update its rules on internet privacy for children after renewed concerns about how tech companies are catering to, and collecting data on, young internet users. The five FTC commissioners voted unanimously to seek public input on updating its regulations on the Children’s Online Privacy Protection Act (COPPA), which went into effect nearly 20 years ago.”
  • Will defense contractors be ready for CMMC?: According to FCW, “Defense contractors will face big changes and tight timelines over the next year as the Department of Defense rolls out its new Cybersecurity Maturity Model Certification framework, experts say. The framework, which aims to certify a company's compliance with federal cybersecurity regulations around controlled unclassified information (CUI), was announced by DOD officials in June. It will be used to evaluate and rate contractors' ability to protect sensitive data on a 1-5 scale starting next year. The initial version of the framework is scheduled to go public in January 2020.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Cybersecurity still a top concern among RIA compliance execs: Reported in Investment News, “For the sixth year in a row, cybersecurity remains the biggest compliance concern at registered investment adviser firms, according to a survey of 369 RIA firms by the Investment Adviser Association and ACA Compliance Group. Cybersecurity is the ‘hottest’ compliance topic among 83% of survey respondents, with 70% indicating that their firms increased compliance testing in this area over the past year, the organizations said in a joint release.”
  • Threatlist: 68% of Overwhelmed IT Managers Can’t Keep Up with Cyberattacks: Reported in Threatpost, “In a survey of 3,100 IT managers across 12 countries (at organizations with 100 to 5,000 employees), two out of three of them said their organizations (68 percent) suffered a cyberattack in 2018, despite efforts to prevent them. This, despite the fact that a full 26 percent of IT’s time, on average, is spent on cybersecurity issues. Nine out of 10 (91 percent) of respondents said they were running up-to-date cybersecurity protections at the time of a successful attack, according to Sophos, who published the report.”
  • Check Point’s 2019 Cloud Security Report Identifies Range of Enterprise Security Challenges in Public Clouds: According to a press release, key findings of Check Point’s 2019 Cloud Security Report include the top four public cloud vulnerabilities cited by respondents: unauthorized cloud access (42 percent), insecure interfaces (42 percent), misconfiguration of the cloud platform (40 percent), and account hijacking (39 percent).
  • GitLab Survey Surfaces Major DevSecOps Challenges Ahead: Reported in DevOps.com, “[Half] of the respondents reported that security vulnerabilities are discovered mostly by the security team rather than developers after code is merged and in a test environment. And, when cybersecurity professionals participate in a DevSecOps process, the survey found those organizations are three times more likely to discover bugs before code is merged. In addition, a full 90% of those organizations are more likely to have tested between 91% and 100% of their code early in the development process.”
  • Data Loss, Leakage Top Cloud Security Concerns: Reported in Dark Reading, “Most (93%) cybersecurity professionals are ‘moderately to extremely concerned’ about cloud security, with data loss and leakage (64%) and data privacy (62%) at the top of the collective list.”

Cybersecurity Acquisition News

Two major cybersecurity acquisition stories appeared last week.

  • Broadcom Reportedly Gives Up on Symantec Buyout: According to Yahoo! Finance, “Broadcom AVGO has ceded its intention to acquire Symantec SYMC as the to-be-acquired company maintained its stance on $28 per share deal, per a CNBC report citing ‘people familiar with the matter.’ Previously reports stated that Broadcom was willing to make a deal of $28.25 per share for Symantec. However, later the chipmaker wanted the acquisition to close below $28, which wasn’t acceptable to Symantec.”
  • Cisco In Talks To Buy Signal Sciences To Grow Cybersecurity Portfolio: According to CRN, “Cisco Systems is mulling another security purchase to build out its growing portfolio, according to a new report. The tech giant is in talks to purchase Signal Sciences, a Los Angeles cybersecurity startup in which Cisco already has a relationship, according to a report published by The Information [last] Friday that cited several people familiar with the conversations. Five-year-old Signal Sciences is a web application security company that develops software to protect applications running in private data centers and in the cloud.”