NTSC Technology Security Roundup

Weekly News Roundup: July 29, 2019

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • IoT Cybersecurity Improvement Act calls for deployment standards: According to TechTarget, “The IoT Cybersecurity Improvement Act of 2019, co-sponsored by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas), would require the National Institute of Standards and Technology (NIST) to issue guidelines for the secure development, configuration and management of IoT devices. It would also require the federal government to comply with these NIST standards. Perhaps more significantly, the bill would likely reach beyond the federal government if passed and made into law. Security experts predict that NIST standards would help elevate IoT security throughout private industry and during development of consumer products.”
  • House passes anti-robocall bill: According to The Hill, “The House [last] Wednesday took a major step toward cracking down on illegal robocalls by passing legislation allowing for tougher penalties against the scammers who generate billions of unwanted calls each year. Lawmakers passed the measure, sponsored by Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.), in a 429-3 vote. The bill takes aim at illegal spam calls by toughening up the Federal Communications Commission’s (FCC) ability to take action against illegal robocalling operations and requiring all carriers to implement technology to make sure calls are authentic.”
  • Senate committee advances ‘deepfakes’ legislation: According to The Hill, “A Senate committee on Wednesday approved legislation designed to lessen the threats posed by altered or manipulated videos known as ‘deepfakes.’ The Senate Homeland Security and Governmental Affairs Committee approved by voice vote bipartisan legislation that would direct the Department of Homeland Security (DHS) to conduct an annual study of deepfakes and similar content. The measure, introduced last month by Sens. Rob Portman (R-Ohio) and Martin Heinrich (D-N.M.), also would require DHS to assess the artificial intelligence (AI) technologies used to create deepfakes and propose changes or new regulations around these technologies.”
  • Senators propose bills to improve cybersecurity for cars, planes: According to a press release, “Senator Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.), members of the Commerce, Science and Transportation Committee, [last] week reintroduced two pieces of legislation to address cybersecurity in cars and on airplanes in the age of the Internet of Things. The first bill – the Security and Privacy in Your Car (SPY Car) Act – directs the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to ensure cybersecurity in increasingly computerized vehicles and to protect drivers’ privacy. […] The second piece of legislation – the Cybersecurity Standards for Aircraft to Improve Resilience (Cyber AIR) Act – requires the disclosure of information relating to cyberattacks on aircraft systems, as well as the establishment of standards to identify and address cybersecurity vulnerabilities to the United States commercial aviation system.”
  • Modernization panel calls for staffer HR hub, mandatory cybersecurity training: According to Roll Call, “The Select Committee on the Modernization of Congress unanimously approved two dozen recommendations [last] Thursday, urging lawmakers to create a centralized human resources hub for staffers, resurrect the Office of Technology Assessment and make cybersecurity training mandatory.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • NSA to establish new cybersecurity arm this fall: According to The Hill, “The National Security Agency (NSA) announced Tuesday that it will form a cybersecurity arm in October to unify its foreign intelligence and cyber defense missions. The Cyber Directorate will be responsible for defending against ‘threats to National Security Systems and the Defense Industrial Base,’ the NSA said in announcing the new initiative.”
  • AG Barr rails against encryption — but security experts have heard it before: According to NBC News, “[Last] Tuesday, Attorney General William Barr had an ominous message for the American public: so-called ‘warrant-proof’ strong encryption that law enforcement can’t access imposes an unacceptably high risk to the country. […] Barr’s words echoed those of government officials going back more than 25 years who have called for the government’s ability to bust through strong encryption, which can make data held on a cellphone or computer almost unreadable to anyone who does not possess the password to decrypt it. It’s a message security experts have heard before and expect to hear again, particularly now that some major tech companies have embraced encryption as a way to promise security to consumers who are starting to take privacy seriously.”
  • Pentagon Picks GOP House Candidate to Lead Cyber Office: According to Bloomberg, “The Pentagon has named an unsuccessful Republican congressional candidate to lead a new cybersecurity office, according to a memo obtained by Bloomberg News. Katie Arrington, who lost in her campaign for a South Carolina House seat last year, will lead a new Chief Information Security Office under Kevin Fahey, the assistant defense secretary for acquisition, said in the memo dated [last] Wednesday.”

Data Breach News Roundup

Two stories last week presented significant developments in how the federal government and state governments are handling data breach notification and related penalties.

  • Equifax to pay up to $700 million to feds, states in 2017 data breach settlement: According to The Hill, “Equifax will pay $575 million in fines for the massive 2017 data breach that exposed sensitive information for 147 million people. The sum is part of a settlement announced Monday morning with 50 U.S. attorneys general, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB). The settlement requires Equifax to pay $300 million to a compensation fund for victims of the breach, and the company could end up paying an additional $125 million if the fund runs out — meaning the company could end up paying as much as $700 million.”
  • New York Boosts Cybersecurity by Expanding Breach Definition: According to GovTech, “Companies will have to be more forthcoming with New Yorkers about cyber-attacks that jeopardize private data under a pair of new laws signed [last] Thursday by Gov. Andrew Cuomo. The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, updates New York’s laws concerning notification requirements and consumer data protection obligations and broadens the state Attorney General’s oversight regarding data breaches impacting New Yorkers.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Users in dark about security products' effectiveness: Reported in Axios, “53% of IT security managers don't know whether the cybersecurity products they use actually work as promised, according to an upcoming survey from the Ponemon Institute and security firm AttackIQ.”
  • Cybersecurity knowledge gap not uniform across sectors: Reported in HR Dive, “Workers in finance know more than workers in other industries about cybersecurity, according to a report from Proofpoint. After analyzing more than 100 million answers to cybersecurity questions from employees in 16 industries, Proofpoint found that finance workers answered 80% of questions correctly. Transportation and education sector workers had the least knowledge among the various sectors, answering 24% of questions correctly on average, Proofpoint determined.”
  • Cybersecurity Risks Are Threatening Deals, Industry Survey Shows: Reported in Bloomberg, “53% reported that their organization had encountered a critical cybersecurity issue or incident that put an M&A deal in jeopardy. And 65% of respondents said they had experienced buyers’ remorse because of cybersecurity concerns after closing a deal.”
  • Survey: Only Half of Organizations Believe They Can Stop Cyber Attacks: According to a press release, “50 percent of organizations believe attackers can infiltrate their networks each time they try. […] According to the CyberArk Global Advanced Threat Landscape 2019 Report, less than half of organizations have a privileged access security strategy in place for DevOps, IoT, RPA and other technologies that are foundational to digital initiatives.”
  • CEOs’ Low Cyber Compliance Exposes Businesses to Major Risk: According to a press release, “Although the research demonstrated that many senior IT professionals have tried to implement CEO-specific cybersecurity plans, more than half (54%) believe their CEO exposes their organization to potential compromise by not following procedure. Over a third (38%) also weren’t fully aware of the technology their CEO used in their own homes.”