NTSC Technology Security Roundup

Weekly News Roundup: July 6, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • Lawmakers push cyber updates in Senate defense bill: According to FCW, “Proposals from the Cyberspace Solarium Commission report have been introduced in the Senate [last] week as part of the National Defense Authorization process. The amendments filed by Sens. Angus King (I-Maine) and others include more than a dozen provisions drawn from the report. These include proposals to set up an information sharing environment and forensic malware repository between the Cybersecurity and Infrastructure Security Agency and the National Security Agency and establish a new Bureau of Cyber Statistics at the Department of Commerce and a new Bureau of Cyberspace Security and Emerging Technology at the State Department as well as a strategy to secure foundational internet protocols and email and mandate security certification and labeling for information and communication technology products.”
  • Lawmakers, White House square off over new cyber post: According to FCW, “Members of the Cyberspace Solarium Commission are hopeful that they can pass legislation establishing a National Cyber Director, but they're still working to figure out what specific objections the White House may have to the proposal. In a June 30 call with reporters, King said that while he has heard the White House opposes the idea, he has yet to see ‘a letter or a statement’ explaining why, or whether different legislative language could alleviate any concerns. He views the proposal as ‘a favor’ to the White House by giving it a single point of accountability on cyber policy issues.”
  • Defense bill amendment would put a cybersecurity coordinator in each state: According to StateScoop, “A bipartisan group of U.S. senators [last] Monday proposed an amendment to the upcoming National Defense Authorization Act that would give each state a federally funded ‘cybersecurity coordinator’ to manage the information-security relationships between the federal government, states and their localities. The amendment, from Sens. Maggie Hassan, D-N.H., John Cornyn, R-Texas, Rob Portman, R-Ohio, and Gary Peters, D-Mich., borrows language from a similar bill the same quartet proposed in January and got passed in March by the Senate Homeland Security Committee.”
  • House version of annual defense policy bill clears Armed Services panel, steeped in cyber provisions: According to Inside Cybersecurity, “The annual National Defense Authorization Act cleared a hurdle late [last] Wednesday, passing the House Armed Services Committee on a 56-0 vote and advancing a number of Cyberspace Solarium Commission and other cybersecurity proposals.”
  • King-Sasse amendments, reflecting Solarium Commission work, could revamp nation’s info-sharing system: According to Inside Cybersecurity, “Cybersecurity amendments that Sens. Angus King (I-ME) and Ben Sasse (R-NE) hope to add during Senate floor debate on the annual defense policy bill would attempt to super-charge the threat information-sharing process with the most significant structural and policy changes since enactment of the Cybersecurity Act of 2015.”
  • Deepfake Threats Would Get Annual DHS Look Under Proposed Law: According to Defense One, “Bipartisan legislation directing an annual, comprehensive examination into the technology underpinning, and threats posed by super-realistic manipulated media called deepfakes may have found a path forward as an amendment to the Senate’s fiscal 2021 National Defense Authorization Act. Sens. Rob Portman, R-Ohio and Brian Schatz, D-Hawaii proposed adding the Deepfake Report Act—originally unveiled one year ago—to the annual authorization bill [last] Thursday. The Deepfake Report Act, which passed the Senate in October and was referred to the House Consumer Protection and Commerce Subcommittee, would mandate the Homeland Security Department to investigate the potential impacts of deepfakes and other, related technologically altered content on national and election security.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • National Security Agency warns that VPNs could be vulnerable to cyberattacks: According to CBS News, “The National Security Agency issued a new cybersecurity advisory [last] Thursday, warning that virtual private networks, or VPNs, could be vulnerable to attacks if not properly secured. The agency's warning comes amid a surge in telework as organizations adapt to coronavirus-related office closures and other constraints.”
  • FCC formally designates Huawei and ZTE as national security threats: According to The Hill, “The Federal Communications Commission (FCC) [last] Tuesday formally designated Chinese telecommunications groups Huawei and ZTE as national security threats, blocking them from accessing FCC funds. The move was the formalization of a unanimous decision by the FCC in November to ban U.S. telecom groups from using the FCC’s $8.3 billion Universal Service Fund to purchase equipment from companies deemed threats. Both Huawei and ZTE were identified as national security threats in November, with the FCC’s Public Safety and Homeland Security Bureau formalizing this process [last] Tuesday.”
  • FERC seeks comments on critical infrastructure cyber risks, mitigation tactics: According to Inside Cybersecurity, “The Federal Energy Regulatory Commission is asking for industry input on how its critical infrastructure standards could be changed to ‘adequately address’ cybersecurity risks, anomaly detection and mitigation of cybersecurity events.”
  • Artificial Intelligence Systems Will Need to Have Certification, CISA Official Says: According to NextGov, “Vendors of artificial intelligence technology should not be shielded by intellectual property claims and will have to disclose elements of their designs and be able to explain how their offering works in order to establish accountability, according to [Martin Stanley, a senior technical advisor who leads the development of CISA’s artificial intelligence strategy].”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Trend Micro Finds 72% of Remote Workers Have Gained Cybersecurity Awareness During Lockdown: According to a press release, “Nearly three quarters (72%) of remote workers say they are more conscious of their organization’s cybersecurity policies since lockdown began, but many are breaking the rules anyway due to limited understanding or resource constraints.”
  • The more cybersecurity tools an enterprise deploys, the less effective their defense is: Reported in ZDNet, “On average, enterprises deploy 45 cybersecurity-related tools on their networks. The widespread use of too many tools may contribute to an inability not only to detect, but also to defend from active attacks. Enterprises that deploy over 50 tools ranked themselves 8% lower in their ability to detect threats, and 7% lower in their defensive capabilities, than other companies employing fewer toolsets.”
  • US Schools and Colleges Have Leaked 24.5 Million Records Since 2005: Reported in Infosecurity Magazine, “Schools and colleges in the US have leaked 24.5 million records since 2005, according to new research by technology website Comparitech. K–12 school districts across the country have suffered 1327 breaches in the last 15 years – with last year’s count setting an all-time high.”
  • Unauthorized Data Sharing Puts Companies at Risk: Reported in Infosecurity Magazine, “According to the survey, 30% of systems administrators granted direct access to sensitive data based only on user requests. The results show up in audits and can lead to financial penalties. Of companies that experienced unauthorized data-sharing incidents, 54% ended up with non-compliance findings from audits.”
  • DDoS Attacks Jump 542% from Q4 2019 to Q1 2020: Reported in Dark Reading, “In the first quarter of 2020, distributed denial-of-service (DDoS) attacks jumped more than 542% compared with the last quarter of 2019 and more than 278% year-over-year. NexusGuard researchers suggest the spike may be linked to a parallel increase in malicious cyber activity during the COVID-19 pandemic.”
  • Businesses Lack a Workable Ransomware Recovery Strategy: Reported in Infosecurity Magazine, “According to research from Ontrack of 484 organizations, 39% either did not have or were not unaware of a ransomware strategy, while 26% admitted they couldn’t access any working backups after an attack.”
  • Malware Incidents Fall Amid Overall Rise in Security Events Last Year: Reported in Infosecurity Magazine, “Malware incidents fell by 23% in 2019 despite an overall increase in security events, according to Orange Cyberdefense in its inaugural Security Navigator report. The findings suggest that businesses have grown investment in technologies that protect themselves from these kinds of threats, leading cyber-criminals to shift to other types of attack. Of the security events the cybersecurity company analyzed last year, only 22% were classified as malware-related, which compared to 45% in the previous year.”