NTSC Technology Security Roundup

Weekly News Roundup: July 9, 2018

Industry Groups and Tech Companies Raise Concerns Over California Consumer Privacy Act

Industry groups such as the Internet Association, Consumer Watchdog, and the ACLU along with tech companies (including Google and Facebook) are sharing various concerns over the new California Consumer Privacy Act. Concerns among the different companies and groups range from alarm at how fast the bill was passed to language in the bill that is vague, too tough, or not tough enough. According to Fortune, “Like the EU’s General Data Protection Regulation (GDPR), AB 375 forces companies to tell consumers what personal data they store, why they’re storing it and with whom they’re sharing it. Consumers get to sue companies for data breaches and intentional violations of privacy, and they will be able to tell companies not to sell their personal data without losing access to the companies’ services.”

In the Wake of GDPR, EU Parliament Threatens Suspension of EU-US Privacy Shield

After GDPR took effect in May 2018, the EU Parliament recently threatened to suspend the EU-US Privacy Shield. According to TechCrunch, “The parliamentarians’ view is that the data transfer mechanism does not provide the necessary ‘essentially equivalent’ data protection for EU citizens — and should therefore be suspended until US authorities come into compliance. […] Suspending the mechanism entirely would certainly concentrate minds in the US administration — given the thousands of US companies signed up to rely on it simplifying their business operations. Were that to happen, many of these companies would be left scrambling to put in place alternative legal arrangements to authorize data transfers — or even have to suspend data flows altogether, depending on their threshold for legal risk.”

DHS Developing Products to Help Private Sector

As the DHS continues to expand its mission of helping the private sector, it showed some progress last week with reports about two technology products.

  • According to NextGov, “The DHS Science & Technology Directorate awarded Delaware-based Cyber 20/20 with a $200,000 contract to demonstrate whether its open-source technology will help the financial services sector better defend against emerging threats from nation-states, hackers and other bad actors. Cyber 20/20’s tech is called Trained Using Runtime Analysis from Cuckoo Outputs, or TURACO. According to DHS, it ‘expands the capabilities of Cuckoo, an open-source sandbox, to better detect and analyze malicious attacks.’”
  • According to CyberScoop, “A Department of Homeland Security-funded product designed to better protect mobile-phone users from phishing is becoming available to government and private-sector clients, the department said [last] Thursday. DHS’s Science and Technology Directorate, which partially funded the tools made by mobile security company Lookout, hailed the product’s ability to block phishing attempts and detect malware lurking in mobile applications. The beefed-up product, Lookout Mobile Endpoint Security, is now available for Android and iOS operating systems, the department said.”

Gartner Notes Six Security and Risk Management Trends

As reported in Help Net Security, Gartner recently highlighted six emerging security and risk management trends relevant to security leaders.

1. “Senior business executives are becoming aware that cybersecurity has a significant impact on the ability to achieve business goals and protect corporate reputation.”

2. “Legal and regulatory mandates on data protection practices are impacting digital business plans and demanding increased emphasis on data liabilities.”

3. “Security products are rapidly exploiting cloud delivery to provide more-agile solutions.”

4. “Machine learning is providing value in simple tasks and elevating suspicious events for human analysis.”

5. “Security buying decisions are increasingly based on geopolitical factors along with traditional buying considerations.”

6. “Dangerous concentrations of digital power are driving decentralization efforts at several levels in the ecosystem.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Hiring Alone Will Not Solve Government’s Security Problems: According to NextGov, “…a recent survey of nearly 3,000 security professionals from The Ponemon Institute and ServiceNow indicates that hiring more staff will not be enough to solve the government’s security problems. […] While agencies plan to hire more cyber experts, they will need to adopt automation tools that scan for vulnerabilities and threats to fix broken patching processes if they want to secure their data.”
  • Consumers still happy to exchange data with businesses if there’s a benefit: Reported in Help Net Security, “Globally, 51% of consumers are still happy to exchange their data with businesses, as long as there is a clear benefit for doing so. This is despite 74% having some degree of concern about their online privacy. 83% of consumers across all 10 markets surveyed stated that they would like more control over their personal information.”
  • Cryptocurrency exchange theft surges in first half of 2018: Reported in Reuters, “Theft of cryptocurrencies from exchanges soared in the first half of this year to three times the level seen for the whole of 2017, leading to a three-fold increase in associated money laundering, according to a report from U.S.-based cybersecurity firm CipherTrace released on Tuesday.”
  • New Report Reveals Disparity Between Executives and IT Employees in Their Level of Cybersecurity Concern: According to a press release, “In a May survey of executives, IT, security, audit and finance professionals conducted by Americas' SAP Users' Group (ASUG), only 25 percent of executives, including C-level employees such as CIOs and CTOs, stated that they were very or extremely concerned about security. In contrast, 80 percent of IT and security respondents reported their concern level in the very and extremely concerned range.”
  • Cybersecurity remains non-core competency for most C-suite executives: Reported in Help Net Security, “Whilst cybersecurity has now become a critical business function, it remains a non-core competence for a significant number of boards. CISOs have become increasingly common in recent years (recent research suggests that nearly two-thirds of large US companies now have a CISO position), but the majority do not report directly to the CEO, which reduces their effectiveness.”