NTSC Technology Security Roundup

Weekly News Roundup: August 12, 2019

North Korea Has Made $2 Billion from Cyberattacks

At many NTSC conferences, events, and meetings, we hear about the ongoing onslaught of nation state attacks against businesses. Recently, a confidential United Nations report illustrates the benefits that accrue to nation states from such attacks. According to Reuters, “North Korea has generated an estimated $2 billion for its weapons of mass destruction programs using ‘widespread and increasingly sophisticated’ cyberattacks to steal from banks and cryptocurrency exchanges, according to a confidential U.N. report seen by Reuters [last] Monday. […] The experts said North Korea ‘used cyberspace to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income.’ They also used cyberspace to launder the stolen money, the report said.”

Cybersecurity Regulatory News Update

In regulatory news related to cybersecurity last week…

  • Delaware and New Hampshire Join Growing List of States With New Insurance Data Security Laws: According to the National Law Review, “Delaware (July 31, 2019) and New Hampshire (August 2, 2019) have become the latest states to add to the insurance cybersecurity landscape by enacting information security laws. These laws come on the heels of Connecticut’s law enacted a few days earlier. Notably, while Connecticut followed the New York Department of Financial Services’ 2017 Cybersecurity Regulations model, Delaware and New Hampshire followed South Carolina, Ohio, Michigan, and Mississippi in adopting a version of the model law put forth in 2018 by the National Association of Insurance Commissioners (“NAIC”). Although the New York and NAIC frameworks are similar—both require written information security programs and impose a 72-hour breach notification deadline—the legislation as enacted by each state varies, resulting in a patchwork compliance framework for insurance companies that practice across multiple states.”
  • New Risk Guidance Being Developed for Cybersecurity, Compliance: According to the Wall Street Journal, “The new guidance from the Committee of Sponsoring Organizations of the Treadway Commission is expected to address how companies can apply the principles of enterprise risk management, or ERM, to protect against cyberattacks; how to better craft risk-appetite statements; and how to better manage risk and compliance across an enterprise. COSO develops frameworks that many companies use to manage financial and nonfinancial risks. Its chairman, Paul Sobel, said in an interview that the guidance will be rolled out later this year and early next.”

Congressional and Federal Cybersecurity News Update

Here, we’ve provided a roundup of Congressional and federal cybersecurity news stories from last week.

  • New draft rule bans government purchase of Chinese telecom gear: According to FCW, “Three departments in charge of federal purchasing policy unveiled an interim rule Aug. 7 amending Federal Acquisition Regulation to ban agencies from purchasing telecommunications and video surveillance equipment from five Chinese firms, including Huawei. The interim rule from the General Services Administration, the Department of Defense and NASA takes effect Aug. 13 and stems from a provision in the 2019 National Defense Authorization Act prohibiting federal agencies from purchasing telecommunications and video surveillance equipment, along with any ‘substantial or essential component of any system, or as critical technology as part of any system’ from the Chinese tech firms or their affiliates.”
  • Congress is ready to try again on AV legislation: According to Automotive News, “House and Senate leaders are seeking input from a broad swath of stakeholders to help formulate a self-driving vehicle bill that addresses everything from access for people with disabilities to cybersecurity concerns. A letter circulated by the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation said lawmakers are working on a ‘bipartisan and bicameral basis’ to lay groundwork for a bill. Comments from stakeholders are due to the committees by Aug. 23.”
  • DHS Is Building A Contract To Manage All Its Cybersecurity Operations Centers: According to NextGov, “The Homeland Security Department is building a contract vehicle of vendors able to manage its 17 unclassified security operations centers—the cybersecurity hubs for the government’s central cybersecurity agency. The agency issued a request for information [last] Wednesday outlining its tentative acquisition strategy and asking for feedback from industry on capabilities and approach to spinning up additional resources in times of crisis, such as during a large-scale cyberattack.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • SMEs forced to meet cybersecurity demands in order to win contracts: Reported in BetaNews, “A study by cyber security awareness platform CybSafe shows nearly 37 percent of organizations have been required to achieve a recognized cyber security standard by their enterprise customers before successfully securing contracts. This represents a nine percent increase over 2017. In addition, 40 percent of enterprises have now ensured that cyber security is part of their contract with SMEs -- a six percent increase on 2017, and 66 percent of enterprises have inquired about cyber security training, up from 54 percent in 2017.”
  • There is widespread business confusion and ignorance about the upcoming CCPA regulation: Reported in Help Net Security, “Almost half (44.2%) of all respondents have never heard of the CCPA, and only 11.8% of respondents know if the law applies to their business. […] About a third (34%) of executives/owners say they don’t know if they will need to change how they capture, store and process data to comply. Another 22% say they ‘don’t care,’ while 35.3% of respondents say nothing needs changing for CCPA compliance.”
  • Biggest Cyber-Blind Spot for Small Business Owners? Remote Workers: According to a press release, “83 percent of small business owners allow and offer employees the option to work securely from a remote location when needed and appropriate. With young business owners (those ranging from ages 18-34), this number jumps up to 95 percent. Yet, only 50 percent of small business owners have updated their remote work security policy in the past year.”
  • Insider threats cause many of the most damaging security incidents: Reported in Health Data Management, “70 percent of organizations are more frequently seeing insider attacks and 60 percent experienced one or more within the last 12 months. More than two thirds (68 percent) feel ‘extremely to moderately’ vulnerable to these attacks.”
  • SlashNext Survey Finds Only 1 in 8 Organizations Report Real-Time Operationalization of Threat Intelligence Feeds to Block Live Web Threats: According to a press release, “Only 12% of respondents reported real-time operationalization of threat feeds for blocking, while 19% report it took between 5-30 minutes and another 20% claim 30-60 minutes to operationalize. Nearly half (49%) report operationalization times of more than an hour.”
  • Cybersecurity Leaders Face Challenges with Cyber Transformation: Reported in Security Magazine, “[Just] under 15 percent of the total budget spent is on transformation initiatives including cloud, analytics, and IoT. […] 90 percent surveyed [cited] 10 percent or less of budget dollars assigned for efforts such as cloud migration, software-as-a-service (SaaS) implementation, analytics, and machine learning (ML).”
  • Survey: Cloud Customers, Not Providers, Increasingly Responsible for Managing Threats: Reported in NextGov, “In a report published Tuesday, researchers ranked data breaches, system misconfigurations and shoddy security architectures as the top three threats facing cloud platforms. While cloud providers and users share responsibility for preventing breaches, the onus for defending against the other two threats falls squarely on the customers themselves, they said.”

Cybersecurity Acquisition News

Three major cybersecurity acquisition stories appeared last week.

  • Broadcom to Acquire Symantec Enterprise Security Business for $10.7 Billion in Cash: According to a press release, “The addition of Symantec's enterprise security portfolio will significantly expand Broadcom's infrastructure software footprint as it continues to build one of the world's leading infrastructure technology companies.” CNN notes “[the] proposed acquisition is still subject to antitrust approval. And it comes just over a year after Broadcom's $117 billion bid for rival Qualcomm (QCOM) was blocked by President Donald Trump over national security concerns.”
  • McAfee to Acquire NanoSec: According to a press release, “The acquisition of NanoSec will strengthen the container security capabilities of McAfee MVISION Cloud and MVISION Server Protection products, giving its customers the ability to speed up application delivery while enhancing governance, compliance and security of their hybrid, multi-cloud deployments. NanoSec’s security capabilities will be applied to applications and workloads deployed in containers and Kubernetes and will be integrated into McAfee MVISION Cloud and MVISION Server Protection offerings.”
  • ManTech Acquires H2M Group: According to a press release, “This acquisition strengthens ManTech’s ability to help key government agencies implement new automation techniques that enable intelligence analysts to more effectively navigate large amounts of data, and to distill the critical information that informs actionable intelligence necessary to make mission-critical decisions.” ManTech’s services include “cyber, data collection & analytics, enterprise IT, systems engineering and software application development solutions that support national and homeland security.”