NTSC Technology Security Roundup

Weekly News Roundup: September 24, 2018

White House Releases National Cyber Strategy

Last Thursday, the White House released a broad national cyber strategy for countering cyber threats. Its priorities include securing critical infrastructure, combating cybercrime, improving incident reporting, developing a superior cybersecurity workforce, and attributing and deterring unacceptable behavior in cyberspace. According to the Washington Examiner, “‘The people who need to be worried about this are the people who have taken or are preparing to take hostile actions in cyberspace against us, whether it’s foreign states, terrorist organizations, criminal organizations or whatever it may be,’ [national security adviser John Bolton] said. Bolton said that the new strategy builds on Trump’s recent repeal of Presidential Policy Directive 20 last month. That document set limits on offensive cyber activities.”

Department of Defense Updates Cyber Strategy for First Time Since 2015

On the heels of the White House’s national cyber strategy, the Department of Defense released an updated version of its cyber strategy—the first update since 2015. Previously operating from a “doctrine of restraint” in cyberspace, the new cyber strategy says the DoD will “defend forward to halt or degrade cyberspace operations targeting the Department” and “preempt, defeat, or deter malicious cyber activity targeting U.S. critical infrastructure that could cause a significant cyber incident regardless of whether that incident would impact DoD’s warfighting readiness or capability. Our primary role in this homeland defense mission is to defend forward by leveraging our focus outward to stop threats before they reach their targets.”

The five objectives of the DoD’s strategy are:

1. Ensuring the Joint Force can achieve its missions in a contested cyberspace environment.

2. Strengthening the Joint Force by conducting cyberspace operations that enhance U.S. military advantages.

3. Defending U.S. critical infrastructure from malicious cyber activity that alone, or as part of a campaign, could cause a significant cyber incident.

4. Securing DoD information and systems against malicious cyber activity, including DoD information on non-DoD-owned networks.

5. Expanding DoD cyber cooperation with interagency, industry, and international partners.

Cybersecurity Bill Updates

Last week, the Washington Post and Politico offered updates on activity surrounding several cybersecurity bills:

  • According to the Washington Post, “The House Homeland Security Committee [recently] advanced a pair of bipartisan bills […] that would force the Department of Homeland Security to open the door to security researchers to probe the agency for cybersecurity vulnerabilities. DHS has resisted such a move, but lawmakers are ready to force the agency’s hand, saying independent testing is an important step toward improving its cyber hygiene. One bill, called the Hack DHS Act, would create a bug bounty pilot program that would pay security researchers to root out bugs in the agency’s networks. The other would require DHS to set up a vulnerability disclosure policy that protects ethical hackers from legal action if they find a security flaw and report it responsibly. Both cruised through the committee with bipartisan support.”
  • According to Politico, “The top legislative cybersecurity priority for DHS might finally be nearing the finish line. Multiple sources tell [Morning Cybersecurity] that the Senate could soon bring a bill establishing the Cybersecurity and Infrastructure Security Agency to the floor. The legislation, H.R. 3359 (115), long ago passed the House and has been awaiting action in the Senate. Now, sources familiar with the bill say, it could hit the floor as early as next week if no senator objects. As recently as last week, DHS Secretary Kirstjen Nielsen said the Senate needed to ‘urgently’ act on the bill, which would rename and elevate the National Protection and Programs Directorate that currently houses the bulk of the department’s cyber work.”

NIST’s Encryption Standard Has Minimum $250 Billion Economic Benefit, According to New Study

According to a NIST press release, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has published a study estimating that the Advanced Encryption Standard (AES), which NIST developed and which industry has widely adopted over the past 20 years, has produced at least $250 billion in economic benefit. The study concludes that NIST’s investment in AES has been repaid many times over, with economy-wide benefits far exceeding its costs: the most conservative estimate puts the benefit-to-cost ratio of the AES program at 29 to 1, and the estimated ratio for the economy as a whole is 1,976 to 1. The assessment covers the period from 1996 to 2017.

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Security priorities are shifting in response to increased cybersecurity complexity: Reported in Help Net Security, “One of the report’s key findings is that in many organizations (96 percent), the traditional role of the CISO has expanded. As security concerns are integrated into the planning for new digital initiatives, CISOs are more often included as active participants in enterprise business discussions. […] The primary driver cited for the elevation of the CISO is the increasing difficulty of protecting enterprise data.”
  • Account takeover attacks ramping up, leading to explosion of phishing: Reported in TechRepublic, “Account takeover attacks (ATO) are on the rise, and most (78%) result in phishing attacks within companies” and “22% of ATO incidents target sensitive departments, meaning businesses must stay updated on cybersecurity efforts.”
  • Cryptojackers Grow Dramatically on Enterprise Networks: Reported in Dark Reading, “Cryptojacking — threat actors placing illicit cryptocurrency miners on a victim's systems — is a growing threat to enterprise IT according to a just-released report from the Cyber Threat Alliance (CTA). CTA members have seen miner detections increase 459% from 2017 through 2018 and there's no sign that the rate of infection is slowing.”
  • Why voice fraud rates continue to rise with no signs of slowing down: Reported in Help Net Security, “[The] rate of voice fraud climbed over 350 percent from 2013 through 2017, with no signs of slowing down. Additionally, between 2016 and 2017, overall voice channel fraud increased by 47 percent, or one in every 638 calls. The year-over-year increase can be attributed to several causes, including the development of new voice technology, the steady uptick in significant data breaches, and acts of fraud across multiple channels.”
  • Credential stuffing attacks cause heartache for the financial sector: Reported in ZDNet, “Akamai has witnessed a surge in credential stuffing attacks of late. Between November 2017 and June 2018, over 30 billion malicious login attempts were recorded. While the success rate for such attacks is relatively low, the ease in which they can be performed keeps them popular.”
  • 6.4 billion fake emails a day: How can you avoid the risks: Reported in Panda Security, “6.4 billion fraudulent emails are sent every day. If we also take into account the fact that, according to Cofense, 91% of all cyberattacks start with a phishing email, there can be no doubt that email is the highest risk attack vector for companies.”
  • NSA leak fuels rise in hacking for crypto mining: report: Reported in Yahoo! News, “A report by the Cyber Threat Alliance, an association of cybersecurity firms and experts, said it detected a 459 percent increase in the past year of illicit crypto mining -- a technique used by hackers to steal the processing power of computers to create cryptocurrency.”
  • Insurance experts expect higher cyber-related losses: Reported in Help Net Security, “Insurance companies are expecting increased cyber-related losses across all business lines over the next 12 months, driven by increasing reliance on technology and high-profile cyber-attacks, according to Willis Towers Watson.”
  • Researchers: Users allowed to access infected sites found through search engines: Reported in The Hill, “Security firm SiteLock scanned more than 6 million of their clients’ sites during the second quarter of 2018. The firm found only 17 percent of infected sites are blacklisted by search engines like Google, meaning visitors to those sites could be unwittingly exposing themselves to malware.”
  • 80 Percent of US Adults Have Never Considered Cybersecurity Careers, Survey Finds: Reported in Tripwire, “A new national University of Phoenix survey found that 80 percent of U.S. adults have never considered a career in cybersecurity. When asked why, more than four in 10 said that they have no interest in the field.”
  • Data breaches make companies underperform the market in the long run: Reported in Help Net Security, “While the share prices of companies that experienced a sizeable/huge data breach suffer just a temporary hit, in the long term breached companies underperformed the market, an analysis by consumer tech product review and comparison site Comparitech has shown.”