NTSC Technology Security Roundup

Weekly News Roundup: September 30, 2019

NTSC Applauds House Homeland Security Committee Advancing Cybersecurity Advisory Committee Bill

Last Wednesday, the House Committee on Homeland Security advanced a bipartisan bill to establish an advisory committee that would advise, consult with, and make recommendations to the Director of the Cybersecurity and Infrastructure Security Agency (CISA). According to Bloomberg Law, “The Department of Homeland Security would get a cybersecurity advisory board of local government and business representatives under a bill approved unanimously by the House Homeland Security Committee. The committee Sept. 25 advanced the Cybersecurity Advisory Committee Authorization Act (H.R. 1975), introduced by Rep. John Katko (R-NY). It now goes to the full House for consideration.” The NTSC published a press release last week supporting this bill.

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • Senate subcommittees take action on cyber funding: According to Politico, “Senate appropriators [last] Tuesday advanced two fiscal 2020 bills that pay for a trio of agencies with significant cybersecurity accounts. The Homeland Security subcommittee approved the DHS funding measure, which would dedicate $2 billion to CISA, $350 million more than the president’s budget requested, according to a panel summary. Within that amount, $1 billion is for cybersecurity specifically. The bill includes $117 million to eliminate a backlog of vulnerability assessments.”
  • Senate approves bill to boost cyber assistance for federal agencies, private sector: According to The Hill, “The Senate [last] Tuesday passed legislation intended to boost the federal government’s ability to respond to and assist agencies and private sector companies in the event of debilitating cyber incidents. The DHS Cyber Hunt and Incident Response Teams Act would require that the Department of Homeland Security (DHS) maintain permanent ‘teams’ that could be deployed to assist in cases of cyberattacks or in order to identify vulnerabilities that could allow for a cyberattack to take place.”
  • House bill aims to secure telecom networks against foreign interference: According to The Hill, “The bipartisan leaders of the House Energy and Commerce Committee on Tuesday introduced legislation that would ban the use of federal funds to purchase telecommunications equipment from companies deemed national security threats. The Secure and Trusted Communications Network Act would require the Federal Communications Commission (FCC) to compile a list of companies deemed by federal authorities outside the agency as posing national security risks to telecom networks.”
  • Cyber Bills You Might Have Missed: According to Nextgov, “The House [last] Thursday approved the Unifying DHS Intelligence Enterprise Act, which would require the agency to draft overarching guidance for sharing information among its various intelligence offices, as well as with other industry and government groups. [Also, the] Senate Committee on Energy and Natural Resources [last] Wednesday forwarded two pieces of legislation to lock down the electric grid: one bill would require the Energy Department to ‘develop advanced cybersecurity applications and technologies for the energy sector,’ and the other would prompt the agency to offer additional resources to help utility companies find and address cyber vulnerabilities.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • CISA updates emergency communications plan to include a 'cybersecurity goal': According to Inside Cybersecurity, “The DHS Cybersecurity and Infrastructure Security Agency has updated its National Emergency Communications Plan, which is intended to ensure continuity of the country's warning system at a time of crisis, to reflect advances in technology, address vulnerabilities and weaknesses of older ‘legacy’ components, and include a ‘cybersecurity goal.’ ‘The update to the NECP is the blueprint for designing and improving the nation’s emergency communications capabilities at all levels of government,’ CISA Director Christopher Krebs said in a statement…”
  • Acting DNI Maguire describes 'cyber war' as greatest threat to the country: According to The Hill, “Acting Director of National Intelligence Joseph Maguire [last] Thursday testified that cyber threats are the most significant risks the nation faces and noted that the protection of U.S. election systems is ‘the most important job’ of the intelligence community.”
  • Watchdog: Energy Department not doing enough to protect grid against cyber attacks: According to The Hill, “A report released [last] Wednesday by the Government Accountability Office (GAO) found that the Department of Energy (DOE) has not done enough to protect the electrical grid against increasing cyber attack attempts, the same day a Senate committee approved legislation intended to bolster DOE’s work on grid security.”
  • Energy is using cyber risk assessments to make cloud decisions: According to FedScoop, “The Department of Energy has started factoring quantitative cybersecurity risk into its internal budget decisions. DOE adopted the Factor Analysis of Information Risk (FAIR) management framework and has begun initial, daily risk assessments at interested national laboratories, Emery Csulak, the department’s chief information security officer, told FedScoop. This fall, DOE plans to onboard even more agencies.”
  • DHS FISMA ratings go up: According to FCW, “The Department of Homeland Security's information security practices have gone from good to better, according to a new inspector general audit. Measuring via a five-point scale developed through the Federal Information Security Modernization Act, DHS improved its scores for the ‘protect’ (developing and implementing appropriate safeguards of critical services) and ‘detect’ (monitoring for irregular system activity) functions from a three out of five to four.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Businesses are Prioritizing Cybersecurity Above All Else, Optiv Security Report Finds: According to a press release, “64 percent of businesses now prioritize cybersecurity above all else, even if it slows some users’ productivity down, according to a new research report from Optiv Security.”
  • How Bots Affect E-commerce: According to Imperva, “30.8% of traffic to e-commerce sites are bots, 17.7% of traffic to e-commerce sites comes from bad bots, [and] 23.5% of those bad bots are classified as sophisticated.”
  • Ransomware Hits Multiple, Older Vulnerabilities: Reported in Dark Reading, “A new report says that 35% of the vulnerabilities exploited in ransomware attacks are more than 3 years old — an updating lapse that looks significant in the face of the $8 billion that ransomware cost companies in 2018. The study identified the 57 most commonly used vulnerabilities in ransomware attacks. According to the research, 15 of these vulnerabilities are used by multiple ransomware families, and 17 trending vulnerabilities (those active in the wild, and with growing numbers of attacks) affect more than one technology vendor.”
  • Majority of All Cloud Misconfigurations Go Unnoticed: Reported in Cyware, “A McAfee report reveals that an overwhelming majority (99%) of all Infrastructure-as-a-Service (IaaS) misconfigurations are not reported to the cloud provider. Over 90% of users face security issues with IaaS configurations, however, only 26 percent of users are equipped to deal with misconfiguration challenges.”
  • Webroot Report: Nearly Half of Employees Confess to Clicking Links in Potential Phishing Emails at Work: According to a press release, “While a majority (79%) of people reported being able to distinguish a phishing message from a genuine one, nearly half (49%) also admit to having clicked on a link from an unknown sender while at work. Further, nearly half (48%) of respondents said their personal or financial data had been compromised by a phishing message. However, of that group more than a third (35%) didn't take the basic step of changing their passwords following a breach.”
  • GDPR: Only one in three businesses are compliant – here's what is holding them back: Reported in ZDNet, “Under one in three organizations are fully compliant with the General Data Protection Regulation, despite the privacy legislation coming into force across Europe almost a year and a half ago.”
  • Study Reveals Major Security Challenges Companies Face: Reported in CISOMAG, “86 percent of security leaders are confident that they have no gaps in their security controls deployed across devices, applications, people, and data. Also, 64 percent of companies are making it a priority to implement a risk framework aligning cybersecurity risk and enterprise risk.”