The FCC appears to be ramping up its focus on cybersecurity, starting with “a broad-reaching inquiry into the vulnerabilities threatening the security and integrity of the Border Gateway Protocol” earlier this year, said an analysis by Hogan Lovells lawyers Monday. They also cited an NPRM approved last week that proposes new rules to make the emergency alert system and wireless emergency alerts more secure. “FCC observers are … watching the FCC’s increased focus on cybersecurity for signs of whether it may extend the sorts of critical infrastructure regulations that the Cybersecurity and Infrastructure Security Agency (CISA) is developing for other industries into the telecommunications space as well,” the lawyers said: “The proposed rule regarding EAS and WEA may provide a clue on that question.” They said that, in comments on the NPRM, FCC Commissioner Geoffrey Starks “notes approvingly that the proposed rule aligns the timeframe for cyber incident reporting with the timeframe found in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which CISA is administering, and argues that the FCC’s ‘actions must be within the larger whole-of-government approach to protect our nation’s networks and infrastructure.’”
The Biden administration’s IoT labeling program will help consumers gauge the level of security for internet-connected devices across sectors, Anne Neuberger, deputy national security adviser for cyber and emerging technology, said Thursday. The White House anticipates a program rollout in the spring, she said. Data shows consumers are willing to pay more for security, she said during a Center for Strategic and International Studies event: Consumers value security, but they can’t make a “security decision” because when they buy products like smart TVs, there’s no way to compare the security features. The U.S. needs to make sure it harmonizes regulations across sectors because companies operate across the economy, said National Cyber Director Chris Inglis. They discussed cybersecurity issues at large. Neuberger urged companies not to pay ransoms for ransomware attacks. While it helps the company being attacked, it incentivizes the continued illegal activity, she said.
The U.S. is seeking the extradition of a Ukrainian national who allegedly led an international malware campaign that infected millions of computers globally, DOJ said Tuesday, announcing an indictment for crimes associated with Raccoon Infostealer. According to DOJ, Mark Sokolovsky, 26, leased access to the malware for $200 per month. Customers used Raccoon Infostealer to collect personal and financial information from victims’ devices. Sokolovsky, who's being held in the Netherlands on a U.S. extradition request, faces "20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense."
Passwords continue to be the leading cause of businesses’ cyber breaches, Consolidated Communications said Wednesday, with 81% of breaches caused by weak or stolen passwords. Employees’ “faulty memories” lead most people to reuse passwords across platforms, the company said, which “creates an ideal scenario for hackers.” Once hackers penetrate a network, “new forms of attack are making them harder to detect than ever before,” it said. The company encourages proactive network management, a strong firewall and zero-trust network security policies.
Fortune 100 companies are giving the public more information about how they're dealing with cybersecurity challenges, but the gaps in information remain big, said Chuck Seets, Ernst and Young (EY) Americas Assurance principal, and Pat Nieman, EY Americas audit committee forum leader, in a Sunday blog at the Harvard Law School Forum on Corporate Governance. They said only 9% of proxy statements and Form 10-Ks analyzed disclosed any use of response readiness simulations. With cybersecurity near "an inflection point" due to bigger risks and looming regulation, companies lagging in disclosures and in tackling cyberthreats "should foster a culture of cooperation while elevating the tone at the top," they said.
Vector Capital will make a $100 million minority investment in Malwarebytes to speed the growth of its consumer and enterprise cybersecurity businesses, said the private equity firm Wednesday. Malwarebytes will leverage the funding to add new features to its consumer protection and privacy “suite,” and launch new “modules” that enable organizations to reduce their attack surface from the same cloud platform they use for “detection and remediation,” it said. The investment will also enable Malwarebytes to "enhance and scale" its international channel partner program, it said. The funding transaction is expected to close in Q4.
U.S. businesses are at a high and growing risk of data security threats from “increasingly effective phishing attempts and the lack of procedures to restrict data access,” reported GetApp Tuesday. “Newer companies are especially vulnerable to security threats,” said GetApp, which bills itself as the recommendation engine for small businesses. The company canvassed about 1,000 respondents in August, finding the total number of ransomware attacks has doubled in the past two years, while the proportion of companies paying the ransom has “steadily decreased,” it said. “This finding can be attributed to more companies either successfully decrypting data and removing the malware or recovering from the attack by using a backup without paying a ransom.”
Comments are due Nov. 14 for the Cybersecurity and Infrastructure Security Agency’s cyber incident reporting requirements, CISA announced Friday. The Cyber Incident Reporting for Critical Infrastructure Act (see 2203160051), which President Joe Biden signed into law in March, requires public comment for proposed regulations on cyber incident and ransom payment reporting. CISA will host a series of listening sessions. “I’m excited to see CISA move forward with implementing this cybersecurity law, which will help us counter the growing threat of cyberattacks against our institutions and allies,” said Senate Intelligence Committee Chairman Mark Warner, D-Va., who co-authored the law.
The Biden administration’s development of a national cyber strategy is “well underway,” the GAO said in a report Monday, citing comments from the national cyber director. The federal government must develop a comprehensive cyber strategy to have a “clear roadmap” for overcoming threats, the GAO said, noting Congress created the top cyber position in 2021. The national cyber director’s office is gathering feedback from “federal entities,” including the National Security Council, the GAO said.
The competitive environment in cybersecurity “remains favorable” to CrowdStrike, and “we continue to see strong demand even as organizations respond to macroeconomic conditions,” said CEO George Kurtz on an earnings call Tuesday for fiscal Q2 ended July 31. For CrowdStrike, “this primarily manifested in the form of increased levels of required approvals on some deals as companies evaluated investment priorities, which can extend the time it takes to close deals,” said Kurtz. “However, cybersecurity is not a discretionary line item.” CrowdStrike’s quarterly revenue exceeded $500 million for the first time, he said.