More than a third of organizations globally experienced a ransomware attack or breach that blocked access to systems or data in the past 12 months, and for those that fell victim, it was “not uncommon to have experienced multiple ransomware events,” reported IDC Thursday. Ransomware is now the “enemy of the day” and the “topic of conversation on Main Street,” said analyst Frank Dickson. Ransomware threats have “evolved in sophistication” by actively “evading detection” and “leveraging multifaceted extortion,” he said. IDC analyzed ransomware attacks for the past year, finding the “incident rate” was lower for U.S.-based companies (7%) than the worldwide rate (37%). The manufacturing and finance industries took the biggest ransomware hits; transportation, communications and media took the fewest, it said. Only 13% of organizations experienced a ransomware attack without having to pay a ransom. Average ransom payments approached $250,000, but a few payments exceeding $1 million “skewed the average,” it said.
McAfee’s closing on the sale of its enterprise business to Symphony Technology Group for $4 billion cash on July 27 began McAfee’s “journey” as a “pure-play consumer cybersecurity company,” said CEO Peter Leav on an earnings call Tuesday for fiscal Q2 ended June 26. McAfee added 556,000 “net new core” direct-to-consumer subscribers, closing the quarter with 19.4 million subs, compared with 16.6 million in Q2 a year earlier. “It's very clear that the behavior for consumers is forever changing,” said Leav. “We've seen that again and again in the digitization of all of our lives, and that's not a one-off,” he said. There’s also “a greater degree of focus from those who are trying to exploit that,” he said. “It's unfortunate, but the world of cyber-criminal behavior continues to expand as well.”
The Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security launched a task force Thursday to collaborate with government agencies and the private sector on cyber defense. CISA’s Joint Cyber Defense Collaborative will “integrate unique cyber capabilities” across agencies and companies. It will design U.S. cyber defense plans, implement coordinated defense efforts and support “joint exercises to improve cyber defense operations.”
Nearly two-thirds of experts who experienced ransomware threats in the past year witnessed “partnerships” among bad actors, reported VMware Monday. It canvassed 123 “incident response professionals” globally in May and June, finding defenders are “looking for new ways to fight back,” it said. Victims now experience “destructive/integrity attacks” more than half the time, said VMware. “Cybercriminals are achieving this through emerging techniques, like the manipulation of time stamps, or Chronos attacks,” which nearly 60% of respondents have witnessed, it said. “Catalyzed by the shift to remote work, 32% of respondents also experienced adversaries leveraging business communication platforms to move around a given environment and launch sophisticated attacks.”
President Joe Biden signed a national security memorandum Wednesday directing the Department of Homeland Security and National Institute of Standards and Technology to “develop cybersecurity performance goals for critical infrastructure.” DHS’ Cybersecurity and Infrastructure Security Agency will work with NIST and other agencies. Those standards will help companies providing services for utilities to strengthen cybersecurity, the White House said. The NSM established the President’s Industrial Control System Cybersecurity (ICS) Initiative, a voluntary program between government and industry “to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings.” CISA issued an advisory Wednesday with the Australian Cyber Security Centre, U.K.’s National Cyber Security Centre and the FBI. It listed “top Common Vulnerabilities and Exposures (CVEs) routinely exploited by cyber actors in 2020 and those vulnerabilities being widely exploited thus far in 2021.” Four of the “most targeted vulnerabilities in 2020 involved remote work, VPNs, or cloud-based technologies,” CISA said. Federal agencies need to “strengthen efforts to address high-risk areas” in cybersecurity and information technology, GAO said Wednesday. The auditor noted agencies implemented about 73% of about 5,100 recommendations on cyber and IT since 2010: About 950 cybersecurity and approximately 300 IT recommendations remain.
Cybersecurity fears abound in the U.S. and U.K. on the use of COVID-19 digital vaccination cards, a Harris poll found. Analytics firm Anomali hired Harris to canvass a combined 3,000 adults in the two countries June 30-July 7, finding 80% of Americans and 76% of Brits expressed cybersecurity concerns about storing vaccine certifications on their smartphones. Identity theft topped the list of worries for both groups at 51%. The survey found 64% fear that digital vaccination cards will spawn cyberattacks that cause “moderate to major” disruption to business, government and consumers.
Senate legislation Thursday would require the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency to act to better identify cyberattacks against critical infrastructure. Introduced by Rob Portman, R-Ohio; Gary Peters, D-Mich.; Mark Warner, D-Va.; and Marco Rubio, R-Fla., the DHS Industrial Control Systems Capabilities Enhancement Act would require CISA to ensure “it can better identify and mitigate threats to Industrial Control Systems.” Companion legislation introduced by House Homeland Security Committee ranking member John Katko, R-N.Y., passed the House unanimously.
FCC Commissioner Brendan Carr hailed House Commerce Committee advancement of the Secure Equipment Act (HR-3919). The committee also cleared seven other telecom cybersecurity measures (see 2107210064). HR-3919 and Senate companion S-1790 would ban the FCC from issuing new equipment licenses to Huawei and other companies the commission considers a national security risk. It “would help ensure that insecure gear from companies like Huawei, ZTE, and others can no longer be inserted into America’s communications infrastructure,” Carr said Thursday. “We have already determined that this gear poses an unacceptable risk to our national security” (see 2106090063) and HR-3919/S-1790 “would ensure that the FCC closes this Huawei loophole.”
Bipartisan legislation introduced Wednesday would require agencies, contractors and critical infrastructure operators to report cyberhacks within 24 hours of discovery (see 2103040066). Introduced by Senate Intelligence Committee Chairman Mark Warner, D-Va.; Vice Chairman Marco Rubio, R-Fla.; and Sen. Susan Collins, R-Maine, the Cyber Incident Notification Act includes liability protection in certain circumstances. Warner has predicted a bipartisan cybercrimes reporting bill (see 2106100053). Senate Environment and Public Works Committee members told a hearing the federal government should invest in resources to defend against cyberthreats to critical infrastructure. Cyber is a long-term, constantly evolving challenge, said Chairman Tom Carper, D-Del.: It requires “sustained federal investment, not one-time solutions.” Ranking member Shelley Moore Capito, R-W.Va., backed training exercises and information sharing between agencies. She’s looking forward to including cyber policies in committee legislation. The Cyberspace Solarium Commission’s March 2020 report concluded water utilities remain largely unprepared to defend networks against cyber disruption, testified Rep. Mike Gallagher, R-Wis., commission co-chair with Sen. Angus King, I-Maine. It's an “extremely dangerous” situation, said King, saying the next Pearl Harbor or Sept. 11, 2001, attack will be cyber-related. The private sector should have liability protection when sharing information because delays don’t work, said King. The government hasn’t made the necessary investments to protect transportation systems, which begins with cybersecurity, said ITS America CEO Shailen Bhatt. ITS recommended a more robust transportation cybersecurity strategy with requirements for transportation agencies to meet certain “marks” determined by the National Institute of Standards and Technology and the Center for Internet Security.
House Consumer Protection Subcommittee ranking member Gus Bilirakis, R-Fla., will soon introduce legislation to ensure the FTC is “focused on ransomware” and working with a broad group of law enforcement agencies, House Commerce Committee ranking member Cathy McMorris Rodgers, R-Wash., announced at a subcommittee hearing Tuesday. She cited recent ransomware attacks on Colonial (see 2106110031) and others as reasons for Congress to act. Bilirakis isn’t a member of the House Oversight Subcommittee, which held the hearing with testimony from Microsoft and FireEye. Last year, more than 2,400 organizations were victimized by ransomware attacks with a financial impact of about $500 million, said Microsoft Assistant General Counsel Kemba Walden. Subcommittee Chair Diana DeGette, D-Colo., cited a Microsoft report claiming more than 99% of cyberattacks could be prevented with multifactor authentication deployed. She asked if Congress should mandate such requirements through legislation, and Walden agreed. House Commerce Committee Chairman Frank Pallone, D-N.J., cited the Biden administration’s recent efforts to combat ransomware, including a new ransomware website (see 2107150036) and efforts to make it more difficult for hackers to transfer funds using digital currency. Victims pay to accelerate the process of recouping their business operations or because it’s in the best interest of protecting their data and customer data, said FireEye-Mandiant Senior Vice President Charles Carmakal. This is despite the lack of guarantees the compromised data will be deleted, he said: Victims do anticipate that stolen data is eventually published “at a later point in time.”