The Senate Homeland Security Committee passed legislation unanimously Wednesday to establish a Department of Homeland Security cyber response fund (see 2105110068). S-1316 would let DHS declare “significant” cyber incidents and draw on the $20 million fund over seven years to respond to them.
ABI warned about IoT security. “Some devices are incapable of being secured,” it said Friday: Original equipment manufacturers and vendors “often choose to accept the risk, rather than remediate it during a Cost-Benefit Analysis (CBA), while many others choose not to do a CBA.” ABI estimates 8.6 billion IoT global connections, rising to 23.6 billion by 2026: "This exponential growth will usher in a new era of connectivity and productivity in the years ahead" and "new threat vectors and vulnerabilities."
TiVo’s Stream 4K was the only streaming player out of 18 devices in a recent Consumer Reports rating that didn’t encrypt data it sent out, said the organization Monday. User information -- such as the Wi-Fi network name (SSID), city and state, and longitude and latitude coordinates precise enough to pinpoint a street address -- was exposed, said CR, which notified TiVo. The Xperi-owned company “quickly agreed to fix the problem,” it said. TiVo attributed the weakness to a third-party app’s “transmission of certain data.” CR found the TiVo Edge DVR also was sending unencrypted data, but that data didn’t include user information such as IP addresses, and CR didn’t see it as a risk to consumers. The TiVo Stream 4K flaw could expose users to threats such as a malicious app with access to the user’s network, CR said: An attacker could combine the leaked information with other valuable data to mount “an even more invasive attack.” TiVo fixed the problem by the end of March, a company spokesperson told us Tuesday: "We take consumer privacy very seriously and acted as quickly as we could -- pushing the fixes out to the affected devices."
Online scam activity in 2020 increased 185% from 2019, reported fraud prevention company Bolster Thursday. “Remote working, online distribution and digital sales channels created an explosion in digital business in 2020,” said Bolster. “As companies accelerated their digital transformation to adapt to the COVID-19 pandemic, online phishing and fraud activity exploded, averaging more than 19,000 new threats being created daily.” The company estimates 6.95 million new phishing and scam pages were created in 2020, with COVID-19 and gift card scams topping the list. Tech, retail and finance were the top three industries targeted, and Gmail was the phishing email service of choice.
Global IoT connections will nearly triple to 23.6 billion by 2026, ushering in “a slew of new threat vectors and vulnerabilities” that will fuel a $16.8 billion business in IoT security, reported ABI Research Tuesday. Such concerns are “widespread,” said analyst Michela Menting. “There are limited IoT security solutions in the market, due in large part to the fragmented nature of the IoT itself.” The volume of IoT security revenue won’t always correlate with the number of connections, and some markets are expected to experience “disproportional revenue” growth, said Menting.
The federal government is standing down its two unified coordination groups in response to the SolarWinds and Microsoft Exchange incidents (see 2104140043), the White House said Monday, citing “vastly increased patching and reduction in victims.” The White House “will be handling further responses through standard incident management procedures,” said Deputy National Security Adviser-Cyber and Emerging Technology Anne Neuberger. The administration will use lessons learned from the UCGs to “improve future unified, whole of Government responses to significant cyber incidents,” she said, citing private sector coordination.
The federal government should establish a comprehensive strategy for national cybersecurity and for mitigating global supply chain risks, the GAO said Friday. It urged federal agencies to implement hundreds of “critical” recommendations, including some 400 IT management and 750 cybersecurity proposals. Agencies have implemented about 75% of 4,700 recommendations since 2010, GAO said. It noted that in December, few of the 23 civilian federal agencies GAO reviewed “implemented foundational practices for managing information and communication technology supply chain risks.”
More than a third of U.S. consumers worry about the cybersecurity and safety of their connected vehicles, and a similar proportion (35%) fear a cyberattack could damage or destroy their vehicle’s data, software or operating systems, reported HSB Wednesday. The insurance carrier hired Zogby Analytics to canvass 1,500 adults in December, finding that of the 55% who sync their smartphones to their vehicles, half (51%) said they “don’t know or aren’t sure what personal information is stored in their vehicle’s entertainment system.” Of the 11% of respondents who said they drive an electric vehicle, half of them worry that charging stations are an easy target for cyberattacks, said HSB.
The federal government needs to provide answers on why it didn’t detect the SolarWinds cyberattack, despite significant investment, Senate Homeland Security Committee Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio, wrote the Department of Homeland Security and OMB Tuesday (see 2103190014). “Despite significant investments in cyber defenses, the federal government did not initially detect this cyberattack,” they wrote. U.S. cyber strategy will “require careful consideration of the appropriate role of the federal government, companies, and citizens in cyber defense, especially when it comes to nation-state actors with near unlimited resources and time.” The agencies didn’t comment.
Bad actors are picking up the pace and raising the bar on cyberthreats, blogged Tom Emmons, Akamai principal product architect, about the fast-rising rate of “volumetric” distributed denial-of-service (DDoS) attacks this year. “We've already seen more attacks over 50 Gbps” through March 24 than in all of 2019, Emmons said Wednesday. “DDoS attacks are getting bolder and badder. Three of the six biggest volumetric DDoS attacks Akamai has ever recorded and mitigated have been in the past month, including the two largest known DDoS extortion attacks to date.” Threat actors “continue to expand their sights,” said Emmons. “The number of customer attacks per month has continued at near record volume, and we have continued to see diversification of attacks across geographies and industries.” Criminals apparently cling to “hope of a major Bitcoin payout,” he said. Bad actors “have started to ramp up their efforts and their attack bandwidth, which puts to rest any notion that DDoS extortion was old news.”