GAO urged 23 federal agencies under the Chief Financial Officers Act “to designate responsibility for leading agency-wide” information and communications technology (ICT) supply chain risk management activities “and define SCRM roles and responsibilities for senior leaders who participate in supply chain activities.” Tuesday's report said no agency fully implemented “foundational practices for managing” telecom supply chain risks and 14 hadn’t implemented even one. “As a result of these weaknesses, these agencies are at a greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain causing disruption to mission operations, harm to individuals, or theft of intellectual property,” GAO said. The auditor sought “agency-wide” telecom supply chain risk management “strategy that makes explicit the agency’s risk tolerance and identifies how the agency intends to assess, respond to, and monitor ICT supply chain risks across the life cycle.” The agencies should “develop organizational ICT” supply chain risk management “requirements for inclusion in contracts that are tailored to the type of contract and business needs” and “develop organizational procedures to detect counterfeit and compromised ICT products prior to their deployment,” GAO said. Seventeen agreed with all recommendations, while the other six agreed and disagreed to varying degrees. The Department of Homeland Security, one of the few covered agencies identified, agreed that agencies “face numerous ICT supply chain risks” and noted its Federal Acquisition Security Council’s collaboration with the ICT Supply Chain Risk Management Task Force.
An individual in New Hampshire pleaded guilty to conspiring with others to wage distributed denial of service cyberattacks in October 2016 against the Sony PlayStation Network, causing “massive disruption” to the internet, said DOJ Wednesday. DOJ is withholding the identity of the defendant, who was underage at the time of the crimes. The DDoS attacks caused the Sony, Twitter, Amazon, PayPal, Tumblr, Netflix and Southern New Hampshire University websites “to become either completely inaccessible, or accessible only intermittently for several hours” on a single day, said DOJ. Sony’s losses from lost advertising and “remediation costs” included about $2.7 million in net revenue, it said. Sony Interactive Entertainment didn’t respond to questions Thursday.
Escalating cyber risks and the shortage of qualified security personnel will spike demand for managed and professional security service providers for better detecting and anticipating breaches, reported Frost & Sullivan Monday. It forecast the U.S. MSS/PSS market will rise to $18.8 billion by 2024, from $12 billion this year. "With customers requesting more proactive security measures to defend against evolving cyber threats, MSS/PSS providers must adopt more advanced security analytics platforms to detect and anticipate the potential threats more effectively," it said. "These new security analytics platforms should feature advanced functionalities, such as forensics and incident response, across the entire systems in different environments, be it on-premises or for cloud-based services."
Fifty-seven percent of consumers believe there’s more risk of identity theft this year due to COVID-19, Experian reported Friday. Some 18% have been affected by a coronavirus-related scam. And 28% would risk being a victim for a good Cyber Monday deal, up from 19% last year. Just under half of the 1,000 adult consumers surveyed Oct. 29-Nov. 5 shop on protected internet connections; 47% check to see if websites are secure. A third will pay for purchases online with a credit card dedicated specifically for this purpose, up 7% from 2019. Experian tips for safer online shopping: (1) Don’t use public Wi-Fi, which makes it easier for hackers to intercept data and steal sensitive information; (2) Enter credit card information from a private home network or use a secure virtual private network connection; (3) Use strong passwords and change them regularly; (4) Use secure websites indicated by a URL beginning with “https”; (5) Use a credit card, which offers more protection than a debit card if you need to file a claim with your card issuer.
With many Americans holding holiday gatherings online, the FCC warns that videoconferencing software can be “vulnerable to security breaches,” said Dave Savolaine, a commission consumer education and outreach specialist, on an agency webinar Friday. Password-protecting videoconference calls can prevent intruders from planting malware on devices, he said. He recommends that video call hosts log in before guests arrive to prevent unwanted visitors. Use platforms’ “waiting room” feature "to see who’s knocking on the door before they’re let in,” said Savolaine. The host should lock the video meeting once all expected visitors arrive, he said. “This isn’t just so you don’t have to listen to that one relative who may be obnoxious at your holiday gathering. This is also for the safety of your devices.”
Industry is underinvested in support and incentives for securing emerging technology, the World Economic Forum reported Monday. The WEF cited increases in regulatory requirements and cybersecurity costs. It noted that, according to the FBI, cybercrime reporting is up 300% since the start of the pandemic. “We have been doing cybersecurity the same way for the past 15 years and it’s not going to work anymore,” said WEF Cybersecurity Lead Will Dixon. “What has changed is that now, the criminals of the future can easily exploit these emerging technologies and our growing interconnectivity at a scale not seen before.”
Nearly 70% of U.S. small-to-medium businesses are concerned about cybersecurity vulnerabilities at their locations, blogged Parks Associates Monday. Thirty-seven percent are likely to buy data security services in the next six months. The connected device landscape for SMBs has been steadily growing and “becoming more complicated,” said analyst Jennifer Kent, noting the increased device load on networks from access control devices, cameras, thermostats, lighting and signage. Having employees working at home during the pandemic is “opening new vulnerabilities to a company’s network,” she said.
The FCC Communications Security, Reliability, and Interoperability Council meets virtually Dec. 9 at 1 p.m. EST, says Thursday's Federal Register.
Huawei never caused “a single cybersecurity incident” in the 30 years it has been building networks globally, said a Chinese Foreign Affairs Ministry spokesperson Wednesday when asked about the U.S. pressuring other countries not to cooperate with the company on 5G. “Not a single country can prove this company is prone to hidden risks or security threats,” he said. “We hope countries will continue upholding an objective and unbiased position and make independent decisions that serve their national interests.” Imposing restrictions on Huawei under the “pretext” of national security concerns is “unfounded and inconsistent with international economic and trade rules,” he said. The U.K. said in July that it wasn't “strong-armed” by the U.S. into recent actions against Huawei (see 2007220026). The White House didn’t respond to questions.
Nearly 70% of small and midsize businesses are concerned about cybersecurity vulnerabilities at their business locations, with 18% reporting an increased need for data security due to the COVID-19 pandemic, said Parks Associates Friday. Many companies have to extend their networks into households to allow their employees to work at home, which introduces connected devices to the business network, affecting performance and expanding cybersecurity risks, said analyst Jennifer Kent. Parks plans a webinar with Irdeto on data security and network management for the SMB segment Nov. 11 at noon EST.