During a Tuesday night debate, three Democratic 2020 presidential candidates said they wouldn’t allow Chinese companies to build critical U.S. infrastructure. None of the three -- former Vice President Joe Biden, former New York City Mayor Mike Bloomberg and Sen. Elizabeth Warren of Massachusetts -- specifically mentioned Chinese telecom equipment manufacturers Huawei and ZTE. Senate Commerce Committee Chairman Roger Wicker, R-Miss., reached a deal before the Presidents Day recess for the chamber to soon pass the Secure and Trusted Communications Networks Act (HR-4998) by unanimous consent (see 2002130054). The House-passed bill would allocate at least $1 billion to help U.S. communications providers remove from their networks Chinese equipment determined to threaten national security. The three candidates pivoted to other issues on China, including whether President Xi Jinping is a dictator. Bloomberg emphasized it’s important for the U.S. to push China to uphold trade agreements that bar the “stealing of intellectual property.” The FCC asked eligible telecom carriers Wednesday whether they use equipment or services from Huawei or ZTE (see 2002260010).
Cybersecurity collaboration is a business imperative, not a charitable contribution, the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education concluded Tuesday in a report for industry, government and schools. NICE recommended: establish program goals and metrics; develop strategies and tactics; measure impacts and results; and sustain effort. Goals should focus on “ensuring strong and community relevant training, increased cybersecurity workforce capacity, facilitated learner placement, and fostered cybersecurity innovation,” NICE said.
House Science Research and Technology Subcommittee members eyed beefing up the U.S. cybersecurity workforce during a Tuesday hearing. Science Committee Chairwoman Eddie Bernice Johnson, D-Texas, noted interest in moving additional cybersecurity-focused legislation “this year.” She said the National Institute of Standards and Technology remains “the right agency to continue to lead efforts" here. “Technology alone will not mitigate the many" cyber risks, Johnson said. “Educate and train individuals in cybersecurity at all levels, and it requires not just degrees but different types of certifications as well as continuing education." The public should "be well-educated about cyber hygiene, starting in our elementary schools.” Research and Technology Chairwoman Haley Stevens, D-Mich., cited a NIST National Initiative for Cybersecurity Education (NICE) finding that “nearly one in three cybersecurity jobs go unfilled.” That's partly due to a lack of even basic cybersecurity skills training in schools, though there are “multiple pathways to careers in cybersecurity,” Stevens said. The field “lacks diversity” and “we cannot address our current and future cybersecurity workforce needs without recruiting and retaining more women and minorities.” Subcommittee ranking member Jim Baird, R-Ind., touted the recently filed Securing American Leadership in Science and Technology Act. He said HR-5685 “makes strategic investments in cybersecurity research and development across federal science agencies.” NICE Director Rodney Petersen said the program is noticing a “need to enhance cybersecurity career discovery for learners of all ages, transform the learning process to emphasize the multidisciplinary nature of cybersecurity and the multiple career pathways."
He noted the National Council for the American Worker is creating the “first ever national workforce strategy.” The strategy “is promoting the importance of multiple pathways to careers (not just a 4-year university education), the essential role of employers as part of our national education and workforce system, the need for companies to employ skill-based hiring and the need for greater transparency in the skills that companies need and the return on investment of different educational pathways,” Petersen said. IBM Enterprise and Technology Security division Human Resources Director Sonya Miller urged Congress to pass the Harvesting American Cybersecurity Knowledge through Education Act. S-2775 would create a White House Office of Science and Technology Policy working group to coordinate federal cybersecurity workforce training. It would direct NIST to develop “standards and guidelines for improving the cybersecurity workforce for an agency” (see 1911050061). Tennessee Tech University Cybersecurity Education, Research and Outreach Center Director Ambareen Siraj urged more funding for several federal scholarship and workforce development programs, and supporting “nontraditional pathways” into the industry. Merit Network CEO Joseph Sawasky said federal and state governments should develop “the talent pipeline” early, and government should encourage cyberskills development “for under-represented groups.”
Chinese military personnel were charged with hacking Equifax in 2017 and stealing personal data, DOJ announced Monday. A federal grand jury charged four members of the Chinese People’s Liberation Army with conspiring to steal data from some 145 million Americans during a three-month hacking campaign. Attorney General William Barr said this economic espionage “fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.” Equifax CEO Mark Begor thanked DOJ for treating state-sponsored cybercrime with the “seriousness” it deserves: “Combating this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult. Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced firsthand.” The indictment doesn’t excuse the Equifax deficiencies that enabled the breach, Senate Intelligence Committee Vice Chair Mark Warner, D-Va., said: “A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care -- and face any consequences that arise from that failure.” He urged support for his data broker legislation with Sen. Elizabeth Warren, D-Mass. (see 1905070066). The Chinese Embassy didn't comment. Sen. Ron Wyden, D-Ore., echoed Warner, saying companies become “irresistible targets” when they cut corners on security. He urged support for his Mind Your Own Business Act (see 1910170035).
The indictments show a need for secure infrastructure, not “onerous privacy regulations,” Information Technology and Innovation Foundation Vice President Daniel Castro said Monday: “The ongoing debate about consumer data privacy has been muddled and misguided from the outset -- focusing the blame on corporate victims rather than on the perpetrators of state-directed cyber espionage.”
Officials from the National Institute of Standards and Technology and IBM will testify at the House Research and Technology Subcommittee’s Tuesday hearing on the cybersecurity workforce (see 2002040006). Witnesses are: NIST National Initiative for Cybersecurity Education Director Rodney Petersen, IBM Human Resources Director-Security and Enterprise and Technology Security Sonya Miller, Tennessee Tech University professor Ambareen Siraj and Merit Network Chief Executive Officer Joseph Sawasky.
The House Research and Technology Subcommittee plans a hearing 10 a.m. Tuesday in 2318 Rayburn on developing the U.S. cybersecurity workforce.
Consumer Reports petitioned 25 camera vendors Monday to raise the standard for product security and privacy after recent incidents with connected cameras. The advocacy group is “alarmed by recent security incidents involving Ring, Wyze, Guardzilla and other connected camera products,” said Ben Moskowitz, director-Consumer Reports’ Digital Lab. Due to the “sensitive nature" of the data the devices collect, it urged manufacturers to incorporate additional security measures such as requiring multifactor authentication, emailing users when a login occurs from a new device or IP address, and increasing password protection against credential stuffing and brute-force dictionary attacks. CR’s ratings will continue to change to reflect the stronger data security and privacy practices it believes are essential for consumer protection. Letters were sent to ADT/LifeShield, Arlo, August, Blink, Canary, D-Link, Eufy/Anker, Frontpoint, Guardzilla, Honeywell Home, iSmartAlarm, Logitech, Google/Nest, Netvue, Night Owl, Ooma, Remo-Plus, Ring, Samsung SmartThings, Scout, SimpliSafe, TP-Link, Wyze and Zmodo. ADT, Google and Samsung didn't comment. Honeywell spun off its home business almost two years ago, a spokesperson emailed now: Home and do-it-yourself "products are now under Resideo, which manufactures and markets those products. They simply license the Honeywell name." Resideo didn't comment on CR's request.
The Commerce Department should establish a bright-line process similar to the export administration regulations’ entity list for identifying supply chain threats, USTelecom said in comments Friday. The Information Technology Industry Council recommended Commerce designate foreign adversaries threatening the supply chain with specific criteria. In response to President Donald Trump’s May executive order, Commerce proposed new procedures for reviewing transactions, including imports, that involve information and communications technology and services seen as potential national security threats (see 1911260044). Commerce's bright-line process should rely on Homeland Security Department “risk assessment and related tools to draw lines between prohibited and permitted transactions,” USTelecom said. The association asked Commerce to coordinate its transaction evaluations with other agencies at “every step.” ITI called for a narrow scope for what transactions will trigger security reviews and a waiver process. It urged avoiding duplicative transaction reviews with export administration regulations, international traffic in arms regulations and the Committee on Foreign Investment in the U.S. Commerce's proposed rules are “overly-broad and highly subjective,” BSA|The Software Alliance said Friday. The proposed procedures would let Commerce “launch a review of virtually any ‘transaction’ involving almost any form of commercial technology, regardless of whether it has a clear nexus to national security or to a foreign adversary,” BSA wrote, saying it would create much industry uncertainty. The EO directs Commerce to issue regulations barring technology from foreign companies -- like Huawei and ZTE -- from U.S. networks.
Wyze discovered an additional database that was left unprotected, the smart camera maker told customers Sunday. Passwords and personal financial data weren’t part of the database, said Chief Product Officer Dongsheng Song on the website. The company learned of the leak from a community member who contacted Wyze after a Friday update alerting users to a data leak report. A company investigation found some Wyze user data wasn’t properly secured and was left exposed Dec. 4-26. That vulnerability didn't involve any of Wyze's production data tables, Song said: "While significant, this database only contained a subset of data. It did not contain user passwords or government-regulated personal or financial information" but did contain "customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations," he said. Wyze is working on an email notification to all affected customers that it plans to release in the “near future.” The company continues to work on ways to improve its security, he said.
BlackBerry continues to run “ahead” of schedule toward integrating Cylance into the company’s portfolio of products and services, said CEO John Chen on a fiscal Q3 call Friday. BlackBerry bought Cylance, a specialist in artificial intelligence-based cybersecurity, for $1.4 billion, the largest acquisition in its history (see 1811160024). BlackBerry/Cylance is “achieving the product-development synergies we discussed when we announced the acquisition,” said Chen. It will demonstrate a “mobile threat defense” product at CES, plus solutions combining Cylance cybersecurity and BlackBerry’s QNX automotive operating system, he said. BlackBerry/Cylance “meets the needs of a large addressable market of both fixed and mobile end-points,” he said. “We’re now ready to increase sales and marketing synergies.” With the “efficiency gains so far” in the BlackBerry/Cylance integration, “we remain comfortable that Cylance will be accretive in fiscal 2021,” said Chen. BlackBerry shares closed 12.4 percent higher Friday at $6.53.