If Huawei equipment is enough of a threat to warrant barring USF funds to networks using it, the FCC should look further into having that hardware removed even from networks where carriers aren't getting USF funds, Commissioner Brendan Carr told the Practising Law Institute. Legal issues could arise with that approach, but the topic should at least "be on the table," he said Tuesday. He said the FCC is working "with other three-letter agencies" on such issues. Huawei didn't comment. The draft NPRM on segmenting the 5.9 GHz band for use by unlicensed devices and intelligent transportation systems shows a shift from the agency's original approach that stems from discussions with the Transportation Department, said Matthew Berry, chief of staff to FCC Chairman Ajit Pai. The agency “meaningfully” changed its approach, Berry said. The commission will “certainly want to have an order next year,” Berry said. Commissioners vote Thursday on the item to free up some of the band for Wi-Fi.
Amazon released patches for Blink security camera vulnerabilities, said cybersecurity company Tenable Tuesday, after it discovered seven severe vulnerabilities in the Blink XT2. Amazon urged users to confirm their device is updated to firmware version 2.13.11 or later, Tenable said. If exploited, the vulnerabilities could give attackers full control of an affected device, allowing them to remotely view camera footage, listen to audio output and hijack the device for use in a botnet, Tenable said. Attackers could perform distributed denial of service attacks, steal data or send spam, it said, including obtaining sensitive account information, viewing stored photographs and videos, adding or removing devices from the account or blocking camera communications. Amazon emailed: “Customer trust is important to us and we take the security of our devices seriously. Customers have received automatic security updates addressing these issues for impacted devices.”
Windstream updated its home network security offering, Kinetic Secure, providing endpoint as well as modem-level security, said the company Monday. Windstream invested in cybersecurity company F-Secure to enable the service upgrade. Features of the service include internet browsing protection and parental controls; internet anti-virus security for mobile devices; identity theft protection; 24/7 home agent tech support; and app-based Wi-Fi management tools. Several service tiers are available in the subscription-based service.
Takeaways on wireless network security can help "shape the debate surrounding the U.S. approach to addressing threats posed by untrusted communications equipment currently located in U.S. communications networks," FCC Commissioner Geoffrey Starks said on a report Thursday on the integrity of 5G, 4G and 3G networks. Concerns continue over possible risks from Chinese manufacturers such as Huawei and ZTE. Starks hosted the workshop June 27 (see 1906270039). The FCC released Thursday quotes from lawmakers, DOJ and interest groups supporting national security supply chain rules set for a vote Friday (see 1911200030).
Ring devices are overly susceptible to hacking and security concerns, five Democratic senators wrote Amazon Wednesday. Sens. Ron Wyden, Oregon; Ed Markey, Massachusetts; Chris Van Hollen, Maryland; Chris Coons, Delaware; and Gary Peters, Michigan, cited reports detailing “a recently-patched flaw that left Wi-Fi passwords of Ring doorbells vulnerable to hackers and the apparent unfettered access Ring employees in Ukraine had to videos created by every Ring camera in the world.” Americans have a right to know who has access to this data and if it’s secure from hacking, they said. The company didn't comment.
The biggest threat to securing data stored in the cloud “is the cloud itself,” reported Sophos Tuesday. “Some businesses have found that pouring all their most precious information into a virtualized data store led to inadvertent, gigantic breaches of that data, sometimes in the most public and damaging ways possible,” said the cybersecurity company. The “threat model” of protecting data stored in the cloud is “quite different” from that of physical workstations or servers, and requires “a very different” tool set, it said. “The very thing that makes the cloud a great platform for computing and business operations also creates some of its greatest challenges.” Identifying and controlling threats to cloud data “becomes exponentially more difficult,” it said. “Flexibility” is key with cloud computing, but it can “come back to bite you later,” said Sophos. “One false step can lead to an administrator inadvertently opening up their entire customer database to exposure.”
A breach at a fiber communications network provider prompted a change of heart about cybersecurity, its CEO told a NARUC panel in San Antonio Monday (see 9:30 a.m. schedule). Syringa Networks' Greg Lowe said that before this year's virtual break-in -- where his company's data was held hostage until he agreed to pay ransom -- "we didn’t believe we were a target, in our cultural bias." And "we believed we had adequate measures protecting ourselves," he added. "I personally don’t think passwords are very useful … but we relied on them nonetheless." That’s "the biggest mistake any company can make, asking your employees to be diligent" on security measures including about passwords, he said. After the incident, "we contacted the FBI. That was a joke," he said. The bureau declined to comment. Lowe spent that day "trying to figure out whether to pay that ransom or let the entire business burn to the ground," he recalled. Syringa needed its billing records, so after talking to the board, "we decided to pay that ransom." The week after the intrusion was discovered, "we were back to work but kind of on a limited basis," Lowe said. Now, "we treat our internal network as a core piece of our business." The company knows it will be targeted, and faced an intrusion last week that was thwarted, Lowe said. "We also know that we’ll never have enough security to prevent intrusion." And "we don’t depend on our employees anymore" to take preventive steps, he said: "We use multifactor authentication on everything" requiring more than one password for email accounts and outside websites. It allows access only to email addresses, websites and applications appearing on a "white list." Lowe described "a mind shift from preventive to deterrent mode," said CenturyLink Senior Director-National Security Kathryn Condello. She suggested stakeholders examine so-called cyber essentials from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency. 
Syringa last year bought from CenturyLink former Level 3 metropolitan network assets in the Boise area, where that buyer is based. Companies "have to make a risk decision" about cybersecurity, said Fidelis Cybersecurity Chief Technology Officer Craig Harber. "How much am I willing to invest versus how much am I willing to lose."
Sen. Josh Hawley, R-Mo., introduced legislation Monday meant to limit the access of China and foreign adversaries to American data. The National Security and Personal Data Protection Act prohibits American and Chinese companies from transferring user data or encryption keys to China or other countries deemed national security threats.
More than 70 percent of U.S. smart device homes have security concerns, said Parks Associates Wednesday, and a quarter of those who don't own smart home devices have similar worries that prevent them from investing in the technology. As devices offer more services and interconnectivity, “cybersecurity is inadequate to protect today's connected consumer,” said Kenneth Wacks. Home devices that store data, require updates, and perform multiple functions “create additional vulnerabilities,” he said. Consumers are increasingly aware personal data can be misused, said the analyst, saying building in privacy and security protection during product development costs less for device makers than fixing problems. Such breaches can do “significant damage to a brand,” Wacks said. More than 40 percent of U.S. broadband households don’t trust companies to keep their data safe, and 54 percent don’t feel they get much in return for sharing data.
CompTIA seeks beta testers for its revised certification exam for cybersecurity analysts, said the association Thursday. The revised exam, scheduled to launch Q2, will increase the emphasis on software security and other areas “that have become increasingly critical to cyber defense,” it said. The “proliferation” of IoT devices and cloud-computing options has “resulted in a greater demand for incident response skills,” and those, too, will be tested with the new exam, it said. Beta-testing candidates should have at least four years of “hands-on information security or related experience,” said CompTIA.