A bill requiring the Department of Homeland Security to create a cyber-vulnerabilities disclosure program was introduced Thursday by Sens. Rob Portman, R-Ohio, and Maggie Hassan, D-N.H. The Public-Private Cybersecurity Cooperation Act is the companion of a House-passed bill sponsored by House Majority Leader Kevin McCarthy, R-Calif.
Securing against botnets requires collective action from government, internet and communications stakeholders, industry officials said Thursday, releasing a report. The Council to Secure the Digital Economy cybersecurity coalition between tech and communications groups warns against “prescriptive, compliance-focused regulatory requirements.” Government’s role isn’t regulation that stymies response to threats, Information Technology Industry Council CEO Dean Garfield said during a panel. The goal should be to cut back 90-95 percent of threats because no amount of collaboration will be able to eradicate all threats, CTA CEO Gary Shapiro said. There’s no higher cause than addressing threats to the digital economy, USTelecom CEO Jonathan Spalter argued, saying the cyber group plans to release an annual report: “This isn’t one and done.” Threats are increasing as the value of the tech sector grows, Garfield said. Shapiro called it a multi-factorial problem with multi-factorial solutions. Botnets can turn “everyday products into an army of devices capable of transmitting torrents of Internet traffic capable of knocking targeted networks offline,” Deputy Attorney General Rod Rosenstein said during a separate appearance Thursday. He encouraged the private sector to continue searching for “constructive solutions.” The Commerce and Homeland Security departments released a road map highlighting focus areas for government and the private sector: the IoT, enterprise, internet infrastructure, technology development and awareness/education.
Eight people with ties to Russia, Ukraine and Kazakhstan were indicted for “causing tens of millions of dollars in losses in digital advertising fraud,” DOJ said Tuesday. Charges included wire fraud, computer intrusion, aggravated identity theft and money laundering. Three defendants arrested abroad await extradition, and the others remain at large, DOJ said. The FBI was authorized to seize 31 internet domains and “information from 89 computer servers, that were all part of the infrastructure for botnets engaged in digital advertising fraud activity,” Justice said.
The National Institute of Standards and Technology released for comment by Jan. 11 draft cybersecurity guidelines for cloud computing. NIST seeks feedback on any “gaps” in the draft.
The House passed Senate-amended legislation creating a new cybersecurity agency within the Department of Homeland Security, clearing the way for President Donald Trump’s signature (see 1808080044). The Cybersecurity and Infrastructure Security Agency Act (HR-3359) establishes DHS’ National Protection and Programs Directorate (NPPD) as a new agency prioritizing cyber and physical infrastructure security.
The FCC Communications Security, Reliability and Interoperability Council meets Dec. 13, says a Federal Register notice for Wednesday. The group gathers 1-5 p.m. in the FCC Commission Meeting Room.
Civil penalty authority could encourage companies to take data security seriously, an incentive to increase investment, said FTC Consumer Protection Bureau Director Andrew Smith Friday at a Free State Foundation event. He was asked about the agency’s recent no-fine settlement with Uber (see 1810260040). It’s very difficult to show the “causal link” between a security breach and harm to consumers, he said, but some commissioners believe there’s a “systemic underinvestment” in data security.
A federal judge ordered a New Jersey-based hacker to pay $8.6 million in restitution and serve six months of house arrest for leading a cyberattack on Rutgers University’s network, DOJ said Friday. U.S. District Judge Michael Shipp sentenced Paras Jha, 22, for launching “a series of” distributed denial of service attacks on the Rutgers network November 2014-September 2016. The attacks “effectively shut down Rutgers University’s central authentication server, which maintained, among other things, the gateway portal through which staff, faculty, and students delivered assignments and assessments,” DOJ said.
The Department of Homeland Security should establish a civilian cybersecurity corps modeled after the Civil Air Patrol, Coast Guard Auxiliary or volunteer firefighters, New America said in a report Thursday. The corps should be federally funded but run at the state and local levels, wrote cybersecurity policy fellow Natasha Cohen and senior fellow Peter Warren Singer.
Failure to disclose a Google Plus security vulnerability for a reported six months (see 1810120039) raises questions about whether the platform again violated FTC agreements, Sens. Amy Klobuchar, D-Minn., and Catherine Cortez Masto, D-Nev., wrote CEO Sundar Pichai Tuesday. The lawmakers compared the situation to the FTC’s investigation of the Facebook-Cambridge Analytica privacy breach. A Google spokesperson cited an article saying the company did nothing illegal.