A global policy approach to cybersecurity defense is “essential to effectively combat” threats, said BSA|The Software Alliance Wednesday, releasing its International Cybersecurity Policy Framework. “Thoughtful, robust cybersecurity policies are critical to the stability of the Internet and the vibrancy of the global economy,” CEO Victoria Espinel said. The framework suggests governments incorporate or consider 48 elements when establishing national cybersecurity policies.

The Department of Homeland Security failed to fully implement most of the 29 cybersecurity-related recommendations GAO has suggested since 2016, GAO reported Tuesday. “Until DHS fully and effectively implements its cybersecurity authorities and responsibilities, the department's ability to improve and promote the cybersecurity of federal and private-sector networks will be limited.” The department didn’t comment Tuesday.

The U.S. accounted for 52.5 percent of malicious domain name system (DNS) queries to command and control servers globally between September and February, Akamai reported Tuesday. China accounted for 12 percent of malicious queries in the same span, a sign that command and control hosting is becoming less U.S.-centric, Akamai said. The report analyzed data from more than 14 million DNS queries from communications service provider networks.

The National Institute of Standards and Technology’s Cybersecurity Framework v1.1 is “a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Director Walter Copan Tuesday, announcing the version’s release. It has updates for authentication and identity; self-assessing cybersecurity risk; managing cybersecurity within the supply chain; and vulnerability disclosure, said the agency.

CenturyLink called attention to botnets, saying it tracked an average 195,000 daily threats, affecting 104 million unique targets, from servers and computers to handheld and other devices. They "are one of the foundational tools bad actors rely on to steal sensitive data and launch DDoS [distributed denial of service] attacks," said Mike Benjamin, head of CenturyLink's Threat Research Labs, in a Tuesday release on a 2018 threat report. "The United States, Russia and China hold the lead as the three most common points of origin for malicious internet activities," followed by Brazil and Ukraine, the telco said. The U.S., China, Germany, Russia and the U.K. were the top five countries targeted in bot attacks, it said. "Scanning for vulnerable devices is the basis" for two common botnets, Mirai and a precursor Gafgyt (also called Bashlite, Lizkebab and Torlus), the report said: "Once vulnerable devices are identified, they are instructed to connect to a download server to install the malware. They then may be instructed to port scan for vulnerable devices or use external scanners to find and harvest new potential bots. ... Mirai and Gafgyt have been tied to DDoS attacks against gaming servers and the botnet owner’s perceived rivals.

The Center for Cybersecurity Policy and Law will work with the tech sector to improve hardware vulnerability disclosure policy and processes, wrote Intel Director-Global Security and Internet Governance Policy Audrey Plonk Thursday. “The goal is to identify the specific needs and circumstances of the hardware ecosystem, opportunities to advance disclosure policy and practice, and options for future improvements.”

The FTC will launch an educational campaign to help small businesses improve cyber defense and data security measures, the agency announced Tuesday. It will distribute “reader-friendly educational materials with information about cybersecurity that small businesses need,” the agency said.

The Intel Product Assurance and Security group, formed as a response to Google Project Zero earlier this year (see 1801110011), is looking long term to the evolving threat landscape and improving future chip security, said group General Manager Leslie Culbertson. Intel sees an opportunity to accelerate security innovation in the industry via partnerships in academia and through more engagement with security companies, Culbertson said. Although the Google Project Zero vulnerabilities “presented many challenges,” a positive outcome was the “unprecedented collaboration among so many in the ecosystem,” she said, citing security researchers, operating system and software vendors, system manufacturers, cloud providers and other chip makers. “I hope this collaboration is a blueprint for the future.”

The most common form of security breaches are SQL injections (23 percent), domain name system attacks (21 percent), pirated content (20 percent) and distributed denial of services attacks (17 percent), said a recent Akamai survey of 200 U.S. tech groups the company released Wednesday.

The FCC Public Safety Bureau sought comment on ISPs’ progress on security measures designed to prevent exploitation of carrier Signaling System 7 (SS7) network infrastructure. The FCC’s Communications Security, Reliability and Interoperability Council recommended last year that service providers take steps to protect SS7 infrastructure, the bureau said Tuesday. The bureau cites a March 2017 CSRIC report. “These recommendations were intended to increase awareness of SS7 signaling vulnerabilities, and included risk mitigation strategies for the continued use of SS7. The recommendations also listed measures, such as filtering and authentication of traffic between service provider networks, designed to promote the security of SS7 communications network traffic.” The bureau asks for comment on “progress, barriers, and lessons learned” on implementing the recommendations. Comments are due May 3, replies June 4.