Swiss consumer electronics maker Punkt Tronics will market products embedded with "BlackBerry Secure" cybersecurity technology, under a technology and brand licensing agreement, said BlackBerry Wednesday. The BlackBerry Secure platform has “best-in-class security that helps safeguard end-user privacy and protects enterprises from attackers looking to exploit device vulnerabilities,” said BlackBerry.
Data from an additional 2.4 million consumers was compromised during Equifax’s 2017 breach, it said Thursday (see 1710020021). About 145 million Americans were reportedly affected by the breach, which involved private data like names, addresses, birth dates, driver's license information and Social Security numbers. Interim CEO Paulino do Rego Barros said the disclosure wasn't about “newly discovered stolen data” but resulted from sifting through previous information, analyzing databases not taken by attackers and “making connections that enabled us to identify additional individuals." House Commerce Committee Chairman Greg Walden, R-Ore., and House Digital Commerce Subcommittee Chairman Bob Latta, R-Ohio, called the announcement “deeply concerning,” saying it raises further questions about the company’s “total failure.” They requested a briefing from Mandiant, which is investigating the breach. Senate Commerce Committee Chairman John Thune, R-S.D., criticized Equifax for taking a “piecemeal” approach in addressing consumer issues. “The company knew the incident affected nearly the entire population of credit-active consumers in the United States and had every reason to believe this number could grow,” he said.
Industry and government representatives have been “handicapped” in defending global digital infrastructure, and USTelecom and the Information Technology Industry Council “stand ready” to create “new solutions,” their executives wrote Monday. The organizations last week announced the Council to Secure the Digital Economy (CSDE) (see 1802230054). USTelecom CEO Jonathan Spalter and ITI CEO Dean Garfield co-authored an opinion piece in the Morning Consult saying industries most often targeted for cyberattacks are those with the most to lose, including government and critical infrastructure. They said government and industry made “significant advances” in applying security measures in the U.S., Europe and Asia, but there hasn't been adequate strategic and operational coordination across sectors and countries. Garfield and Spalter cited some positive developments, including President Donald Trump’s executive order in 2017 and other executive branch measures on botnets and automated threats.
An Arkansas man was sentenced Friday to 33 months in federal prison for aiding and abetting computer intrusions by developing and selling his NanoCore RAT and Net Seal malware to individuals who then used it to conduct such intrusions as surreptitiously activating webcams, DOJ said. It said U.S. District Judge Liam O'Grady of Alexandria, Virginia, also ordered that Taylor Huddleston, 27, of Hot Springs, serve two years of supervised release after his prison sentence. DOJ said Huddleston pleaded guilty in July.
The SEC adopted interpretive guidance to help companies prepare disclosures about cybersecurity risks and incidents, the agency said Wednesday. Chairman Jay Clayton said the guidance highlights federal securities laws' disclosure requirements and the importance of policies and procedures for disclosure controls. He said the aim of the guidance is "clearer and more robust disclosure by companies" about cybersecurity risks, giving investors more complete information. The commission said it's not suggesting companies must make detailed disclosures such as specific technical information about their systems or potential system vulnerabilities, but they should disclose incidents and risks material to investors, including financial, legal or reputational consequences. The agency said companies might need to disclose previous or ongoing incidents to put risk discussions in context.
FCC Commissioner Mike O'Rielly called Tom Wheeler's cybersecurity regulation views unhinged from the law. O'Rielly said he had ignored Wheeler's "musings, despite their inaccuracies and overall misguided perspectives," but felt compelled to call out the former chairman for "gibberish" he had "pontificated" on the commission's lack of action on internet network security. "Wheeler's views reaffirm that he is unwilling to read the law and follow basic principles of statutory construction," O'Rielly blogged Wednesday. He said Wheeler is "abusing" Communications Act Section 1 (which explained the purposes for creating the FCC) by arguing it gives the commission direct "authority over all communications activity, especially cybersecurity." That reading would constitute a "massive" expansion of jurisdiction, giving the FCC "authority over 'communications by wire or radio' ... without bounds," O'Rielly said. He said the plain reading of Section 1 is as a preamble, offering a "policy statement, not actual authority." If the section gave the FCC direct authority, he said, it wouldn't need "ancillary authority" or the rest of the Act. O'Rielly said U.S. Court of Appeals for the D.C. Circuit rulings support his view, including Comcast v. FCC (2010) on net neutrality. While respecting O'Rielly "as a patriot," Wheeler said Thursday the blog post "seems to be in keeping with Donald Trump's refusal to respond to Russia's attack on our system. Networks have always been attack vectors; that a new network has opened up a new means of attack is no surprise. What is surprising is that when our nation is under attack we decide to have law-school quibbles about language instead of stepping up and protecting the nation."
Companies are increasingly relying on artificial intelligence and automated security systems, and more than half of the security chiefs surveyed reported attacks costing their organizations more than $500,000, Cisco reported Wednesday. Cisco surveyed 3,600 chief information security officers. Thirty-nine percent of respondents rely on automation, 34 percent on machine learning and 32 percent are “highly reliant” on AI. The extent of breaches also grew: respondents said 32 percent of breaches affected more than half their systems, compared with 15 percent reported for 2016.
Many web hosting companies that cater to small businesses don't offer proper access to email authentication and anti-phishing technologies, putting small businesses at risk of having their domains used to facilitate phishing, FTC staff reported. Staff surveyed 11 web-hosting companies. Two used Domain-based Message Authentication, Reporting and Conformance (DMARC), which lets a domain owner tell receiving mail servers to reject messages that fail domain authentication, and three provided a way for customers to configure it. Small businesses should “pay close attention to the security features offered by web hosts so that they can choose a host that will protect their websites and email accounts with SSL/TLS and email authentication technologies.” The agency didn't identify the companies.
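The check FTC staff describe can be reproduced against any domain by reading two DNS TXT records: the SPF record at the domain itself and the DMARC record at `_dmarc.<domain>`. The script below is an added example, not code from the FTC report or from any hosting company. It does no network lookups; the three hosting setups and their TXT answers are constructed sample data, and the domain names are placeholders. It flags the configurations that leave a domain spoofable: no SPF, an SPF record ending in `+all` or `?all`, no DMARC, or DMARC in monitoring mode (`p=none`). DKIM is not assessed because the selector name cannot be discovered from DNS alone.

```python
"""Assess whether mail forged from a domain would be rejected by a DMARC-aware receiver.

Added example (not from the FTC report). DNS answers are constructed inline so
the script runs offline; a real check would resolve TXT for <domain> and
_dmarc.<domain> instead of reading SAMPLE_TXT.
"""
import re

# Constructed sample TXT records for three hypothetical hosting setups.
SAMPLE_TXT = {
    # Host that publishes SPF with a hard fail and an enforcing DMARC policy.
    "strict.example":        "v=spf1 ip4:198.51.100.0/24 include:_spf.mail.example -all",
    "_dmarc.strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    # Host that lets customers publish DMARC, but only in monitoring mode.
    "monitor.example":        "v=spf1 include:_spf.mail.example ~all",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    # Host with no email authentication at all.
    "bare.example": "some unrelated TXT record",
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?' or '+'.

    Returns None if the record is not an SPF record. A record with no 'all'
    term evaluates to neutral for unlisted senders, so it is reported as '?'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"
    return "?"


def assess(domain, txt=SAMPLE_TXT):
    """Summarise the domain's SPF and DMARC posture and list the weaknesses found."""
    findings = []

    qualifier = spf_all_qualifier(txt.get(domain, ""))
    if qualifier is None:
        findings.append("no SPF record: receivers cannot tell which hosts may send for the domain")
    elif qualifier in ("+", "?"):
        findings.append(f"SPF ends in '{qualifier}all': forged mail does not fail SPF")

    dmarc = txt.get(f"_dmarc.{domain}", "")
    tags = parse_tags(dmarc) if dmarc.lower().startswith("v=dmarc1") else None
    policy = tags.get("p", "").lower() if tags is not None else None
    pct = int(tags.get("pct", "100")) if tags is not None else 0
    if policy is None:
        findings.append("no DMARC record: SPF/DKIM results are never tied to the From: domain")
    elif policy == "":
        findings.append("DMARC record lacks the required p= tag and will be ignored by receivers")
    elif policy == "none":
        findings.append("DMARC p=none: failures are only reported, never quarantined or rejected")
    elif pct < 100:
        findings.append(f"DMARC pct={pct}: only that share of failing mail gets the policy applied")

    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"domain": domain, "spf_all": qualifier, "dmarc_policy": policy,
            "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for name in ("strict.example", "monitor.example", "bare.example"):
        result = assess(name)
        print(f"{name}: enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Only `strict.example` comes out as enforcing; `monitor.example` has the records in place but `p=none` means receivers are asked to do nothing with failures, which is the gap the survey points to when a host exposes the settings without a way to move to `quarantine` or `reject`.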
U.S.-based web application attacks increased 31 percent in Q4 from the year-ago quarter, and perpetrators continue to focus on industries with high-value data, Akamai reported Tuesday. The report showed the retail industry was the hardest hit by web application threats, with 38 percent of attacks; media and entertainment had 18 percent, technology 11 percent and the public sector 4.4 percent. Akamai Senior Editor Martin McKeay said attackers increasingly seek more direct ways to financial gain, such as ransomware. Worldwide web application attacks increased 10 percent, as did SQL injection attacks globally. “Of the 17 billion login requests tracked through the Akamai platform in November and December, almost half (43 percent) were used for credential abuse,” the report said.
DOJ established a Cyber-Digital Task Force to focus on “detecting, deterring and disrupting malicious cyber activity.” According to a memo from Attorney General Jeff Sessions, it will be chaired by a senior department official appointed by the deputy AG. It's to deliver an initial report on the department’s current cyber-related activities and a series of recommendations by June 30.