Despite more awareness of cybersecurity risks, only 37 percent of people use identity theft services and 28 percent have no plans to sign up, said a McAfee survey released Tuesday. McAfee surveyed 6,400 people globally, finding 61 percent are more worried about data security than five years ago. Thirty-three percent rank protecting identity as their No. 1 cybersecurity priority ahead of protecting privacy, connected devices, data and connected home devices.

The number of nation-state cyberattacks will grow in 2018 and will demand collective action among global governments to fend off bad actors, Microsoft President Brad Smith said in a report released Tuesday, co-authored by Carol Ann Browne, director-executive communications. Recent WannaCry and Not-Petya attacks were “akin to military assaults” that demand a “new generation of arms control discussions to address them,” the executives wrote. Microsoft praised the White House for joining with other countries publicly blaming North Korea for WannaCry (see 1712190043) as a “step in the right direction towards addressing growing nation-state cyberattacks.” Global technology leaders should adopt a cybersecurity tech sector accord to enable tech companies to act as “internet first responders,” the report said: “Look for progress over the next six months.” Microsoft also hopes governments will clarify international law in the digital space, an issue of particular significance as the company prepares for oral argument Feb. 27 in the U.S. v. Microsoft case (see 1710160009) on warrants issued for data stored overseas. The case has significant international implications as companies increasingly store data overseas so it’s closer to customers, Microsoft said. “Rather than rely on or improve existing treaties to obtain information located in other countries, the DOJ prefers to exercise jurisdiction over cloud service providers and compel them unilaterally to fetch emails in other countries and bring them to the U.S.,” the report said, arguing the government is trying to “stretch the statute in ways that Congress didn’t anticipate.” Microsoft holds out some hope that DOJ and the tech sector could craft a “late compromise” for new legislation that would “bring agreement on a more modern and international approach.” Barring that, the Supreme Court will need to decide by June on the basis of a law “not written with the 21st century in mind,” the report said. Microsoft flagged privacy and surveillance as related priority 2018 issues, citing the May 25 implementation of the European Union’s General Data Protection Regulation, which will add new requirements for companies that store personal information of European consumers no matter where the company is located. It will be up to the tech sector largely to manage the new requirements, which are still subject to “continuing deliberations” that will continue through 2018 and beyond, the report said. Net neutrality also made Microsoft's top 10 list, with the company praising ISP pledges to avoid discrimination in the absence of binding net neutrality rules. If those promises prove false, it could be the impetus for Congress to create "lasting and bipartisan" regulation that has "so far proved elusive," Microsoft said.

U.S. cybersecurity policy isn't yet equipped to meet the “immense” challenge of protecting valuable data, though there has been progress, blogged Internet Security Alliance President Larry Clinton Tuesday. Clinton praised work to improve the National Institute of Standards and Technology’s cybersecurity framework, which is headed for another update this spring. He also said corporate boards now rank cybersecurity among their top challenges, whereas a few years ago it was less of a priority. But nation-state attacks (see 1801020027) that have evolved beyond espionage to “straight out cyber crime" make it seem “no one is safe" and may soon “pose serious risk to critical infrastructure,” he said. Policymakers have yet to develop an approach that focuses on the entire cybersecurity system instead of “incremental assets," he said, and is complicated by a system that looks for scapegoats after major cyber breaches rather than developing systemic solutions. “We are all on the same side. We need to act like it,” Clinton said. In historic security models, each entity was expected to secure itself. But the internet demands a different, integrated response that's developed through a “conscious partnership” like the one NIST used to create the framework, he said.

The FTC gave final approval to a settlement with Lenovo over complaints that preinstalled software compromised security protections in order to deliver ads to consumers, the agency announced Tuesday. Commissioners voted 2-0 to approve the 20-year consent decree reached in September (see 1709050020), settling charges brought by the FTC and 32 states that Lenovo's preinstalled software program, Visual Discovery, created serious security vulnerabilities on laptops sold in the U.S. Lenovo agreed to no longer misrepresent any features of preloaded software “that will inject advertising into consumers’ Internet browsing sessions or transmit sensitive consumer information to third parties,” the FTC said. If the company does install such software, the FTC order requires Lenovo to obtain consumers’ affirmative consent before the software runs on laptops. The company is required for 20 years to implement a comprehensive software security program that will be subject to third-party audits “for most consumer software preloaded on its laptops,” the FTC said. Lenovo said the FTC informed the company of the final settlement, "which now brings this matter to a close,” a spokeswoman said.

Kaspersky Lab went to court seeking to reverse the Department of Homeland Security's ban on use of its products in federal IT systems, the company said Monday of its U.S. District Court for the District of Columbia case. "DHS’s actions have caused undue damage to both the company’s reputation in the IT security industry and its sales in the U.S.," Kaspersky said. The firm has been under fire for several months after reports that vulnerabilities in its software enabled the Russian government to breach U.S. federal systems (see 1712060045).

New malware reached an "all-time high" of 57.6 million new samples in Q3, a 10 percent gain over the previous quarter, McAfee Labs said Monday. New ransomware rose 36 percent, boosted by an increase in Android screen-locking threats. Top Q3 data breaches tracked included Equifax; a Verizon customer support supplier using a compromised server; and Apache Struts, a component of many websites and which experienced a coding vulnerability. The "Faceliker Trojan" malware, which manipulate Facebook to artificially "like" content by infecting users' browsers when they visit malicious websites, which McAfee first reported in September, also showed a Q3 gain.

A new cybersecurity agency focused on critical infrastructure would be housed in the Department of Homeland Security in the HR-3359 bill the House passed Monday. The bill would create the Cybersecurity and Infrastructure Agency (see 1707250029), a restructuring that includes elements of the existing DHS National Protection and Programs Directive. The change fulfills DHS’ goal of elevating "vital cybersecurity and infrastructure security missions to strengthen the security of digital America and our nation’s critical infrastructure," said House Homeland Security Chairman Michael McCaul, R-Texas, in a floor speech. There is no Senate version of the bill under consideration.

Reps. Jerry McNerney, D-Calif., and Debbie Dingell, D-Mich., criticized FCC Chairman Ajit Pai Monday for not providing what they feel is “adequate” documentation of the claim that a May distributed denial-of-service attack caused outages to its Electronic Comment Filing System (see 1705080042 and 1708170042). Congressional Democrats have repeatedly pushed for additional proof of the DDoS claims, including a request for GAO to do an independent review (see 1705310024, 1707070039 and 1710130052). The FCC declined to provide specific details on plans to protect ECFS against future attacks (see 1706280044 and 1707310071). “Given your high regard for transparency, we would expect that you would have disclosed to us by now the requested documents or an explanation of technical or legal prohibitions for your refusal to do so,” Dingell and McNerney wrote Pai. “Transparency is important, even when it’s not convenient. We expect you to live up to your commitment to transparency,” they said. “Many unanswered questions” remain about “the motive behind the alleged attacks, the response of the FCC, and whether the outage had a major impact on the ability of the American people to comment on the proceeding to eliminate net neutrality protections,” the lawmakers said. The agency “should be transparent about any potential issues with the factual record on a proceeding of this magnitude, and should not move forward with a vote until the American people know what happened.” The FCC didn't immediately comment.

NTIA is developing policy recommendation to fight the rise in botnets, to be presented in a report to be delivered to the president in January, Evelyn Remaley, deputy associate administrator, said on a Practising Law Institute panel Thursday. IoT vulnerabilities have the attention of global businesses and governments, Remaley said: “We’re trying to get ahead of this but not stop innovation.” Response to global cybersecurity threats demands continuing commitment to the multistakeholder process, providing flexible options for industry and government, the panel heard. “We’re at an inflection point,” said Wilkinson Barker attorney Clete Johnson, an architect of National Institute of Standards and Technology's Cybersecurity Framework. Large-scale data breaches like at Equifax, growth in the number of distributed denial of service attacks fueled by botnets (see 1711210047), and increasing vulnerabilities in IoT devices are threats, he said. "We should be trying to increase the quality and security of IoT devices, and build security in at the outset of production,” said Eric Wenger, Cisco cybersecurity and privacy director-global government affairs. Cybersecurity is the only domain “where we ask companies to secure themselves,” said Kiersten Todt, Cyber Readiness Institute managing director. “We continue to use traditional frameworks and shoehorn them into a new landscape.” Todt, who worked in the Obama administration’s cybersecurity commission, said one of the “greatest risks” to national security is the amount of data stored after it’s outdated with no clear deletion procedures. “As America grapples with its cybersecurity challenges, it’s important to note that Europe has taken a different approach on privacy and cybersecurity standards," said Rudy Brioche, Comcast vice president-global public and policy counsel. Wenger said the rise of competing legal security and privacy standards isn't helpful to companies working globally, which is why global multistakeholder work is critical. Other PLI news: 1712070063 and 1712070047.

The National Institute of Standards and Technology is seeking comments by Jan. 19 on a second draft of its Cybersecurity Framework released Tuesday that is based on extensive consultation with the private and public sectors, NIST said. Internet Security Alliance President Larry Clinton praised the updated framework for making “significant achievements toward achieving the goals of the original [Cybersecurity] Executive Order.” The new draft clarifies supply chain risk management assessments, and extends use of the framework to include information technology systems and IoT, the agency said. As the agency works on the second draft, it will be looking at ways to help organizations of all sizes use the framework to meet their specific cybersecurity needs, NIST said.