In the hot seat for the fourth time in three days, former CEO Richard Smith was chastised by Democrats and Republicans on the House Financial Services Committee at a Thursday hearing on the theft from Equifax of personally identifiable information on 145.5 million Americans. As in the other hearings (see 1710040039 and 1710030034), committee members pressed Smith, who again apologized and was consistent with answers, about the company's lag in announcing the incident, why the website vulnerability wasn't fixed immediately, the selling of stock by three executives right after Smith was notified of the activity, and problems with rolling out remediation services to affected customers. Rep. Ann Wagner, R-Mo., who chairs the Oversight and Investigations Subcommittee, said she'll be "closely monitoring the additional facts." She's more "disturbed or harsh" than her colleagues because she was a victim of tax identity theft over the past year: "For me, this isn't just another data breach, it is a breach of trust." Smith's status as essentially an unpaid spokesman to deal with the fallout after he retired two weeks ago troubled ranking member Maxine Waters, D-Calif., who said: "Your being here today doesn't do much for us." Rep. Carolyn Maloney, D-N.Y., said she wrote to the other credit reporting agencies, TransUnion and Experian, about their practices to patch vulnerabilities. She said Experian responded that it immediately implemented the patch and its system shuts down automatically if a patch isn't implemented. She asked Smith why Equifax's system didn't work the same, but moved to another question before he could answer fully.

The Department of Homeland Security is on the "front lines" of federal government efforts to defend critical infrastructure from cyberthreats, terrorism and natural disaster, said officials from the agency's National Protection and Programs Directorate (NPPD) at a House Homeland Cybersecurity Subcommittee hearing Tuesday. "We must ensure that NPPD is appropriately organized to address cybersecurity threats both now and in the future," said Christopher Krebs, senior official performing the duties of the undersecretary, and Jeanette Manfra, assistant secretary for cybersecurity and communications. House Homeland Security Committee Chairman Michael McCaul, R-Texas, hopes the House will advance legislation he introduced to elevate NPPD as a stand-alone agency so it can better support DHS' cybersecurity mission. In a prepared statement, McCaul said he was pleased with President Donald Trump's executive order aimed at strengthening the cybersecurity of federal networks and critical infrastructure: With October designated to raise awareness of cybersecurity (see 1710020057), it's time to "learn more about these threats and offer ideas on how we can best secure ourselves."

Focusing on the “why” of cybersecurity and not just the IT components involved is the only way to manage attacks like the recent Equifax hack (see 1710020021), Internet Security Alliance President Larry Clinton blogged. It has been 10 years since October was declared “Cybersecurity Awareness Month,” he said. “We can spike the football on the issue of cybersecurity awareness. Understanding the cybersecurity problem? Not so much.” Not only is the cyber system inherently vulnerable, criminals also stand to gain hugely from large-scale attacks, and Clinton wants more work on understanding why attacks occur. Friday, the White House said President Donald Trump declared October cybersecurity awareness month.

Facebook delivered more than 3,000 online political ads linked to the Russian Internet Research Agency to Congress, which is investigating the role that materials played in interfering with last year's U.S. elections, blogged Vice President-Global Public Policy Joel Kaplan Monday. "All of these ads violated our policies because they came from inauthentic accounts," said Kaplan, outlining steps the company is taking to prevent similar future problems, as CEO Mark Zuckerberg had announced (see 1709250058). Facebook is building new tools to provide more advertising transparency and will strengthen automated and manual review, such as adding 1,000 people to its global review teams over the next year and investing more in machine learning, said Kaplan. He added the company will tighten restrictions on ad content and will update policies for more documentation from advertisers that want to run federal election-related ads. "Potential advertisers will have to confirm the business or organization they represent before they can buy ads. As Mark said, we won’t catch everyone immediately, but we can make it harder to try to interfere," said Kaplan. Facebook also will try to establish industry standards and best practices with other companies and governments, he said.

The National Institute of Standards and Technology is floating a draft updating guidelines for applying the risk management framework to information systems and organizations. A Thursday notice said the update to Special Publication (SP) 800-37, Revision 2 would provide closer linkage and communication between corporate-level risk management processes to operations and system activities, would demonstrate how NIST's Cybersecurity Framework can be implemented using the agency's risk management processes, and would integrate privacy concepts. It said institutionalizing risk-management preparatory activities would help identify and develop security and privacy baselines, reduce complexity of IT infrastructure and prioritize assets. NIST seeks comments by Oct. 3, anticipates publishing an initial public draft in November, a final draft in January and a final document in March.

Equifax Senior Vice President Paul Zurawski wrote Sen. Richard Blumenthal, D-Conn., that the credit reporting service "is working cooperatively with a number of Congressional committees and will continue to do so in the coming weeks and during the upcoming Congressional hearings," said a company spokeswoman. The company responded to us after deadline Tuesday following a Senate Commerce Subcommittee on Consumer Protection hearing where ranking member Blumenthal said he wrote Zurawski with questions about the breach of 143 million Americans' sensitive records. He said Zurawski essentially responded that the company wouldn't answer the questions (see 1709260021). The full committee is expected to hold a hearing in mid-October about the FTC and Equifax, said Subcommittee Chairman Jerry Moran, R-Kan. House Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta, R-Ohio, said it plans a Tuesday hearing on the breach, with former CEO Richard Smith to testify. The 10 a.m. hearing will be in 2123 Rayburn.

Walter Copan​, National Institute of Standards and Technology director nominee, emphasized the importance of increasing the visibility and private sector use of the agency's cybersecurity framework, during a Senate Commerce Committee hearing Wednesday. He faced questions on cybersecurity and on providing support for FirstNet (see 1709270056). Meanwhile, Consumer Product Safety Commission Chairman nominee Ann Marie Buerkle, up for reconfirmation, faced a question from Sen. Catherine Cortez Masto, D-Nev., on the extent to which the CPSC should factor into its work IoT and other emerging technologies. The NIST framework is an “essential underpinning for both national security and economic security,” Copan said in response to a question from Chairman John Thune, R-S.D. “If confirmed, I look forward to leading this organization to further develop and communicate” the framework and adapting other cybersecurity tools to a rapidly changing marketplace. Sen. Amy Klobuchar, D-Minn., asked Copan to talk about how he would “ensure FirstNet is able to provide reliable priority service” to first responders. NIST's role “in understanding the allocation of spectrum and supporting technologies for FirstNet is a high priority,” Copan said. Cortez Masto suggested Buerkle consider how CPSC's interest should expand in response to “this new technological age,” particularly in relation to IoT and digital products. “We are beginning our inquiry” into how IoT and other digital products will change how CPSC conducts hazard inquiries and recalls, Buerkle said. “It is something that we are paying attention to and will look to invest some funds into it.”

It costs $11.7 million on average for an organization to manage cybercrime incidents or to spend to recover disruption this year, an increase of 23 percent from 2016, said research Tuesday by Accenture and the Ponemon Institute. Based on a global survey of 2,182 security and IT professionals from 254 organizations, the study found that an organization, on average, experiences 130 breaches a year, up 27 percent from last year. The four main impacts to organizations are business disruption, loss of information, loss of revenue and damage to equipment, said a news release. It said malware and web-based attacks are the costliest types, with companies spending, on average, $2.4 million and $2 million, respectively. Incidents involving "malicious insiders" take about 50 days to mitigate, and ransomware takes about 23 days, the study said. Globally, among seven industrialized countries, U.S. companies reported the highest total average cost in cybercrime, while Australia reported the lowest.

Equifax CEO Richard Smith received a letter from House Science, Space and Technology Committee Chairman Lamar Smith, R-Texas, and Oversight and Government Reform Committee Chairman Trey Gowdy, R-S.C., requesting documents and a briefing related to the company's data breach affecting up to 143 million Americans. The lawmakers noted it took six weeks for the company to notify consumers (see 1709140014). They asked for by Sept. 28 the briefing and information on "the standards used to secure this data," and "implications of this breach for the federal workforce and national security." Equifax didn't comment.

The FTC confirmed Thursday that "in light of the intense public interest and the potential impact of this matter," it's investigating the Equifax data breach of a 143 million Americans, said a spokesman in a statement. The commission typically doesn't comment on current investigations. Meanwhile, Democratic Sens. Richard Blumenthal of Connecticut, Al Franken of Minnesota, Ed Markey of Massachusetts and Sheldon Whitehouse of Rhode Island introduced the Data Broker Accountability and Transparency Act that would require data brokers like Equifax to establish comprehensive data and security programs and provide "reasonable notice" when a data breach occurs. The bill would give consumers the right to access their records and correct inaccuracies and the right to stop data brokers from "using, sharing, or selling their personal information for marketing purposes," said a joint news release. The bill would directs the FTC to enforce the law and promulgate rules within a year, including a centralized website that provides a list of covered entities and consumer rights, the release said. Sen. Ron Wyden, D-Ore., introduced the Free Credit Freeze Act in a news release to let consumers use personal identification numbers to freeze and unfreeze their credit reports for free instead of a typical $15 charge imposed by credit bureaus. Meanwhile, the Apache Software Foundation said Equifax was at fault for not patching a website application vulnerability called Apache Struts CVE-2017-5638 that led to the theft of personal data of 143 million Americans. "This vulnerability was patched on 7 March 2017, the same day it was announced," wrote Sally Khudairi, vice president-marketing and publicity for the all-volunteer Apache, in a Thursday alert. "The Equifax data compromise was due to their failure to install the security updates provided in a timely manner." A day earlier, Equifax said its probe with an unnamed independent cybersecurity firm found hackers exploited the Apache vulnerability that led to breach from mid-May through July. "We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement," said Equifax.