Legislation that would reorganize the Department of Homeland Security and raise the role of its cybersecurity branch was passed via voice vote by the House Homeland Security Committee during a markup Wednesday. HR-3359, which Chairman Michael McCaul, R-Texas, and ranking member Bennie Thompson, D-Miss., introduced Monday, would redesignate the National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency to be comprised of the cybersecurity, infrastructure security and emergency communications divisions. McCaul said the NPPD realignment is a "major step forward," making the agency "more streamlined and effective," and will "prioritize the cyber mission within the department." Similar legislation last year advanced through the committee but was never considered on the House floor, and McCaul earlier this year signaled reintroduction (see 1704270029 and 1705240033). The committee also advanced a substitute amendment to HR-2626, sponsored by Rep. Will Hurd, R-Texas, that would use facial recognition and other biometric technology to screen travelers at U.S. ports of entry. Rep. Filemon Vela, D-Texas, sponsored an amendment, which was approved, to HR-2626 that requires Customs and Border Protection to provide a report on facial recognition data collected and how it's used to ensure privacy remains at the forefront. Rep. Nanette Diaz Barragan, D-Calif., sponsored an amendment, which was approved, requiring that social media screening of visa applicants be undertaken only for individuals considered high risk, and not be based on their residency and citizenship alone. The committee also approved HR-3202, sponsored by Rep. Sheila Jackson-Lee, D-Texas, which would require the DHS secretary to provide a report on the policies and procedures developed for coordinating cyber vulnerability disclosures and instances in which they were used to reveal such vulnerabilities by industry and other stakeholders.
Nevada Gov. Brian Sandoval (R) announced a National Governors Association initiative on tech innovation in energy and transportation, including on cybersecurity and communications and data systems, NGA said in a Tuesday news release. The recently named NGA chairman said the yearlong program “will examine how governors and those we govern can stay one step ahead in our rapidly changing world and how we can better prepare for the ongoing technological transformation of the economy.”
The FTC started providing hypothetical examples of security practices based on closed investigations to help businesses improve, said a Friday news release. Through its "Stick with Security" effort, the agency will blog every Friday about lessons learned. The agency has held workshops and issued a guide to help businesses with security (see 1606150016).
AlphaBay and Hansa, two of the top three dark web criminal marketplaces trading more than 350,000 commodities such as drugs, firearms and malware combined, were shut down by two major law enforcement operations led by the FBI, the Drug Enforcement Administration and the Dutch National Police, Europol, which supported the operations, said in a Thursday news release. AlphaBay, which had more than 200,000 users and 40,000 vendors, is considered the largest illegal online market with 100,000-plus listings for stolen and fraudulent identity documents and access devices, malware and computer hacking tools and other illicit services and goods, the release said. The FBI and DEA shut down the site July 7 and arrested its creator and administrator, a Canadian citizen living in Thailand, the release said. No. 3-ranked Hansa was taken over June 20 by Dutch police, who covertly monitored criminal activities until the site was closed Thursday, Europol said. About "10,000 foreign addresses" of buyers were passed on to Europol, it added.
The FTC will host roundtables with small business owners on cybersecurity across the country. In a Thursday news release, the agency said the first event will be held Tuesday in Portland, Oregon, in partnership with the National Cyber Security Alliance, the Small Business Administration and others. That will be followed by a Sept. 6 discussion in Cleveland and another that month in Des Moines, Iowa, the FTC added. The discussions are part of FTC acting Chairman Maureen Ohlhausen's initiative, which includes a website, to help small businesses protect themselves from cyberattacks and avoid scams. The SBA estimates there are 28 million small businesses employing nearly 57 million people, the release said.
WannaCry and other recent cyberattacks affected how 60 percent of companies protect themselves, said a Neustar-commissioned survey of 290 security executives in 11 countries. Senior Vice President Rodney Joffe said in a Wednesday news release that while a majority acknowledges the problem exists, there's "a disconnect between the concern of attacks and companies actually taking action." The survey, completed in May and conducted by Harris Interactive, found 28 percent ranked ransomware as "most concerning," while 21 percent said it was "system compromise." Forty-four percent said they're focused on addressing both ransomware (see 1705180032 and 1707060041) and distributed denial-of-service attacks, the release said.
Participants in an NTIA multistakeholder initiative to address IoT device security upgrades agreed to a final draft document that recommends what information manufacturers and vendors should convey to consumers before they buy a product. During a Tuesday virtual meeting, the group reached "consensus" on the draft, which recommended elements companies should consider in informing buyers about whether devices receive security updates; whether they're done automatically, by a user or professionally; and how long a device would receive such support. The draft talks about how a user should be notified about updates and what happens after a device is no longer supported. Harley Geiger, Rapid7 director-public policy, said that this document could become part of a larger government effort to deal with botnets and automated threats. He said the working group hasn't thought about a strategy for promoting adoption of the document but said it would be good to see it "in the wild" with some companies using it. The document was drafted by a working group in the NTIA-driven process, which has met three times since October. NTIA plans a Sept. 12 meeting in Washington to possibly reach consensus on other drafts presented by working groups on a catalog of existing IoT security documentation; technical capabilities of providing upgrades; and incentives for companies to provide updates.
Consumers should be aware of internet-connected toys and other entertainment devices that could pose a cybersecurity and privacy risk to their children, said an FBI public service announcement issued Monday. The PSA provides reasons why parents should be concerned, what makes some toys vulnerable and the laws to protect families. The FBI encourages parents to better research a connected toy's security measures, updates it may need and where their child's data is being stored and with whom. They should monitor their children's activities with the toys such as making voice recordings, use strong and unique passwords, and provide a minimal amount of data for user accounts, the agency said, adding consumers should read disclosures and privacy policies regarding notifications of problems. Privacy groups and some lawmakers, like Sen. Mark Warner, D-Va., in recent months have sounded an alarm on such interactive toys (see 1705220057, 1704260007 and 1703220045).
Public Knowledge is asking the FCC to investigate the exposure of millions of Verizon customer records in a cloud server, discovered last month by a security researcher. PK Policy Fellow Yosef Getachew said Verizon failed to protect its customers' privacy, and also to notify them of the exposure. "The FCC is well within its authority to investigate Verizon’s data security breach and take appropriate enforcement action," he said. Neither the FCC nor a Verizon spokesman Thursday commented on PK's request for a probe. The Verizon spokesman said the investigation is ongoing and the company is working with the vendor "to make sure this never happens again." In a Wednesday news release, the telco said records of 6 million unique customers -- not 14 million as cybersecurity firm UpGuard initially blogged -- were exposed. "The overwhelming majority of information ... had no external value" and no Social Security numbers or Verizon voice recordings were exposed, said Verizon. There was "no loss or theft" of customer data, it added. UpGuard blogged Wednesday that its researcher Chris Vickery discovered the breach June 8 of the cloud server owned by Israel-based Nice Systems.
Arris launched a cable modem gateway with McAfee internet security protection exclusively through Best Buy, it said Wednesday. The device is designed to “move the security burden” off individual connected devices and onto the home gateway for “easier and better protection,” said Arris. The $199 SBG7580-AC includes a DOCSIS 3.0 modem, 802.11ac Wi-Fi router and four-port gigabit Ethernet hub. The device has parental controls and comes with three years of internet security protection by McAfee, Arris said.