More than one-third of surveyed entities that experienced a cyber breach in 2016 reported revenue losses of more than 20 percent, Cisco reported. More than 50 percent of organizations that experienced a data breach faced public scrutiny as a result, it said Tuesday. Cisco said it surveyed almost 3,000 organizations' chief security officers and security operations leaders. Ninety percent of surveyed organizations that reported significant losses due to breaches said they're now improving their cyberthreat defenses, technologies and processes, including security awareness training for employees and implementing cyber risk mitigation techniques. Cisco found that organizations investigated only 56 percent of security alerts and remediated less than half of the legitimate alerts. “In 2017, cyber is business, and business is cyber -- that requires a different conversation, and very different outcomes,” said Chief Security and Trust Officer John Stewart in a news release. “Relentless improvement is required and that should be measured via efficacy, cost, and well managed risk.”
The Competitive Carriers Association joined the Communications Information Sharing and Analysis Center. ISAC, through a partnership with the Department of Homeland Security and the National Coordination Center for Communications, “is a critical collaboration between government and industry stakeholders to monitor and prevent harm to America’s telecommunications infrastructure,” CCA said in a Monday news release. “The Communications ISAC operates as a hub for telecommunications industry participants to share and analyze information on network vulnerabilities, intrusions, and other threats.” CCA President Steve Berry said he looked forward to “facilitating greater CCA member integration with the Communications ISAC, particularly with our small carrier members.” CCA members “have invested a great deal constructing broadband networks that serve rural and underserved populations, and like larger carriers, strive to offer their customers the most resilient and secure networks possible -- from both a physical and cyber perspective,” he said.
The FCC should allow the Department of Homeland Security to be the lead agency on cybersecurity, said Shane Tews, visiting fellow at the American Enterprise Institute’s Center for Internet, Communications and Technology Policy, in a Thursday blog post. The FCC Public Safety Bureau issued a white paper last week, before former Chairman Tom Wheeler's resignation, saying the commission can’t rely on organic market incentives alone to reduce cyber risk within the communications sector. The federal government needs to assert “appropriate” regulatory oversight over ISPs’ cybersecurity practices in the absence of clear market incentives to drive improvements, the white paper said (see 1701180082). Tews and others said they don't believe new FCC Chairman Ajit Pai will consider making the paper's proposals commission policy (see 1701250077). Congress would do well to instead consider House Homeland Security Committee Chairman Michael McCaul's, R-Texas, planned DHS Reform and Improvement Act as the “best way for the government to facilitate information sharing in this way,” Tews said. McCaul said this month he planned to soon reintroduce the bill, which would reorganize DHS' National Protection and Programs Directorate as the Cybersecurity and Infrastructure Protection Agency in a bid to elevate DHS' cybersecurity focus (see 1701050073). Pai has said other agencies have better legal standing and expertise to handle cybersecurity issues than the FCC, and the commission should only be a consulting agency, Tews said. “Establishing a systematic, reliable reporting process and a trusted repository for information-sharing across industries and the government would be a step in the right direction,” she said. “Now is the time to embrace the importance of the internet for our digital economy and to acknowledge the risks that come with the rewards.”
Sens. Cory Gardner, R-Colo., and Chris Coons, D-Del., filed legislation Wednesday to create the Senate Select Committee on Cybersecurity, as expected (see 1612200044) after they previewed the legislation last week (see 1701190036). The Senate resolution would establish the proposed cybersecurity committee to focus on both the U.S.’ data breach prevention strategy and cyber activities. The cybersecurity committee would have 21 members, including the leaders of the Senate Appropriations, Armed Services, Banking, Commerce, Foreign Relations, Homeland Security, Intelligence and Judiciary committees, the resolution said. The committee would also include five members from the Senate at large, three from the majority party and two from the minority party. “Cybersecurity policy is one of the most complex and significant challenges facing Congress, yet the Senate’s structure to investigate and address cyber issues is diffuse and inadequate,” Gardner said in a news release. “This has led to an uncoordinated policy response to recent cyber attacks on government agencies, businesses, and infrastructure.” Gardner said the proposed committee “is essential to investigating emerging cyber risks and bolstering our defenses against them through legislative solutions, and I’m hopeful that my colleagues recognize that a centralized structure is the best path forward to effectively tackle the cyber challenge.” Senate Minority Leader Chuck Schumer, D-N.Y., Senate Armed Services Committee Chairman John McCain, R-Ariz., and two other senators called last month for a unified Senate cybersecurity committee in part to investigate Russia-led hacks aimed at influencing the 2016 presidential election (see 1612190061).
Consumers 18-35 are more concerned about their personally identifiable information (PII) than those 36-50, IDC reported Tuesday. Overall, 84 percent of U.S. consumers surveyed expressed concern about their PII security, and 70 percent said they're more concerned than a few years ago. Growing sensitivity to data exposure has consumers “on the verge of making serious changes in their behavior,” said IDC. As technology becomes more integrated in people’s lives, and businesses and governments leverage data to provide services or sell products, individuals can feel “overly connected and may yearn for greater anonymity,” said analyst Sean Pike. “Consumers can exact punishment for data breaches or mishandled data by changing buyer behavior or shifting loyalty.” Executives need to understand the risk their organizations assume when collecting consumer PII, “but also the potential security and compliance solutions available to help manage the collection, processing, and use of sensitive data,” he said.
Since the EU high court rejected the old safe harbor trans-Atlantic data sharing framework in October 2015, corporate legal concerns over cross-border data transfers have spiked, said BDO Consulting in a Thursday news release outlining its third annual e-discovery survey of more than 100 senior in-house counsel at "leading" U.S. firms. Sixty percent of corporate counsel -- up 9 percentage points from Q4 2015 -- said "their biggest challenge in cross-border e-discovery comes from numerous -- and often conflicting -- international privacy and security laws." That worry topped other issues including access to data, communication barriers and coordination with local resources. While BDO said safe harbor's successor, the EU-US Privacy Shield, harmonizes some privacy protections, individual country requirements still vary (see 1602290003). The general data protection regulation (GDPR) also provides more clarity on data protections, but also increases the EU's privacy scope and enforceability (see 1604140021), it said. BDO said 74 percent of respondents ranked data breaches as a top data-related legal risk, with 68 percent saying the legal department is more involved with cybersecurity now than a year ago. Mobile data management and under- or over-preservation of data also were listed as top legal risks. The company said independent research firm ALM conducted the survey but didn't indicate when.
Regulatory oversight is a critical part of reducing cyber risk on telecom networks, the FCC Public Safety Bureau said Wednesday. “As the end-to-end Internet user experience continues to expand and diversify, the Commission's ability to reduce cyber risk for individuals and businesses will continue to be taxed,” the bureau said in a white paper. “But shifting this risk oversight responsibility to a non-regulatory body would not be good policy. It would be resource intensive and ultimately drive dramatic federal costs and still most certainly fail to address the risk for over 30,000 communications service providers and their vendor base.” The FCC can’t rely on organic market incentives alone to reduce cyber risk, it said. “As private actors, ISPs operate in economic environments that pressure against investments that do not directly contribute to profit. Protective actions taken by one ISP can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to invest in such protections. Cyber-accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively.” FCC Chairman Tom Wheeler, who steps down Friday, mailed the cybersecurity white paper to Sen. Mark Warner, D-Va. “This whitepaper outlines risk reduction activity engaged in by the Commission during my tenure and suggests actions that would continue to affirmatively reduce cyber risk in a manner that benefits from and incents further competition, protects consumers, and addresses significant national security vulnerabilities,” Wheeler wrote. Earlier, Wheeler was seen as backing off more ambitious cybersecurity plans (see 1611300063).
Hacker Guccifer 2.0 pushed back against U.S. intelligence agencies' assessment that the hacker executed the Russia-backed breaches of IT systems associated with the Democratic National Committee and the campaign of former Democratic presidential nominee Hillary Clinton aimed at influencing the outcome of the 2016 presidential election. “These accusations are unfounded,” Guccifer 2.0 said in a Thursday blog post. “I have totally no relation to the Russian government.” An unclassified version of the U.S. intelligence agencies' report on the Russia-led hacks, released last week (see 1701060060), is a “crude fake” that “doesn't stand up to scrutiny,” Guccifer 2.0 said. “It’s obvious that the intelligence agencies are deliberately falsifying evidence. ... They’re playing into the hands of the Democrats who are trying to blame foreign actors for their failure.” Guccifer 2.0 suggested “we'll see more fakes” from President Barack Obama's administration before President-elect Donald Trump is inaugurated Friday. Trump now believes Russia ordered the election-related hacks. Several cabinet nominees echoed Trump in backing the intelligence report (see 1701110051).
U.S. cybersecurity offense "is way ahead of our defense," Rudy Giuliani said Thursday in a conference call after the incoming Donald Trump administration announced that it would consult with the former New York City mayor on cybersecurity issues and that Giuliani would chair a committee on cybersecurity developments involving company heads. That committee also will hold a number of meetings with President-elect Donald Trump about cybersecurity, said a Trump transition team release. "It's kind of like cancer in the sense there are so many different things being done to cure cancer, you almost feel like if you could put all the people together in the same room, maybe we could cure it," Giuliani said, saying "a perfect defense" to cybersecurity threats is unlikely and improvement is the aim. The Trump transition team said the meetings are to get "experiential and anecdotal information" from the executives about cybersecurity issues and how they were handled. The Trump team also said it's not seeking consensus advice or recommendations. Giuliani is Greenberg Traurig chairman-global cybersecurity, and chairman-CEO of security consulting firm Giuliani Partners.
Mozilla faulted the Senate Judiciary Committee Wednesday for not including a broader discussion of cybersecurity issues during Attorney General nominee Jeff Sessions’ confirmation hearings. Sessions committed during a hearing Tuesday to follow the USA Freedom Act, which restricts NSA from the bulk collection of Americans' phone records, despite his voting against the bill in 2015 (see 1701090038). Surveillance continued to occasionally emerge as an issue during Sessions' hearing Wednesday (see 1701110069). Senate Judiciary almost exclusively mentioned cybersecurity in the context of government-sponsored cyberattacks like Russia’s hacking of IT systems associated with the Democratic National Committee and the campaign of former Democratic presidential nominee Hillary Clinton, said Mozilla Chief Legal and Business Officer Denelle Dixon-Thayer in a blog post. “Discussion about robust cybersecurity for everyday Internet users -- through practices like strong encryption -- was largely absent,” she said. “It would have been helpful if the Senate asked Sessions to clarify his position, and even better if they asked him to clarify that privacy and security are important for all Americans and a healthy Internet.”