Senate Homeland Security Committee leaders pressed the Office of Management and Budget Wednesday for an update on OMB work to revise its policy on IT management and federal government cybersecurity. The 2014 Federal Information Security Modernization Act required OMB to update its guidelines to “eliminate inefficient or wasteful reporting” procedures. The bill also required OMB to provide quarterly updates to Congress on its implementation of those updates (see 1412110073). OMB has opened its proposed revisions for public comment. “We appreciate OMB's work” to update the guidelines “but also emphasize the importance of completing this revision in a timely manner,” said Senate Homeland Security Chairman Ron Johnson, R-Wis., and ranking member Tom Carper, D-Del., in a letter to OMB Director Shaun Donovan. The committee leaders asked Donovan to provide them with a timeline for OMB's completion of its revisions and asked OMB to regularly brief the senators' staffs on the revisions process.
Global spending on IoT security will reach $348 million in 2016, a 24 percent increase from 2015, and is expected to reach $547 million in 2018, Gartner said in a Monday report. Though IoT security spending will be “moderate” at the outset, it will increase “at a faster rate after 2020, as improved skills, organizational change and more scalable service options improve execution,” said the research firm. “The market for IoT security products is currently small but it is growing as both consumers and businesses start using connected devices in ever greater numbers.” The firm forecasts 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 11.4 billion by 2018. “However, considerable variation exists among different industry sectors as a result of different levels of prioritization and security awareness,” it said. Gartner predicts by 2020 more than 25 percent of identified attacks in enterprises will involve IoT, but IoT will be less than 10 percent of IT security budgets, it said. “Security vendors will be challenged to provide usable IoT security features because of the limited assigned budgets for IoT and the decentralized approach to early IoT implementations in organizations. Vendors will focus too much on spotting vulnerabilities and exploits, rather than segmentation and other long-term means that better protect IoT.”
Federal transportation regulators need to define and document the government's role and responsibilities in addressing cyberattacks on vehicles, especially as autonomous and connected-vehicle technologies are deployed, GAO said in a Monday report. It said the National Highway Traffic Safety Administration is investing more in cybersecurity research and is soon expected to release industry guidance to help decide when vulnerabilities should be considered safety defects that justify recalls. NHTSA also is examining the need for cybersecurity standards and regulations, but such guidance won't be available for at least another two years, GAO said. Until NHTSA develops a plan defining its role, "the agency's response efforts could be slowed as agency staff may not be able to quickly identify the appropriate actions to take," GAO said. The report also said several industry-led efforts are underway to help automakers and parts suppliers mitigate cybersecurity vulnerabilities, increase threat and vulnerability information sharing among companies, and deploy better technologies such as message encryption and authentication.
The European Broadcasting Union (EBU) released recommended cybersecurity requirements for broadcast systems, software and services. In a statement Wednesday accompanying the set of recommendations, Andreas Schneider, chairman of the EBU Strategic Programme on Media Cybersecurity, which put together the guidelines, said between "the provision of Internet-based services and the convergence of traditional broadcast and information technology, the risk of cyber attacks targeting media companies is now -- more than ever before -- a real threat." Recommendations -- EBU R143 -- take into account guidelines from different European national security agencies and contributions from a French-language broadcasters' cybersecurity group chaired by TV5, EBU said. Recommendations include application of security safeguards in planning and designing systems, declarations by potential vendors that they can meet those safeguards, and assistance to broadcasters in defining minimal vendor system acceptance levels.
The FCC Task Force on Optimal Public Safety Answering Point Architecture will start phase II of its work during a May 6 meeting at the FCC, said a notice in Wednesday's Federal Register. “The Task Force will hear overview presentations of 2016 tasks from the Task Force’s three working groups; specifically Working Group 1 -- Optimal Approach to Cybersecurity, Working Group 2 -- Optimal Approach to NG911 Architecture Implementation, and Working Group 3 -- Optimal Approach to NG911 Resource Allocation.” The group completed a report last year, which it formally approved Jan. 29 (see 1601290051). FCC Chairman Tom Wheeler said at the Jan. 29 meeting that he would make advocacy of more funding for next-generation 911 his top priority every time he appears before Congress in his remaining time as chairman. The meeting starts at 1 p.m. EDT in the Commission Meeting Room.
CBS Sports Digital fixed a vulnerability related to Android and iOS versions of its app that transferred users' names, email addresses, account passwords, birth dates and ZIP codes over an insecure connection, after a mobile security firm discovered the problem, a company spokeswoman said Tuesday. She said a vulnerability on the CBS Sports mobile website that transmitted users' email/user ID and passwords in clear text rather than being encrypted also was fixed. "There was no data breach on either the CBS Sports app or mobile site," the company emailed. "Our internal teams are rigorous about monitoring our platforms for any potential security issues. We take issue with outside companies publicizing the security operations of other firms for their own purposes rather than user protection." Mobile security company Wandera said in a threat advisory that it had discovered the vulnerabilities, which potentially exposed personally identifiable information when users signed up for an account. It said the CBS Sports app is one of the most popular sources for sports news. "Our researchers have identified that a significant amount of personal data is collected during the account registration process, and all these details are sent in clear text over an unencrypted connection to the app's backend services," the advisory said. Neither company said when the vulnerabilities were discovered or fixed.
5G Americas members have a commercial interest in ensuring the security of their services and products as 5G services are deployed, said Chris Pearson, president of 5G Americas, in meetings with FCC officials. “5G standards are in the very early stages of development,” the group said in a filing in docket 14-177. “5G Americas agreed with the Commission that support for security must be a fundamental component in the design of any new network architecture and protocols developed for mobile wireless services in all generations of mobile broadband technologies including when using millimeter wave spectrum for 5G.” The group said security has been a design component in third and fourth generations of mobile broadband technologies. “5G Americas appreciates the Commission’s concern that as new wireless applications are used by vertical sectors such as smart grids, telemedicine, industrial control, public safety, and automotive, those sectors will have strict security requirements that are mission critical,” the group said. 5G Americas noted that because of these requirements, a number of standards development organizations and industry bodies are developing security features specific to each sector. Representatives of AT&T, Cisco, Intel, Qualcomm, Sprint and T-Mobile USA also participated in the meetings, the filing said. They met with staff from the Public Safety and Wireless bureaus and the Office of Engineering and Technology.
NAB will increase security at next week's NAB Show, it said in a news release Friday. NAB is “increasing security and law enforcement personnel around the exterior perimeter of the Las Vegas Convention Center and will establish designated building entry and exit points” for the April 16-21 event, though the release said “there are no known threats to the convention.” An NAB spokesman said the extra security is appropriate “in light of recent incidences, both domestic and global.” The association had said it was considering extra security after the March 22 attacks on Brussels (see 1603220043). The convention security will work “in close consultation” with the Las Vegas Metropolitan Police, Department of Homeland Security, FBI and the Las Vegas Convention Center, the release said. The extra security measures announced for the NAB Show seem less sweeping than those at CES in January, which imposed bag restrictions, stadium-style bag searches and the use of metal detectors and pat-downs at the show's various entrances after the Nov. 13 Paris attacks (see 1512180053).
FTC will host a one-day conference June 15 in Chicago to help companies, especially startups and small- and medium-sized ones, get a leg up on securing their products, services and networks, the commission said in a news release Thursday. It's the FTC's fourth such Start with Security event, with other workshops hosted in Austin, San Francisco and Seattle (see 1602090057). Commissioner Maureen Ohlhausen will open the event, which is co-sponsored by the Northwestern Pritzker School of Law. No agenda was released.
Thirty-seven percent of U.S. businesses lack confidence that their third-party vendors would inform them if a data breach involving sensitive information occurred, said a Ponemon Institute Web-based survey commissioned by law firm BuckleySandler and Treliant Risk Advisors. Ponemon surveyed 598 people in various industries at companies that had a vendor data risk management program. "The study reveals the difficulty companies have in mitigating, detecting and minimizing risks associated with third parties that have access to their sensitive or confidential information," the survey said. It found that 73 percent of respondents didn't believe indirect service providers or subcontractors hired by a third-party vendor would notify companies of a data breach. "The risk to strategic data assets extends beyond any single third-party but rather to the web of relationships that comprise the data ecosystem," BuckleySandler Managing Director Rena Mears said in a Monday news release. Companies worry about the data safeguards, security policies and procedures implemented by third parties, but the survey said that companies "rarely" review vendor management policies and programs involving data risk. "Companies should compile a comprehensive inventory of and conduct data and privacy risk assessments for all third-party vendors; however, we found that few companies represented in this research, in particular those outside the regulated banking sector, have done so," Treliant Chief Business Officer Susanna Tisa said.