In a Friday public notice, the FCC released the final report of its Task Force on Optimal Public Safety Answering Point Architecture, which the group approved Jan. 29 (see 1601290051). The report combines three working group reports, on PSAP funding, cybersecurity and optimal PSAP architecture, that were largely completed last year (see 1512100043). The task force has another year to run. FCC Chairman Tom Wheeler said at the Jan. 29 task force meeting that he will make advocacy of more funding for next-generation 911 his top priority every time he appears before Congress in his remaining time as chairman. The FCC said it plans another notice on the work it will ask the group to do this year.
The National Institute of Standards and Technology’s Cybersecurity Framework has gained significant support among U.S. firms since its release two years ago, NIST said Thursday. Tech research firm Gartner estimated 30 percent of U.S. organizations now use the NIST framework and about 50 percent of companies will use the framework by 2020, NIST said. The framework is “a merger of business sense and cyber-logic,” said NIST Computer Security Division Program Manager-Security Research and Integration Group Matt Barrett in a news release. NIST is collecting comment on the NIST framework through Feb. 23. Comments NIST has received thus far indicate that there isn’t major demand for a full update of the Cybersecurity Framework (see 1602180068).
President Barack Obama selected the leaders of the Commission on Enhancing National Cybersecurity (CENC) Wednesday, announcing former National Security Adviser Tom Donilon as the commission’s chairman and former IBM CEO Sam Palmisano as vice chairman. Obama formed CENC last week as part of the White House’s Cybersecurity National Action Plan, which industry lawyers and lobbyists have viewed as an ambitious capstone to the Obama administration’s cybersecurity legacy. CENC is required to make recommendations by Dec. 1 on strengthening private sector and public sector cybersecurity (see 1602090068). Donilon "understands government and national security issues" and Palmisano "understands the intimacies of computing, of the digital world, the economic aspects of this," making them the "two of the best possible people to chair" CENC, Obama said, according to a White House transcript. "We're confident that this is going to be the kind of product that is of great importance to everybody. And this is not an ideological issue that should divide Washington along party lines. This is something that everybody has got an interest in getting right." Secretary of Commerce Penny Pritzker and Secretary of Homeland Security Jeh Johnson will also be “working very closely” with CENC, Obama said.
A Pakistani citizen admitted to laundering more than $19.6 million in proceeds from an international telecom fraud scheme in which foreign-based hackers hijacked private branch exchange (PBX) systems that ran the internal phone networks of businesses and other organizations in the U.S. Muhammad Sohail Qasmani, 47, pleaded guilty to one count of conspiracy to commit wire fraud, the FBI said in a Thursday news release. It said the hackers placed calls into an organization's phone system to identify unused extensions, then illegally reprogrammed the system so those extensions could place unlimited long-distance calls that were billed back to the victimized organization. Qasmani, who was arrested in December 2014 at Los Angeles International Airport, faces up to 20 years in prison and a $250,000 fine. The agency identified the scheme's mastermind as Noor Aziz, 53, who's on the FBI's list of most wanted cybercriminals.
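The pattern the FBI describes (calls from extensions nobody was assigned, placed in bulk to long-distance destinations when no one is in the office) shows up plainly in a PBX's call detail records, which is where a victim usually discovers the fraud after the carrier bill arrives. The following is an added example, not code from the FBI release or the case; it assumes a hypothetical CSV-style CDR export with the four fields shown and a hypothetical list of provisioned extensions, both constructed inline.

```python
"""Toll-fraud triage over PBX call detail records (CDRs).

Added example, not from the FBI release or the case file. The CDR format
(timestamp, source extension, dialed number, duration in seconds) and the
list of provisioned extensions are assumptions constructed for this
illustration. The checks flag calls from unassigned extensions and bursts of
off-hours international calls per extension.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs: timestamp, source extension, dialed number, duration (s).
SAMPLE_CDRS = """\
2014-11-02T09:15:00,2101,+12125551234,180
2014-11-02T10:40:00,2102,+12125550987,95
2014-11-02T02:05:00,2177,+2347012345678,1800
2014-11-02T02:06:00,2177,+2347012345679,1790
2014-11-02T02:07:00,2177,+2347012345680,1805
2014-11-02T02:08:00,2177,+2347012345681,1810
2014-11-02T14:00:00,2103,+14155553210,300
2014-11-02T03:30:00,2180,+5395551111,900
"""

# Constructed: extensions the PBX administrator has actually assigned to staff.
PROVISIONED_EXTENSIONS = {"2101", "2102", "2103"}

HOME_COUNTRY_CODE = "+1"        # Caveat: +1 covers the whole NANP, not just the U.S.
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time
BURST_THRESHOLD = 3             # off-hours international calls per extension


def parse_cdrs(text):
    """Parse the constructed CSV export into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, number, dur = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "ext": ext,
            "number": number,
            "duration": int(dur),
        })
    return records


def is_international(number, home=HOME_COUNTRY_CODE):
    """Anything not dialed with the home country code is treated as international."""
    return not number.startswith(home)


def find_suspicious(records, provisioned):
    """Return calls from unprovisioned extensions and per-extension off-hours bursts."""
    unprovisioned = [r for r in records if r["ext"] not in provisioned]

    bursts = defaultdict(int)
    for r in records:
        off_hours = r["time"].hour not in BUSINESS_HOURS
        if off_hours and is_international(r["number"]):
            bursts[r["ext"]] += 1
    offhours_bursts = {ext: n for ext, n in bursts.items() if n >= BURST_THRESHOLD}

    return {"unprovisioned": unprovisioned, "offhours_bursts": offhours_bursts}


def estimated_exposure_minutes(records, provisioned):
    """Whole minutes of talk time billed to the victim from unassigned extensions."""
    return sum(r["duration"] for r in records if r["ext"] not in provisioned) // 60


if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDRS)
    report = find_suspicious(recs, PROVISIONED_EXTENSIONS)
    for r in report["unprovisioned"]:
        print(f"unassigned extension {r['ext']} dialed {r['number']} at {r['time']}")
    print("off-hours international bursts:", report["offhours_bursts"])
    print("exposure (minutes):", estimated_exposure_minutes(recs, PROVISIONED_EXTENSIONS))
```

The provisioned-extension check is the decisive one: an attacker who has reprogrammed a dormant extension produces calls the directory says should not exist. The burst check is a fallback for the case where the attacker instead hijacks a real extension, and its threshold should be tuned to the site; a global support desk legitimately places international calls at night.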
Cybersecurity Coordinator Michael Daniel defended the White House's Cybersecurity National Action Plan Thursday against criticism that CNAP was introduced too late in President Barack Obama's administration. He said CNAP “is really a capstone” of the work the administration has been doing on cybersecurity since Obama took office in 2009. Industry stakeholders praised introduction Tuesday of CNAP, saying it builds off Obama's 2013 and 2015 cybersecurity executive orders, the White House's cybersecurity legislative work and other efforts. Stakeholders also questioned whether the White House would see much of a result from the plan before Obama leaves office in January and whether Congress would be willing to sign off on the White House's proposal to bump up cybersecurity funding to $19 billion in FY 2017 (see 1602090068). “We're doubling” down via CNAP on many of the White House's past cybersecurity initiatives, including new work related to critical infrastructure cybersecurity, Daniel said during a New America event. The White House believes it will be able to receive “broad” support on Capitol Hill for its cyber budget proposal despite what are likely to be “robust and frank discussions with Congress” about the Obama administration's overall $4.1 trillion FY 2017 budget proposal, Daniel said. The newly created Commission on Enhancing National Cybersecurity (CENC), which will need to provide recommendations to the White House by the end of 2016 on ways to improve cybersecurity in the private sector and public sector, will be able to provide a “good distillation of the path forward” on cybersecurity, Daniel said. CENC is unlikely to generate “brand new ideas” on cybersecurity but will instead probably provide the White House with recommendations based on best practices from academia, businesses and tech experts, he said.
The global success of Netflix “has attracted the attention of attackers” in the form of malware and phishing email campaigns targeting Netflix users’ information, Lionel Payet, Symantec threat intelligence officer, said in a Thursday blog post. “The details are then added to a growing black market that claims to provide cheaper access to the service,” Payet said. Netflix subscriptions allow one to four users on the same account, he said, which means an attacker could use a phishing campaign to “piggyback on a user’s subscription without their knowledge.” “In these phishing campaigns, attackers redirect users to a fake Netflix website to trick users into providing their login credentials, personal information, and payment card details. These tactics are not uncommon; cybercriminals are still using them on a daily basis.” The bigger problem is that the attackers “may not just keep this access for themselves,” he said. “There is an underground economy targeting users who wish to access Netflix for free or a reduced price. The products could even allow customers to open their own illegal store.” The most common illicit offers are for access to existing Netflix accounts, Payet said. “These accounts either provide a month of viewing or give full access to the premium service. In most advertisements for these services, the seller asks the buyer not to change any information on the accounts, such as the password, as it may render them unusable. This is because a password change would alert the user who had their account stolen of the compromise.” For their own protection, Symantec “advises users to only download the Netflix application from official sources,” he said. “Additionally, users should not take advantage of services that appear to offer Netflix for free or a reduced price, as they may contain malicious files or steal data.” Netflix representatives didn’t comment.
Despite the greater risk of hacks posed by IoT deployments, more than seven in 10 corporate IT departments spend less than 20 percent of their time “securing the corporate network and data assets,” a Strategy Analytics survey found. The research firm canvassed 600 firms worldwide and found that 56 percent of respondents acknowledged their firms had experienced an IoT breach in the previous 12 months, while 39 percent said their networks didn't suffer any security breaches, it said. "The survey results are a huge wake-up call,” Strategy Analytics said. “IoT environments exponentially increase the size of the attack vector since companies have so many more devices, end points and applications to secure," it said. "IoT deployments can potentially be very risky business.” Other survey findings: (1) 44 percent of corporations that got hacked were unable to determine the source or the type of security attack or the duration of the breach, “which is alarming," Strategy Analytics said. (2) Only 7 percent of firms’ IT departments spend more than half their time on security. (3) 56 percent of respondents cited “end user carelessness” as the top security threat to their IoT networks, followed by 42 percent who cited “malware” as the biggest IoT security threat.
The Department of Homeland Security’s National Cybersecurity Protection System (NCPS) has "only partially" met its objectives of detecting, analyzing and preventing malicious activity on federal networks, the Government Accountability Office said Thursday in a report. NCPS gives DHS a “limited ability” to detect malicious activity by matching traffic against “signatures” of known malicious data patterns, but it doesn’t detect deviations from baseline network behavior, GAO said. NCPS also doesn’t monitor some types of network traffic, and the signatures it uses don’t address threats that exploit common security vulnerabilities, GAO said. NCPS’ analytical tools include a centralized platform for aggregating data and the capability to analyze the characteristics of malicious code, GAO said. NCPS’ capability to prevent intrusions onto federal networks is limited to the types of traffic it monitors, such as email; it can't yet address malicious content carried in Web traffic, though DHS plans to add that capability at some point this year, GAO said. DHS plans to further enhance its analytics capabilities by 2018, GAO said. DHS hasn’t developed most of the functionality of NCPS’ information sharing capability, and its current threat notifications have garnered mixed results, GAO said. The office recommended that DHS’ Office of Cybersecurity and Communications develop metrics for measuring NCPS’ effectiveness and “clearly defined requirements” for detecting threats on federal networks. GAO also recommended developing other enhancements to NCPS’ detection and prevention capabilities.
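The distinction GAO draws, between matching traffic against signatures of known-bad patterns and flagging departures from a host's normal behavior, is easiest to see side by side on the same traffic. The following is an added example, not NCPS code or GAO material: it runs both checks over constructed flow records and shows a high-volume transfer to a never-seen destination that no signature catches but a per-host baseline does. The indicator list, the flow records and the hosts are all assumptions constructed for this illustration, using RFC 5737 documentation address ranges.

```python
"""Signature matching versus baseline deviation over constructed flow records.

Added example, not NCPS code or GAO material. The known-bad network list,
the training and evaluation flows, and the host names are constructed for
this illustration; addresses come from RFC 5737 documentation ranges.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "signature" set: destination networks already known to be malicious.
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed training window: (src_host, dst_ip, bytes_out) during normal operation.
TRAINING_FLOWS = [
    ("ws-01", "198.51.100.10", 12_000), ("ws-01", "198.51.100.11", 15_000),
    ("ws-01", "198.51.100.12", 9_000),  ("ws-01", "198.51.100.10", 14_000),
    ("ws-02", "198.51.100.10", 40_000), ("ws-02", "198.51.100.20", 38_000),
    ("ws-02", "198.51.100.21", 45_000), ("ws-02", "198.51.100.10", 42_000),
]

# Constructed evaluation window.
EVAL_FLOWS = [
    ("ws-01", "203.0.113.7", 10_000),    # known-bad destination, ordinary volume
    ("ws-01", "192.0.2.55", 900_000),    # unknown destination, ~70x this host's mean
    ("ws-02", "198.51.100.10", 41_000),  # benign
]


def signature_match(dst_ip):
    """True when the destination falls inside any known-bad network."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in BAD_NETWORKS)


def build_baseline(flows):
    """Per-host (mean, population stdev) of bytes_out from the training window."""
    per_host = defaultdict(list)
    for src, _dst, nbytes in flows:
        per_host[src].append(nbytes)
    return {host: (mean(vals), pstdev(vals)) for host, vals in per_host.items()}


def baseline_deviation(baseline, src, nbytes, k=3.0):
    """Flag a flow whose volume exceeds mean + k*stdev for its source host.

    A host with no baseline is flagged: a silent sensor and a new host look
    identical here, and both deserve an analyst's eye. The stdev floor of 1
    byte avoids a zero threshold for hosts with perfectly uniform history.
    """
    if src not in baseline:
        return True
    mu, sigma = baseline[src]
    return nbytes > mu + k * max(sigma, 1.0)


def classify(flows, baseline):
    """Run both detectors over each flow and record what each one says."""
    return [
        {
            "src": src, "dst": dst, "bytes": nbytes,
            "signature": signature_match(dst),
            "baseline": baseline_deviation(baseline, src, nbytes),
        }
        for src, dst, nbytes in flows
    ]


def missed_by_signatures(results):
    """Flows the baseline detector flags that the signature detector does not."""
    return [r for r in results if r["baseline"] and not r["signature"]]


if __name__ == "__main__":
    bl = build_baseline(TRAINING_FLOWS)
    for r in classify(EVAL_FLOWS, bl):
        print(f"{r['src']} -> {r['dst']:15} {r['bytes']:>8} B  "
              f"signature={r['signature']!s:5} baseline={r['baseline']}")
```

The first evaluation flow is the case a signature-only system handles well; the second is the case it cannot, because nothing about the destination is known in advance. The trade-off runs the other way too: a baseline detector alone raises an alert for any unusual volume, including a legitimate backup, so the two are complements rather than substitutes, which is the gap GAO's recommendations are aimed at.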
GOP presidential candidate Ben Carson proposed creating a National Cyber Security Administration (NCSA) Monday as part of a campaign position paper on protecting U.S. interests online. “Just as we established the National Aeronautics and Space Administration to coordinate and focus the U.S. space program, we must create a national initiative to organize and streamline our efforts to secure America’s online presence,” Carson said. The NCSA wouldn’t be a “new federal bureaucracy” but “a consolidation and unification of the countless and often redundant programs, initiatives and offices which operate disjointedly throughout the government,” Carson said. “Such an agency must be kept separate from the military, but work with them when national security demands it. The NCSA will create a unity of purpose, not just across federal agencies, but in cooperation with ‘We the People.’ This will be America’s venue to bring together experts and lay persons towards a common goal of securing the country, from the individual user at home to the highest government official.” Other GOP presidential hopefuls previously released campaign proposals on cybersecurity. Jeb Bush’s proposal, released in September, emphasized the need for now-passed cybersecurity information sharing legislation and the end of information sequestration at the Department of Defense, NSA and other U.S. intelligence agencies. Bush also pushed for NTIA to retain its oversight of the Internet Assigned Numbers Authority rather than transitioning oversight to ICANN as proposed. Carly Fiorina pushed for a centralized command for protecting federal networks and systems in response to data breaches at the Office of Personnel Management.
FTC Commissioner Julie Brill will open the Feb. 9 "Start with Security" event in Seattle, with speakers from Belkin, DocuSign, Facebook, Intel, Microsoft and others, the commission said Thursday. The daylong event will have panels on how startups can build a culture of security within their organizations, integrate security testing and review into their development processes, make a business case for incorporating security, and address security in IoT products and services, said the agenda. It's part of the FTC's ongoing initiative to help companies, especially startups and early-stage businesses, build security into their products, services and culture. The commission held similar workshops in Austin (see 1511050042) and San Francisco (see 1509090045) last year.