The FCC Communications Security, Reliability and Interoperability Council meets Dec. 3, the agency said in Friday’s Federal Register. The meeting will be CSRIC’s third as part of its fifth charter. CSRIC working groups are examining the emergency alert system, emergency alerting platforms, evolving 911 services and security by design (see 1509210049). The FCC failed to publish the CSRIC meeting notice within the 15-day threshold but said it couldn’t find an acceptable alternate date for the meeting because “a significant number of CSRIC members have made business and travel plans to attend” the Dec. 3 meeting and there's no other date within one month of Dec. 3 “that will accommodate CSRIC members’ schedules.” Delaying the CSRIC meeting “will also cause undue financial burdens on many of the CSRIC members who have made travel arrangements,” the FCC said. CSRIC’s meeting is set to begin at 1 p.m. in the Commission Meeting Room at FCC headquarters.
The Department of Homeland Security managed to strengthen its cybersecurity capabilities over the course of FY 2015 but failed to comply with multiple important information security requirements, said DHS’ Office of Inspector General in a report released Thursday. “Without addressing these deficiencies, the Department cannot ensure that its systems are properly secured to protect sensitive information stored and processed in them,” said the OIG. In particular, DHS failed to “include its classified system information as part of its information security scorecard” or as part of its Federal Information Security Modernization Act (FISMA) compliance submissions to the Office of Management and Budget, the OIG said. Some DHS agencies and offices “did not maintain their information security programs on a year-round, continuous basis” and the department’s enterprise management systems “lacked input validation controls to ensure accurate data was entered into the system,” the OIG said. DHS agreed with most recommendations from the OIG but said it didn’t concur with a recommendation that DHS strengthen its FISMA reporting process to ensure its classified system data was included on its FISMA compliance submissions to OMB. FISMA compliance reporting requirements for FY 2015 “do not require the submission of agency classified system data,” with a separate scorecard being used to report that information in case such scorecards need to be made classified documents, DHS said.
The Department of Homeland Security and other sector-specific agencies (SSAs) “are acting to address sector cyber risk, but additional monitoring actions could enhance their respective sectors’ cybersecurity posture,” said a GAO report. Only three departments -- Defense, Energy and Health and Human Services -- have “established performance metrics” that effectively measure progress, GAO said Thursday. DHS, which is the SSA for the communications sector and eight other critical infrastructure sectors, hasn’t developed performance metrics for any of its sectors, “although according to agency officials, such efforts are under way,” GAO said. DHS officials have said they’ve proposed performance metrics for the communications and information technology sector that should be implemented through 2018. DHS also collaborated in cross-sector cybersecurity work, including via the FCC Communications Security, Reliability and Interoperability Council, GAO said.
The ACLU said it filed a lawsuit Tuesday against the Department of Justice to “uncover” what a conferenced cybersecurity information sharing bill “will actually authorize” under DOJ interpretation of the bill. The House and Senate are in the process of conferencing the House-passed Protecting Cyber Networks Act (HR-1560) and the Senate-passed Cybersecurity Information Sharing Act (S-754). The ACLU’s lawsuit, filed in U.S. District Court in the Southern District of New York, seeks “timely disclosure” under the Freedom of Information Act of a 2003 legal opinion from Justice’s Office of Legal Counsel (OLC) interpreting “common commercial service agreements.” The ACLU said it’s concerned the opinion could result in a dangerous interpretation of a conferenced information sharing bill. Although the ACLU, other privacy groups and tech sector stakeholders opposed S-754 in the lead-up to that bill’s passage in October (see 1510280057), its controversial provisions “may pale in comparison to what the bill allows when read in conjunction” with the OLC opinion, the ACLU said in a blog post. “Before our lawmakers expand the government’s surveillance authority under the guise of cybersecurity legislation, shouldn’t we -- and the legislators themselves -- know what the real consequences will be?” DOJ didn't immediately comment.
ViaSat unveiled an Ethernet 100 Gbps encryption device, debuting at the SC15 supercomputing conference this week in Austin. In a news release Monday, ViaSat said the SEC line of products features multiple bandwidth profiles and low latency.
Securus Technologies said it's contacting law enforcement authorities about media reports that inmate calling records were leaked online. In a statement Friday, the inmate calling service provider said it has "seen no evidence that records were shared as a result of a technology breach or hack into our systems." Instead, it said, the preliminary evidence "suggests that an individual or individuals with authorized access to a limited set of records may have used that access to inappropriately share those records." Securus said it will support law enforcement in prosecution of individuals found to have illegally shared information. "Data security is critically important to the law enforcement and criminal justice organizations that we serve, and we implement extensive measures to help ensure that all data is protected from both digital and physical breaches," Securus said. "It is very important to note that we have found absolutely no evidence of attorney-client calls that were recorded without the knowledge and consent of those parties. Our calling systems include multiple safeguards to prevent this from occurring. Attorneys are able to register their numbers to exempt them from the recording that is standard for other inmate calls. Those attorneys who did not register their numbers would also hear a warning about recording prior to the beginning of each call, requiring active acceptance." The Intercept Wednesday ran a story headlined "Not So Securus: Massive Hack of 70 Million Phone Calls Indicates Violations of Attorney-Client Privilege."
NTIA’s Dec. 2 meeting of its vulnerability research disclosure multistakeholder process will focus on trying to make more progress in areas stakeholders identified during the process’ late September meeting -- awareness and adoption, multiparty disclosure, economic incentives and disclosure safety -- said NTIA Director-Cybersecurity Initiatives Allen Friedman in an email Thursday. Most attending NTIA’s September vulnerability research multistakeholder meeting urged NTIA to focus on incentivizing responsible vulnerability research practices over developing new best practices (see 1509290061). NTIA’s Dec. 2 meeting, at the 20 F Street NW Conference Center, will review drafts developed at the September meeting, Friedman said. The meeting also will be an “opportunity to break out into working groups to plan out specific focused steps, and discuss as a whole community the broad agenda and milestones for the next few meetings,” Friedman said. The Dec. 2 meeting is to run 10:30 a.m.-4:30 p.m. A mid-January meeting will also be in D.C., while a late February meeting in the San Francisco Bay Area will “be timed around” the Feb. 29-March 4 RSA cybersecurity conference, Friedman said.
Deputy Secretary of Homeland Security Alejandro Mayorkas will meet with senior Chinese government officials in Beijing Nov. 12-13 to “advance implementation” of the U.S.-China bilateral agreement signed in September, a DHS spokeswoman said in a statement Monday. The bilateral agreement, announced during Chinese President Xi Jinping’s visit to the U.S., would prohibit both the U.S. and Chinese governments from doing or “knowingly” supporting IP theft, including of trade secrets (see 1509250059). Mayorkas will also discuss preparations for an initial ministerial-level U.S.-China dialogue set for Dec. 1-2 in Washington, DHS said.
The National Institute of Standards and Technology's National Cybersecurity Center of Excellence (NCCOE) sought comment Wednesday on its draft cybersecurity practice guide for mobile device security. The draft guide notes how existing technologies can help companies improve security of sensitive data stored on employee-used mobile devices. The guide includes a “typical” IT scenario that “shows organizations how to configure a device so that it can be trusted, as well as how to remove the device from systems” if it's stolen or lost, or when an employee leaves a company, NIST said. The guide also includes instructions for installing and integrating security solutions into existing IT infrastructure. “Mobile devices extend or eliminate the notion of traditional organization boundaries, posing challenges that nearly all businesses regardless of sector or organization size” face, said NCCOE Deputy Director Nate Lesser in a news release. Comments on the draft guide are due Jan. 8, NIST said.
Akamai Technologies said it bought Secure Web Gateway provider Bloxx in an all-cash transaction. Bloxx’s technology will “complement Akamai's cloud security strategy for protecting businesses against Internet vulnerabilities,” Akamai said in a Monday news release. It said the deal will allow Akamai to “extend its portfolio of cloud-based security services to focus on the enterprise” and “go beyond traditional blacklisting by providing real-time risk assessment and enabling customers to specify the actions Akamai will take based on the detected threat level.”