Online news publication Re/code should destroy, not publish, any information it might have related to the Sony Pictures Entertainment data breach, said Sony lawyer David Boies, chairman of law firm Boies, Schiller, in a letter Sunday. Boies said SPE would hold Re/code responsible for “damages or loss” stemming from the publication of the breached data. Rep. Marsha Blackburn said earlier this month that the SPE breach is another reason to pass her Secure It Act (HR-1468) (see 1412080061).
The automotive industry doesn’t need to “reinvent security credentialing” or create an “isolated” automotive network as it moves forward on a vehicle-to-vehicle security credential management system (SCMS), CTIA said in comments filed Monday in response to a National Highway Traffic Safety Administration request for information. Many of the issues faced in that industry are similar to those raised by a “growing M2M [machine-to-machine] communications ecosystem that supports the Internet of Things,” CTIA said. “M2M communications systems are faced with the same challenges to establish secure lines of communications and authenticate devices. Creating a separate, isolated network dedicated to automotive vehicles and associated infrastructure would likely result in dis-economies of scale in connection with production costs, deployment, and interoperability.”
The House and Senate passed the Cybersecurity Enhancement Act (S-1353), the fifth cybersecurity bill to pass Congress last week. The bill, originally floated last year but passed Thursday in a pared-back form, codifies the National Institute of Standards and Technology’s authority to develop voluntary cybersecurity standards. NIST released the Version 1.0 Cybersecurity Framework in February and has since sought stakeholder input on how they're using the framework. Obama is likely to sign S-1353 along with four other cybersecurity bills that mostly focused on cybersecurity work within the Department of Homeland Security, an industry lobbyist told us. Secretary of Homeland Security Jeh Johnson praised Congress Thursday for passing the four DHS-centric cybersecurity bills, which included the National Cybersecurity Protection Act (S-2519).
Four cybersecurity-related bills now await President Barack Obama’s signature after activity in the House and Senate Wednesday and Thursday. The House unanimously approved the National Cybersecurity Protection Act (S-2519) Thursday, a day after the Senate approved the bill, previously known as the National Cybersecurity and Communications Integration Center Act. S-2519, which included language from the House-passed National Cybersecurity and Critical Infrastructure Protection Act (HR-3696), would codify the Department of Homeland Security’s current cybersecurity role, including the role of the National Cybersecurity and Communications Integration Center (see 1412100052). The House also unanimously passed the Federal Information Security Modernization Act (S-2521) Wednesday. The bill, which would revise the existing Federal Information Security Management Act (FISMA), had faced opposition from House Oversight Committee Chairman Darrell Issa, R-Calif., who wrote a similar House-passed FISMA reform bill (HR-1163). The Senate passed the Cybersecurity Workforce Assessment Act (HR-2952) Thursday, which combined an existing version of HR-2952, previously known as the Critical Infrastructure Research and Development Advancement Act, with language from the DHS Cybersecurity Workforce Recruitment and Retention Act (S-2354). The revised HR-2952 would deal with DHS cybersecurity workforce development issues. Obama will also consider the Border Patrol Agent Pay Reform Act (S-1691), which passed the House Wednesday and also includes language from S-2354. Obama is likely to sign all four bills, since the White House hasn’t previously disapproved of the provisions included in the bills, an industry lobbyist told us.
The National Institute of Standards and Technology’s recent release of its summary of stakeholder feedback on NIST’s Cybersecurity Framework Version 1.0 shows general awareness and market acceptance of the framework, but also that more needs to be done to promote the framework in the U.S. and internationally, said the Information Technology Industry Council (ITI). “Foreign governments, many at important junctures in their own cybersecurity policymaking, are carefully watching U.S. activities,” said Danielle Kriz, ITI global cybersecurity policy director, in a blog post Tuesday. “While we do not expect foreign governments to adopt the Framework, we hope all governments will work in a similarly inclusive and transparent manner and create globally workable policies that enable entities to better manage their cybersecurity risks.” Kriz encouraged NIST and the White House to augment their global outreach on the framework in 2015 in tandem with ITI’s efforts. The White House should continue to work on implementing President Barack Obama’s 2013 cybersecurity executive order, while the Department of Commerce “should reinvigorate its Internet Policy Task Force (IPTF) and ask what activities the IPTF and Commerce generally should undertake to improve cybersecurity,” Kriz said. ITI is developing recommendations on cybersecurity legislation for the 114th Congress to consider, Kriz said.
The Senate passed the Federal Information Security Modernization Act (S-2521) on a voice vote Monday. The bill would update the existing Federal Information Security Management Act, and direct the Department of Homeland Security to create rules for federal agencies’ response to government data leaks. The Senate Homeland Security Committee cleared the bill in June (see 1406270036). The House will need to sign off on S-2521, which differs from a House-passed version of the bill (HR-1163). House Oversight Committee Chairman Darrell Issa, R-Calif., who sponsored HR-1163, doesn’t support S-2521 and is continuing to encourage the Senate to approve HR-1163, a spokeswoman said. The Senate is still expected to consider the National Cybersecurity Protection Act (S-2519) before the lame-duck session ends this week, an industry lobbyist told us. S-2519 would codify the DHS's current cybersecurity role, including the role of its National Cybersecurity and Communications Integration Center (see 1412080071). The version of S-2519 up for Senate consideration includes language from an earlier version of S-2519 and the House-passed National Cybersecurity and Critical Infrastructure Protection Act (HR-3696). The House is also expected to consider the Senate-passed Border Patrol Agent Pay Reform Act (S-1691), which includes language from the DHS Cybersecurity Workforce Recruitment and Retention Act (S-2354), the lobbyist said. The Senate passed S-2354 in September (see 1411070037).
The Department of Homeland Security’s Office of Cybersecurity and Communications gave CenturyLink a task order to provide Einstein 3 Accelerated intrusion prevention security services to federal civilian agencies, the company said Monday. DHS’s Einstein program measures network traffic patterns to indicate possible malicious cyberactivity, CenturyLink said. DHS gave the company the one-year task order in 2013. The new task order asks the telco to provide additional managed security services beyond those included in the original task order by integrating with CenturyLink systems specifically designed to provide cybersecurity services for federal agencies, the company said.
FCC Chairman Tom Wheeler sent letters, as promised Thursday, to wireless carrier CEOs requiring them to lay out steps they will take by the end of Q1 to combat smartphone theft (see 1412040049), FCC officials confirmed. The letters weren't posted by the commission. Wheeler asked the CEOs to describe specific steps they're taking to ensure all phones can be locked, wiped and restored, to protect unique identifiers for every device and to improve “the timeliness, accuracy and availability of data about smartphone theft for use by law enforcement,” said one of the letters made available to media. “I would also ask you to take appropriate steps to ensure that employees in your retail and authorized reseller affiliates understand the importance of their role in preventing mobile device theft by checking the appropriate database to ensure that every device they initialize for service has not been reported lost or stolen.” Wheeler said in remarks Thursday to the FCC Technological Advisory Council that he would send the letters. CTIA supports FCC efforts to curb smartphone thefts, said Jamie Hastings, vice president-external and state affairs, in a statement. But Hastings questioned the deadlines in the Wheeler letter, which were not part of the TAC’s stolen phone report. “We must all work together to achieve our shared objectives as soon as practical, but we need to be careful in setting artificial deadlines on some stakeholders with respect to implementing technical changes,” Hastings said.
Neustar officials told FCC Public Safety Bureau Chief David Simpson and other public safety and Wireline Bureau staff Nov. 25 that a “hurried” transition to a new local number portability administrator would bring “real and pressing” dangers to public safety and national security, said an ex parte filing posted Friday in docket 09-109. "Neustar's claims that it is the only entity that can operate a safe and secure number portability database are just bunk," Telcordia counsel John Nakahata said in a statement to us on Friday. Neustar's filing urged the commission to release an amended request for proposal (RFP), requiring both Neustar and Telcordia to establish their ability to comply with the National Institute of Standards and Technology Cybersecurity Framework, saying the LNPA selection is the first opportunity to ensure the framework is utilized in major changes to national infrastructure. The bidders should also show their ability to maintain and administer the Local Number Portability Enhanced Analytical Platform (LEAP), Neustar said. The RFP failed to address how the service would be transitioned to a new provider, specify performance requirements, explain how or when a transition would take place, or establish a plan for law enforcement to test and certify a new LEAP platform, Neustar said. The revised request should also require bidders to show how they’d ensure the continued accuracy of 911 services, the filing said. Neustar has provided Port PS, a free, proprietary service, to 911 providers that allows them to update location information after a phone number has been ported and ensure that emergency services can accurately determine a caller’s location, Neustar said. The service wasn't considered in the original RFP, the company said. Neustar was represented at the meeting by, among others, Lisa Hook, president, and Len Kennedy, senior vice president-general counsel. 
Nakahata, of Wiltshire & Grannis, said, "Telcordia can and will deliver a safe and secure solution that protects consumers and carriers, while providing needed access for national security, law enforcement and public safety." The best way to ensure "a safe and secure" Number Portability Administration Center "at the best possible price" is to finish the selection process based on the North American Numbering Council's recommendations, "and to let the industry and Telcordia move forward with contract negotiation and implementation," Nakahata said.
The Department of Justice is adding a cybersecurity unit to its Computer Crime and Intellectual Property Section, said Assistant Attorney General Leslie Caldwell Thursday. The dedicated cyber unit will give legal guidance on investigations into electronic surveillance and aid Congress in writing cybersecurity legislation, Caldwell said during a speech at Georgetown University. The new unit is meant to ease citizens’ concerns about privacy following former NSA contractor Edward Snowden’s disclosures beginning last year about NSA surveillance programs. Mistrust in government “can hamper investigations and cybersecurity efforts,” Caldwell said in a prepared version of her speech. The new cyber unit will “ensure that the powerful law enforcement tools are effectively used” and protect “the privacy of everyday Americans,” Caldwell said.