Manufacturers should give consumers "clear information about whether, how, for how long, and at what cost their IoT devices will receive security support," the FTC commented on NTIA's multistakeholder initiative on security patching for such devices (see 1610190051). A Monday news release said commissioners voted 2-0 to file the comment in response to an NTIA working group draft document outlining how companies can better inform consumers about IoT security updates. The FTC said companies should, before selling an IoT device, say whether the device can receive security updates, how it receives those updates and when security support will end. On the last point, the commission said manufacturers should provide "a minimum security support period," which gives "clear, concrete information," rather than an "anticipated timeline" that could be misconstrued as a guarantee. The commission said manufacturers should give a date for starting and ending support. Plus, companies should disclose "key use limitations" before consumers buy a "smart" device so they know it will stop working or become vulnerable when security support ends, said the FTC. It recommended companies adopt a uniform security notification method and give consumers a way to sign up for real-time notifications. The commission said the working group shouldn't require manufacturers to explain to consumers how they evaluate, verify or test updates, because those elements may impose "significant communication costs" on industry while providing little to no consumer benefit.
The office of Sen. Dick Durbin, D-Ill., emailed Thursday that he and Illinois state Sen. Michael Hastings (D) will send letters to local election authorities, warning them about malware on their systems as a result of Russia's 2016 U.S. election cyberattack (see 1706140068). “Direct and deliberate interference in our election is an unprecedented breach and threat to U.S. democracy and national security," said Durbin in a statement to us. "It is absolutely critical that we work in Washington, Springfield, and every local election authority to ensure we are protected against the next act of cyberwarfare.”
The number of records stolen via data breaches in 2016 globally rose nearly 54 percent compared with the prior year, said India-based technology company Wipro, which released its first cybersecurity report Thursday. The report was based on interviews with chief information security officer teams in 139 organizations across various sectors and in 11 countries in Asia, Europe, Middle East and North America. In a news release on the report, Wipro said user credentials were stolen in 56 percent of the breaches, meaning more damage could be perpetrated. It said 56 percent of all malware attacks last year were a result of Trojans, viruses accounted for 19 percent, and worms were 20 percent. It said IoT devices with low memory and processing footprint have "very little security capabilities" such as patching and are "easy prey" for hackers.
Without encrypting data, nearly 6 billion records may be exposed in security breaches resulting in nearly $220 billion in damages by 2020, the Internet Association said Thursday in a news release on research about the role of encryption. "This research contributes even more evidence to the consensus that encryption is a necessary part of keeping our country safe. Mandatory security vulnerabilities or encryption back doors do not make us safer," said IA President Michael Beckerman. IA said security breaches are potentially increasing at "exponential rates" and "unencrypted data is now a threat to every industry and internet user." The research also cited state-sponsored cybercrime, especially from China, as a threat to U.S. companies. It said Chinese industries use hacking rather than R&D to copy American IP.
Illinois state Sen. Michael Hastings (D) is working on an "instructional letter" with Sen. Dick Durbin, D-Ill., the second-highest-ranking Senate Democrat, that will be sent to state election authorities, "instructing them to scrape their systems" of potential malware, said a Wednesday news release from Hastings. Durbin's office didn't comment. Hastings cited Russia's cyberattack against the U.S. election system (see 1701060060) that Bloomberg reported Tuesday was more widespread than previously known. Hastings said Illinois gave the FBI and Department of Homeland Security "full access" to probe its systems. He said new evidence has shown hackers tried to alter and delete records but didn't succeed. "These actions suggest the hacking was more of a spying mission and a potential test run for a more devastating attack," the release said. Hastings said the Illinois Board of Elections should continue to investigate and strengthen systems to prevent future attacks.
NTIA seeks comment by July 13 on actions that could help address automated and distributed threats to the digital ecosystem (see 1706090008) as part of executive order 13800 (the Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure), said the agency in Tuesday's Federal Register.
Three recommendations from a recent Department of Health and Human Services task force report on enhancing cybersecurity in the healthcare sector "stand out," blogged Internet Security Alliance CEO Larry Clinton and Senior Director Stacey Barrack. They are: identifying scalable governance best practices and developing executive education programs; requiring current and future federal cybersecurity regulations be harmonized; and incentivizing the sector to implement leading practices. Increased regulation "may actually be hurting" efforts to improve security since few experts have time to address compliance, they wrote Monday. Plus, a "dynamic system" -- possibly with grant and tax incentives and "good actor credits" -- is "desperately" needed to motivate the sector to implement improvements, they said. The report, promoted in HHS officials' testimony during a House hearing last week (see 1706070040), shows government "is slowly, but surely" starting to understand the problem and its need to work with industry, wrote Clinton and Barrack.
This iteration of the Communications Security, Reliability and Interoperability Council meets for the first time June 23, with Brian King, T-Mobile senior vice president-national technology service delivery and operations, at the helm, FCC Chairman Ajit Pai said Monday. Pai indicated in April that CSRIC was rechartered, though with less focus than it had in the past on cybersecurity (see 1704100059). The three working groups are: Transition Path to NG911, with Mary Boyd of West Safety Services as chair; Comprehensive Re-imagining of Emergency Alerting -- chaired by Farrokh Khatibi of Qualcomm; Network Reliability and Security Risk Reduction, chaired by Travis Russell of Oracle. “The CSRIC’s first meeting will introduce members of the Committee, set out initial assignments, and provide more information about the working groups,” said a public notice. The meeting starts at 1 p.m. in the Commission Meeting Room. A full list of members is in the notice (and see the personals section of this issue of this publication).
President Donald Trump and his advisers “should not wait to force a showdown with China” over that country’s recently implemented cybersecurity law, American Enterprise Institute resident scholar Claude Barfield blogged Friday. The law, which took effect in early June, drew opposition from many U.S.-based interests because it includes data localization rules (see 1612080077, 1703080067 and 1705150067). “The Trump administration should elevate the new Chinese cybersecurity law to top priority” in the two countries’ bilateral negotiations, Barfield said. “The administration should make it clear that if regulations under the new law damage US companies’ ability to compete in the Chinese market, the United States will not just protest -- it will act to institute reciprocal actions that close off the US market to top Chinese technology companies such as Alibaba, Baidu, and Tencent.”
NTIA is seeking comment on how to improve industry's ability to lessen threats from automated and distributed attacks like botnets and what role government should take. The agency posted the request Thursday on its website, and comments will be due 30 days after it's published in the Federal Register. "Left unchecked, without meaningful progress, these new classes of automated and distributed attacks could be a serious risk to the entire ecosystem," the notice said. "Since poorly considered action would likely create significant unnecessary costs and unintended consequences, substantial, carefully considered action must be considered." NTIA also said the Department of Commerce will host a public workshop on improving communications systems and outcomes to help guide implementation of Executive Order 13800 (the Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure). The workshop will be at the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence July 11-12.