The FCC’s newly reconfigured Communications Security, Reliability and Interoperability Council will meet June 23, starting at 1 p.m. in the Commission Meeting Room, said a notice in Wednesday's Federal Register. The last CSRIC met for the final time in March (see 1703150058). The FCC rechartered the group in April for a new two-year term, though with no focus on cybersecurity issues (see 1704100059).
Cybersecurity, including prevention of data breaches and ransomware threats, has become a top priority for the Department of Health and Human Services, officials plan to tell the House Commerce Subcommittee on Oversight and Investigations at a hearing Thursday. Emery Csulak, chief information security officer with the Centers for Medicare and Medicaid Services; Steve Curren, director-division of resilience within HHS' Office of Emergency Management; and HHS Chief Information Officer Leo Scanlon jointly submitted prepared testimony. Since 2014, the healthcare and public health sector has been hit with breaches, with a rise in ransomware attacks last year, they will tell lawmakers. "These attacks shifted the threat landscape considerably, as they no longer threatened just personal information but also the ability of health care organizations to provide patient care." Partnerships across HHS, government and private sectors helped provide expertise to fight the threat, they plan to say. In response to the WannaCry ransomware attack (see 1705180032, 1705160038, 1705160008 and 1705150008), which hit hospitals in the U.K. (see 1705120055), HHS worked with the Department of Homeland Security's National Cybersecurity and Communications Integration Center to develop an "immediate response" to help the healthcare sector's security experts respond to and report the WannaCry intrusions, they say. This was the first time HHS organized itself to respond to a cybersecurity incident, setting a standard, they say. Working groups and initiatives are underway to improve cybersecurity across the department and health sector, according to the testimony, which cites HHS' Healthcare Cybersecurity Communications Integration Center, aimed at improving collaboration among entities and strengthening reporting and threat awareness. The center helped coordinate the WannaCry response, the officials say.
On May 11, a government-driven healthcare industry cybersecurity task force released a report with recommendations on improving protections across agencies, the HHS officials note. The recommendations include improving the security and resilience of medical devices and health IT, making healthcare workers and industry more aware of cybersecurity and treating it as a priority, and expanding information sharing.
The House Communications Subcommittee plans a hearing 10 a.m. Tuesday in 2322 Rayburn on wireless security. “In today’s increasingly digital and wireless world, cyber criminals continue to adapt, discover, and exploit vulnerabilities in our networks to gain unauthorized access and cause harm to consumers and businesses around the country,” Chairman Marsha Blackburn, R-Tenn., said in a statement: The hearing "will provide our members an opportunity to learn more about these threats, what stakeholders are doing to combat and prevent these attacks, and what policies could be helpful.”
Short, low-volume distributed denial-of-service attacks aimed at masking “more serious network intrusions” are the “greatest DDoS risk” for most entities, Corero Network Security reported Monday. Ninety-eight percent of DDoS attack attempts that Corero measured during Q1 were less than 10 Gbps in volume and 71 percent lasted 10 minutes or less, the cybersecurity firm said. “Short DDoS attacks might seem harmless, in that they don't cause extended periods of downtime,” said CEO Ashley Stephenson in a news release. “IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions.”
President Donald Trump’s administration should “press China to change its course” on its recently implemented cybersecurity law, the Computer & Communications Industry Association Monday told National Economic Council Director Gary Cohn. The law, which took effect last week, drew opposition from CCIA and other U.S.-based interests because it includes data localization rules (see 1612080077, 1703080067 and 1705150067). Addressing the Chinese law “is the perfect opportunity to demonstrate the Administration’s commitment to winning on behalf of America’s most productive and job-creating companies,” CCIA said. “Without the Administration’s support -- or with its indifference -- all industry sectors that rely on high-tech goods and services will continue to get a bad deal as they look to compete in China.”
Cybersecurity needs board oversight and isn't just an IT issue, "it’s an enterprise wide risk management issue," blogged Internet Security Alliance Senior Director Stacey Barrack. "Most corporate boards are comprised of 'digital immigrants'" who "need to learn how to understand cyber-risk," she wrote Friday. Such risk management takes "strategic thinking" that doesn't treat information security as a "siloed" issue, Barrack wrote. She noted, as did another expert in a blog Thursday (see 1706010018), that "several significant cyberbreaches did not actually start within the target’s IT systems, but rather from vulnerabilities in one of its vendors or suppliers."
Target's 2013 data breach with a record $300 million in damages should be a wake-up call on cybersecurity, blogged Shane Tews of the American Enterprise Institute. She noted the company recently settled with 47 states over the credit card incident. "If Target had taken IT management seriously ... it could have saved itself hundreds of millions of dollars and a damaged reputation," wrote the AEI Center for Internet, Communications and Technology Policy visiting fellow Thursday. She sought "clear, responsible guidelines for IT management and data security" for companies sharing data on customers. Senior executives should understand that such protections are "part of their management responsibilities," Tews wrote. "A company’s incident-response plan can make the difference between a momentary slow down and a full day or weeks-long fiasco." Target didn't comment.
Senate Communications Subcommittee ranking member Brian Schatz, D-Hawaii, led a letter to the FBI Wednesday requesting an investigation of the alleged distributed denial-of-service attacks on the FCC website, which may have affected comments in the net neutrality proceeding (see 1705170067). “We ask that the FBI prioritize this matter and investigate the source of this attack,” said the Democrats, also including Sens. Al Franken, D-Minn., Patrick Leahy, D-Vt., Ed Markey, D-Mass., and Ron Wyden, D-Ore. “This particular attack may have denied the American people the opportunity to contribute to what is supposed to be a fair and transparent process, which in turn may call into question the integrity of the FCC’s rulemaking proceedings.” They requested a briefing by June 23. "The FBI received the letter," a bureau spokeswoman said, "and will provide a response to the members of Congress."
The National Institute of Standards and Technology should morph work on how to effectively measure use of the Cybersecurity Framework into development of “an analytical tool that will enable individual entities to assess their unique threats on a monetized basis,” Internet Security Alliance CEO Larry Clinton blogged. NIST has been working with stakeholders on a proposed v1.1 update including metric language aimed at starting a conversation (see 1701100084). Stakeholders urged the agency to be cautious (see 1704110045 and 1705160072). NIST should develop a tool to help entities “assess which elements of the [framework] will be most cost-effective in addressing them” rather than identify “which elements of the [framework] are cost-effective in general,” Clinton said Wednesday: Use of the framework “is effective, but exactly what elements” are effective “and the degree of effectiveness likely changes from organization to organization based on a number of variables such as size, sector, culture and business plan."
The FCC plans to upgrade auction systems to make them more resilient to attack, its FY 2018 budget proposal said. “As recent news headlines have emphasized, the threat of cyber-attacks and security vulnerabilities are very real, and the Commission takes these threats and vulnerabilities very seriously. The FCC will proactively engage security engineers and architects to ensure the modernization of systems in the cloud are secure and adhere to Federal mandates and regulations to include two factor authentication.”