The FCC is rechartering its Communications Security, Reliability and Interoperability Council for a new two-year term, though with apparently less focus on cybersecurity than the CSRIC under former Chairman Tom Wheeler. The last CSRIC met for the final time in March (see 1703150058) and no top FCC official spoke. Early in his chairmanship, Ajit Pai rescinded two cybersecurity items issued under Wheeler -- a white paper on communications sector cybersecurity regulation and a notice of inquiry on cybersecurity for 5G devices (see 1702060059). Wheeler appointed David Simpson chief of the Public Safety Bureau in 2013 because of his cybersecurity expertise (see 1402190030), and Simpson spoke frequently at CSRIC meetings while he was at the FCC. “The issues to be considered may include, but are not limited to: (1) the reliability of communications systems and infrastructure; (2) 911, Enhanced 911 (E911), and Next Generation 911 (NG911); (3) emergency alerting; and (4) national security/emergency preparedness (NS/EP) communications,” the FCC said in a public notice. Nominations for membership are due at the FCC no later than April 24, the PN said. The new CSRIC will start work early in the summer, the FCC said.
BSA|The Software Alliance and the Coalition for Responsible Cybersecurity (CRC) praised the U.S. government Friday for working in annual negotiations on implementation of the multinational Wassenaar Arrangement export control rules to clarify and revise language on the export of intrusion software and IP surveillance systems. U.S. officials faced pressure to renegotiate Wassenaar language viewed as having a chilling effect on U.S. cybersecurity firms (see 1507220082, 1507240054 and 1702130031). “Requiring cybersecurity practitioners to obtain export control licenses prior to performing even basic remediation efforts is a recipe for disaster,” said BSA Policy Director Christian Troncoso in a news release. “Unless the Wassenaar Arrangement controls are meaningfully narrowed, network defenders will face significant time delays in their ability to respond to constantly evolving threats.” BSA and CRC also urged Wassenaar signatories to engage with stakeholders to “craft meaningful changes to the controls on 'intrusion software,' take seriously the concerns ... and commit to renegotiating the flawed provisions to ensure that global cybersecurity is not put at risk.”
Z-Wave devices receiving certification require uniform adoption of a new security protocol, said a Z-Wave Alliance announcement Sunday. The board voted in November to require mandatory implementation of the Security 2 (S2) framework to give devices “new levels of impenetrability,” the release said. The alliance, which developed the security standards with chipmaker Sigma Designs, said by securing communication locally for home-based devices and in the hub or gateway for cloud functions, S2 “virtually removes the risk of devices being hacked while they are included in the network.” The group cited a 2016 AT&T study that said 58 percent of companies weren’t confident about the security of connected devices.
Internet security is a “big deal and is underappreciated,” Control4 CEO Martin Plaehn told us at the Home Technology Specialists of America spring meeting (see news item in the March 30 issue of this publication) Thursday in Coronado, California. Security is part of the connected home’s network layer that Control4 sought to bolster when it bought network and cloud management company Pakedge last year (see 1602050037). The home automation industry is on a “journey to make ourselves more impenetrable,” Plaehn said, but that’s happening slowly. Hackers for the most part are doing it out of “peer sport,” Plaehn said. Plaehn has long maintained that anything in the home that runs on AC power or batteries will eventually be connected. OneVision Resources meanwhile is pitching the custom integrator channel on a technical support strategy that could be the answer to its long-sought but elusive recurring revenue model, banking on the so-called disconnected home. “If you consider that the connected home is a reality and that the Internet of Things is inevitable, then what’s also inevitable is the internet of broken things,” founder Joseph Kolchinsky told us at HTSA Friday. “There needs to be an entire profession around this and there needs to be a whole service model around it,” said Kolchinsky of tech support. Kolchinsky compared the tech support revenue challenge that electronics integrators face with the challenge newspapers and magazines experienced with the rise of the internet: Consumers don’t want to pay for it.
Protecting against data loss (57 percent), threats to privacy (49 percent) and breaches of confidentiality (47 percent) were the top three cloud computing security concerns based on an online survey released Wednesday by Crowd Research Partners. The survey of more than 1,900 cybersecurity executives, managers and IT practitioners in January and February said unauthorized access was the biggest threat to security (61 percent), followed by hijacking accounts (52 percent). The researcher said 53 percent of respondents want to train and certify their current IT staff to address new security challenges, while 30 percent want to partner with a service provider, 27 percent want to use software to address the problem, and 26 percent want to hire dedicated staff. Seventy-five percent said traditional security tools don't work or have limited functionality in the cloud, and 33 percent of organizations expect security budgets to increase over the next 12 months.
Google’s dispute with Symantec over the validity of Symantec-issued certificates “imposes considerable costs on a range of companies that have no legal relationship with Google,” said Ariel Rabkin, an American Enterprise Institute Center for Internet, Communications and Technology Policy visiting fellow, in a Tuesday blog post. Google said last week its Chrome web browser will begin applying special scrutiny to Symantec-issued certificates because it no longer has “confidence in the certificate issuance policies and practices of Symantec.” Symantec-issued certificates didn’t accurately identify the certificate’s owner in some cases, Google said. Websites with Symantec certificates “will need to pay for more renewals and perhaps will need to switch to certificates from another vendor,” Rabkin said. “Symantec itself will doubtless have increased costs or lost business.” Google “has no evident legal obligation to trust Symantec’s certificates. Manufacturers have no general duty to make interoperable products,” Rabkin said. “When Apple changes its laptop design and previous third party add-ons no longer work, the add-on vendors cannot sue for lost business.” Congress and the FTC shouldn't impose a standard of care on certificate authorities in response to the dispute because “the technology ecosystem changes too quickly, the level of harms here are fairly small, and the cost of regulation is potentially high,” Rabkin said. The companies are having "an ongoing discussion, and we look forward to continuing our conversations with Symantec about this issue," a Google spokesman said. "We want to enable an open and transparent assessment of the compatibility and interoperability risks, relative to potential security threats to our users." Symantec didn’t comment.
The FCC warned consumers of what it’s calling “can you hear me?” scams. Commissioner Mignon Clyburn mentioned the scams last week as she and colleagues voted on taking up illegal robocalls (see 1703230035). “The scam begins when a consumer answers a call and the person at the end of the line asks, ‘Can you hear me?’” the agency said in a Monday consumer alert. “The caller then records the consumer's ‘Yes’ response and thus obtains a voice signature. This signature can later be used by the scammers to pretend to be the consumer and authorize fraudulent charges via telephone.”
CTA is offering smart home technology installers a security checklist for internet-connected devices, it announced Thursday, with protocols for installing and configuring products to help protect consumers’ smart home devices from malware or hackers. “Trust is at the heart of the smart home business, and to succeed we need to equip experienced installers with the latest best practices,” said Dan Fulmer, CTA TechHome board member.
CTA President Gary Shapiro is concerned about the U.S. ban on carrying on laptops, tablets and other larger electronics for passengers flying to the U.S. from much of the Middle East and North Africa because of concerns about terrorism, he said in an emailed statement. Passengers will have to keep the devices in their checked luggage. The ban was announced Monday. “CTA generally opposes bans on the use of consumer technology products in flight, unless there is a specific technical or security justification,” Shapiro said. “CTA led the successful effort to expand the use of non-transmitting portable electronics devices (PEDs) during all phases of flight in the United States. We recognize, however, that specific national security concerns may on occasion warrant a temporary ban on use of electronics in-flight. We anxiously await more detailed information on the rationale for the restrictions put in place … on certain airlines flying into the U.S. Overall, any ban on the use of PEDs in flight related to security concerns should be narrowly tailored, transparent and, ideally, time-limited.” The Electronic Frontier Foundation, in a Wednesday blog post, said the new restrictions “have provoked a growing sense of insecurity among personal and business travelers flying between America, the Middle East and Turkey, and rightly so. Travelers to and within the United States were already concerned over reports of increasing levels of warrantless inspection of their devices at the border of the United States.” Requiring travelers to check electronic devices raises new privacy concerns, the group said: “If someone else has physical access to your device almost all information security guarantees are off the table. Data can be cloned for later examination.”
Nearly 1,300 data breaches exposing personal data for about 1.6 million New Yorkers were reported last year, said state Attorney General Eric Schneiderman in a Tuesday news release. The record number of reported breaches increased by 60 percent from 2015, and the exposure of records tripled, his office said. Hacking, the leading cause in previous reports, accounted for more than 40 percent of the data breaches, the office said. Last year, employee negligence, insider wrongdoing and loss of a device or media combined were about 37 percent of the breaches, Schneiderman's office added. Social Security numbers and financial records were the most acquired data -- about 81 percent of breaches -- followed by driver's license numbers, date of birth and password or account information, the release said. The office provided recommendations to help organizations better secure data or provide a better response in case of breach.