The Internet Security Alliance released a fact sheet the group says illustrates that the “tremendous growth in cybersecurity rules and regulations is diverting scarce security resources and actually undermining our nation’s cyber defenses.” Some corporate chief information security officers reported spending almost 40 percent of their time meeting government-mandated compliance measures and audits, and some firms reported spending up to 30 percent of their cybersecurity budget on compliance, ISA said in the fact sheet. “We now have cyber mandates springing up like weeds as virtually every governmental entity, federal state and local, fight to be the ‘cyber guy,’” said ISA President Larry Clinton in a statement Monday. “The result is an uncoordinated, inconsistent and often counterproductive set of requirements that actually hurts, not [helps], increased security.” ISA and other groups aren't “saying we ought not to have cyber controls or assessments,” Clinton said. “But, we need to have a rational and well-thought out system or we will waste vital resources and undermine our security.”
Nearly 1,300 data breaches exposing personal data for about 1.6 million New Yorkers were reported last year, said state Attorney General Eric Schneiderman in a Tuesday news release. The record number of reported breaches increased by 60 percent from 2015, and the exposure of records tripled, his office said. Hacking, the leading cause in previous reports, accounted for more than 40 percent of the data breaches, the office said. Last year, employee negligence, insider wrongdoing and loss of a device or media combined were about 37 percent of the breaches, Schneiderman's office added. Social Security numbers and financial records were the most acquired data -- about 81 percent of breaches -- followed by driver's license numbers, date of birth and password or account information, the release said. The office provided recommendations to help organizations better secure data or respond better in case of a breach.
The Senate Commerce and House Homeland Security committees both scheduled cybersecurity hearings for 10 a.m. Wednesday. The Senate Commerce hearing will address cybersecurity issues for IoT, blockchain, artificial intelligence, quantum computing and other “emerging technologies,” and how those technologies present “innovative opportunities to combat cyber threats more effectively,” the committee said Friday. Intel Chief Technology Officer Steve Grobman, IBM Security Vice President-Threat Intelligence Caleb Barlow, National Venture Capital Association Chairman Venky Ganesan and Cylance Chief Security and Trust Officer Malcolm Harkins are set to testify, Senate Commerce said. The hearing will be in Dirksen 106. House Homeland Security said its hearing will focus on the Department of Homeland Security’s civilian cyber defense mission and the cyberthreat landscape. The hearing appears to be partially focused on committee Chairman Michael McCaul’s, R-Texas, planned reintroduction of his Department of Homeland Security Reform and Improvement Act, which would reorganize the department’s National Protection and Programs Directorate as the Cybersecurity and Infrastructure Protection Agency (see 1701050073). Former NSA Director Keith Alexander, now IronNet Cybersecurity CEO, and former White House Cybersecurity Coordinator Michael Daniel, Cyber Threat Alliance president, are among those to testify. George Washington University Center for Cyber and Homeland Security Director Frank Cilluffo and EastWest Institute Global Vice President Bruce McConnell will also testify, House Homeland Security said. The hearing will be in House Capitol Visitor Center Room 210.
Industry groups and other commenters backed the IoT green paper developed by NTIA and Department of Commerce, which posted the comments Wednesday (see 1703140022 and 1701120050). But many provided recommendations on improving the paper and IoT development approach. ACT|The App Association said the paper didn't adequately describe IoT's potential in fueling job growth and should have an "unambiguous policy recommendation" that an ex ante or ex post government action be based on data-driven evidence. "Government actions (or reactions) based on hypothetical and/or anecdotal harms will pose a significant threat to the innovation in the app ecosystem that will drive the growth of the IoT," ACT commented. The Center for Democracy & Technology said NTIA's assessment of IoT privacy issues is "inadequate." CDT said the IoT raises new questions about what constitutes personal data and privacy, which are challenging current legal frameworks. It said NTIA and Commerce should pursue consensus-based global standards and highlight efforts to promote privacy in the industry. NCTA commented that there are security areas the paper doesn't address, including: incorporating a unique identifier for each IoT device; supporting authentication and authorization so that a person is validated to use a device and has permission to perform an operation; ensuring data at rest is protected; and "over manageability" of IoT devices for users. NCTA said users will need to keep an inventory of their devices and manage credentials, including when a device changes ownership. CTIA said 5G networks will "provide the speed, reliability and capacity necessary" for IoT growth, addressing "dense usage patterns in urban areas, and [powering] data-rich applications like high-resolution video and medical imaging, streaming media, and augmented and virtual reality."
Microsoft worried about the expectation of "unlimited support" for connected devices, because some security advancements can be enabled only through new hardware, not patching. The company said unlimited support would probably stifle innovation by putting a large cost burden on new market entrants and dissuading consumers from buying new devices. CTA commended the paper for concluding that the IoT "require a reaffirmation, not a reevaluation" of government policy to encourage private sector leadership, global standards development and a multistakeholder approach in policy making. The group backed passage of the Digit Act (S-88), which would give Commerce lead responsibility in identifying regulatory hurdles to IoT development.
Many new members joined a DOD-created cybersecurity trade association, the Consortium for Command, Control, Communications and Computer Technologies, said a Thursday notice in the Federal Register. New members included companies, universities and consultants, among them AT&T, Brocade, Booz Allen Hamilton, Cornell University, George Mason University and Tuscaloosa.
States play a key role in national cybersecurity, Virginia Gov. Terry McAuliffe (D) said Wednesday. Cybersecurity must be viewed as a “whole-of-state issue that affects every level of government and every facet of our daily lives,” the National Governors Association chairman said at an NGA regional summit in San Jose, a news release recounted. “By 2020, 200 billion networked devices are expected to be connected across the globe,” he said. “Domestic and foreign actors target sensitive information and systems that, if compromised, could have significant economic and political consequences, and result in serious damage to our vital infrastructure.”
The DOJ indicted two Russian intelligence agents and two Russia-hired hackers Wednesday for their roles in the 2014 Yahoo data breach that resulted in the theft of information on 500 million Yahoo accounts. That breach and a 2013 breach, both disclosed last year, collectively compromised 1.5 billion user accounts. Yahoo has been dealing with congressional inquiries, lawsuits and a $350 million price reduction in the Verizon deal to acquire the company (see 1612150010, 1612230029 and 1702210024). Among the indicted were Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, both agents with Russia's Federal Security Service (FSB), DOJ said. The department said it also indicted Russian national Alexsey Alexseyevich Belan and Canadian-Kazakh national Karim Baratov, and that FSB hired both. The defendants face a combined 47 charges, including conspiracy, computer fraud, aggravated identity theft, trade secret theft and economic espionage, DOJ said. The defendants “targeted Yahoo accounts of Russian and U.S. government officials, including cyber security, diplomatic and military personnel,” said acting Assistant Attorney General Mary McCord during a news conference. “They also targeted Russian journalists; numerous employees of other providers whose networks the conspirators sought to exploit; and employees of financial services and other commercial entities.” McCord said Belan has been on the FBI's most wanted cyber criminals list for more than three years and faced charges in the U.S. on two other occasions for hacking e-commerce companies.
Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., praised DOJ Wednesday for the indictments, which he said are “yet another reminder that American businesses must invest in robust cyber defenses, be more willing to share threat information, and be much more upfront with consumers when their defenses fail.” Warner said in a statement he continues to believe Yahoo “had a responsibility to be more forthcoming in publicly reporting this breach sooner than it did, and both the public and private sectors often move too slowly to address the growing threats posed by cyber criminals.”
President Donald Trump should order the CIA and other U.S. intelligence agencies to “responsibly disclose” any cyber vulnerabilities they've identified in U.S. devices and software, said Information Technology and Innovation Foundation Vice President Daniel Castro in a Monday blog post. It responded to WikiLeaks’ posting last week of more than 8,700 documents purporting to originate from the CIA’s Center for Cyber Intelligence, including some unverified files about how the agency could use smart TVs and other devices as surveillance tools (see 1703070047). The documents “validate concerns that U.S. spy agencies are stockpiling cybersecurity vulnerabilities,” Castro said. “The intelligence community uses undisclosed vulnerabilities to develop tools that can penetrate the computer systems and networks of its foreign targets. Unfortunately, since everyone uses the same technology in today’s global economy, each of these vulnerabilities also represents a threat to American businesses and individuals.” Full disclosure of stockpiled vulnerabilities will help the private sector patch “security holes,” Castro said.
Chairman Ajit Pai’s recent moves to shift the FCC away from a role in cybersecurity policy are a “dangerous departure” from President Donald Trump’s “aggressive cybersecurity policy” stance, said former Public Safety Bureau Chief David Simpson in Morning Consult. Pai reversed a Simpson-authored white paper on communications sector cybersecurity regulation and a notice of inquiry on cybersecurity for 5G devices (see 1702060062 and 1702060059), among other moves (see 1702030070). Pai halted cybersecurity provisions in ISP privacy rules, Simpson wrote. The “greatest concern” will be the FCC’s future “benign neglect” of cybersecurity, he said. Simpson noted Commissioner Mike O’Rielly’s testimony last week before the Senate Commerce Committee that the commission has “extremely limited” statutory authority over cybersecurity absent a clear directive (see 1703080070). “Addressing cybersecurity early is smart policy,” Simpson said. “It leads to more robust, resilient and cost-efficient services. ... This is a national security and emergency preparedness requirement.” He criticized the communications sector’s “self-serving theory” that the Department of Homeland Security should take over oversight of the sector’s cybersecurity. Expanding DHS’ oversight “with no regulatory authority over the commercial communications sector, will be expensive, doomed to failure or both,” Simpson said. Trump can reverse FCC “cyber indifference” by in part making cybersecurity a “whole of government” priority that includes the FCC and FTC in the National Security Council’s assessment of cyber risk, Simpson said. He encouraged stakeholders to “demand a more effective dialog between congressional committees with cybersecurity risk responsibilities." The FCC didn’t comment.
President Donald Trump's anticipated cybersecurity executive order is "moving along and maybe within a week or so we could see something," said former IBM CEO Sam Palmisano during a Center for Strategic and International Studies event Monday. Palmisano, vice chairman of the federal Commission on Enhancing National Cybersecurity, said he would attend a White House meeting later Monday to provide feedback on the revised order. Palmisano said he has not received any official confirmation on the EO's timeline. The White House didn’t comment. The White House has continued to revise the anticipated order in the weeks since officials first delayed Trump's planned late January signing of it. At that time, the order would have directed the Office of Management and Budget to assess all federal agencies' cybersecurity risks and required agencies to manage their risk using the National Institute of Standards and Technology's Cybersecurity Framework (see 1701310066). Recent drafts of the EO have included language that would direct the Department of Commerce to explore ways to encourage “core communications infrastructure” companies “to improve the resilience of such infrastructure and to encourage collaboration with the goal of dramatically reducing threats perpetrated by” botnets (see 1702280065). Likely requirements for agencies’ cybersecurity accountability will be “a very important piece of this” executive order, said former National Security Adviser Tom Donilon, who chairs CENC, during the CSIS event. “That is a contract, if you will, between the president and the people he hires to run the agencies and departments.”