FTC staff recommended that a draft template to help security researchers disclose cybersecurity vulnerabilities to industry, particularly automobile and medical device manufacturers, can be a "useful tool for any company providing software-based products and services to consumers," said the agency in a Thursday news release. Commissioners voted 2-0 to authorize staff to comment on the draft template, which was produced by an NTIA-driven multistakeholder process (see 1612150074). The FTC said its staff suggested "the draft template be revised to make clear that the recommendations could apply to more than just safety-critical industries. In its comment, the staff noted that companies that provide Internet-connected products or collect sensitive consumer information should consider implementing a vulnerability disclosure policy and related processes."
There are 16 common data breach scenarios that can affect every part of an organization, said a Verizon news release outlining a report Tuesday. "Breaches are growing in complexity and sophistication," said Bryan Sartin, executive director of Verizon's Research, Investigations, Solutions and Knowledge (RISK) team, which performs cyber investigations for companies and government. "Breaches touch every part of an organization up to and including its board of directors." The telco said 10 of the 16 scenarios account for more than 60 percent of the 1,400 cases investigated by the RISK team over the past three years. The other six are less common but still considered "highly damaging."
“Mega” distributed denial-of-service attacks increased 140 percent year-over-year in Q4, Akamai said Tuesday in a report. Akamai said it considers any DDoS attack larger than 100 Gbps to be a “mega” attack. Twelve such attacks took place in Q4, it said. The largest DDoS attack during Q4, from the Spike botnet, which is not IoT-based, peaked at 517 Gbps, Akamai said. Seven of the 12 mega attacks are “directly attributed” to the Mirai botnet, which caused the October DDoS attacks against Dyn, Akamai said. The number of IP addresses associated with DDoS attacks also grew during Q4 even though the overall number of DDoS attacks dropped, the company said. The U.S. was the source of the most IP addresses associated with DDoS attacks during the quarter, and remained the top source country for web app attacks, Akamai said. “As we saw with the Mirai botnet attacks during the third quarter, unsecured [IoT] devices continued to drive significant DDoS attack traffic,” said Senior Security Advocate Martin McKeay in a news release. “With the predicted exponential proliferation of these devices, threat agents will have an expanding pool of resources to carry out attacks, validating the need for companies to increase their security investments. Additional emerging system vulnerabilities are expected before devices become more secure.”
House Cybersecurity Caucus co-Chairman Jim Langevin, D-R.I., House Homeland Security Committee Chairman Michael McCaul, R-Texas, and five other cybersecurity-focused congressmen jointly urged National Security Adviser Michael Flynn Friday to renegotiate elements of the multinational Wassenaar Arrangement export control rules that they believe weaken cybersecurity. Members of Congress began pressing in 2015 for then-National Security Adviser Susan Rice to pressure the State Department to renegotiate Wassenaar after U.S. cybersecurity companies began raising concerns that implementation of 2013 changes to the agreement, which added controls on the export of intrusion software and IP network surveillance systems, would have a chilling effect (see 1507220082 and 1507240054). “The U.S. stands only to disadvantage itself strategically and economically against foreign competitors by subjecting its firms to the administrative burden involved in applying for an export license each time they wish to conduct simple information sharing activities with international subsidiaries, partners, or clients,” said Langevin and the others in a letter to Flynn. House Oversight Committee Chairman Jason Chaffetz, R-Utah; House Oversight IT Subcommittee Chairman Will Hurd, R-Texas; House Homeland Security ranking member Bennie Thompson, D-Miss.; House Homeland Security Cybersecurity Subcommittee Chairman John Ratcliffe, R-Texas; and subcommittee ranking member Cedric Richmond, D-La., also signed the letter. The White House should reconvene an interagency task force to develop the U.S.’ stance ahead of 2017 Wassenaar negotiations, the lawmakers said. The Department of Commerce’s Bureau of Industry and Security should “continue to forgo” implementing regulations aimed at abiding by cybersecurity aspects of the Wassenaar changes while the issue is still up for negotiation, the lawmakers said. “These actions will strengthen our nation’s cybersecurity posture and maintain American industry’s edge in the cyber domain.” BSA|The Software Alliance praised the lawmakers Friday for urging renegotiation of Wassenaar. The 2013 changes to Wassenaar were “well intentioned,” but the cybersecurity-related provisions were “imprecisely drafted and would subject core defensive technologies to onerous licensing requirements that would advantage our adversaries by grinding much-needed cybersecurity activity to a halt,” BSA said in a statement. “We urge the Trump Administration to take seriously the concerns raised in today’s letter and commit to renegotiating the flawed provisions to ensure that US cybersecurity is not put at risk.” The White House didn’t comment Monday.
CenturyLink won a task order to provide Managed Trusted Internet Protocol Services (MTIPS) to the FCC IT center in Gettysburg, Pennsylvania, a company release said Thursday. The facility takes in inquiries and complaints for the commission. MTIPS is the Networx offering that gives agencies a gateway compliant with the federal Trusted Internet Connections initiative; CenturyLink will help protect the Gettysburg center and the commission from network attacks with its MTIPS secure connectivity systems, said Erich Sanchack, senior vice president-federal government. The award was made under the Networx Enterprise contract and is worth about $175,000 a year over five years.
Facebook is unveiling a feature that helps people provide assistance to and communicate with others immediately after a crisis, wrote Naomi Gleit, vice president-social good, in a Wednesday blog post. The "community help" function is an update to the company's "safety check" feature, which was launched in 2014 and lets users tell friends and family they're all right after a crisis, she said. Called Community Help, the feature is being launched in Australia, Canada, India, New Zealand, Saudi Arabia and the U.S. for the first couple of weeks, and only for natural and accidental incidents, before it's made more widely available and extended to more types of incidents, she said. In a separate blog post, Facebook said it updated policies, resources and tools to better enforce rules against discriminatory advertising on its site after the company was criticized last year for permitting advertisers to potentially discriminate against users by race. "We make it clear that advertisers may not discriminate against people based on personal attributes such as race, ethnicity, color, national origin, religion, age, sex, sexual orientation, gender identity, family status, disability, medical or genetic condition," it said. The company said it created a new section that provides more information on anti-discrimination policy and educational resources from agencies and civil rights groups that specialize in fighting such discrimination. Facebook is also testing machine learning technology to spot credit opportunity, employment and housing ads -- "the types of advertising stakeholders told us they were concerned about" -- and, when it spots one, to "disapprove" the ad and show the advertiser the updated policy.
AT&T, IBM, Nokia, Palo Alto Networks, Symantec and Trustonic formed the IoT Cybersecurity Alliance Wednesday to “use their combined expertise to help tackle today's top [IoT] security challenges,” AT&T said: IoTCA “will research and raise awareness of ways to better secure the IoT ecosystem.” AT&T said the group also intends to “influence” cybersecurity standards and policies. “Be it a connected car, pacemaker or coffee maker, every connected device is a potential new entry point for cyberattacks," said AT&T Chief Security Officer Bill O’Hern. "Each device requires very different security considerations. It's become essential for industry leaders and innovators like those in the founding members of this Alliance, to work together to help the industry find more holistic security approaches for IoT.”
NTIA’s Institute for Telecommunication Sciences (ITS) plans a Feb. 15-16 workshop in Boulder, Colorado, on tactical encryption and key management (E&KM). RAND Corp. is co-hosting the workshop, which is sponsored by the Defense Advanced Research Projects Agency, NTIA said in a notice set to run in Friday's Federal Register. The workshop aims to “identify solutions to the problem of how to dynamically key and re-key different groups with varying levels of access and for varying lengths of time using existing infrastructure or over an ad hoc network that is reliable and user friendly,” NTIA said. E&KM “is a process that can be onerous, difficult, and time-consuming. We hypothesize that advances in processing efficiency and networking technologies can greatly simplify (or perhaps even automate) E&KM thus enabling secure dynamic coalitions and information flow control in mobile, tactical applications. We further hypothesize that these secure, dynamic coalitions and information control schemes can be constructed and maintained without a central, off-site coordination authority.” ITS hopes the workshop will “look into the future to see what E&KM may look like and will look at the present to see what technologies can be leveraged to take us there,” NTIA said. The workshop will run 8 a.m.-5 p.m. MST both days in the Department of Commerce’s Boulder Laboratories Building 1 Lobby, NTIA said.
The Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) is generally performing the 11 cybersecurity functions required under the 2014 National Cybersecurity Protection Act (NCPA) but must fully establish metrics and a method for evaluating its performance, GAO reported Wednesday. NCCIC is charged under NCPA and the 2015 Cybersecurity Act with acting as the main federal civilian portal for cybersecurity-related information sharing, and it manages a range of programs for monitoring and mitigating cybersecurity vulnerabilities (see 1412100052 and 1512160068). NCCIC hasn't “determined the applicability” of NCPA-required implementation principles to all of its required cybersecurity functions nor “established metrics and methods by which to evaluate its performance against the principles,” GAO said. “Until NCCIC determines the applicability of the principles to its functions and develops metrics and methods to evaluate its performance against the principles, the center cannot ensure that it is effectively meeting its statutory requirements.” GAO also said a range of factors is impeding NCCIC from “efficiently” performing its role, including an inability to “completely track and consolidate cyber incidents reported to the center.” NCCIC doesn’t have “ready access” to the contact information for all owners and operators of cyber-dependent critical infrastructure entities, GAO said. DHS agreed with GAO's recommendations.
More than one-third of surveyed organizations that experienced a cyber breach in 2016 reported revenue losses of more than 20 percent, Cisco reported. More than 50 percent of organizations that experienced a data breach faced public scrutiny as a result, it said Tuesday. Cisco said it surveyed almost 3,000 organizations' chief security officers and security operations leaders. Ninety percent of surveyed organizations that reported significant losses due to breaches said they're now improving their cyberthreat defenses, technologies and processes, including security awareness training for employees and cyber risk mitigation techniques. Cisco found that organizations investigated only 56 percent of the security alerts they received and remediated less than half of the alerts found to be legitimate. “In 2017, cyber is business, and business is cyber -- that requires a different conversation, and very different outcomes,” said Chief Security and Trust Officer John Stewart in a news release. “Relentless improvement is required and that should be measured via efficacy, cost, and well managed risk.”