Sen. Chris Coons, D-Del., will partner with Sen. Cory Gardner, R-Colo., on Gardner’s expected legislation (see 1612200044) to create a permanent Senate Select Committee on Cybersecurity. “A committee with concentrated authority would be directed to complete investigations into cyber attacks and ensure the Administration takes the necessary steps to identify cyber vulnerabilities, address emerging threats and prevent future attacks,” they said in a joint opinion piece for Time this week. “Its members would consist of the chairmen and ranking members of all relevant committees that have jurisdiction over cyber issues, as well as a designee appointed by the chairman of each committee. The committee would have the ability to convene hearings, consider legislation and call witnesses in order to produce reports updating Congress and the American public on its progress.” Senate leadership has pushed back against the creation of a select committee in recent weeks. No bill has been introduced. The Senate Armed Services Committee, chaired by Sen. John McCain, R-Arizona, is creating a new subcommittee devoted to cybersecurity this Congress and named its leadership Wednesday: Sen. Mike Rounds, R-S.D., is subcommittee chairman and Sen. Bill Nelson, D-Fla., also top Democrat on the Commerce Committee, will be its ranking member.
The global blockchain technology market could be worth $20 billion by 2025, up from $315 million in 2015, predicted Transparency Market Research in a Wednesday news release. The research firm said it expects the market for blockchain, a type of authentication technology for online payments, to grow at a compound annual growth rate of 58.7 percent from 2016 to 2024. IBM, R3 and Chain Inc. lead the global market, with a combined 45.3 percent share in 2015, and will likely make acquisitions to widen their customer base and enhance their technologies, TMR said. Stringent regulations are one restraint on the market, it said: “It is imperative that [companies] adhere to privacy laws, which vary with each country.”
Regulatory oversight is a critical part of reducing cyber risk on telecom networks, the FCC Public Safety Bureau said Wednesday. “As the end-to-end Internet user experience continues to expand and diversify, the Commission's ability to reduce cyber risk for individuals and businesses will continue to be taxed,” the bureau said in a white paper. “But shifting this risk oversight responsibility to a non-regulatory body would not be good policy. It would be resource intensive and ultimately drive dramatic federal costs and still most certainly fail to address the risk for over 30,000 communications service providers and their vendor base.” The FCC can’t rely on organic market incentives alone to reduce cyber risk, it said. “As private actors, ISPs operate in economic environments that pressure against investments that do not directly contribute to profit. Protective actions taken by one ISP can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to invest in such protections. Cyber-accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively.” FCC Chairman Tom Wheeler, who steps down Friday, mailed the cybersecurity white paper to Sen. Mark Warner, D-Va. “This whitepaper outlines risk reduction activity engaged in by the Commission during my tenure and suggests actions that would continue to affirmatively reduce cyber risk in a manner that benefits from and incents further competition, protects consumers, and addresses significant national security vulnerabilities,” Wheeler wrote. Earlier, Wheeler was seen as backing off more ambitious cybersecurity plans (see 1611300063).
Idaho Gov. Butch Otter (R) will hire a director of information security to lead state efforts to combat hacks on state computer networks, as part of an executive order signed Monday. Otter's executive order also enacts other recommendations of the governor’s Cybersecurity Task Force, including adopting the National Institute of Standards and Technology Cybersecurity Framework and providing employee training and public outreach about cybersecurity best practices. “We learned this past year, firsthand, just how real the threat of cyberattacks is when the Department of Fish and Game’s licensing vendor was hacked,” Otter said in a news release. “Having a comprehensive plan to protect the personal information of our citizens must be a top priority.”
Neustar said it gave North American Portability Management a draft nondisclosure agreement (NDA) on the local number portability administrator transition to Telcordia/iconectiv. But the LNPA incumbent said it had concerns about the intervention of FCC bureaus, which sided with NAPM in a dispute over the treatment of confidential information and asked Neustar to agree to a new NDA by Tuesday (see 1701060065). "Although we object to the Bureaus' overreach in this matter, we delivered a revised NDA that should be reasonably acceptable to the other parties and resolve the matter," said a Neustar letter posted Wednesday in docket 09-109. The company said it "remains committed to working diligently with the NAPM to bridge any perceived gaps" but it "reserves all rights and remedies, including the right to seek review" of a recent bureau letter at the appropriate time. Neustar said the bureau letter called NAPM's Nov. 22 draft NDA a "workable solution" without noting it reflected the consortium's "rejection of the draft the FCC staff reviewed and was sufficiently satisfied with" to deliver to the NAPM. It also disputed the letter's implication that "national security-related information" could be at risk due to the NDA negotiations. "Neustar originally proposed making explicit in the NDA that national security information must be protected" and also proposed measures "to mitigate potential risks" to U.S. national security in the transition, said the company. Neustar also called any suggestion it was to blame for transition delay "baseless," and said, "Any delay to this point is the result of iconectiv being required to start from scratch its software development because of its impermissible use of foreign nationals." The FCC, NAPM and iconectiv didn't comment. Meanwhile, Neustar's planned sale to a private investor group got antitrust clearance, said an early termination notice Tuesday of the FTC, which posts such notices for both it and DOJ. Its sale to a group led by Golden Gate Capital is expected to need review by the FCC and the Committee on Foreign Investment in the United States, but the transaction isn't expected to slow the LNPA transition (see 1612140062).
Hacker Guccifer 2.0 pushed back against U.S. intelligence agencies' assessment that the hacker executed the Russia-backed breaches of IT systems associated with the Democratic National Committee and the campaign of former Democratic presidential nominee Hillary Clinton aimed at influencing the outcome of the 2016 presidential election. “These accusations are unfounded,” Guccifer 2.0 said in a Thursday blog post. “I have totally no relation to the Russian government.” An unclassified version of the U.S. intelligence agencies' report on the Russia-led hacks, released last week (see 1701060060), is a “crude fake” that “doesn't stand up to scrutiny,” Guccifer 2.0 said. “It’s obvious that the intelligence agencies are deliberately falsifying evidence. ... They’re playing into the hands of the Democrats who are trying to blame foreign actors for their failure.” Guccifer 2.0 suggested “we'll see more fakes” from President Barack Obama's administration before President-elect Donald Trump is inaugurated Friday. Trump now believes Russia ordered the election-related hacks. Several cabinet nominees echoed Trump in backing the intelligence report (see 1701110051).
U.S. cybersecurity offense "is way ahead of our defense," Rudy Giuliani said Thursday in a conference call after the incoming Donald Trump administration announced that it would consult with the former New York City mayor on cybersecurity issues and that Giuliani would chair a committee on cybersecurity developments involving company heads. That committee also will hold a number of meetings with President-elect Donald Trump about cybersecurity, said a Trump transition team release. "It's kind of like cancer in the sense there are so many different things being done to cure cancer, you almost feel like if you could put all the people together in the same room, maybe we could cure it," Giuliani said, saying "a perfect defense" to cybersecurity threats is unlikely and improvement is the aim. The Trump transition team said the meetings are to get "experiential and anecdotal information" from the executives about cybersecurity issues and how they were handled. The Trump team also said it's not seeking consensus advice or recommendations. Giuliani is Greenberg Traurig chairman-global cybersecurity, and chairman-CEO of security consulting firm Giuliani Partners.
Mozilla faulted the Senate Judiciary Committee Wednesday for not including a broader discussion of cybersecurity issues during Attorney General nominee Jeff Sessions’ confirmation hearings. Sessions committed during a hearing Tuesday to follow the USA Freedom Act, which restricts NSA from the bulk collection of Americans' phone records, despite his voting against the bill in 2015 (see 1701090038). Surveillance continued to occasionally emerge as an issue during Sessions' hearing Wednesday (see 1701110069). Senate Judiciary almost exclusively mentioned cybersecurity in the context of government-sponsored cyberattacks like Russia’s hacking of IT systems associated with the Democratic National Committee and the campaign of former Democratic presidential nominee Hillary Clinton, said Mozilla Chief Legal and Business Officer Denelle Dixon-Thayer in a blog post. “Discussion about robust cybersecurity for everyday Internet users -- through practices like strong encryption -- was largely absent,” she said. “It would have been helpful if the Senate asked Sessions to clarify his position, and even better if they asked him to clarify that privacy and security are important for all Americans and a healthy Internet.”
The National Institute of Standards and Technology's long-anticipated draft "Version 1.1" (v1.1) update to the Cybersecurity Framework, released at our deadline Tuesday, includes a new section on developing effective cybersecurity metrics. NIST has been considering potential updates to its existing 2014 framework in response to comments last year from stakeholders who encouraged the agency not to pursue a major revamp of the document (see 1602240065). NIST's framework “can be used as the basis for comprehensive measurement” of the efficacy of cyber risk management practices, the draft said. The framework's implementation tiers and categories are themselves metrics, NIST said. Any metrics on cyber risk management “should be designed with business requirements and operating expense in mind,” the agency said. “The expense of a measurement system may increase as the accuracy of measurement increases. To mitigate undue cost to the organization, the accuracy and expense of a system need only match the required measurement accuracy of the corresponding business objective.” NIST included the metrics section in the draft “to get the conversation started,” said Framework Program Manager Matthew Barrett in a news release. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.” V1.1 also includes additional information on managing cyber supply chain risks and clarifications of framework terms. NIST said it's collecting stakeholder feedback on the v1.1 draft through April 10.
Secretary of Homeland Security nominee John Kelly didn't discuss his views on cybersecurity issues in a prepared opening statement released before his Tuesday confirmation hearing before the Senate Homeland Security Committee, though those issues were widely expected to come up during the hearing. Senate Homeland Security Chairman Ron Johnson, R-Wis., said at the start of the hearing that “cyberthreats are real and growing, and our critical infrastructure is not adequately secure. As a result, the next secretary of the Department of Homeland Security will be shouldering enormous responsibilities.” The hearing was still ongoing at our deadline.