Auto industry objections to a push for an emergency stay on launch of dedicated short-range communication systems (DSRC) aimed at curbing traffic accidents lack relevancy and swerve around the petition's core argument -- how commercial applications in the 5.9 GHz band negatively affect road safety, consumer privacy and cybersecurity -- public interest groups said in reply comments posted Friday in RM-11771. Instead, those opponents to the petition "offer nothing more ... than the same tone-deaf talking points and avoiding the substantive issues at hand," the public interest groups said. The only opponents to the petition are licensees with commercial interests, and many critics don't address the specific privacy and cybersecurity concerns raised in the petition, while consumer and auto safety groups all back it, the public interest groups said. The filers were Public Knowledge, Open Technology Institute at New America, Access Humboldt, Privacy Rights Clearinghouse and Consumer Watchdog. Numerous auto industry groups and allies have pushed for denial of the OTI/PK request (see 1608250051). General Motors in a filing Thursday said the petition is based on "myths grossly exaggerating the security risks posed by DSRC and mischaracterizing the [FCC's] reasoned and long-established rules for the DSRC service." In its reply comments, GM said there are no heightened cybersecurity risks from any backward compatibility mandate in DSRC service rules, and Section 95.1509 of FCC rules -- governing DSRC technical standards -- doesn't preclude future security improvements. It challenged claims that commercial DSRC applications pose a cybersecurity and privacy risk, pointing to IEEE security standards for applications using wireless access in a vehicular environment.
Such DSRC applications might include parking management and payment or fuel management, and in each case, consumers will have a choice of whether to share information on an application-by-application basis, GM said, saying its 2017 Cadillac CTS, with DSRC vehicle-to-vehicle communications, won't include any commercial DSRC applications: "There is no need for regulatory action to address a non-existent problem, much less a precipitous 'emergency stay.'"
Intel and TPG agreed to form a jointly owned, independent cybersecurity company with the McAfee name, the companies said in a Wednesday news release. McAfee is an Intel subsidiary, but after the proposed $4.2 billion deal, TPG will own 51 percent of McAfee and Intel the rest, they said. TPG agreed to make a $1.1 billion equity investment. Intel Security general manager Chris Young will be CEO of the new McAfee, the companies said. The transaction is expected to close in Q2, subject to regulatory approvals and closing conditions, they said.
The National Institute of Standards and Technology and Department of Transportation plan a Thursday workshop on the effectiveness and challenges of applying current privacy controls in NIST Special Publication 800-53, Revision 4, which is aimed at providing baseline privacy and security controls that strengthen federal information systems and organizations against cyberattacks. The revised publication was released more than three years ago. The 9 a.m.-3 p.m. event, which won't be webcast, will discuss privacy risk management, the role of privacy controls in developing better programs and whether additional guidance is needed. The event is at DOT, 1200 New Jersey Ave. SE.
The Consumer Federation of America and its ID theft working group created a checklist to help organizations that suffered a data breach choose a service provider to mitigate and recover from any potential damage. CFA said in a Tuesday news release the checklist includes asking whether ID theft service providers will provide ways for victims to reduce damage, if services are available round the clock, if monitoring is provided and how quickly alerts are sent. The consumer group said organizations should ask providers if they can handle multiple languages, if personnel are specially trained to help victims and whether they will continue helping victims even after a contract ends. The list also covers state and federal laws that require breach disclosure and whether such recovery services should be acquired in advance or after a breach has been detected. The Identity Theft Resource Center recently reported a total of 638 breaches affecting more than 28.5 million records.
Smartphone malware infections rose 96 percent in 2016's first half, from the same 2015 period, reaching an all-time high in April, Nokia said in a Thursday report. Android devices “were the most targeted mobile platform by far,” with 74 percent of all mobile malware infections, it said. "Attackers are targeting a broader range of applications and platforms, including popular mobile games and new IoT devices, and developing more sophisticated and destructive forms of malware." On the new sophistication in malware, new variations of threats “attempt to root the phone in order to provide complete control and establish a permanent presence on the device,” Nokia said.
With IFA to open to the public beginning Friday, we observed crews placing signs Thursday at key entrances to the Messe Berlin fairgrounds warning visitors to the international consumer electronics show in Berlin to be aware of added security measures. “We ask for your understanding for our additional security checks,” read the signs we saw Thursday in German and English outside IFA’s North entrance. The signs urge visitors to use the smartphone app KATWARN for “fast and direct information” about the security restrictions and about any potential trouble. KATWARN bills itself as a free service developed by Fraunhofer that tells the user not only that “there is a dangerous situation, but also HOW you should behave,” said the service’s website. Airport-style metal detectors were visible at three entrances to the fairgrounds we visited since arriving Tuesday in Berlin, though there never had been any at previous IFA shows. But we saw none in use for the Wednesday and Thursday IFA news-media days, nor were there any obvious added security measures put in place for reporters covering IFA, such as the type of restricted bag policies CES imposed in January after the November terrorist attacks in Paris (see 1512180053).
The National Institute of Standards and Technology's Cybersecurity Framework, risk-based guidelines that help organizations identify, implement and enhance cybersecurity, takes a consistent approach with the FTC data security program, said Andrea Arias, an attorney with the commission's Privacy and Identity Protection Division, in a blog post Wednesday. She wrote NIST's framework isn't a checklist or a set of standards but helps organizations assess cybersecurity capabilities and set goals and a plan for improving and maintaining practices. Organizations don't actually comply with the framework but use it to assess risk and mitigation, she said. This is where the framework is consistent with the FTC, which in its enforcement tries to determine if a company's data security and processes are reasonable, she said. "By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement." She said alleged lapses the FTC challenged in enforcement actions correspond to the framework's five core functions -- identify, protect, detect, respond and recover -- that help companies organize information, enable risk management decisions, address threats and improve protections by learning from previous activities. "As the FTC’s enforcement actions show, companies could have better protected consumers’ information if they had followed fundamental security practices like those highlighted in the Framework," wrote Arias.
About 30 percent of respondents in a poll of more than 220 information security professionals who attended the Black Hat hacker conference nearly a month ago said their organizations are prepared for IoT-related security risks, said security company Tripwire in a Thursday news release. Twenty-seven percent said their organizations weren't prepared, 37 percent said their organizations will soon be prepared and 5 percent weren't concerned about IoT security risks, the company's poll found. Fifty-two percent didn't think their organizations accurately tracked the number of IoT devices on their networks, while 34 percent said their organizations did a good job. Plus, 78 percent said they were concerned about IoT devices being "weaponized" in distributed denial-of-service attacks. Only 11 percent ranked DDoS attacks as one of the top two security threats their organizations face. Phishing, cyberespionage, ransomware and insider threats were the other risks that were cited more frequently, Tripwire found. About half of the respondents said IoT devices on their networks will increase by at least 30 percent next year.
The Computer & Communications Industry Association raised concerns Tuesday about a joint France-Germany push for what the industry group believes is a plan to weaken encryption. French Interior Minister Bernard Cazeneuve and German Interior Minister Thomas de Maizière called Tuesday for EU legislation aimed at clarifying the rights and obligations of telcos and ISPs doing business in EU countries, including “obligations on operators deemed uncooperative in the removal of illegal content or decryption of messages.” Meanwhile, the European Commission is working on a new “ePrivacy proposal” that likely will include a loophole that allows governments to request access to encrypted data, CCIA said. “We are worried that EU proposals can allow governments to challenge end-to-end encryption and thus threaten the security and confidentiality of Europeans' communications,” said CCIA Europe Director Christian Borggreen in a statement. “It is certainly understandable that some would respond to recent tragedies with backdoors and more government access. But weakened security ultimately leaves online systems more vulnerable to all types of attacks from terrorists to hackers. This should be a time to increase security -- not weaken it.”
More confidence in the process of information sharing between the public and private sectors would help in addressing cybersecurity challenges, Sen. Ben Cardin, D-Md., told county officials in Ocean City, Maryland, Thursday. “Every day we are being attacked,” Cardin said. “We are being attacked by criminals who are stealing. … They’re stealing money, they’re stealing industry designs, they’re stealing intellectual property.” He referred to “actively engaged” cybersecurity soldiers, citing threats from Russia, China and additional unnamed countries, and “cyberterrorists” striving to attack the U.S. financial, energy and transportation systems. He touted an amendment he backs -- and detailed in a May news release -- “to make the Cyber Command a full military command comparable to our regional command structures within DOD,” and touted Maryland’s leadership on cybersecurity. “Maryland is the cybersecurity center, we think, of the universe,” Cardin said, referring to Fort Meade and the National Institute of Standards and Technology, both in the state. There are “increased resources being made available to deal with the threat of cyber,” he said. He cited what he called the leadership of retiring Sen. Barbara Mikulski, D-Md., on this and other issues and said he met with her on “hand-off” issues to allow the Maryland delegation to “carry on” without any loss in pursuing its priorities. National Association of Counties Executive Director Matthew Chase cited a Thursday morning meeting with House committee staffers on cybersecurity in the context of the U.S. elections. There’s an “incredibly lengthy” list of priorities left between now and the end of this Congress, Chase said. Cardin said Congress will have three weeks in session in September before the elections. Federal funding will expire Sept. 30 absent congressional action. “We need to get a budget number in September that gives you the predictability that your federal partner will be there to help you,” Cardin said.