FTC Chairwoman Edith Ramirez will open a Sept. 7 event on ransomware that will feature three panels of private-sector experts and government officials, including an FBI agent, the commission said in a Monday news release. In ransomware, criminals typically encrypt files after they hack into a person's or company's computer and then demand a ransom in exchange for the key to decrypt the files, the FTC said. Some members of Congress also said ransomware is becoming a major problem (see 1604190032). The FTC panels will focus on the scope of ransomware, best defenses against it and how consumers should respond if they've been hit, the release said. The commission's Office of Technology Research and Investigation and New York University's computer science department will present research based on different types of ransomware used, the FTC said. The 1-4:30 p.m. event will be at FTC's Constitution Center offices, 400 7th St. SW.
NTIA plans a workshop Sept. 1 on potential IoT benefits and challenges and the government's role in possibly helping advance those technologies. In a notice to be published in Thursday's Federal Register, the agency said it will post on its website a detailed agenda on the workshop, with several panels and speakers. The workshop, open to the public and scheduled for 9 a.m.-3 p.m., will provide input to the Department of Commerce's upcoming IoT green paper, the notice said. The meeting will be at the Patent and Trademark Office, 600 Dulany St., Alexandria, Virginia. In a blog post last week, Angela Simpson, NTIA deputy assistant secretary-communications and information, said (see 1608020060) the agency also is planning to launch a new multistakeholder process to help consumers better understand IoT products that support security upgrades -- building on a June request for comments on IoT benefits and challenges and one last year on cybersecurity.
The Social Security Administration is now requiring that people have a cellphone number to use the “my Social Security” website. “We’ve added an extra layer of security for our customers when they interact with us online,” the SSA said in a blog post. “This extra layer of security is called ‘multifactor authentication’ and complies with an executive order requiring federal agencies to provide more secure authentication for their online services. Any agency that provides online access to a customer’s personal information must now use multifactor authentication.”
Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., pressed FCC Chairman Tom Wheeler on “consumers’ safety and privacy as car manufacturers deploy vehicle-2-vehicle and vehicle-2-infrastructure communications technologies in their automobiles,” in a letter dated Thursday. They said the IoT also could be called the “Internet of Threats” without appropriate measures in place. “Ensure that DSRC [dedicated short-range communications] spectrum is only used for vehicle safety and not commercial applications that may make vehicles more vulnerable to safety, cyber, and privacy threats,” they told the FCC among a list of items. “Mandate that automakers, commercial entities, and anyone else licensed to use DSRC spectrum submit privacy and cybersecurity plans to the FCC.” These entities also should “periodically” update their privacy and security plans, the senators recommended. The FCC should require “DSRC spectrum users to notify appropriate law enforcement, government agencies, and consumers if a serious breach occurs and take appropriate steps to mitigate the harms of such a breach.” Markey and Blumenthal are “pleased” with a July 25 FCC notice seeking comment on these issues, they said.
Harman joined the Automotive Information Sharing and Analysis Center (Auto-ISAC), it said in a Wednesday news release. The group collaborates to share, track and analyze intelligence about cyberthreats and potential vulnerabilities against connected cars. Harman reinforced its commitment to protective cybersecurity measures, highlighting its 5+1 automotive security frameworks and its acquisition of TowerSec in January. Joining Auto-ISAC “adds another layer of intelligence and information sharing to progress the industry’s automotive cybersecurity agenda,” said Saar Dickman, Harman vice president-automotive cybersecurity. Harman has been developing a multilayer security framework that addresses “defense in depth” within the system design, along with over-the-air updates and software-based security solutions for future vehicles as well as ones that can be retrofitted to unsecured cars on the road today, it said. Auto-ISAC members make more than 99 percent of light-duty vehicles on the road in North America, said Harman.
NTIA said it’s beginning a new multistakeholder process via the Internet Policy Task Force on the cybersecurity upgradability of the IoT. The NTIA-facilitated process, which is to begin with an initial meeting in early fall, will focus on developing ways to improve consumers’ understanding of cybersecurity upgrades to IoT products, the agency said Tuesday. NTIA chose to proceed with the multistakeholder process in response to comments in both its recent IoT request for comment (see 1606020059) and the IPTF’s 2015 request for comment on cybersecurity issues (see 1506010055) that “identified security upgradability as an issue that required attention and coordination,” said Deputy Assistant Commerce Secretary-Communications and Information Angela Simpson in a blog post. She said that the process’ goal will be to “promote transparency in how patches or upgrades to IoT devices and applications are deployed. Potential outcomes could include a set of common, shared terms or definitions that could be used to standardize descriptions of security upgradability or a set of tools to better communicate security upgradability.” There are instances in the IoT space where there has been “limited consideration for supporting future security patches, even though many devices will eventually need them,” Simpson said. “Enabling a thriving market for devices that support security upgrades requires common definitions so consumers know what they are getting.” No common definitions on IoT cybersecurity upgrades currently exist “and manufacturers can struggle to effectively communicate to consumers the security features of their devices,” she said.
Former CIA Director Michael Hayden and George W. Bush administration Deputy National Security Adviser Elliott Abrams are among 28 former officials from Republican presidential administrations who jointly urged congressional leaders Friday to formally investigate the hacking of Democratic National Committee servers. The attacks are “an assault on the integrity of the entire American political process” and “not a partisan issue,” the Republicans said in a letter. The DNC hack and Wikileaks' subsequent publication of emails stolen during the hack are viewed as possibly spurring a more serious discussion about foreign cyber espionage during the presidential campaign (see 1607270061). “Congress has a responsibility to get to the bottom of this extraordinary breach, not only to determine who was responsible but also to consider the appropriate response,” Abrams and the others said in the letter. “The hacking of a political party’s email system by Russian intelligence agencies would, if proven, constitute unprecedented foreign interference in an American presidential campaign.”
The FTC approved a final order against AsusTeK Computer over allegations the company put personal information of thousands of consumers at risk on the internet because it didn't update software on its routers (see 1602230032), the commission said in a Thursday announcement. Commissioners voted 3-0 to approve the consent order, which requires the company to establish and maintain a comprehensive security program over the next 20 years that will be subject to independent audits. Asus must also notify customers about software updates or provide a way for customers to receive security notices, said the order. The commission said the order also forbids Asus from misleading customers about the security of its products. Asus, which settled with the FTC in February, didn't comment.
President Barack Obama signed off Tuesday on a presidential policy directive clarifying federal government agencies’ responsibilities for responding to a cyberattack, including making the Office of the Director of National Intelligence responsible for leading intelligence support in response to the attack. The directive designates DOJ to take the lead in law enforcement activities related to a cyberattack, while the Department of Homeland Security will aid in mitigating the attack. The White House’s release of the directive came amid the fallout over WikiLeaks’ release of controversial Democratic National Committee emails believed to have been harvested from DNC servers during a 2015 hacking incident. The White House emphasized Tuesday that its planning for the directive significantly predated the DNC hacking incident. The White House’s directive directs the Cyber Response Group within the National Security Council to coordinate development and implementation of U.S. government policies in response to cyberattacks. The CRG or the larger NSC can form a cyber unified coordination group (CUCG) as the “primary method” of coordinating among federal agencies in response to “significant” cyber incidents, Obama said in the directive. The CUCG normally will include the Department of Homeland Security and other lead federal agencies for threat response and support, but also will include the FCC and other sector-specific agencies depending on the nature of the incident, the directive said. The FCC also would be called upon to participate in CRG activities when “its inclusion is warranted by the circumstances and to the extent the [FCC] determines such participation is consistent with its statutory authority and legal obligations,” an annex to the directive said. The White House directive also set up a five-level framework for rating cyber incidents. Level 1 attacks are “unlikely to affect public health, national security” or other U.S. interests, while a Level 5 incident “poses an imminent threat to wide-scale critical infrastructure services, national government or to the lives” of U.S. citizens, the directive said.