Neustar urged the FCC to act on its show-cause motion against Telcordia despite an FBI letter saying it had no objections to Telcordia becoming local number portability administrator. Neustar, the LNPA incumbent, said the FBI letter didn't address its motion asking why Ericsson-owned Telcordia shouldn't be disqualified from serving as LNPA (see 1606020050). "Although the FBI's letter narrowly focuses on the services provided to the law enforcement community, it fails to address Ericsson's misrepresentations or misconduct," said Neustar in a Thursday filing in docket 09-109. "The facts that have been revealed indicate that Ericsson misled the Commission and violated national security requirements set forth in the Selection Order." Separately, the LNP Alliance fired back at a Telcordia (iconectiv) letter criticizing the group and New America's Open Technology Institute (see 1606230048). "The iconectiv Letter -- in the most preachy and pedantic tone -- implies that the LNP Alliance and other concerned parties are 'spooked' because they don’t understand the simplest, basic details of the LNPA Transition," said an LNP Alliance response. "In fact, the LNP Alliance’s acute concern with the LNPA Transition emanates from decades of experience with the manner in which even the most routine telecom process changes have so often become a pretext for large carriers to engage in anticompetitive and anticonsumer mischief. Whether changes to ordering, provisioning, billing or porting processes, large carriers have routinely taken advantage of process changes to shake loose hard-earned customers and increase competitive pressure on new entrants. The LNPA Transition has all the earmarks of the worst of such transitions -- poor transparency, a process controlled by nine (9) of the nation’s largest carriers, and de minimis oversight by regulatory authorities, including no state oversight role whatsoever. 
The iconectiv letter addresses a series of straw man issues never raised by the LNP Alliance, and neglects to address the principal issues it has raised, while unfairly maligning the integrity of the consumer groups that have duly weighed in on this issue." Telcordia didn't comment Thursday. Wednesday, North American Portability Management filed its monthly update on the LNPA transition.
Verizon urged the FCC to keep its current discontinuance process available for carriers if it creates a new process for discontinuing legacy telecom services to facilitate technology transitions. "We urged the Commission that any additional criteria it considers in the context of discontinuances related to technology transitions should be limited to the proposed streamlined process for discontinuing voice services. Providers should continue to have the option of using the existing process in all circumstances," said a Verizon filing Thursday in docket 13-5 on meetings with aides to Commissioners Mike O'Rielly and Mignon Clyburn. The telco also said the commission shouldn't require cybersecurity certifications as a condition for the streamlined track. Another recent Verizon filing elaborated: "As both the Chairman and the National Institute for Standards and Technology have recognized, a one-size-fits-all approach -- particularly one involving proscriptive regulations -- is not the best way to address cybersecurity concerns. Establishing cybersecurity guidance on a provider-by-provider or, where discontinuance applications cover a small geographic area, region-by-region basis is unworkable and inefficient." In that filing, Verizon said AT&T's proposal for a 2025 sunset date for an interoperability criterion is too far in the future.
Pandora warned subscribers in an email Tuesday of a “situation that could possibly affect your Pandora account.” Pandora said there’s no evidence users’ Pandora accounts were “compromised or tampered with in any way,” but user names and passwords "that were breached from a service other than Pandora a few years ago were posted on the web recently.” Pandora security teams analyzed the data and found certain Pandora users’ names were included on the list, said the company, and it urged those users to change passwords. It didn’t say which service’s user names and passwords were breached, or how many, though a Google search for “Pandora” and “password breach” brought up an article from Gizmodo Australia dated June 22 referring to a LinkedIn breach. “Last month a data breach from 2012 saw over 100 million LinkedIn usernames and passwords accessed and released onto the internet,” it said, but the link was broken and users who clicked through found a “couldn’t find the page you’ve requested” message. Meanwhile Monday, Pandora and Uber said Pandora will be integrated within the Uber driving app, enabling drivers and passengers to “listen to the music they love.” It "can be challenging to find high quality music that both drivers and riders love -- without radio ads and interruptions to the music,” said Bob Cowherd, Uber senior product manager-music and media. The partnership extends to Pandora and Uber customers in the U.S., Australia and New Zealand, said the companies. “Coming soon,” they said, riders will be able to “personalize their experience” when they're on an Uber trip. Riders registered with Pandora will have access to their favorite stations on an Uber trip “so they can easily listen through the car speakers," said the companies.
The FBI told the FCC it doesn't object to the selection of Telcordia as local number portability administrator and has no reason to believe the company couldn't satisfy the requirements of law-enforcement agencies. "Consistent with the prior filing of the Federal Bureau of Investigation, the Drug Enforcement Administration, and the U.S. Secret Service, the FBI continues to believe that accurate, confidential, affordable and secure provisioning and administration of the LNP database is in the best interests of the FBI and all of United States law enforcement," said a letter from Todd McCall, FBI assistant director-Operational Technology Division. "The FBI does not possess any information, as of this date, to reasonably question Telcordia's ability to meet these needs or to otherwise object to the FCC's selection of Telcordia as LNPA." The letter was posted Tuesday in docket 09-109.
Cisco will pay $293 million to acquire cloud security vendor CloudLock, Cisco said in a news release Tuesday. CloudLock sells cloud access security broker technology to enterprise customers, providing data and analytics about user activity and sensitive data. CloudLock employees will join Cisco’s networking and security business group, Cisco said. The deal is expected to close in Q1, subject to customary closing conditions, it said.
Microsoft proposed three sets of cybersecurity norms Thursday in a white paper aimed at government and industry. The three sets of proposed standards include offensive rules aimed at nation-states, industry-focused tenets and defensive customs aimed at both governments and the private sector. The proposed principles include ones addressing nonproliferation of cyber vulnerabilities, coordination on vulnerability disclosure practices and mitigation of government-initiated cyberattacks. “Norms should advance common objectives where possible, regardless of whether the norms are focused on offense, defense or industry,” said Microsoft Vice President-Trustworthy Computing Scott Charney in a blog post. “While there is a strong complementary structure for nation-state norms and industry norms, they vary in two important instances: nation-states possess the ability to create mass effects through offensive cyber activities; and the global ICT industry has the ability to patch all customers, even during conflicts between and among governments.” Microsoft’s white paper also proposes a public-private forum for addressing the need for attribution of severe cyberattacks, saying further development of attribution processes is needed to make the company’s proposed cybersecurity "rules of the road" effective. “As governments commit increasing resources into offensive cyber capabilities, the global ICT industry must strengthen its resolve, and take active steps to prevent user exploitation through adherence to industry norms,” Charney said. “We must continue to raise the bar in our defensive capabilities to deter nation-states from targeting technology users.”
The Office of Personnel Management and three other federal agencies haven't always “effectively implemented access controls” on high-impact systems under their jurisdiction, GAO said in a report released Tuesday. It stemmed from GAO's survey of 24 federal agencies, including 18 that identified cyberattacks from foreign governments on their systems as their most frequently occurring security threat. OPM, the Department of Veterans Affairs, NASA and the Nuclear Regulatory Commission displayed control weaknesses in “protecting system boundaries, identifying and authenticating users, authorizing access needed to perform job duties, and auditing and monitoring system activities,” GAO said. “Weaknesses also existed in patching known software vulnerabilities and planning for contingencies. An underlying reason for these weaknesses is that the agencies had not fully implemented key elements of their information security programs.” All four agencies had fully implemented risk assessments but were less thorough in implementing security plans, controls assessments and action plans, the GAO said. NASA, NRC, OPM and VA “should all fully implement key elements of their information security programs,” GAO said. The four agencies generally agreed to the GAO recommendations, but OPM said it didn’t concur with the recommendation on evaluating its security control assessments.
Citing the damage data breaches could inflict on businesses and consumers, FTC Commissioner Maureen Ohlhausen told participants Wednesday at the commission's Start with Security forum in Chicago that it's important to integrate security practices into a company. “So whether you’re building an app or managing your network or choosing your vendors, sound security practices are not an accident," she said. "They begin with a commitment to prioritize security within a business’s culture." Data breaches, she said, can harm a company's financial interests and reputation and result in a loss of consumer confidence. Consumers whose data is stolen can become victims of fraud and identity theft, she said. For instance, 16.6 million people -- U.S. residents 16 years and older -- were victims of identity theft in 2012, mainly credit card fraud, said Ohlhausen, citing the Bureau of Justice Statistics. She also cited the FTC's enforcement approach in making sure that companies have reasonable security practices and protections, and recent actions against AsusTeK Computer, Henry Schein Practice Solutions and Oracle (see 1602230032, 1605230030 and 1603290046). The Chicago workshop, with several panels of security experts providing insights and practical tips for the broader business community, is the fourth over the past year, including stops in Austin, San Francisco and Seattle.
The FCC Communications Security, Reliability and Interoperability Council will meet at 1 p.m. June 22 in the Commission Meeting Room at commission HQ, the agency said in a notice Monday. It said the CSRIC is to vote on reports on the emergency alert system, submarine cable resiliency, network timing, cybersecurity information sharing and the priority services framework.
Symantec introduced cybersecurity protection for connected cars, the company announced. Called Anomaly Detection for Automotive, the product protects against “zero-day attacks” and other security vulnerabilities unique to the connected car. Zero-day attacks are so named because defenders have had zero days to develop a fix by the time the security flaw is exploited. “Connected cars offer drivers conveniences such as navigation, remote roadside assistance and mobile internet hot spots,” Symantec said Wednesday, citing Gartner forecasts of 220 million connected cars on the road globally in 2020. Though new connected-car technologies “promise to enhance the driving experience, these advancements also create avenues of attack for hackers that can endanger drivers and passengers,” Symantec said. Its product uses machine learning to provide “passive in-vehicle security analytics” that monitor all “controller area network” bus traffic without disrupting normal vehicle operations, the company said. Since the product learns “what normal behavior is,” it’s able to “flag anomalous activity that may indicate an attack,” it said: “The solution works with virtually any automotive make and model.”