Maryland, which has sought a national role in cybersecurity policy, is joining the roster of states adopting the new federal framework of cybersecurity standards and exploring the potential for developing new regulations for the private sector, according to the state's cybersecurity chief.
“Maryland state government will adopt the framework which is strongly supported by the National Association of State Chief Information Officers (NASCIO) and the National Governors Association (NGA),” Elliot Schlanger, Maryland’s director of cybersecurity and chief information security officer, told Inside Cybersecurity in a statement.
Maryland Gov. Martin O'Malley (D) co-chairs the NGA's Resource Center for State Cybersecurity along with Michigan Gov. Rick Snyder (R). Earlier this month, an NGA spokeswoman declined to comment directly on the framework.
The prospect of creating new state regulations is an option that O'Malley and fellow governors from around the country are exploring to improve the cybersecurity posture of critical infrastructure, Schlanger added. “Through the Resource Center, governors collectively explore different strategies to improve critical infrastructure, including the appropriate use of legislation and regulation,” he said.
The federal framework of cybersecurity standards developed by the National Institute of Standards and Technology “provides an adaptable roadmap, for both public and private entities alike, in which core activities are specified, assessed and acted upon in an effort to mitigate security risks,” Schlanger said via email. “The framework also allows different stakeholders throughout the organization to align their communications about issues concerning information security and privacy. Finally, the framework is universally applicable to the various units of state government which tend to exhibit differing maturity levels concerning their security posture.”
Asked whether O’Malley plans to take action on his own to adopt the framework, or will await the approval of a Maryland state bill with the same intent, Schlanger replied, “I believe these are independent activities. Maryland state government will adopt the NIST framework because it represents good ideals, practices and business and it will assist state government to build its strategic foundation for on-going cybersecurity activities. In parallel, [the bill] SB197 will likely succeed in the current session and become law.”
Officials in Virginia, California and Hawaii have also pledged to adopt the framework. -- Christopher J. Castelli (ccastelli@iwpnews.com)
The release and pending markup of a cybersecurity information-sharing bill in the Senate could create momentum for moving a variety of initiatives through Congress this year, but early reactions show how difficult it remains to address cyber issues.
“It's pretty extraordinary that they're putting this out in light of the Snowden revelations,” the American Civil Liberties Union's Gabriel Rottman said in response to the draft bill released Tuesday by Senate Intelligence Chairman Dianne Feinstein (D-CA) and ranking member Saxby Chambliss (R-GA).
Feinstein and Chambliss announced they plan to mark up the bill next week.
“The bill incentivizes the sharing of cybersecurity threat information between the private sector and the government and among private sector entities,” Feinstein said in a statement. “It responds to the massive and growing threat to national and economic security from cyber intrusion and attack, and seeks to improve the security of public and private computer networks by increasing awareness of threats and defenses.”
House Intelligence Chairman Mike Rogers (R-MI) and ranking member Dutch Ruppersberger (D-MD) issued a joint statement praising the new Senate bill.
"This legislation will allow the private sector to protect itself from this severe onslaught of attacks, ultimately protecting the American economy as a whole," the House intelligence leaders said. "We are confident that a final bill that enhances our security while protecting privacy and civil liberties can be worked out quickly in conference.”
Senate Homeland Security and Governmental Affairs Chairman Tom Carper (D-DE) was also encouraged by the development.
"Passing legislation that will update our nation’s cybersecurity laws remains a top priority for Chairman Carper for this year," a Carper aide told Inside Cybersecurity. "The Chairman and his staff are currently reviewing the legislation released by Senators Feinstein and Chambliss earlier today. Chairman Carper is encouraged to see bipartisan work on cybersecurity and he and his colleagues continue to find areas to work together on legislation to enhance our nation’s cybersecurity efforts. He remains hopeful that they will come to an agreement on a bipartisan measure soon."
Other lawmakers who have been involved in discussions over cyber legislation declined to comment on Tuesday.
Clearing a path?
Industry officials for months have expressed hope that a bipartisan deal in the Senate intelligence panel would clear the way for the Senate to pass an information-sharing bill that could be easily reconciled with the House-passed Cyber Intelligence Sharing and Protection Act.
Plus, sources have said an information-sharing bill could pull along measures on the federal cyber workforce, research and development, the Department of Homeland Security's role in cyberspace and other discrete cyber provisions that may lack the heft to move on their own.
But despite the initial round of praise for Feinstein and Chambliss' significant accomplishment in reaching agreement, the road ahead is far from certain. It remains to be seen, for instance, whether the Senate leadership has any interest in bringing a cyber bill to the floor.
Paul Rosenzweig, founder of Red Branch Consulting and a former high-ranking Department of Homeland Security official, praised the bill as “a good effort -- very much consistent with CISPA from the House and easy to conference if it passes the Senate.”
But Rosenzweig added in a blog post on Tuesday: “I have to wonder, however, if this type of legislation is viable in the post-Snowden era. We shall see . . .”
Rosenzweig cited a variety of pluses and minuses in the Senate bill, saying, for instance, “The requirement to remove personally identifying information from shared cyber threat information is both critical to securing buy in from privacy advocates and likely a significant vulnerability that diminishes effectiveness.”
On liability, he added, legal “protection to those in the private sector who share information with the government is a strong incentive. But it continues to contain the litigation bait of a 'willful misconduct' exception -- which converts the liability protection into a bit of an artful pleading requirement.”
Critics, including the ACLU's Rottman, said the measure should be closely scrutinized and suggested it fails to overcome problems associated with CISPA.
“My first blush comment is they really can't rush this one,” Rottman said.
He said the bill “would create a significant loophole that could allow the government to go to the companies and ask for 'voluntary' cooperation and then use the information disclosed . . . for broad law enforcement purposes, including 'leaks' investigations into national security whistle-blowers.”
That, Rottman said, is “a major step back if true.”
“That's all made significantly worse by the liability protection and the 'good faith' absolute defense for cooperation that arguably violates the terms of the law,” Rottman said. “There also doesn't appear to be any protection at all for sharing with military and intelligence agencies, and the exception for removing personal information means this could conceivably be a back door into an expansion of surveillance activities.” -- Charlie Mitchell (cmitchell@iwpnews.com)
Cybersecurity stakeholders in the coming months will watch for next moves on incentives and sector initiatives, as well as updates on the framework of cybersecurity standards and the Department of Homeland Security's closely watched inquiry into small business issues.
The first half of 2014 was largely about defining the terms of the cybersecurity dialogue -- and determining the venues for a policy discussion that would be driven, in large part, by the National Institute of Standards and Technology's framework.
Now, at the midpoint of the year, upcoming steps on incentives for companies to improve cybersecurity, sector-specific programs, the roadmap for the NIST framework, and DHS initiatives -- including the small business inquiry and overall “C-Cubed Voluntary Program” -- will define the future direction of cyber policy.
The Obama administration's policy on incentives continues to advance at a deliberate pace.
A White House official recently told Inside Cybersecurity that efforts to streamline regulations to help companies pursue cybersecurity improvements will culminate in a report in early 2016.
Industry groups have cited regulatory relief as a valuable potential incentive for enhanced cyber efforts and some have expressed impatience over the pace of regulatory moves.
Likewise, the administration is slowly formulating a position on incentives for cyber threat information sharing, even though a bill is heading toward markup in the Senate Intelligence Committee after the July Fourth congressional recess.
That measure would provide liability protection for companies that share information with the government, which has been one of industry's top priorities on Capitol Hill.
White House officials cite both pros and cons to such liability relief, and President Obama's cybersecurity coordinator, Michael Daniel, is in the midst of an ongoing examination of barriers to information sharing.
Some in industry say legal fears related to information sharing are a side issue, and that the economics of cybersecurity is the key -- and should be the focus of discussions over incentives.
Larry Clinton of the Internet Security Alliance said the administration “has made great strides in its understanding of the differences between public sector and private sector cyber risk including a sophisticated appreciation of the economics of cybersecurity.”
Clinton is a leading advocate for developing a policy of incentives as called for in President Obama's 2013 cybersecurity executive order.
Speaking at a DHS-sponsored forum last week at Penn State, Clinton called for “a systematic and collaborative process to assess the utility and effectiveness of the framework.”
That, Clinton said, will help identify what and where incentives are needed.
The sectors lead
While the issue of incentives is discussed in fitful starts and stops, sector-specific initiatives have been marching ahead -- and will likely provide the most visible examples of progress on developing new, risk-based approaches to cybersecurity.
Industry-driven efforts are underway to deliver sector “guidances” this summer, with work products expected from the energy and transportation sectors, the information technology industry and others.
The telecommunications industry is engaged in a process, launched by the Federal Communications Commission, that will result in recommendations early next year on a new overall approach to cybersecurity that would supplant the traditional regulatory model. The FCC's “working group 4” will hold its next meeting on July 28.
In addition to providing a possible model of collaboration between industry and regulators, the working group 4 process could also yield important data on how companies are using the NIST framework.
Trade associations for the oil and natural gas industry are spreading the word about Department of Energy-developed cyber maturity models that track with the NIST framework and in the coming months expect to report on their progress in encouraging the use of the tool.
When the framework was released in February, federal officials expressed hope that it would help spur a multitude of industry-led efforts to craft a new paradigm on cybersecurity.
That hope has been fulfilled to a degree through specific government-industry efforts like working group 4, and even through campaigns like the U.S. Chamber of Commerce's ongoing roadshow to promote the framework.
Further, the handbook for corporate directors released in June by American International Group, the National Association of Corporate Directors and Internet Security Alliance represents an unprecedented step to frame the cybersecurity discussion for the corporate boardroom.
Officials from those groups have launched an effort to put the handbook in front of executives across the country.
Efforts at NIST and DHS
Amid the private-sector activities, stakeholders' eyes are locked on NIST and DHS for signs of where the government is going with its overall cyber strategy.
The first half of the year has been about spreading the word and raising awareness, NIST and DHS officials have said repeatedly.
Along with the framework, NIST officials in February issued a “roadmap” for future efforts and said they would hold a public workshop after about six months.
It now appears the workshop -- and an update on progress in areas identified for further development -- will be held sometime this fall, according to a NIST spokeswoman.
Likewise, the DHS inquiry into “small-business solutions” for cybersecurity has yet to yield a work product amid intense industry interest in where the department is going on the topic.
DHS officials say a report on responses to the small-business inquiry is still in the works and that a meeting should be held with industry stakeholders sometime in the next two months.
DHS provided stakeholders with an update on the so-called C-Cubed program at a June meeting in Boston, and will continue to do so at events around the country.
At some point, most likely late in the year, officials from NIST, DHS, the White House and other agencies should be in a position to reveal their thinking on the adequacy of the current policy track -- and whether significant course corrections or minor adjustments are necessary going forward. -- Charlie Mitchell (cmitchell@iwpnews.com)
A new report by a government contract lawyer offers advice on helping small businesses meet new federal cybersecurity requirements. The report identifies the challenges that small contractors and larger companies without cybersecurity experience might face in complying with tougher data security requirements, which may ultimately weaken the security of the government's information systems.
The report, “Regulating Information Security In the Government Contracting Industry: Will the Rising Tide Lift All Boats?” by Keir Bancroft with the law firm Venable, argues that training and information sharing by federal agencies will be key to helping smaller companies meet these new requirements. The paper was published by the American University Law Review.
The analysis comes as the Obama administration is developing a framework for cybersecurity standards that industries will be encouraged to adopt, while also rewriting procurement requirements to ensure the security of data services and products sold to the government.
While Bancroft notes the increased attention to cybersecurity by federal policymakers, his article also outlines existing statutory and regulatory requirements for information security, including the Paperwork Reduction Act, the Computer Fraud and Abuse Act, the Computer Security Act and the Federal Information Security Amendments Act of 2012 and 2013.
Bancroft writes that the “risk of harm arising from cybersecurity breaches and the exposure of sensitive information warrants increased vigilance and protections.” However, he adds that increased protection “threatens to outpace the technology and resources available for subsets of the government contracting community, particularly small businesses.”
Moreover, those new requirements could have a broader impact by affecting the business decisions of larger companies. “The regulations might also affect larger businesses just entering the government contracts industry or seeking work with new federal agencies; they may find that the cost of compliance outweighs the benefit of participating in the new market,” the article says.
Bancroft argues that the government's push for tougher cybersecurity requirements has failed to take into account the challenges that those requirements might pose for contractors. “Absent from the laws and regulations proposed to date has been significant consideration for the effects increased security requirements will have on small businesses or larger, relatively inexperienced contractors that are just getting involved in contracts with the federal government or new federal agencies calling for information security compliance,” the article states.
Bancroft argues that the government should adopt an “iterative” process to cybersecurity that ensures the ability of service providers and contractors to comply with initial requirements while those standards are refined and strengthened.
“The rising tide . . . threatens to leave behind any contractors not equipped with the resources or the experience to keep pace with the many new requirements,” the article says. “These businesses will try to comply with the requirements, but the lack of resources and experience to do so may leave themselves vulnerable to security breaches.”
Bancroft says training, continuous monitoring of contractor compliance and business incentives will be key to ensuring cybersecurity, adding that “solutions should be structured to incentivize the involvement of all parties in opportunities that call for increased levels of information security and cybersecurity.” -- Rick Weber (rweber@iwpnews.com)
A leading advocate for privacy protections argues that the U.S. Constitution's restrictions on quartering soldiers in private homes, set out in the Third Amendment, impose certain conditions on the Obama administration's emerging cybersecurity policies.
In particular, “Congress must have a role in establishing the framework used to authorize any offensive cyberoperation,” according to an article by Alan Butler, a lawyer for the Electronic Privacy Information Center (EPIC), published last week in the American University Law Review.
Butler argues that the “often overlooked” Third Amendment applies to cybersecurity activities because they can affect private networks and hardware. “Under this analysis, quartering of 'soldiers' in private computer systems occurs when military operators directly or indirectly employ files or software that accesses and places itself upon a private system,” writes Butler, who is appellate advocacy counsel for EPIC.
EPIC is part of a broad coalition that in July sued the National Security Agency over allegations of Internet spying and privacy violations.
Butler says the Obama administration's executive order calling for the development of voluntary cybersecurity standards and promoting public-private partnerships is a “step in the right direction,” but government action to counter and defend against cyber attacks may trigger constitutional restrictions.
According to Butler, the constitutional restrictions on cybersecurity can be softened by the public-private cooperation being encouraged by the Obama administration to strengthen cybersecurity and reduce the risk of attacks. “This collaborative process not only makes good practical sense, because private companies directly control many target systems, but the process also facilitates a consent mechanism that limits Third Amendment implications of cyberoperations,” Butler says in the article.
When threat detection is coordinated by the military and private sector, “these relationships will necessarily involve consent” under the Third Amendment, he writes. “The alternative is giving only military agencies control over the standards-setting process, which some members of Congress have proposed, but the president's executive order [13636] rejected.”
Butler argues for “transparency and accountability” to ensure security, privacy and civil rights. “The cyberattack attribution problem should not be treated like a double-edged sword that can prevent identification of foreign attackers and lead to mistaken retaliation against innocent intermediaries, while shielding the United States from accountability when it makes a mistake.”
This call for transparency and accountability is best addressed by a greater role for Congress and network owners and operators, he contends. “The legislature and private sector must be involved in the standards-setting and decision-making processes to maintain the balance between civilian and military power that the Third Amendment embodies,” Butler says.
The president's executive order “is a step in the right direction,” Butler says, “but so far Congress has not provided adequate guidance or legal balance to executive power in this area.” -- Rick Weber (rweber@iwpnews.com)
In response to research that found cyber threats were shifting from data to operational technology, a division of Lloyd's of London has announced a new type of insurance coverage to address increased cybersecurity risks to the electric utility industry.
“In-depth research by Lloyd's of London insurer AEGIS London shows technology running the world's critical infrastructure is increasingly at risk of cyber attack,” according to an April 9 press release announcing the CyberResilience insurance product.
The research, conducted by BAE Systems Applied Intelligence, focused on cyber attacks against power and utility companies in the United States, Europe and Canada. The research drew on incident reports from the U.S. Department of Homeland Security and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The findings also show that utility companies “are better prepared to deal with cyber threats to their operational technology than many recent media reports have indicated.” But the BAE Systems report laments a lack of technological solutions to address these cyber threats.
“The biggest challenges energy companies and utilities face are constraints outside their control such as the lack of 'adequate and mature technology solutions,'” the AEGIS London press release states.
The new insurance product, and its focus on critical infrastructure operators, fits with the Obama administration's push for more rigorous cybersecurity measures at industrial facilities. The administration's recently released framework of cybersecurity standards, developed by NIST, is focused on protecting critical infrastructure, including power plants, and the Federal Energy Regulatory Commission has directed the utility industry to toughen its cyber protection requirements for the grid.
The federal cybersecurity framework is a good step toward addressing rising web threats, Symantec Government Affairs Director Jeff Green said.
“Anything that helps increase awareness is going to be helpful,” Green said during a webinar to discuss Symantec's recent report on Internet threats.
Green said that Symantec itself is using the framework developed by the National Institute of Standards and Technology to analyze its own cybersecurity posture.
“It's making it easier for organizations that are not as sophisticated,” Green said. “If the framework gets the people off the sidelines, we're going to be advancing things.”
Green added that the framework establishes a common language for discussing cybersecurity, simplifying conversation about cyber risks.
The 2014 Internet Security Threat Report by Symantec found that ransomware and mobile cyber attacks are on the rise, while targeted attacks are growing more sophisticated in response to heightened awareness of suspicious online content. The report also found that the “Internet of Things” – devices ranging from refrigerators to baby monitors that are connected to networks – is becoming a prime target for hacking.
As data breaches increased, especially toward the end of 2013, the report found that the healthcare sector was hit with 44 percent of the overall reported incidents. However, the sector also had one of the lowest percentages for identities exposed from data breaches at 1 percent. The highest percentage of identities exposed went to the retail sector, with 30 percent of the overall number of exposed identities.
Senators will be discussing cyber crime this week while multiple industry conferences delve into cybersecurity issues affecting the energy sector, retailers, cyber innovation and more.
The Senate Judiciary Committee on Tuesday holds a hearing titled “Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks.”
Botnets are networks of computers that criminals have infected with malicious software and can command remotely without the owners' knowledge. Each infected machine becomes a “zombie” that can be directed to send spam, spread malware, attack other computers or support other criminal activity.
McAfee's recent threat report found that hackers are profiting from botnets by selling their virtual currency mining capabilities. Symantec's Internet Security Threat Report also found that there were numerous takedowns of botnets during 2013. However, the report warned of the capabilities of botnets.
“Botnets are an extremely potent asset for criminals because they can be used for a wide variety of purposes,” the report stated.
Starting Tuesday, the oil and gas industry will converge in Houston for a cybersecurity conference. The conference will address specific cyber threats to the industry and will consider methods to improve communication between IT networks.
Also on the agenda are discussions on incident response plans enhancing oil and gas industrial control systems and supervisory control and data acquisition systems. The conference will conclude on Thursday.
Tuesday is also the day for Tripwire's webinar on “hacking point of sale.” The webinar will examine how retailers are compromised. Slava Gomzin, a security and payments technologist at HP, will lead the webinar. Payment system operations, protocols and weaknesses are among the topics to be discussed during the webinar.
In New York on Thursday, the Security Innovation Network will host the 2014 Innovation Summit. Deputy Secretary of Energy Daniel Poneman and Adm. Michael Rogers, commander of U.S. Cyber Command, will deliver keynote speeches.
The summit will bring together the nation's three largest power centers in cybersecurity – Washington, Silicon Valley, and Wall Street – to address important collaborations and research initiatives and “reinvigorate public-private partnership efforts and increase relationships that foster the sharing of information and joint collaboration on cybersecurity research projects.”
Also on Thursday, the National Science Foundation will host Crispin Cowan from Microsoft for a seminar on how to deal with vulnerabilities in software that is not “bug free.” The seminar will address how to deal with hackers trying to exploit the vulnerabilities software bugs create.
The Information Systems Security Association on Tuesday will host a meeting on social media and insider threats in Washington, DC. The event will address app use – what information apps collect about the user and the mobile device itself – as well as disclosure of information about the workplace on social media.
Moreover, it will address the growing trend of working at home and using “bring your own device” policies – policies that allow employees to use their own personal devices for work-related activities – and the “new workforce” views on security, privacy, data sharing, and company loyalty.
Terry Gudaitis, the owner of Mindstar Security and Profiling, a company specializing in security training, consulting and imminent threat assessment, will headline the ISSA event. – Joshua Higgins (jhiggins@iwpnews.com)
A new report on cybersecurity finds that corporate IT professionals are not satisfied with the cybersecurity measures their companies have in place.
The report, conducted by the Ponemon Institute and sponsored by Websense, found that 47 percent of the IT practitioners surveyed have been either “very frequently” or “frequently” disappointed in their company's security investments.
“Many would like to see a complete security refresh of their solutions, as they feel frequently disappointed with the level of protection their security solutions give them,” the report states.
As a result, 29 percent of the IT professionals would completely overhaul their company's cybersecurity systems if given the opportunity and the resources needed. However, Ponemon also found that communication between corporate executive teams and IT was limited. Thirty-one percent of cybersecurity teams never speak with their executive team on cybersecurity, the report states, while 23 percent spoke with executives annually and 19 percent spoke semi-annually. One percent of IT professionals met with executives on a weekly basis.
Though the IT professionals are disappointed with their company's cyber measures, 49 percent of the respondents said their companies are planning to make significant investments in and adjustments to cyber defenses during the next year. Similarly, 38 percent said that their companies are investing in skilled personnel and technologies for cybersecurity.
The report states that significant cyber incidents would increase company investments in cybersecurity. Sixty-seven percent of respondents said exfiltration of intellectual property, source code and business secrets would result in more funding, while 53 percent said a data breach resulting in loss or theft would result in greater attention to cybersecurity. Moreover, loss of revenue from cyber system downtime and regulatory investigations into corporate data protection practices would effect change, the report states. -- Joshua Higgins (jhiggins@iwpnews.com)

Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, will speak at the 2014 National Cyber Security Hall of Fame Enshrinement Dinner in Baltimore on Oct. 30.
“We are thrilled to have Adm. Rogers speak at this year's Cyber Security Hall of Fame Enshrinement Dinner,” Larry Letow, co-founder of the hall of fame, said in a statement. “As a leader in the cyber industry, the class of 2014 and our distinguished attendees will look forward to Adm. Rogers' remarks on the cyber world.”
At the event, 10 individuals from technology, policy, education, public awareness and business organizations will be elected into the cybersecurity hall of fame, according to the event's website.

This Nov. 24, 2014 report from Symantec explains a new cyber threat capable of long-term intelligence-gathering operations against governments, infrastructure operators, businesses, academia and private individuals. Called “Regin,” this threat stands out from other advanced persistent threats in that it is used for collection of data and continuous monitoring of targeted organizations and individuals, rather than seeking specific information and intellectual property.
This Jan. 25, 2015 report by FireEye finds a “mixed state of readiness” in countries that must comply with new European Union cybersecurity regulations. The report states that organizations are expecting additional spending on security hardware, software, and policy implementation to comply with the new regulations. “Deployment and upgrade initiatives are expected to be both complex and difficult to support due to a lack of in-house knowledge and expertise in the relevant data protection definitions and requirements,” the report states.
About 1,467 financial institutions in 86 countries are impacted by so-called Trojan attacks -- malware that can result in loss or theft of financial data or disrupt financial networks -- but companies in the United States have been hit by the most infections, a new Symantec report finds.
The United States is also home to the single most targeted financial institution, the report states. That unnamed institution, the report says, saw attacks from 95 percent of all Trojans analyzed in the report.
However, in general, attacks from these threats are dropping.
The report finds that the number of financial Trojans dropped by 53 percent in 2014, and traditional phishing emails have dropped by 74 percent.
Attackers are now focusing on targets outside of online banking, the report says, focusing on financial systems such as Bitcoin and password managers instead.

Cyber attacks are advancing faster than cyber defenses, according to a new report by Symantec.
The Internet Security Threat Report by Symantec, released this week, finds that cyber attackers are streamlining and upgrading their attack techniques, while companies are still struggling to fend off attacks using older tactics.
And the growth of the Internet of Things poses an increasing security problem, according to the report, as companies struggle to stay ahead of cyber attackers.
“Symantec continued to see attacks against Point of Sales systems, ATMs, and home routers in 2014,” the report says. “These are all network-connected devices with an embedded operating system, though they’re not often considered part of the Internet of Things (IoT). Whether officially part of the IoT or not, attacks on these devices further demonstrate that it’s no longer only our PCs at risk. And the potential for cyberattacks against cars and medical equipment should be a concern to all of us.”

This June 23, 2015 report by security company Websense discusses specialized cyber attacks against the financial sector, which sees 300 percent more frequent security incidents than other industries. According to the report, evidence suggests the need for “global economy continuity” and cyber insurance may be hindering real security adoption in the financial services sector.
This 2015 report from Deloitte outlines healthcare executives' perspectives on networked medical device cybersecurity. The report reveals three areas of focus when addressing cybersecurity and privacy of medical devices: Governance, risk identification, and risk management. “Health care organizations are challenged to anticipate the full spectrum of intentional and unintentional threats that might expose potential vulnerabilities in their networked medical devices,” the report states.
Automotive manufacturers will need to collaborate within and across industries and with regulators to address cyber threats to autonomous vehicles, a new report from the World Economic Forum and the Boston Consulting Group states.
According to the report, automated vehicles could suffer indirect and direct cyber attacks, and eliminating the risk to vehicles is impossible.
“Because it is impossible to eliminate cybersecurity threats, [autonomous vehicle] stakeholders must shift their focus to managing them,” the report states. “[Original equipment manufacturers] will need to collaborate within and across industries and with regulators to recognize threat patterns, develop proactive defense strategies, and coordinate responses.”
Autonomous vehicle stakeholders, to successfully roll out these new technologies, must collaborate closely with policymakers to develop pilot programs to demonstrate the usefulness and the security of autonomous vehicles, the report states.
Technology company Intel is establishing a new Automotive Security Review Board to examine cybersecurity in automobiles and provide regular updates on industry cyber best practices.
The new board will convene security professionals with experience in cyber-physical systems to conduct ongoing security tests and audits to develop best practices and design recommendations for automotive cybersecurity solutions.
Intel on Monday released the first version of these best practices, which will be updated based on the board's findings and industry comments.
In the paper, Intel calls on the auto industry to build security into automobiles through “intentional” and “proactive” measures such as tamper protection, isolation of safety-critical systems, authentication, network encryption, data privacy, behavioral monitoring, anomaly detection, and shared threat intelligence.
Further, it encourages best practices for production processes to assure that design components are correctly implemented and that post-sale cyber measures are put in place to address new vulnerabilities, including those from intentional and accidental owner actions, and malicious attacks.
“Best practices for automotive security are an evolution and amalgamation of both product safety and computer security,” the recommendations state. “Intel is actively engaging with standards organizations and ecosystems to address unique challenges for next-generation vehicles.”
It adds, “This paper is a call for action to the automotive industry to work together on improving security of vehicles and transportation systems to such a degree that attacks will be hard to execute while preventive and mitigation techniques are in place to react to vulnerabilities quickly and before widespread damage can be done. Together, the goals of trusted vehicles, secure cars, and a confident user experience are achievable.”
Intel will provide the new board with automotive development platforms for participating security professionals to conduct research, which will then be incorporated into later iterations of the Intel best practices white paper.
The inaugural meeting of the board will be held next month, according to Intel, and security professionals are able to sign up online to participate in the new board's work. – Joshua Higgins (jhiggins@iwpnews.com)
There has been a 458 percent increase in the number of times hackers scanned “Internet of Things” devices for vulnerabilities, a new report by AT&T finds.
According to the report, released Thursday, an estimated 50 billion devices from sensors in cars to utility meters and home appliances will be sharing data online by 2020.
“Those small sensors can be harder to secure than bigger, more sophisticated devices like PCs and tablets, and their growth will give malicious insiders a host of new ways to engage in sabotage and hacktivism,” the report states. “Bottom line: More but less complex devices mean more potential security gaps to manage.”
The report also finds that businesses are slow to address data breaches.
Nearly 75 percent of businesses do not involve their full board of directors in oversight of cybersecurity, the report says, and 51 percent of them are not re-evaluating their information security following high-profile breaches.
Seventy-eight percent of employees do not follow security policies put in place at organizations, the report says.
On Oct. 1, 2015, AT&T released this cybersecurity report revealing a 62 percent increase in the number of distributed denial of service attacks over the past two years. In addition, nearly 75 percent of businesses have not had board engagement on cyber issues, according to the report, and 51 percent of organizations are not re-evaluating their cybersecurity posture following high-profile data breaches.
This December 2015 report from security firm Websense identifies eight data security trends likely to occur in 2016. Mobile wallets and new payment technologies will create new opportunities for online credit card theft and fraud, the report says, and cybersecurity insurances will become a
Twenty-nine percent of CEOs list cybersecurity as the issue that has the largest impact on their company today, this January 2016 KPMG report reveals, and information security is the top risk of concern for 20 percent of CEOs. However, only half of CEOs surveyed say they are fully prepared for cyber attacks.
Businesses’ own self-interest should be the primary driver of cybersecurity program implementation, not regulation, this Feb. 9, 2016 report by the Association of Chartered Certified Accountants argues. “Cybersecurity is a fast-moving field,” the report states. “Things change faster than most legislatures could hope to keep up with.”
Three-quarters of popular websites contain major security vulnerabilities, according to this April 2016 Internet Security Threat Report by Symantec. Fifteen percent of those vulnerabilities are deemed “critical,” providing hackers an easy way to access and manipulate website data.
Cybersecurity is becoming a “global agenda item” for regulators, according to this June 2016 report by KPMG. The report reveals that the federal framework of cybersecurity standards is increasingly being cited by regulators in the United States as a way of structuring a cybersecurity program. However, there is not yet consistency in adoption or application of standards.
Cybersecurity in medical devices currently is “unacceptable” and requires an immediate industry-wide response, this June 2016 KPMG report argues. To address emerging vulnerabilities, the entire healthcare industry, from manufacturers to care providers, must collaborate to identify and mitigate security risks to devices and protect the safety of patients.
American International Group will begin offering standalone primary coverage for property damage, injury, business interruption, and product liability that occurs as a result of cyber attacks or other related risks.
AIG announced Thursday that its new CyberEdge Plus plan will “offer broader and clearer coverage for harms that had previously raised issues with insurers over the scope of available coverage.”
The CyberEdge policy will protect companies from third-party claims after the failure of network security or failure to protect data, direct costs for responding to and recovering from a breach, business interruption resulting in lost income and operating expenses, monetary losses as a result of ransomware threats, and liability faced by companies for content distributed on their websites.
AIG will offer coverage with limits up to $100 million.
The new standalone insurance coverage comes as the Department of Homeland Security works to develop a cyber-incident data repository to help insurers and businesses assess the risk and cost of a potential breach.
Organizations are twice as likely to identify a cybersecurity incident “within hours or minutes” when they use big data cybersecurity analytics, according to a new report by the Ponemon Institute and cloud company Cloudera.
The report, published last week, surveyed nearly 600 cybersecurity professionals, revealing that 65 percent say big data analytics is “very important to ensuring a strong cybersecurity posture.”
“Heavy users of big data analytics have a higher level of confidence in their ability to detect cyber incidents than light users,” the report states.
The report found that heavy big data analytics use assisted with detecting advanced malware and ransomware, compromised devices, “zero day” attacks, and malicious insiders.
This September 2016 KPMG report on general counsel trends reveals that cybersecurity is becoming a top issue for corporate general counsel. “The threat of cyber attack has been lurking for a number of years, but is now seen as greater than both litigation and contract risk,” the report says.
Federal officials and lawmakers will discuss election cybersecurity, encryption, and other cyber issues this week, as industry events tackle cloud security, ransomware, and other security risks at conferences around the country.
Commerce Department Deputy Secretary Bruce Andrews will discuss cybersecurity across North America during a New America event today. The event will examine issues ranging from public-private cooperation in incident response, small and medium enterprise cybersecurity, global cybersecurity policy, and more.
The Senate Commerce Committee will question the members of the Federal Trade Commission during a Tuesday hearing. The hearing comes as the FTC pursues a variety of activities around cybersecurity, data protection, and privacy.
Tuesday also marks the day of the U.S. Chamber of Commerce's fifth annual cybersecurity summit. Officials from the Department of Homeland Security, Commerce Department, FBI, Justice Department, National Security Agency, the National Institute of Standards and Technology, and other government agencies are slated to speak on issues ranging from a White House cybersecurity commission to public-private partnerships, encryption, and international issues.
Cybersecurity of the election system once again becomes the hot topic on Capitol Hill as the House Oversight Subcommittee on Information Technology holds a hearing titled “Cybersecurity: Ensuring the Integrity of the Ballot Box.” Witnesses have not yet been announced.
NIST convenes a high-performance computing security workshop at its headquarters in Gaithersburg, MD, on Thursday and Friday, focusing on topics such as the NIST cybersecurity framework, security best practices, supercomputing, and more.
Industry events
The Project Management Institute will host in Michigan on Monday a professional development day on cybersecurity, featuring remarks from officials at the FBI's Detroit Cyber Task Force and the Treasury Department and industry professionals from Dow Chemical Company, Sterling Insurance Group, and Ally Financial.
New America revisits cybersecurity Tuesday, with an event on cybersecurity in the Asia-Pacific, where Tobias Feakin, director of national security programs at the Australian Strategic Policy Institute, will present findings of a new Asia-Pacific Cyber Maturity Metrics Report.
The third annual Women in Cyber Security Reception will take place in Baltimore on Tuesday, allowing attendees an opportunity to network with other cybersecurity professionals.
SecureWorld Dallas kicks off Tuesday as well, with cloud security and privacy, cybersecurity legal issues, ransomware, and other cybersecurity topics teed up for discussion. Keynote addresses will be given by representatives of the Ponemon Institute, Radware, Trend Micro, and Forsythe Technology during the two-day conference.
Cloud security, social engineering attacks, government cybersecurity, and the Internet of Things will all be discussed in San Francisco Tuesday during Structure Security 2016. The two-day event will convene information security professionals, tech and business leaders, and security vendors to address emerging areas of cybersecurity concern and offer strategies to minimize cyber risk.
The industry events wrap up this week with a National Regulatory Research Institute webinar examining cyber threats to critical infrastructure. – Joshua Higgins (jhiggins@iwpnews.com)
The proliferation of cyber tools could lead to an increasing number of nation-state sponsored cyber attacks in 2017, a new Booz Allen report suggests, with increased Chinese cyber espionage and expanded Internet of Things-focused cyber attacks expected.
The report, released Thursday, says that IoT-based attacks could extend beyond distributed denial of services attacks seen in 2016 to expanded network compromises.
Moreover, cyber-physical systems are likely to become hotter targets for nation-states and other malicious actors aiming to instill a sense of insecurity among American citizens in the aftermath of Russian efforts to cast doubt on the U.S. electoral system.
“In the United States, 2016 witnessed a non-stop cavalcade of political leaks intent on altering the political landscape, and the increased attention on cybersecurity as a national issue could make follow-on [industrial control system] attacks look like an effective tactic for heightening discontent,” the report states.
The report adds: “In the end, if fostering and driving a sense of insecurity is the objective, attackers do not even need to cause lasting or significant damage. Short-term blackouts, traffic delays caused by inoperative control systems, and knock-on effects such disturbances would have on people’s lives—these things would highlight the threat and disturb U.S. internal politics and our sense of security, all without creating the kind of catastrophic, doomsday-like effects long hypothesized by security professionals worrying over ICS cybersecurity.”
The Senate Homeland Security and Governmental Affairs Committee today is set to take a closer look at the evolving threat in cyberspace – including ransomware, challenges to the Internet of Things and botnets – as a prelude to further congressional action on cyber issues.
“The mission of this Committee is to enhance the economic and national security of America and promote more efficient, effective, and accountable government,” Chairman Ron Johnson (R-WI) is expected to say in his opening remarks at a hearing today. “Ensuring an effective cyber deterrence and response strategy is key to achieving this goal. Before we can begin to discuss solutions, we must first understand the threats and trends associated with these threats.”
This is the panel's first dive into cybersecurity this year. The House Homeland Security Committee has held several cyber-focused hearings, addressing Department of Homeland Security as well as private-sector efforts, and building toward an expected markup of legislation to restructure DHS' cyber functions. Johnson has yet to weigh in on the draft DHS legislation that House Homeland Security Chairman Michael McCaul (R-TX) has circulated.
Witnesses at today's Senate hearing include Steven Chabinsky of White & Case LLP, who recently served on former President Obama's cybersecurity commission; Jeffrey Greene of Symantec, whose annual cyber threats report highlighted the growth in ransomware and IoT security issues, among other trends; along with Brandon Valeriano of the Marine Corps University and Kevin Keeney, a cyber incident response director at Monsanto and captain in the Missouri National Guard.
“Emerging trends include the rise of ransomware and botnets as easy-to-use tactics that offer big rewards for cybercriminals,” Johnson is expected to say. “Ransomware, which consists of malware that encrypts data until the user pays a fee, is becoming more profitable and popular, even among less-sophisticated criminals. Internet of Things devices have been used to block access to some of the world’s most popular websites and can be compromised in a variety of cyber-attacks. Email is routinely used as a way to deceive users into opening the door for criminals to steal data and money.”
Johnson will say: “Regardless of the motivations or identities of the attackers, cyber threats are real and growing. As a country, we must acknowledge and assess these threats and decide how to effectively respond.”
Greene will discuss Symantec's 2017 cyber threat report, released in late April, whose top-line findings include a five-year high in emails containing malicious links – one in every 131 – that the U.S. was the most targeted country for ransomware, and that “CIOs have lost track of how many cloud apps are used inside their companies – when asked most will say up to 40 when in reality the number nears 1,000.”
The report also delves into threats to the emerging Internet of Things, an issue that has captured the attention of Chairman Johnson.
“While ransomware and financial fraud groups continue to pose the biggest threat to end users, other threats are beginning to emerge,” the report states. “It was only a matter of time before attacks on IoT devices began to gain momentum, and 2016 saw the first major incident with the emergence of Mirai, a botnet composed of IoT devices such as routers and security cameras. ... Symantec witnessed a twofold increase in attempted attacks against IoT devices over the course of 2016 and, at times of peak activity, the average IoT device was attacked once every two minutes.”
On the positive side, Symantec did find successes in law enforcement efforts against cyber crime.
“While cybercrime continues to be profitable, the number of significant takedowns and disruptions in 2016 demonstrated that it is no longer a risk-free enterprise,” according to Greene's prepared testimony. “In particular the extradition of the alleged Bayrob masterminds from Eastern Europe to the US sent a strong message that cybercriminals cannot work with impunity from remote locales.”
Greene, in an interview with Inside Cybersecurity, said his top recommendations for policy action by lawmakers would be to push forward on government IT modernization and DHS reorganization, while also focusing closely on oversight of federal agencies' cyber efforts and looking at whether the government's vaunted continuous diagnostics and mitigation – CDM – system is “living up to its potential.”
Live-streaming is available for today's hearing. – Charlie Mitchell (cmitchell@iwpnews.com)
On August 15, 2017, Fortinet published the Threat Landscape Report Q2 2017. The report lays out the cybersecurity threats Fortinet discovered throughout the second quarter of 2017, such as WannaCry and NotPetya. The report noted there was a rise in encrypted records and communications online, and a majority of firms surveyed were infested with three or fewer botnets.
A new report on cyber threats by computer firm Symantec finds that ransomware attacks on businesses have dramatically increased during the first half of 2017, in part driven by the WannaCry and Petya attacks.
“WannaCry, which was the first to appear, caused global panic due to its ability to spread itself across the networks of infected organizations and then spread to other organizations across the internet,” according to a Symantec blog post on Wednesday, which summarizes the company's latest threat analysis report.
Symantec blocked 319,000 ransomware infections in the first six months of 2017, a pace that will likely exceed the 470,000 infections blocked in all of 2016 -- a number bolstered by the WannaCry and Petya ransomware attacks, according to the blog post.
These findings are based on Symantec's Internet Security Threat Report published in July, which goes in-depth on the impact of ransomware attacks on corporate businesses. The report found that 42 percent of ransomware attacks in the first half of 2017 were on corporate businesses, a significant increase from 2016, when 30 percent of ransomware attacks were aimed at businesses.
The 2017 ransomware attack known as NotPetya did not constitute cyber warfare due to the scope and impact of the incident, according to an “Insights” paper published this week by global insurance and risk management group Marsh.
“More is required to reach the conclusion of warlike activity,” Marsh wrote, even though NotPetya was attributed to the Russian military by both the U.S. and British governments and it inflicted damage on multiple companies.
Among the reasons for Marsh's conclusion: the consequences of NotPetya were mostly economic; its victims worked in “civilian tasks” and not in the field of combat; and NotPetya was not a “weapon that supported a military use of force.”
This conclusion could have a major impact on companies with cyber insurance, since most of these policies have a “war exclusion” which could have prevented coverage for NotPetya or a similar attack. Marsh advocated that the “wording” involved in the war exclusion clause in cyber insurance be “reformed to make clear the circumstances required to trigger it."
“As cyber-attacks continue to grow in severity, insurers and insurance buyers will revisit the issue of whether the war exclusion should apply to a cyber incident,” Marsh wrote. “For those instances, reaching the threshold of 'warlike' activity will require more than a nation-state acting with malicious intent.”
Homeland Security Secretary Kirstjen Nielsen discusses her priorities for DHS at two events this week, while the National Institute of Standards and Technology's Information Security and Privacy Advisory Board meets to discuss new guidelines and standards on IT and privacy.
Nielsen will give her 2019 “State of the Homeland” address today at George Washington University. Nielsen will discuss her “vision for a safer, more secure homeland,” along with her priorities for the year at the event, which is being officially hosted by Auburn University's Center for Cyber and Homeland Security. The event will be streamed live.
DHS' Science and Technology Directorate hosts its 2019 “Cybersecurity and Innovation Showcase” today through Wednesday in Washington, DC. Nielsen will speak at the conference on Tuesday, along with Christopher Krebs, the director of DHS' Cybersecurity and Infrastructure Security Agency; Douglas Maughan, the director of DHS' Cyber Security Division; and William Bryan, the senior official performing the duties of under secretary for DHS' S&T.
Other speakers at the three-day event include Deborah Frincke, the research director at the National Security Agency; Jeff Moss, the founder of the Black Hat and DEF CON security conferences; Brian Gattoni, the chief technology officer at DHS' Office of Cybersecurity and Communications; Alma Cole, the chief information security officer at U.S. Customs and Border Protection; Natalie Vanatta, the deputy chief of research at the Army Cyber Institute; and Greg White, the executive director of the Information Sharing and Analysis Organization's Standards Organization.
NIST's ISPAB meets on Wednesday and Thursday in Washington, DC to discuss a range of cyber-related topics, including the development of NIST's privacy framework, the President's National Security Telecommunications Advisory Committee's cybersecurity “moonshot” initiative, health industry cyber practices, and the developments of security standards around fifth generation wireless connectivity, or 5G.
Speakers at ISPAB will include Charles Romine, the director of NIST's Information Technology Laboratory; Naomi Lefkovitz, the senior privacy policy advisor at NIST; Kevin Stine, the chief of NIST's Applied Cybersecurity Division; and Allan Friedman, the director of cybersecurity initiatives at the National Telecommunications and Information Administration.
The U.S.-China Economic and Security Review Commission hosts its third hearing of the year on Thursday, focusing on the “emerging China-Russia axis” and its implications for the U.S. Speakers will include officials from the Center for a New American Security, the U.S. Naval War College, the Hudson Institute, the Carnegie Endowment for International Peace, GW University, and the American Foreign Policy Council.
The Department of Defense's Defense Innovation Board meets Thursday in Arlington, VA. The DIB, which provides the DOD secretary with “recommendations on innovative means to address future challenges,” will discuss issues including artificial intelligence, the “viability” of 5G use by DOD, and software acquisition practices.
The Department of Health and Human Services' Health Information Technology Advisory Committee meets Wednesday in Washington, DC. HITAC “identifies priorities for standards adoption and makes recommendations to the national coordinator for Health Information Technology.”
The Association for Federal Information Resources Management hosts a “cybersecurity summit” on Thursday in Arlington, VA. The conference will feature panels on securing the nation's critical infrastructure and on recruiting a cyber workforce for the federal government, with speakers to include Adrienne Lotto, the principal deputy assistant secretary of the Department of Energy; Jason Gray, the CIO of the Department of Education; Tiina Rodrigue, the CISO of the Consumer Financial Protection Bureau; and Glenn Hernandez, the national director of the U.S. Cyber Challenge.
AFCEA holds its 2019 Spring Intelligence Forum in Springfield, VA Tuesday and Wednesday. Topics of discussion will include “the rise of AI,” cyber warfare, and the weaponization of social media. Speakers will include Maj. Gen. Michael Groen, the director of intelligence for the Joint Chiefs of Staff; Norman Hayes, the former director of intelligence at U.S. European Command; George Barnes, the deputy director of the National Security Agency; Jim Richberg, the national intelligence manager for cyber at the Office of the Director of National Intelligence; and senior officials from Google, IBM, and FireEye.
NIST hosts a webinar Wednesday on “considerations for a core Internet of Things cybersecurity capabilities baseline.” Moderators will discuss a recently published NIST essay on “IoT device security.”
NIST's National Initiative for Cybersecurity Education will also host a webinar Wednesday, focused on creating a foundation for science, technology, engineering, math, and cybersecurity education.
The Institute for Critical Infrastructure Technology hosts a webcast Wednesday to give an update on “cyber legislation and federal initiatives.” The webcast is meant to provide an overview of federal government activity on cyber, privacy, technology, and national security issues.
The Center for Strategic and International Studies hosts an event Wednesday on “China's rise,” which will center on China's “growing technological leadership” and include discussion of 5G issues. Bob Schieffer, former anchor of “Face the Nation” and current CSIS trustee, will be among the speakers, along with Michael Collins, the deputy assistant director of the East Asia and Pacific Mission Center at the CIA.
The Wilson Center will examine how Japan is working to secure the upcoming 2020 Summer Olympics from cyber threats during an event on Tuesday. The event will also include discussion of U.S.-Japan cooperation in cyberspace.
The Economic Club of Washington, DC hosts a discussion Wednesday with AT&T chairman and CEO Randall Stephenson, who will touch on the state of technology, the development of 5G technology, and net neutrality.
HITRUST and Microsoft host a “community extension program” event Wednesday in Reston, VA. The event will focus on implementing the HITRUST cybersecurity framework, leveraging the HITRUST Threat Catalogue, and certification.
And the Heritage Foundation hosts an event Thursday on “China, Huawei, and the challenge of 5G.” John Hemmings, the director of the Asia Studies Centre at the Henry Jackson Society, will be among the speakers.
Congress is on recess this week. -- Maggie Miller (mmiller@iwpnews.com)
With all eyes on a pending Commerce Department ICT supply-chain rule, a top CISA official explained the three-part test for assessing risky information and communications technology, while DHS’ cyber agency presses ahead with nuts-and-bolts cybersecurity initiatives aimed at protecting critical infrastructure.
Cybersecurity and Infrastructure Security Agency Assistant Director Jeanette Manfra said at a recent event the federal government will assess the level of risk based on whether a foreign company making ICT equipment is located in a country where the law requires it to turn over information it collects to the government, the “level of access” to data in a given product, and the “market penetration” of a product. “We will focus on things that are used a lot,” she said.
CISA crafted the risk assessment that Commerce is using in its ICT supply-chain rule, which was mandated under President Trump’s May 15 executive order. The due date for that rule is Oct. 12, but sources in recent days said it almost certainly will slip into next week at the earliest.
The European Union this week is expected to issue its “synoptic overview” of member states’ national risk assessments related to 5G networks, and a key official says it won’t name names, something that might have helped U.S. officials’ campaign to remove Chinese suppliers like Huawei from the shared global digital infrastructure.
“An analysis is going to be shared, without having to cite a particular country or a particular company,” Julian King, the European Commissioner for the Security Union, said last week.
Meanwhile at the cybersecurity working level, CISA is seeking public comments on a revised form used by companies and critical infrastructure operators to report cyber incidents including malware, a move intended to provide greater specificity on the causes and sources of an attack.
“The Incident Reporting Form was updated to add reporting options; and updated to improve user-friendliness by having the form be directional,” according to a Federal Register notice. “The changes include: Adding structured, distinct options for reporting incidents, major incidents, breaches, and events under investigation; and adding fields to collect expanded information on topics including attack vectors, indicators of compromise, communications from compromised systems, critical infrastructure sectors, memory captures, system and network logs, and unattributed cyber intrusions.”
Also in recent days, the second annual meeting of information sharing and analysis centers, or ISACs, stressed the importance of distributing threat information across industry sectors in an effort to address risks from third-party vendors, an issue at the top of CISA’s agenda.
On the CISA leadership agenda this week, Director Christopher Krebs and Manfra are on the program at Palo Alto Networks’ Ignite conference Thursday in Washington, DC, and Krebs will be appearing the same day at the FireEye conference. Acting Homeland Security Secretary Kevin McAleenan appears Thursday at the U.S. Chamber of Commerce cyber summit. – Charlie Mitchell (cmitchell@iwpnews.com)
A report from consultant Booz Allen Hamilton offers mitigation advice on threats to industrial systems, supply chains and more as fifth-generation networks are rolled out, while the Center for American Progress calls for developing robust alternatives to Chinese suppliers of 5G technologies and strong U.S. participation in standards-setting bodies.
The Booz Allen report, “Establishing a Secure and Resilient 5G Ecosystem,” says it “offers a unified strategy that integrates expertise, tools, and assets at each stage of 5G development, enabling the organizations to securely design, build, and operate 5G networks and reap the benefits of this emergent technology.”
It includes recommendations for network operators and for program managers, including steps to mitigate data theft across network slicing, Internet of Things compromise, and attacks on industrial process devices.
The Center for American Progress also released a report on 5G, “The U.S. Should Broaden Its Lens on Huawei,” by Melanie Hart and Jordan Link.
The report notes, “The Trump administration is trying to convince other nations that these risks warrant banning Huawei from their 5G networks. Thus far, few are signing on to that approach. The reason: the mobile network equipment market is an oligopoly with just four vendors to choose from -- none of which is a U.S. company -- and Beijing deploys powerful industrial policies to make Huawei cheaper to deploy than the three alternatives.”
CAP says, “The shift from fourth to fifth generation (5G) mobile telecommunications creates an opportunity for the United States to not only tackle China’s market-distorting industrial policies but also help U.S. firms play a much bigger role.”
Among its recommendations, CAP focuses on standards-setting bodies and promising technology like open Radio Access Networks:
CAP is holding an event today to discuss U.S.-China competition on 5G. Senate Armed Services ranking member Jack Reed (D-RI) will participate in an opening discussion. -- Charlie Mitchell (cmitchell@iwpnews.com)
NIST has announced its tech-sector partners for a project on supply-chain integrity, which is intended to produce practical guidance for companies and other organizations on how to ensure components inside purchased devices are genuine and haven’t been altered.
“The National Cybersecurity Center of Excellence (NCCoE) has invited seven technology providers and industry experts to collaborate on the Supply Chain Assurance Project,” NIST announced on Wednesday. The collaborators are Dell, Eclypsium, Hewlett Packard Enterprise, HP Inc., Intel, RSA, and Seagate.
The NCCoE “will produce example implementations to demonstrate how organizations can verify that the internal components of their purchased computing devices are genuine and have not been altered during the manufacturing and distribution processes. Additionally, this project will demonstrate how to inspect the processes that verify that the components in a computing device match the attributes and measurements declared by the manufacturer,” according to NIST.
In this project, NIST says, “These collaborators will work with the NCCoE project team to provide a practical solution for distinguishing trustworthy computing products. The result will be a freely available National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide that includes a reference design and a detailed description of the practical steps needed to implement the solution based on the NIST Cybersecurity Framework and industry standards and best practices.”
According to NIST, “Each of these organizations responded to a notice in the Federal Register to submit capabilities that aligned with desired solution characteristics for the project. The accepted collaborators were extended a Cooperative Research and Development Agreement, enabling them to participate in a consortium where they will contribute expertise and hardware or software to help refine a reference design and build an example standards-based implementation.” -- Charlie Mitchell (cmitchell@iwpnews.com)
Huawei, the Chinese telecommunications giant that has found itself subject to a litany of U.S. security restrictions, is hoping the Biden administration will allow it to buy some inputs from U.S. companies but not expecting to be removed from the Commerce Department’s Entity List, company founder Ren Zhengfei told reporters in China.
The Trump administration placed Huawei on the Entity List in May 2019, requiring U.S. exporters to apply for export licenses under a presumption of denial. However, Commerce repeatedly granted extensions to a temporary general license issued shortly after Huawei’s initial designation, allowing exporters to continue selling certain products to the company. The temporary general license expired last August. Commerce does not make public individual export licenses.
Ren told reporters on Tuesday he hopes the Biden administration will allow U.S. businesses to act in their own interests and allow them to sell products to Huawei. “I believe the new administration will weigh and balance these interests as they consider their policies. We still hope to be able to buy a lot of U.S. components, parts, and machinery so that U.S. companies can also develop with the Chinese economy,” he said, according to reports of his remarks. “I hope the new U.S. administration will come up with more open policies that are in the interests of U.S. companies and the U.S. economy as a whole.”
But Ren made clear that he is not expecting the Biden administration will remove Huawei from the Entity List. “I won't say it's impossible, but it's extremely unlikely,” he said. “We basically aren't considering it a possibility.”
Huawei’s inclusion on the Entity List has become a hot-button political issue.
Sen. Ted Cruz (R-TX) has placed a hold on President Biden’s Commerce secretary nominee, Rhode Island Gov. Gina Raimondo, because she didn’t explicitly promise to keep Huawei on the list. Raimondo, answering questions posed by senators after her confirmation hearing, said there was no reason to believe Huawei or any other Chinese company would be removed from the Entity List. But she hewed to the administration’s line that policies implemented by the previous administration are under review and said she wants a full briefing on the issue.
Huawei on Tuesday sued the Federal Communications Commission over its rule that companies receiving money from the FCC’s Universal Service Fund, which subsidizes telephone service, cannot use Huawei products, citing national security concerns.
Congress continued to press Biden nominees this week when Sen. Josh Hawley (R-MO) asked Office of Management and Budget Director nominee Neera Tanden whether she, as the head of federal acquisition policy, would “ensure that Chinese-based products are removed from sensitive government networks, considering the security threat that these can pose due to the spying activity of the Chinese Communist Party.”
Tanden said she would. “I absolutely believe that we have to ensure real security in our supply lines from products from China and elsewhere,” she told the Senate Homeland Security and Governmental Affairs Committee during her confirmation hearing on Tuesday. “But China, there are products like Huawei [where] there have been real concerns about the security.”
Chinese officials have repeatedly claimed that U.S. restrictions on Huawei are abuses of national security measures. -- Brett Fortnam (bfortnam@iwpnews.com)
Industry groups on Monday quickly affirmed they are working closely with federal partners on cybersecurity as the Biden administration issued a blunt warning that Russia may be setting the stage for a cyber attack against U.S. critical infrastructure.
The White House said Russia is “exploring options” for launching cyber attacks against U.S. critical infrastructure. Deputy National Security Advisor for Cyber Anne Neuberger took the podium at the daily White House press briefing to urge companies to “lock your digital doors, make it harder for actors, make them do more work.”
Neuberger told reporters the U.S. has “evolving threat intelligence” showing that Russian state actors may be preparing for an attack on critical infrastructure in response to economic sanctions imposed on Moscow. She said several federal agencies have held confidential briefings with critical infrastructure operators to share threat information.
“Today’s advisory from the Biden administration, while not identifying specific threats, suggests a change in the government’s threat assessment for cyberattacks,” Christopher Roberti, senior vice president for cyber at the U.S. Chamber of Commerce, said in a statement. “In our ongoing conversations with businesses, the U.S. Chamber has been highlighting the importance of maintaining a heightened state of alert, implementing enhanced security controls, and lowering thresholds on reporting cyber incidents to incident response firms. The Chamber will continue to work collaboratively with the government and private sector to ensure the safety of our critical networks.”
Another industry source told Inside Cybersecurity, “The energy sector was briefed back in December and has been on alert since then. All critical infrastructure has been provided solid cyber defense advice and recommendations from CISA.”
Information Technology Industry Council president and CEO Jason Oxman said: “Today’s warning by the Biden Administration underscores the very real nature of the evolving cyber threats facing all businesses and individuals, but especially U.S. critical infrastructure owners and operators. In an intensifying geopolitical environment, businesses cannot risk being caught off-guard or underprepared. Cybersecurity continues to be a top priority for the tech industry, and we take this notice seriously. We will continue to work with the administration, state and local governments, and partners in the business community to help stay ahead of this rapidly changing cyber situation.”
Biden administration officials and cyber leaders including former CISA Director Chris Krebs suggested that Moscow may reach into its cyber war chest as its ground offensive continues to struggle in Ukraine and with global economic sanctions becoming increasingly painful.
Krebs said on Twitter: “USG is doing what it can to support Ukraine & blunt Russian efforts. Remember cyberattacks aren’t always about the technical impact, but also the psychological effects. Part of Russia’s plan may be to create fear, stoke division, and undermine US support for UKR.”
Krebs said, “Against this backdrop, it can’t be business as usual and industry has an obligation to heed the government’s warnings and make themselves harder targets and notify of detected activity.”
Homeland Security Secretary Alejandro Mayorkas said in a statement:
As the Russian Government explores options for potential cyberattacks against the United States, the Department of Homeland Security continues to work closely with our partners across every level of government, in the private sector, and with local communities to protect our country’s networks and critical infrastructure from malicious cyber activity. Organizations of every size and across every sector should continue enhancing their cybersecurity defenses. Organizations can visit CISA.gov/Shields-Up for best practices on how to protect their networks, and they should report anomalous cyber activity and/or cyber incidents to report@cisa.gov or (888) 282-0870, or to an FBI field office. DHS will continue to share timely and actionable information and intelligence to ensure our partners and the public have the tools they need to keep our communities safe and secure, and increase nationwide cybersecurity preparedness.
CISA Director Jen Easterly said, “The President’s statement today, noting evolving intelligence that the Russian Government is exploring options to conduct potential cyberattacks against the United States, reinforces the urgent need for all organizations, large and small, to act now to protect themselves against malicious cyber activity. As the nation’s cyber defense agency, CISA has been actively working with critical infrastructure entities to rapidly share information and mitigation guidance that will help them protect their systems. We will continue working closely with our federal and industry partners to monitor the threat environment 24/7 and we stand ready to help organizations respond to and recover from cyberattacks.”
Separately, senior administration officials met Monday “with 16 CEOs of major companies across several industries including energy, food, and manufacturing to provide a briefing on the latest developments on Putin’s unprovoked and unjustified war against Ukraine,” the White House said in a statement.
“The President joined for part of the discussion,” according to the statement. “They conveyed the Administration’s commitment to continue imposing heavy costs on Putin to degrade Russia’s war machine and support the people of Ukraine, while taking concrete actions to mitigate the price increases on American consumers caused by Putin’s action. Participants also discussed the need to work together to address Putin’s disruptions to global markets and supply chains. … The private sector and the Administration committed to close communication and coordination going forward.” -- Charlie Mitchell (cmitchell@iwpnews.com)
Phishing, software vulnerabilities and “brute-force credentials attacks” account for 77 percent of the initial access points for cyber attacks against businesses, according to a report by Palo Alto Networks, while finance, professional services and manufacturing were the most common industries in the incident response cases examined by the cybersecurity firm.
The “2022 Incident Response Report” was prepared by Palo Alto Networks’ Unit 42 threat intelligence team and released last week. It leverages “a sampling of over 600 Unit 42 IR cases to help CISOs and security teams understand the greatest security risks they face, and where to prioritize resources to reduce them.”
The report urged entities to implement multifactor authentication -- flagged as a top priority by CISA Director Jen Easterly -- and said 50 percent of the targeted organizations that it examined did not use MFA on internet-facing systems.
“Patching vulnerabilities, implementing multifactor authentication and fixing misconfigurations may not be exciting, but these foundational steps reduce an organization’s attack surface and ensure it is not an easy target,” the report said.
“Right now, cybercrime is an easy business to get into because of its low cost and often high returns. As such, unskilled, novice threat actors can get started with access to tools like hacking-as-a-service becoming more popular and available on the dark web,” said Wendi Whitmore, senior vice president at Palo Alto Networks and leader of Unit 42. She is also a member of the DHS Cyber Safety Review Board.
“Ransomware attackers are also becoming more organized with their customer service and satisfaction surveys as they engage with cybercriminals and the victimized organizations,” Whitmore said.
The report said, “Attackers follow the money when it comes to targeting industries; however, many attackers are opportunistic, simply scanning the internet in search of systems where they can leverage known vulnerabilities. Unit 42 identified the top affected industries in incident response cases as finance, professional and legal services, manufacturing, healthcare, high tech, and wholesale and retail. Organizations within these industries store, transmit and process high volumes of monetizable sensitive information that attracts threat actors.”
The report also found that “finance and real estate were among the industries that received the highest average ransom demands, with an average demand of nearly $8 million and $5.2 million, respectively.”
“A new ransomware victim is posted on leak sites every four hours,” the report said. “Identifying ransomware activity early is critical for organizations. Typically, ransomware actors are only discovered after files are encrypted, and the victim organization receives a ransom note. Unit 42 has identified that the median dwell time -- meaning the time threat actors spend in a targeted environment before being detected -- observed for ransomware attacks was 28 days.”
Further, “Ransom demands have been as high as $30 million, and actual payouts have been as high as $8 million, a steady increase compared to the findings of the 2022 Unit 42 Ransomware Report. Increasingly, affected organizations can also expect threat actors to use double extortion, threatening to publicly release sensitive information if a ransom isn't paid.”
The report explained, “Cybercriminals used a variety of techniques in business email compromise wire-fraud schemes. Forms of social engineering, such as phishing, offer an easy and cost-effective way to gain covert access while maintaining a low risk of discovery. According to the report, in many cases cybercriminals are simply asking their unwitting targets to hand over their credentials -- and getting them. Once they have access, the median dwell time for [business email compromise] attacks was 38 days, and the average amount stolen was $286,000.” -- Charlie Mitchell (cmitchell@iwpnews.com)
CISA, the FBI and the Multi-State ISAC in a new advisory provide technical details, MITRE ATT&CK techniques and mitigations to counter “LockBit 3.0,” the latest malicious offering from an established ransomware-as-a-service operator.
“This joint advisory details known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that FBI investigations correlated with LockBit 3.0 ransomware as recently as March 2023. LockBit 3.0 functions as an affiliate-based ransomware variant and is a continuation of LockBit 2.0 and LockBit,” CISA said in a release.
The 19-page advisory was posted Thursday. It includes a list of mitigations that “align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).”
“The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful TTPs,” the advisory says.
It also recommends “exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.”
CISA and partners say, “Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.”
The report does not link the LockBit threat actor to a region or nation state patron, but does say, “LockBit 3.0 will only infect machines that do not have language settings matching a defined exclusion list. … Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion list is detected, LockBit 3.0 will stop execution without infecting the system.”
A February report from Trellix tagged LockBit as “the most impactful ransomware group” in the fourth quarter of 2022.
Palo Alto’s “Unit 42” threat hunting group has been monitoring LockBit for years, noting in reports its successful rebrand efforts and “slick” marketing.
CISA recently announced a new pilot project to provide alerts on ransomware vulnerabilities. – Charlie Mitchell (cmitchell@iwpnews.com)