With General John Kelly appointed as Secretary of Homeland Security, Trump’s administration promises to put border security as its top priority. This means that other priorities, especially cybersecurity, could take a back seat at DHS. Current Secretary Jeh Johnson warns the new administration against losing focus on cybersecurity and calls for it to continue as “a top priority on a bipartisan basis.”
The Presidential Commission on Enhancing National Cybersecurity issued a 100-page report with 16 urgent recommendations on ways that President-elect Trump can improve the nation’s cybersecurity, particularly in his first 100 days of office. Main points include creating a cyber nutritional label to help consumers shop wisely and establishing an international cybersecurity ambassador.
The National Institute of Standards and Technology (NIST) has released a set of guidelines “aimed at helping researchers better understand the Internet of Things (IoT) and its security challenges.”
Data from Privacy Rights Clearinghouse (PRC) found that state and federal government agencies disclosed 203 data breaches throughout the past five years. What’s more, the 203 breaches resulted in nearly 47 million stolen, compromised, or exposed records, a figure that does not include breaches where the government agency did not disclose the number of compromised records. However, the number of breaches and exposed records is generally lower than for most private companies, as data maintained by PRC suggests that financial and insurance companies, retailers, and other businesses disclosed 950 breaches accounting for 245 million records. Nonetheless, government breaches often attract more attention due to the significance of the information involved, such as personally identifiable information (PII) and financial information.
Adm. Michael Rogers, head of the National Security Agency (NSA), recently explained to the Wall Street Journal CEO Council that “uneven” cooperation between the private sector and the government has led to a “literal onslaught” of malicious cyber-attacks from both state-sponsored hackers and cybercriminals across the globe. What’s more, the number of hackers is “so large and so diverse” that cybercriminals are nearly impossible to identify before a hacking attempt is made. Nearly two-thirds of hackers are looking to steal personal and financial information for monetary gain, while the rest are said to be state-supported hackers. To assist the government in the war against cybercrime, Rogers explained that company execs must personally engage in cybersecurity, which cannot be the sole responsibility of IT departments in this day and age. “You need to shape the discussion,” he said. “I don’t pretend that this needs to totally dominate your life, but there is a significant role for you to play.”
In a poll at the CEO conference, just 9 percent said they would never trust the government with their information during a cyber-attack. However, 34 percent said they would cooperate only if it was their own company being attacked. Lastly, 57 percent would “readily cooperate.” While the government has made recent efforts to increase cyber threat information sharing, particularly through the Cybersecurity Information Sharing Act (CISA) and DHS’ free Automated Indicator Sharing (AIS) capability, private entities have so far been slow to participate. Nonetheless, Rogers told the group of CEOs, “If you want me to defend something, I can’t do it from the outside. I can’t defend something if I don’t have access to the network structure – it’s like fighting with one hand tied behind your back.”
An 18-year-old named Meetkumar Hiteshbhai Desai created malware designed to launch DDoS attacks against public safety answering points (PSAPs). The malware worked by first compromising iPhones and from there repeatedly contacting emergency services. As a result, 911 call centers were unable to tell which calls were coming in from the malware and which were actual calls for help. In total, the Department of Homeland Security revealed that call centers in up to 12 different states were affected before the malware was shut down. Desai had attached the malware to a link on social media, which drew nearly 150,000 views prior to the page being taken down. He was arrested on three counts of computer tampering. In a world where social media is the largest platform for communication, Desai’s malware highlights the growing ability of malicious code to reach a multitude of hosts in a very short amount of time.
The recent distributed denial of service (DDoS) attack on internet service provider Dynamic Network Services Inc. (Dyn), which disabled the websites for major corporations such as Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, The New York Times and many others, not only serves as a wake-up call for organizations of all sizes, but a warning as well, according to the FBI. The agency has warned private companies that cyber-attacks through thousands of connected devices, known as the Internet of Things (IoT), will only increase in number. “The exploitation of the IoT to conduct small-to-large scale attacks on the private industry will very likely continue,” explained the FBI in an October 26 bulletin to private organizations.
Further, an FBI spokeswoman explained, “In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cybercriminals.” The reason this threat will remain, the FBI explained, is that the source code used in the attack, known as Mirai, is publicly available. Anyone with technical skills can set up their own “botnet” of hacked IoT devices to overload websites with traffic from tens of thousands of IP addresses. Director of National Intelligence James Clapper said Russia is not believed to be the culprit, as the attacks do not appear to be government-based.
Former Homeland Security and intelligence officials are backing a report from George Washington University that lays out a policy framework, recommending government “certification” of private organizations, for companies to defend against foreign hackers. The report aims to offer concrete policy proposals addressing the legality of private companies defending themselves against nation-state supported cyberattacks, and the federal government’s role in supporting those defenses. Among the various policy recommendations is a call for the Department of Justice to issue guidance to the private sector regarding the legality of active defense, as well as a recommendation that the White House’s independent Privacy and Civil Liberties Oversight Board conduct a review to ensure personal information is protected.
According to a draft of the annual U.S.-China Economic and Security Review Commission report, Chinese intelligence has continually “infiltrated U.S. national security entities, and extracted information with serious consequences for U.S. national security.” Stolen intelligence includes information on the plans and operations of U.S. military forces, and the designs of U.S. weapons and weapons systems. The identities of undercover government agents are also at stake, as 5.6 million classified fingerprints were obtained. The biometric data can be duplicated and used to gain access to classified documents and areas.
These cyber-attacks are believed to have several contributors, including the Ministry of State Security (MSS), the People’s Liberation Army (PLA), the PLA General Political Department, the PLA United Front Work Department and the Communist Party military.
The final version of the report will be released on November 16.
The Federal Trade Commission (FTC) has released a new guide for businesses looking for their next steps after a data breach. Data Breach Response: A Guide for Business, with an accompanying video and blog, is designed to provide businesses with the right moves to recover from a data breach. Steps include securing physical areas, cleaning up your website and providing breach notification, complete with a model data breach notification letter. The guide and video are in the public domain, making them easily shareable with employees and customers.