July 13, 2020 — The Federal Trade Commission is seeking to ramp up mandated cybersecurity efforts for financial institutions by altering the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement and maintain a comprehensive information security program.
After collecting public comments throughout 2019, the commission proposed certain alterations to the act, which has been left untouched for nearly two decades since being enacted in 2002.
In a virtual FTC workshop on Monday, David Lincicum, an attorney for the FTC, discussed the changes the proposed rulemaking hopes to bring about with a panel of cybersecurity professionals.
Sam Rubin, vice president at cybersecurity consulting firm The Crypsis Group, said that the two biggest threats to financial institutions currently occur through business email compromise and ransomware attacks.
The amendments the FTC has proposed aim to alleviate these issues, protecting consumers and decreasing overall risk, he said.
Current rules maintain that financial institutions must design safeguards to control risks and must regularly test the effectiveness of those safeguards.
The new proposal seeks to maintain the flexibility of the current rule, while providing more guidance about the contents of an information security program, according to Lincicum.
Under the proposed rule, financial institutions would be required to designate one qualified individual to be responsible for overseeing the program.
This individual would be responsible for ensuring that the program is built on a written risk assessment.
Panelists agreed that this is an important issue currently being overlooked.
“People are not generally doing what we would consider risk assessments,” said Chris Cronin, a partner at HALOCK Security Labs. “Instead, they’ll have an auditor come in and run an audit.”
Financial institutions are not grappling with the real risks, he added.
Cronin argued what FTC regulators are aiming for is not an audit, but an evaluation of the likelihood and magnitude of possible harm.
The proposed rule calls for regularly testing and monitoring the effectiveness of institutions’ defense programs.
“Risk assessments are not something that can be done once and forgotten,” Lincicum said. “New threats arise and new vulnerabilities are discovered.”
Two further consumer protection elements that would require specific action under the proposed rule are encryption and multifactor authentication.
The proposed encryption requirement demands that all customer information held or transmitted be encrypted at all times, both in transit over external networks and at rest.
The proposed multifactor authentication requirement would require any individuals accessing customer information to go through a two-step authentication process.
Some financial institutions would be exempt from aspects of the proposed rule; institutions that maintain the information of fewer than 5,000 consumers, for example, are exempt from most of the written requirements.
The participating panelists expressed a shared fear that people may call the proposed rule unreasonable, as the only benefit of implementing these programs is something not happening.
“A lot of people are going to have a hard time demonstrating reasonableness,” Cronin said.
Companies that have not experienced a breach may have a hard time understanding the benefits of conducting risk assessments, panelists predicted.
“It’s hard to explain,” Rubin said. “You don’t get a bonus for not getting hacked.”
Pablo Molina, chief information security officer at Drexel University, argued that many community members currently remain ill-informed on the issue and called for educating employees, clients and society at large.
House Oversight Reveals Details of Investigation into Colonial Pipeline, Other Company Hacks
The committee released a memo stating that “small lapses” led to many prominent cyberattacks this year.
WASHINGTON, November 17, 2021 – A House Oversight and Reform Committee investigation concluded in a staff memo that “small lapses” in cyber security led to hacks of Colonial Pipeline, meat producer JBS USA, and insurance group CNA Financial Corporation that occurred earlier this year.
Additionally, in Tuesday’s memo, the committee stated that the companies’ lack of “clear points of contact with the federal government” hampered response efforts to the attacks and that the companies faced a “huge” amount of pressure to pay hackers. Cyber security officials on Tuesday asked Congress to push legislation that would force companies to notify the government about cyber breaches.
The CNA hack occurred after an employee accepted a fake browser update and hackers gained access to JBS through an old account with a weak password that had not been deactivated. Colonial Pipeline was hacked as a result of just one stolen password linked to a profile, leading to gas shortages in several states.
Employees at JBS and Colonial Pipeline may have been operating on Internet of Things devices, which often rely only on mass-produced factory default password settings because of their limited processing power. This makes such devices extremely vulnerable to cyberattacks.
“Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack,” reads Oversight’s memo.
Security issues for schools and libraries
Experts say that similar issues with IoT and password security are increasingly threatening cybersecurity in schools and libraries as well. During a School, Health and Libraries Broadband Coalition event Wednesday, leaders in education emphasized data showing that attacks on the education sector continue to increase in frequency, from a rate that already ranks second among all professional sectors.
Amy McLaughlin, executive director of technical and solutions architecture for Oregon State University, suggested during the event that schools and libraries expand their security beyond the basic firewall paid for by E-rate funding: change default passwords when possible, avoid using an administrator login, patch systems, and use anti-malware software on all devices.
Similarly, Bob Turner, field chief information security officer for higher education at Fortinet, stated that his organization recommends schools use multi-factor authentication.
The recently signed Infrastructure Investment and Jobs Act specifically allocates funding to be used for the implementation of improved cybersecurity practices in institutions including libraries, cyber security officials said Tuesday.
National security concerns
In June, Oversight and Reform Committee Chairwoman Carolyn Maloney, D-New York, told CNA, JBS USA and Colonial Pipeline via letters that she was “extremely concerned that the decision to pay international criminal actors sets a dangerous precedent that will put an even bigger target on the back of critical infrastructure going forward.”
During an Oversight and Reform panel Tuesday, committee members questioned witnesses on the efforts by President Joe Biden’s administration to push back on recent ransomware attacks by Russian-based cybercriminals.
Cyber Officials Reiterate Need for Private-Public Sector Cyber Threat Information Sharing
Calls are growing louder for mandatory breach reporting for cybersecurity incidents.
WASHINGTON, November 16, 2021 – Cybersecurity officials from the federal government told the House Committee on Oversight and Reform Tuesday that Congress needs to press forward on legislation that would force companies to share information on cyber attacks with the federal government.
In July, Sens. Mark Warner, D-Virginia, Marco Rubio, R-Florida, and Susan Collins, R-Maine, introduced the Cyber Incident Notification Act of 2021, which requires federal and private sector cybersecurity intrusions to be reported to the government within 24 hours.
On Tuesday, the Oversight and Reform Committee, which is studying how the government can crack down on ransomware, heard from three cybersecurity witnesses that a priority of Congress should be to pass such legislation to force that information sharing, so the government is better prepared to respond to, and prevent, attacks.
“Passing cyber threat notification legislation is a top priority,” said Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency. “We need the information because that enables CISA and the FBI to both engage with that victim, offer our assistance, understand what’s happening on their networks, and protect other victims as well as all the threat response and going after the actor and following the money.”
The comments and the calls for legislation come against the backdrop of high-profile cyberattacks, including against oil transport company Colonial Pipeline and software company SolarWinds, which prompted a Senate hearing on the matter. Recently, investment app Robinhood suffered its own data breach.
The attacks also raise even more alarm as the pandemic has made remote work more commonplace.
Wales noted that there have been improvements in terms of public-private partnerships to better deal with cyberattacks, including the launch of the Joint Cyber Defense Collaborative, which will lead development of cyber defense plans and executive plans in coordination with the federal, state, local and tribal governments, as well as the private sector.
The companies Wales named were those with the most “visibility” into these attacks, including major cloud companies, internet service providers and cybersecurity firms.
“As we work together to spot threat activity, we are able to provide more protection than anyone can do individually,” Wales said.
Last month, Secretary of State Antony Blinken announced the department intends to create a new cyber bureau to help tackle the growing challenge of cyber warfare.
Other legislation before Congress
The signing into law Monday of the Infrastructure Investment and Jobs Act includes cybersecurity grants to state and local governments, which Wales said he is hopeful will help
The House recently passed the Small Business Administration Cyber Awareness Act, which would require only small businesses of their cybersecurity capabilities and notify Congress about cyber breaches.
Before that, Senator Angus King, I-Maine, called for the crafting of legislation that would require all companies to report cyber breaches to the federal government, a call that was backed by a Department of Justice official in further testimony before the Senate Judiciary Committee earlier this year.
A Unified Framework for Security of the Software Supply Chain Can Prevent Disruptions, Event Hears
Discussion has emerged about the pandemic’s impact on the physical supply chain, but software is important, too.
WASHINGTON, November 2, 2021 – The conversation on the security of the global supply chain should include the integrity of the software used to drive those products to market, and that will require leaders to align incentives to minimize risks of disruptions, an event heard Friday.
The supply chain is normally associated with the physical aspects of bringing products to consumers, including the facility, employees and management.
But panelists at an event held by the Commerce Department’s Bureau of Industry and Security Friday said there needs to be a security framework for the digital software supply chain as well.
Tom Quillin, who leads security and trust policy at Intel, said he supports a proposal by Google for a digital software supply chain security framework as a model for increasing the cohesiveness of the chain. Google’s proposal addresses risks to software systems that threaten the chain’s integrity and formalizes the criteria for its security, Quillin said.
Supply chain resiliency is critical to the Joe Biden Administration’s Build Back Better agenda, which is aimed in part at improving U.S. economic competitiveness; structural weakness in the supply chain threatens national security, experts say.
The pandemic has wrought havoc on the global supply chain, which has seen shortages in things including routers, chips, and materials for fiber builds.
Aligning incentives to produce greater innovation
When asked about what the U.S. can do to promote wider adoption of integrity-boosting supply chain practices, Quillin said aligning incentives across the supply chain will help clarify the most important areas for future research and development. “Ensuring schedules and cost targets are met can lead to tradeoffs between security and trust,” Quillin said.
He said he thinks the U.S. should have a stronger focus on building incentives to ensure security and trustworthiness across the supply chain. “With improved trust comes increased value to the consumer,” he said. “There are additional costs associated with transparency efforts, but the value added to the customer can cover the cost of added transparency.” Quillin believes that as these solutions get built out, they become easier to implement and maintain over time.