More than a third of organizations globally experienced a ransomware attack or breach that blocked access to systems or data in the past 12 months, and for those that fell victim, it was "not uncommon to have experienced multiple ransomware events,” reported IDC Thursday. Ransomware is now the “enemy of the day” and the “topic of conversation on Main Street," said analyst Frank Dickson. Ransomware threats have “evolved in sophistication” by actively “evading detection” and “leveraging multifaceted extortion,” he said. IDC analyzed ransomware attacks for the past year, finding the “incident rate” was lower for U.S.-based companies (7%) than the global worldwide rate (37%). The manufacturing and finance industries took the biggest ransomware hits, transportation, communications and media the fewest, it said. Only 13% of organizations experienced a ransomware attack without having to pay a ransom. Average ransom payments approached $250,000, but a few payments exceeding $1 million “skewed the average,” it said.
McAfee’s closing on the sale of its enterprise business to Symphony Technology Group for $4 billion cash on July 27 began McAfee’s “journey” as a “pure-play consumer cybersecurity company,” said CEO Peter Leav on an earnings call Tuesday for fiscal Q2 ended June 26. McAfee added 556,000 “net new core” direct-to-consumer subscribers, closing the quarter with 19.4 million subs, compared with 16.6 million in Q2 a year earlier. “It's very clear that the behavior for consumers is forever changing,” said Leav. “We've seen that again and again in the digitization of all of our lives, and that's not a one-off,” he said. There’s also “a greater degree of focus from those who are trying to exploit that,” he said. “It's unfortunate, but the world of cyber-criminal behavior continues to expand as well.”
The Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security launched a task force Thursday to collaborate with government agencies and the private sector on cyber defense. CISA’s Joint Cyber Defense Collaborative will “integrate unique cyber capabilities” across agencies and companies. It will design U.S. cyber defense plans, implement coordinated defense efforts and support “joint exercises to improve cyber defense operations.”
Nearly two-thirds of experts who experienced ransomware threats in the past year witnessed “partnerships” among bad actors, reported VMware Monday. It canvassed 123 “incident response professionals” globally in May and June, finding defenders are “looking for new ways to fight back,” it said. Victims now experience “destructive/integrity attacks” more than half the time, said VMware. “Cybercriminals are achieving this through emerging techniques, like the manipulation of time stamps, or Chronos attacks,” which nearly 60% of respondents have witnessed, it said. “Catalyzed by the shift to remote work, 32% of respondents also experienced adversaries leveraging business communication platforms to move around a given environment and launch sophisticated attacks.”
President Joe Biden signed a national security memorandum Wednesday directing the Department of Homeland Security and National Institute of Standards and Technology to “develop cybersecurity performance goals for critical infrastructure.” DHS’ Cybersecurity and Infrastructure Security Agency will work with NIST and other agencies. Those standards will help companies providing services for utilities to strengthen cybersecurity, the White House said. The NSM established the President’s Industrial Control System Cybersecurity (ICS) Initiative, a voluntary program between government and industry “to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings.” CISA issued an advisory Wednesday with the Australian Cyber Security Centre, U.K.’s National Cyber Security Centre and the FBI. It listed “top Common Vulnerabilities and Exposures (CVEs) routinely exploited by cyber actors in 2020 and those vulnerabilities being widely exploited thus far in 2021.” Four of the “most targeted vulnerabilities in 2020 involved remote work, VPNs, or cloud-based technologies,” CISA said. Federal agencies need to “strengthen efforts to address high-risk areas” in cybersecurity and information technology, GAO said Wednesday. The auditor noted agencies implemented about 73% of about 5,100 recommendations on cyber and IT since 2010: About 950 cybersecurity and approximately 300 IT recommendations remain.
Cybersecurity fears abound in the U.S. and U.K. on the use of COVID-19 digital vaccination cards, a Harris poll found. Analytics firm Anomali hired Harris to canvass a combined 3,000 adults in the two countries June 30-July 7, finding 80% of Americans and 76% of Brits expressed cybersecurity concerns about storing vaccine certifications on their smartphones. Identity theft topped the list of worries for both groups at 51%. The survey found 64% fear that digital vaccination cards will spawn cyberattacks that cause “moderate to major” disruption to business, government and consumers.
Senate legislation Thursday would require the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency to act to better identify cyberattacks against critical infrastructure. Introduced by Rob Portman, R-Ohio; Gary Peters, D-Mich.; Mark Warner, D-Va.; and Marco Rubio, R-Fla., the DHS Industrial Control Systems Capabilities Enhancement Act would require CISA to ensure “it can better identify and mitigate threats to Industrial Control Systems.” Companion legislation introduced by House Homeland Security Committee ranking member John Katko, R-N.Y., passed the House unanimously.
FCC Commissioner Brendan Carr hailed House Commerce Committee advancement of the Secure Equipment Act (HR-3919). The committee also cleared seven other telecom cybersecurity measures (see 2107210064). HR-3919 and Senate companion S-1790 would ban the FCC from issuing new equipment licenses to Huawei and other companies the commission considers a national security risk. It “would help ensure that insecure gear from companies like Huawei, ZTE, and others can no longer be inserted into America’s communications infrastructure,” Carr said Thursday. “We have already determined that this gear poses an unacceptable risk to our national security” (see 2106090063) and HR-3919/S-1790 “would ensure that the FCC closes this Huawei loophole.”
Bipartisan legislation introduced Wednesday would require agencies, contractors and critical infrastructure operators to report cyberhacks within 24 hours of discovery (see 2103040066). Introduced by Senate Intelligence Committee Chairman Mark Warner, D-Va.; Vice Chairman Marco Rubio, R-Fla.; and Sen. Susan Collins, R-Maine, the Cyber Incident Notification Act includes liability protection in certain circumstances. Warner has predicted a bipartisan cybercrimes reporting bill (see 2106100053). Senate Environment and Public Works Committee members told a hearing the federal government should invest in resources to defend against cyberthreats to critical infrastructure. Cyber is a long-term, constantly evolving challenge, said Chairman Tom Carper, D-Del.: It requires “sustained federal investment, not one-time solutions.” Ranking member Shelley Moore Capito, R-W.Va., backed training exercises and information sharing between agencies. She’s looking forward to including cyber policies in committee legislation. The Cyberspace Solarium Commission’s March 2020 report concluded water utilities remain largely unprepared to defend networks against cyber disruption, testified Rep. Mike Gallagher, R-Wis., commission co-chair with Sen. Angus King, I-Maine. It's an “extremely dangerous” situation, said King, saying the next Pearl Harbor or Sept. 11, 2001, attack will be cyber-related. The private sector should have liability protection when sharing information because delays don’t work, said King. The government hasn’t made the necessary investments to protect transportation systems, which begins with cybersecurity, said ITS America CEO Shailen Bhatt. ITS recommended a more robust transportation cybersecurity strategy with requirements for transportation agencies to meet certain “marks” determined by the National Institute of Standards and Technology and the Center for Internet Security.
The House Commerce Committee is to mark up the Secure Equipment Act (HR-3919) and seven other cybersecurity measures Wednesday, the panel said Monday. The other security measures on the docket: the Understanding Cybersecurity of Mobile Networks Act (HR-2685), Information and Communication Technology Strategy Act (HR-4028), Open Radio Access Network Outreach Act (HR-4032), Future Uses of Technology Upholding Reliable and Enhanced Networks Act (HR-4045), NTIA Policy and Cybersecurity Coordination Act (HR-4046), American Cybersecurity Literacy Act (HR-4055) and Communications Security Advisory Act (HR-4067). The partly virtual meeting begins at 10 a.m. in 2123 Rayburn. The House Communications Subcommittee examined the measures in June (see 2106300077). HR-2685 would require NTIA to report on cybersecurity of wireless networks and vulnerabilities to cyberattacks and surveillance by adversaries (see 2104210070). HR-3919 and Senate companion S-1790 would ban the FCC from issuing new equipment licenses to Huawei and other companies the commission considers a national security risk. HR-4028 would require the Commerce Department to create a whole-of-government strategy to bolster U.S. information and communications vendors’ economic competitiveness and reduce their reliance on foreign resources. HR-4032 would direct NTIA to provide outreach and technical assistance to small communications network providers on how to use ORAN technologies. HR-4045 would direct the FCC to establish a 6G Task Force to provide recommendations on how to ensure U.S. leadership in developing that technology’s standards. HR-4046 would create an Office of Policy Development and Cybersecurity within NTIA. HR-4055 would require that NTIA establish a cybersecurity literacy campaign to increase public knowledge and awareness of cybersecurity risks. HR-4067 would make the Communications Security, Reliability and Interoperability Council permanent and require the council to report to Congress every two years with recommendations on “network security, resiliency, and interoperability” issues it examines.