The U.S. hasn't done a good job responding proportionately to cyberattacks, House Homeland Security Committee ranking member John Katko, R-N.Y., told an American Enterprise Institute webinar Friday: "The bad guys don't take you seriously unless you whack the hell out of them." Diplomacy doesn't work because countries that enable attacks understand only strength and power, which the U.S. isn't projecting, he said. Until recently, cyberattacks had little visible public impact, but the Colonial Pipeline hack let people see the disruption that stopped them from buying gas, he said. Katko criticized President Joe Biden's budget request for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, saying it doesn't appear to match Biden's rhetoric on cybersecurity. Information-sharing in the cybercommunity is in its infancy, and the U.S. needs better reporting of cyber incidents, Katko said. One key issue is how to encourage the private sector to share information without worrying about lawsuits, and whether to grant immunity from liability, he said. Colonial Pipeline, SolarWinds and other incidents show malefactors are ratcheting up attacks and have figured out that going for critical infrastructure is "where the rubber meets the road." Asked about possible regulation, Katko said it's under discussion. One idea would be to require companies to certify in SEC 10-K filings that they're adhering to cybersecurity best practices. Katko has floated legislation aimed at beefing up cybersecurity standards in the critical infrastructure industry, and said other such measures could be rolled out sector by sector. Lack of chips is also a serious threat the U.S. must address by bringing some manufacturing home, he said. Asked what responsibility industry bears to balance security with new technologies such as 5G and quantum computing, the lawmaker sought standards. U.S. companies paid $350 million in ransomware payments in 2020, up 171% from 2019, said AEI Resident Fellow Klon Kitchen.
The growing number of connected devices on the home network, combined with increased threat of IoT malware and hijacking, is driving a new model of whole-home cybersecurity that monitors for abnormal activity and stops bad actors, said Parks Associates Tuesday. Some 37% of broadband households are interested in such a service, and 16% say network problems disrupted their work-from-home activities during the pandemic. A whole-home protection system “doesn’t require consumers to install, update, or whitelist programs,” said analyst Kristen Hanich, saying they can be “hands off,” key to their success. ISPs that partner with cybersecurity vendors to implement such solutions report “very high take rates” that exceed traditional antivirus offerings, with a much lower cost per activated customer, she said.
Consumer identity breaches surged an “unprecedented” 450% last year from 2019, reported ForgeRock Monday. The digital identity platform evaluated electronic data breaches in Australia, Germany, Singapore, the U.K. and the U.S., finding unauthorized access was the leading cause for the third straight year, rising 43% from 2019. “Questionable yet common security practices, like sharing or reusing passwords, gave bad actors an easy path to gaining access to personally identifiable information,” such as dates of birth and Social Security numbers, which ForgeRock found recurring in a third of 2020 breaches. Phishing (25%) and ransomware (17%) were the second and third most frequent causes. Healthcare was the most targeted industry for a second straight year, but tech “paid the highest aggregate cost of recovery from breaches at $288 billion,” it said.
Though remote working regimens are causing cyberattacks to spike, corporate security officers aren’t treating the threats with the urgency they need, reported VMware Thursday. The company commissioned Opinion Matters to canvass 3,500 chief technology officers and chief information security officers from 14 countries and regions in December, finding 81% reported a security breach in the previous 12 months, and 41% “updated their security policy and approach to mitigate the risk.” Three-quarters of respondents said attack volume increased, most citing employees working from home, while 79% said attacks became more sophisticated. Cloud-based attacks were the most frequently experienced type, and third-party apps were the leading cause.
With ransomware attacks like Colonial Pipeline “in the spotlight recently,” Palo Alto Networks data shows the average ransom paid in 2020 tripled from 2019, “and in 2021 it's more than doubled again,” said CEO Nikesh Arora on a Thursday call for fiscal Q3 ended April 30. Organized groups with “near-nation state discipline” are perpetrating “coordinated attacks,” he said. Healthcare corporations are a common target, as are government entities and “shared infrastructure,” he said. Especially vulnerable are organizations that “run their operations on technology that is decades old, sometimes predating the internet,” said Arora. “They continually bolt on new technologies to automate facilities, and make them compatible with the modern internet, but those platforms are inherently insecure.” Cyber defenses are fragmented, “making it very challenging to block sophisticated attacks,” and extending the time “to discovery and repair,” he said: “More and more businesses and consumers are coming online without a baseline of productive protection.” Q3 revenue of $1.07 billion grew 24% year over year, ahead of guidance for 21% to 22% growth. Its fiscal Q4 outlook is for revenue to grow 22% to 23% again. The stock closed 5.8% higher Friday at $362.45.
The U.S. government should establish an international coalition to combat ransomware attacks, U.S. Chamber of Commerce Senior Vice President-Cyber Christopher Roberti said Friday. The chamber urged the administration and Congress to update “a national signaling strategy to communicate through diplomatic and other channels that ransomware attacks” are a priority. The chamber asked policymakers to disrupt ransomware payment systems, enhance international law enforcement resources and create a cyber response and recovery fund for cyber victims.
Cyberattacks such as SolarWinds and Colonial Pipeline shouldn't become a norm, said European Member of Parliament Eva Maydell, of the European People's Party Group and Bulgaria, Wednesday at a webcast on the European Commission's proposed network and information security directive update (NIS2). Maydell, who's writing the legislative response to the proposal for the Industry, Research and Energy Committee, said Europe needs a clear, robust defense and high cyber-resilience. Cybersecurity requires trans-Atlantic cooperation, she said. Asked what common ground could be explored, Cisco Head-EU Public Policy Chris Gow listed use of internationally recognized standards; investment funding for governments and industry; better cyber skills for employees; and going after "the bad guys." If cybercrime losses were an economy, they would be No. 3, Gow said. Major incidents made people fully aware of what's at stake, said Jakub Boratynski, head of the cybersecurity and digital privacy policy unit at the EC Directorate-General for Communications Networks, Content and Technology. EU cybersecurity strategy began slowly when the original NIS became effective in 2013 and it needs improvement, he said. There's a "mismatch" between the regulatory framework at the EU level and what happens on the ground, said European Network and Information Security Agency Executive Director Juhan Lepassaar: NIS2 is an effort to catch up, and it must also capture the future. The proposal is "evolution, not revolution," Gow said: NIS2 could help create more harmonization, and a more consistent overall approach is needed.
Consumer Reports uncovered 11 security vulnerabilities in four video doorbells and home security cameras that it said could expose owners to hacking and leaks of personal data, including email addresses and Wi-Fi passwords. The issues were discovered during a test of 13 devices, CR said Thursday. Devices with security issues were the Bosma Sentry video doorbell and X1 security camera, Eufy’s Video Doorbell 2K and the Nooie Cam doorbell. Other brands in the evaluation were Arlo, Blink, Logitech, Ring and Wyze. Consumer Reports didn’t disclose full findings “since revealing the vulnerabilities would put consumers who own the affected cameras at risk of being hacked,” said Glen Rockford, CR program manager-product testing and privacy. It will report again “when we’ve verified that fixes are in place.” Bosma and Eufy devices received “Fair” ratings for data security. The brands “don’t claim to conduct internal security audits, nor do they have vulnerability disclosure programs, where hackers and researchers are encouraged to disclose security flaws to the company, sometimes in exchange for a fee,” said CR. It posted responses from the affected companies. Bosma takes a “very serious approach to the safety and security of our products and our users’ privacy” and will release firmware and app updates to fix the vulnerabilities by the end of next month, it said. Eufy was aware of the issue and said software updates will roll out “soon.” Updates to the Eufy Security app for iOS and Android will also be released soon, the company told CR, which said consumers should keep checking Apple’s and Google’s app stores for updates to fix the vulnerabilities. A Nooie spokesperson acknowledged the vulnerabilities CR found and said the issues will be fixed soon. Nooie said it already patched one high-risk vulnerability via a firmware update, which CR confirmed, but other lower-risk vulnerabilities remain. CR said users should keep checking the Nooie Cam app for firmware updates to resolve the issues.
The Colonial Pipeline ransomware attack exposed “obvious willful ignorance to take cybersecurity seriously,” reported ABI Research Monday. “That there is a sophisticated, organized cybercriminal market for ransomware shouldn’t be news" in the industry, it said. “This hack is a harbinger of cyberthreats to come.” Expanded connectivity brings “continuously increased threat vectors,” it said: Organizations "should always be prepared for an eventual attack, which means architecting their infrastructure so that it can continue to operate despite an ongoing attack.”
The Commerce Department, National Institute of Standards and Technology and FTC will lead a pilot consumer labeling program to educate the public on the security of IoT devices under President Joe Biden’s cybersecurity executive order. Sen. Ed Markey, D-Mass., and Rep. Ted Lieu, D-Calif., praised the IoT provision in the EO, saying it follows their legislation, the Cyber Shield Act. The EO directs Commerce to develop cyber benchmarks for devices like baby monitors, home assistants, smart locks, cameras, cellphones and laptops, the lawmakers noted.