Panasonic and McAfee will partner on joint development of SoCs to enable commercialization of vehicle security monitoring services, said the companies Tuesday. The SoCs will be designed to protect connected vehicles worldwide against cyberattacks by enabling “accurate detection and early response” to threats, they said. “With the innovative development of autonomous driving, the advancement of digitalization, and the increasing number of connected cars, the risk of cyber-attacks against automobiles is increasing every year.”
Sen. Ed Markey, D-Mass., and Rep. Ted Lieu, D-Calif., refiled their Cyber Shield Act Wednesday to improve IoT cybersecurity. The bill, first filed in 2017 (see 1710270043), would form an advisory committee to create data security standards for certifying IoT devices. IoT “will also stand for the Internet of Threats until we put in place appropriate cybersecurity safeguards,” Markey said. The lawmakers cited endorsements from the Center for Democracy & Technology, Cybereason, Internet Association, Institute for Critical Infrastructure Technology, Massachusetts Tech Leadership Council and Rapid7.
More than half of the “COVID-19 generation of remote workers” admitted using company devices for personal reasons, increasing their employers’ cybersecurity risk, reported AT&T Tuesday. It hired Opinium Research to poll 3,500 remote workers in the U.K. and Germany, finding that more than a third use work equipment to connect to smart home devices such as voice assistants, smart speakers, fitness monitors, smart lighting and smart kitchen appliances. Workers “understand the problem,” it said. Two-thirds were more aware of cybersecurity threats since shifting to working from home, and nearly half believe they and their companies are at increased risk of cyberattacks. About three in 10 say their companies weren’t doing enough to protect them from cyberattacks.
U.S. government cyber coordination “has never been stronger,” Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) acting Director Brandon Wales told the Senate Homeland Security Committee during a hearing Thursday on the SolarWinds hack (see 2103040066). Ranking member Rob Portman, R-Ohio, expressed skepticism, noting the “most massive attack” in U.S. history went undetected for more than a year before the private sector, not government, discovered it. If everyone's in charge, no one is, said Portman, citing cyber leaders at CISA, the FBI, OMB Federal Chief Information Security Officer Chris DeRusha and a cyber director position soon to be installed in the White House. Everyone has a key role, and we “work quite well together,” said DeRusha. Portman noted that CISA’s Einstein program, which is supposed to detect and block cyberattacks against the federal government, has cost about $6 billion. “Clearly, it was not effective in stopping the SolarWinds breach or even recognizing that it occurred,” he said: Einstein expires at the end of next year, so “it’s a good time to consider its utility and how it can be improved.” Part of the challenge is that you can only “secure what you can see,” said Wales. Adversaries move quickly from server to server, and their attacks are designed to stop the U.S. from knowing where they’re coming from, he said: Traditional systems aren’t working, so the U.S. needs to deploy new types. The FBI is working to understand who did this activity and why, while coordinating with CISA, said the FBI Cyber Division's Tonya Ugoretz. The agency will deliver an after-action report to Congress, she said. The process for responding to cyberattacks “desperately needs to be modernized,” including improvements to the Federal Information Security Modernization Act, which hasn’t been updated since the creation of CISA, said committee Chairman Gary Peters, D-Mich. Stakeholders need a centralized, transparent and streamlined process for sharing information, he said.
SolarWinds and other recent cyberthreats prove that “stopping a breach is no longer just about protecting end points” but also “encompasses cloud workload security and identity protection,” said CrowdStrike CEO George Kurtz on a Tuesday call for fiscal Q4 ended Jan. 31. Organizations globally “are shedding legacy and inferior next-gen security technologies and accelerating their move to modern cloud-native technologies to meet the demands of today's threat landscape,” said Kurtz. “Legacy tech is no match for today's adversaries.” SolarWinds “raised awareness at the board level and will serve as an additional tailwind to the industry over the long term,” he said. CrowdStrike was a beneficiary of the trend, getting 77% subscription revenue growth in the quarter, with a record 1,480 net new subscription customers, he said. SolarWinds and the more recent Hafnium cyberthreat (see 2103030023) are driving “a crisis of trust within the Microsoft customer base,” said Kurtz. “Customers are looking to de-risk their security architecture by choosing an alternative vendor to Microsoft.” CrowdStrike is seeing fallout “across the board,” he said. “Just about every incident response we do involves Microsoft technology. So obviously we're focused on being able to protect it, but there's a lot of customers that are looking at this and saying, ‘Hey, we need to de-risk our environment, and we need another provider.’” Microsoft declined comment Wednesday.
Silicon Labs received PSA Certified Level 3 Status for its EFR32MG21 wireless SoC with Secure Vault, said the company Tuesday. The certification lowers the risk of IoT ecosystem security breaches and revenue loss from counterfeiting, by guarding against scalable local and remote software attacks and hardware attacks, said the company. The PSA Certified program was co-founded by Arm in 2017 to provide a framework for securing connected devices. “As attacks on IoT applications continue to rise and grow in complexity, the importance of securing devices at the chip level remains crucial,” said Andy Rose, chief system architect at Arm, saying Silicon Labs is the first chipmaker to receive Level 3 status.
The Telecommunications Industry Association is developing a standard to ensure information and communications technology supply chain security. “The SCS 9001 standard will provide the means for service providers and manufacturers to demonstrate and ensure that their supply chains meet the critical benchmarks needed,” TIA said Monday: “This will ultimately increase trust in the ICT supply chain, while preventing exposure to cyberattacks.”
Organizations prefer buying from tech firms that “are transparent and proactive” in helping them manage cybersecurity risk, a survey found. Intel hired Ponemon Institute to canvass nearly 1,900 individuals in the U.S., U.K., Latin America, Europe, the Middle East and Africa who are involved in overseeing their organizations’ IT infrastructure security. About three-quarters said it’s highly important that their technology provider offer “hardware-assisted capabilities to mitigate software exploits.” A similar proportion said their organizations are more likely to buy technologies and services from providers that proactively fight security vulnerabilities. Forty-eight percent said their tech providers don’t do this.
The Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security must fully complete Congress-mandated organizational planning to effectively “identify and respond to cybersecurity incidents” like the Russia-linked SolarWinds hack (see 2012170050), GAO reported Wednesday. Senate Intelligence Committee Chairman Mark Warner, D-Va., and others are drafting a cyber hack reporting measure (see 2103040066). CISA “completed the first two of three phases of its organizational transformation initiative” before Congress’ December deadline but had completed only “about a third of the tasks planned for the final phase” by then, GAO said. Tasks not completed include “finalizing the mission-essential functions of CISA's divisions and issuing a memorandum defining incident management roles and responsibilities across CISA. Tasks such as these appear to be critical to CISA's transformation initiative and accordingly its ability to effectively and efficiently carry out its cyber protection mission.” DHS agreed with GAO’s assessment of CISA’s progress but didn’t fully specify its plans for completing its organizational efforts, the office said.
Roughly 75% of small and medium-sized businesses have experienced a cyber breach at least once, and 45% were hacked in the past year, reported USTelecom and CyberRx Thursday. SMBs took an average of five months to fully recover and spent $170,000 to resolve each cyber breach. About six in 10 report breaches that stopped daily productivity; 46% reported lost customers. "SolarWinds and the recent attack at a water plant in Florida demonstrate that companies need to immediately take stock of their cyber defenses -- and get ready" (see 2103040066), said Robert Mayer, USTelecom senior vice president-cybersecurity and innovation.