The House passed an Energy Department spending bill Thursday with $120 million in cybersecurity funding, clearing the way for President Donald Trump’s signature. The Senate passed its version of HR-5895 Wednesday. The money is authorized for “purchase, construction, and acquisition of plant and capital equipment, and other expenses necessary for energy sector cybersecurity, energy security, and emergency response activities.”
The State Department should adopt basic cybersecurity measures like multifactor authentication and regular security audits “to protect against phishing, hacks and other” attacks, senators wrote in a letter released Wednesday. Ron Wyden, D-Ore.; Cory Gardner, R-Colo.; Ed Markey, D-Mass.; Rand Paul, R-Ky.; and Jeanne Shaheen, D-N.H., signed the letter to Secretary Mike Pompeo. “The Department of State’s Inspector General (IG) found last year that 33 percent of diplomatic missions failed to conduct even the most basic cyber threat management practices, like regular reviews and audits,” the group wrote. “The IG also noted that experts who tested these systems ‘successfully exploited vulnerabilities in email accounts of Department personnel as well as Department applications and operating systems.’” The department got the letter, a spokesperson emailed: “Congressional correspondence is carefully reviewed before an appropriate response is provided.”
Equifax failed on multiple fronts in 2017, when hackers exploited data of more than 145.5 million Americans (see 1805080045), GAO reported Friday. That included failures with identification, detection, segmentation and data governance. The IRS, Social Security Administration and U.S. Postal Service “identified a number of lower-level technical concerns that Equifax was directed to address,” it said. Sen. Elizabeth Warren, D-Mass., and Rep. Elijah Cummings, D-Md., who sought the report, cited the findings as evidence Congress should pass the Data Breach Prevention and Compensation Act. Equifax would have been penalized at least $1.5 billion under the law. Citing similar remarks in the report, an Equifax spokesman emailed that the company has “taken significant steps to strengthen data security protocols and controls, evaluate and adjust data governance processes and adjust our organizational structure to enhance management of cybersecurity risk.”
A North Korean was charged for involvement in the 2017 WannaCry cyberattacks (see 1712190043) and other “malicious activities,” DOJ announced Thursday. It alleged Park Jin Hyok was involved with North Korean government-sponsored campaigns including the $81 million theft from Bangladesh Bank in 2016 and a Sony Pictures Entertainment attack in 2014. Park was charged with “one count of conspiracy to commit computer fraud and abuse, which carries a maximum sentence of five years in prison, and one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years,” Justice said. Senate Intelligence Committee ranking member Mark Warner, D-Va., called the indictment “the result of years of hard work” and “an important step in making clear to our adversaries that these kinds of criminal activities are unacceptable.” A bill for combating state-sponsored cyberthreats passed the House by voice vote Wednesday. The Cyber Deterrence and Response Act (HR-5576), from Rep. Ted Yoho, R-Fla., creates a three-step process for identifying, deterring and responding to state-sponsored cyberthreats. S-3378, a companion bill, awaits Senate consideration.
The next meeting of the FCC Communications Security, Reliability and Interoperability Council VI -- its sixth -- is Sept. 28, 1-5 p.m., in the Commission Meeting Room, said a notice set for Wednesday's Federal Register.
The FTC cleared the way for Cisco to buy Duo Security, said an early termination notice dated Friday and released Monday. That ends the $2.4 billion deal's (see 1808020041) Hart-Scott-Rodino waiting period.
The Department of Homeland Security should transition a key cybersecurity vulnerability program from contract-based funding to a dedicated agency line item in its annual budget, House Commerce Republicans told the agency Monday after a yearlong investigation. Chairman Greg Walden, Oregon; Gregg Harper, Mississippi; Marsha Blackburn, Tennessee; and Rep. Bob Latta, Ohio, sent letters to DHS and Mitre, which operates the Federally Funded Research and Development Center. FFRDC has managed the Common Vulnerabilities and Exposures (CVE) program since 1999. DHS and Mitre should perform biennial reviews to “ensure the program’s stability and effectiveness,” the lawmakers said: “The historical practices for managing the CVE program are clearly insufficient. Barring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society.” DHS didn’t comment.
AT&T said it wrapped buying cybersecurity company AlienVault. With the acquisition (see 1807100006), the new AT&T cybersecurity business division will be led by AlienVault CEO Barmak Meftah, AT&T said Wednesday. “AT&T’s new standalone … business division will focus on making AT&T’s extensive cybersecurity capabilities and technologies accessible to businesses of all sizes around the globe.”
CTIA said it's launching the CTIA Cybersecurity Certification Program for cellular-connected IoT devices. The program is the first of its kind for the national wireless carriers, CTIA said Tuesday. “By offering certification for IoT devices built from the ground up with cybersecurity in mind, the program will protect consumers and wireless infrastructure, while creating a more secure foundation for smart cities, connected cars, mHealth and other IoT applications,” CTIA said. The program “harnesses CTIA's network of authorized labs and reflects our commitment to securing networks and devices in an increasingly connected wireless world,” said Tom Sawanobori, CTIA chief technology officer.
The Senate Crime and Terrorism Subcommittee's hearing Tuesday will examine cyberthreats to U.S. critical infrastructure. Witnesses are Sens. James Lankford, R-Okla., and Richard Blumenthal, D-Conn.; Associate Deputy Attorney General Sujit Raman; Office of the Director of National Intelligence Cyber Threat Intelligence Integration Center Deputy Director Michael Moss; Department of Homeland Security National Protection and Programs Directorate National Risk Management Center Director Robert Kolasky; Southern Co. CEO Thomas Fanning; and Center for Strategic and International Studies Senior Vice President James Lewis. The hearing will be at 2:30 p.m. in 226 Dirksen.