Cyber criminals will steal more than 33 billion records in 2023, a 175 percent increase from the more than 12 billion records projected stolen for 2018, said Juniper Research in a new report. The projections are based on the amount companies plan to spend on cyber defense. According to the research, more than half the attacks in 2023 will take place in the U.S. Small business is projected to account for 13 percent of the overall cybersecurity market in 2018, despite more than 99 percent of all companies being small businesses, the report said.
The Senate should pass legislation creating a new cybersecurity agency focused on critical infrastructure within the Department of Homeland Security, said House Homeland Security Committee Chairman Michael McCaul, R-Texas, Wednesday. The House-passed Cybersecurity and Infrastructure Security Agency Act (HR-3359) (see 1712110058) provides “the direction and support needed to best combat an ever-evolving cyber threat landscape to keep the American people and our democracy safe and secure,” McCaul said. The chairman also voiced support for HR-5074, the DHS Cyber Incident Response Teams Act, which he said codifies and improves DHS’s cyber incident response teams.
U.S. cybersecurity defense isn't keeping pace with enemy capability, and to catch up the private sector must collaborate with the government by sharing data in real time, said Department of Homeland Security Secretary Kirstjen Nielsen in a commentary Monday for CNBC. DHS is promoting collaborative efforts through its new National Risk Management Center (see 1807310052). Nielsen described the center as an “initiative driven by industry needs and focused on fostering a better way to bring government and the private sector together to defend our nation's” critical infrastructure. “In an era when our digital enemies are crowd-sourcing attacks, we must crowd-source our response,” she said, arguing the U.S. is in crisis mode.
Devices, applications and services with geolocation capabilities present “significant risk” to Defense Department personnel on and off duty, Deputy Defense Secretary Patrick Shanahan said in a Friday memorandum prohibiting the use of geolocation features and functionality on devices in operational areas. Geolocation capabilities can expose personal information, locations, routines and numbers of DOD personnel, creating potential “unintended security consequences and increased risk to the joint force and mission,” Shanahan said. Deployed personnel are in “operational areas,” and commanders will make a determination on other areas where the policy may apply, the memo said. Devices falling under the restriction are "physical fitness aids, applications in phones that track locations, and other devices and apps that pinpoint and track the location of individuals." Military personnel use devices and applications to track pace and run routes, which are stored and uploaded to central servers. That data, along with information on military operations, can be shared with third parties, including enemies, it warned.
Three Ukrainian nationals linked to FIN7, a prolific cyber hacking group from Eastern Europe, were arrested and charged for their roles in allegedly attacking more than 100 U.S. companies, said DOJ Wednesday. Dmytro Fedorov, Fedir Hladyr and Andrii Kopakov are in custody facing charges filed in the U.S. District Court in Seattle. DOJ alleged since at least 2015 the group targeted more than 100 U.S. companies, mainly in the restaurant, gaming and hospitality industries. The perpetrators “hacked into thousands of computer systems and stole millions of customer credit and debit card numbers,” said DOJ.
The Department of Homeland Security launched the National Risk Management Center, an access point for defending against cyberthreats, said Secretary Kirstjen Nielsen Tuesday. Instead of calling 911, companies and individuals should call the center when they believe they are under cyberattack, she said at the National Cybersecurity Summit in New York. “We will be able to take a piece of intelligence, and with the help of the private sector, ask ourselves ‘so what’ and determine what we’re going to do about it together.”
Like the House, the Senate should pass legislation creating a new cybersecurity agency focused on critical infrastructure within the Department of Homeland Security, said the U.S. Chamber of Commerce and a coalition of tech groups Thursday. The Cybersecurity and Infrastructure Security Agency Act (HR-3359) (see 1712110058) would “foster stronger public-private partnerships to better address cyber risks that could jeopardize America’s national security and economic prosperity,” said the Chamber. ACT|The App Association, BSA|The Software Alliance, CTIA, Information Technology Industry Council, Software & Information Industry Association and TechNet were among groups signing the letter to Senate leadership.
Research found evidence cybercriminals are targeting Oracle and SAP vulnerabilities in enterprise resource planning applications, noted the U.S. Computer Emergency Readiness Team, part of the Department of Homeland Security. "An attacker can exploit these vulnerabilities to obtain access to sensitive information," said US-CERT Wednesday. It linked to a report by Digital Shadows and Onapsis. Oracle and SAP didn't comment right away.
House Homeland Security Committee subcommittees plan two separate hearings Wednesday on federal cybersecurity risk determination and efforts to bolster emergency response technology. The National Institute of Standards and Technology will testify at the latter hearing, which is scheduled for 2 p.m. in 210 House Capitol Visitor Center. Scheduled for 10:30 a.m. in the same room, the first hearing will explore the federal government’s cybersecurity risk profile.
Butterfly announced a portable virtual private network router said to turn a public Wi-Fi hot spot into a secure VPN. Users can mask their IP address to prevent tracking of online activities and location, keep sensitive information safe, unblock restricted websites and services and steer clear of online advertisers, said the company. The device, which encrypts users' data, operates in Europe, Asia and the U.S. Price is $99, including a three-year subscription and one-year hardware maintenance, it said.