Openly tracking third-party code in software products is a “well-understood best practice” that not all software vendors follow, NTIA Administrator David Redl said Thursday at the agency’s third cybersecurity-related multistakeholder meeting (see 1806060036). Vendors, civil society and representatives from the telecom, healthcare, finance, auto, medical device and information security sectors attended. Redl said the multistakeholder process helps NTIA reach consensus from different viewpoints and develop “nimble” solutions “in the face of a constantly evolving risk environment.”
Imprecise language within coordinated vulnerability disclosure (CVD) procedures can give industry and the public a false sense of security, House and Senate Commerce Committee leaders wrote the CERT Coordination Center Tuesday. The letter from House Commerce Committee Chairman Greg Walden, R-Ore., and Senate Commerce Committee Chairman John Thune, R-S.D., follows a recent Senate hearing on Spectre and Meltdown vulnerabilities (see 1807110059). Failing to coordinate the CVD process and give timely notice for industry to test patches “extensively before applying them can significantly increase” vulnerability risks, the lawmakers wrote. “CVD remains a complex and constantly evolving concept, and as should be expected from one of this size and scale, the Spectre and Meltdown CVD showed that additional improvements can and should be made.”
Though 95 percent of global chief information officers say they expect cyberthreats to increase in the next three years, only 65 percent of their organizations have a cybersecurity expert on the payroll, a Gartner survey found. Gartner canvassed 3,160 CIOs in 98 countries, finding 35 percent said their organizations deploy some “aspect of digital security,” and another 36 percent are “actively experimenting” or planning to implement a security plan “in the short term,” it said. "In a twisted way, many cybercriminals are digital pioneers, finding ways to leverage big data and web-scale techniques to stage attacks and steal data," said Gartner Tuesday. "CIOs can't protect their organizations from everything, so they need to create a sustainable set of controls that balances their need to protect their business with their need to run it."
ZTE signed an agreement with the Department of Commerce under which the department's seven-year ban on U.S. companies selling telecom software and equipment to the Chinese company can end as soon as ZTE deposits $400 million in escrow to cover future violations of U.S. sanctions, the agency said Wednesday. The escrow deposit was part of a deal reached last month that imposed alternative conditions to replace the ban, which Commerce's Bureau of Industry and Security originally announced in April (see 1804170018). Commerce will suspend the ban during a 10-year “probationary period” in exchange for the company's agreement to pay $1.4 billion and other concessions. BIS can reactivate the ban if ZTE again violates sanctions during its probation. “Once the monitor is selected and brought on board, the three-pronged compliance regime ... will be in place,” the department said in a statement. “The ZTE settlement represents the toughest penalty and strictest compliance regime the Department has ever imposed in such a case.” Commerce's advancement of the deal came as Congress begins reconciling the House- and Senate-passed versions of the FY 2019 National Defense Authorization Act (HR-5515), which contain differing anti-ZTE provisions (see 1806190051). Senate Minority Leader Chuck Schumer, D-N.Y., and Intelligence Committee Vice Chairman Mark Warner, D-Va., criticized moving forward with the deal. It's “a direct betrayal of President [Donald] Trump’s promise to be tough on China and protect American workers,” Schumer said: Trump "gave away the store to China for nothing, so now it’s entirely up to Congress to right the administration’s wrong. I hope my Republican colleagues in the House and Senate will do the right thing and maintain the Senate’s strong language in [HR-5515] that reverses the administration’s awful ZTE deal.” Warner called it a “sweetheart deal” that “not only ignores these serious issues, it lets ZTE off the hook for evading sanctions against Iran and North Korea with a slap on the wrist.”
Senior executives are “finally becoming aware that cybersecurity has a significant impact on the ability to achieve business goals and protect corporate reputation,” and that’s among the top “security and risk management trends” to watch, said Gartner Tuesday. Cybersecurity “is a board-level topic and an essential part of any solid digital business strategy,” it said. Business leaders “have not always been receptive to this message,” but a recent string of “high-profile incidents,” including the Equifax data breach, changed all that, it said. “Business leaders and senior stakeholders at last appreciate security as much more than just tactical, technical stuff done by overly serious, unsmiling types in the company basement," said Gartner. “Security organizations must capitalize on this trend by working closer with business leadership and clearly linking security issues with business initiatives that could be affected.”
Global distributed denial-of-service attacks rose 16 percent November-April, Akamai reported Tuesday. Reflection-based DDoS attacks rose 4 percent. Application-layer attacks such as SQL injection and cross-site scripting rose 38 percent; unlike DDoS, which aims to exhaust a target's availability, these are web application attacks that target the application and its data directly.
The Wi-Fi Alliance is introducing a new generation of Wi-Fi security, Wi-Fi Protected Access 3 (WPA3), as the successor to WPA2. “WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, and deliver increased cryptographic strength for highly sensitive data markets,” the alliance said. Existing WPA2 devices will continue to provide “recognized security” as WPA3 is deployed, it said Monday.
Smart home industry leaders are experimenting with blockchain technology to address concerns about data security and protection, Navigant Research reported Wednesday. A growing number of high-profile customer data hacks and security breaches is a challenge to the smart home market, and blockchain and distributed ledger technologies provide a common platform to support smart devices and boost data security, it said. Although blockchain technology can enhance the smart home experience, “crucial questions need to be addressed before consumers welcome blockchain into their homes,” said analyst Johnathon de Villier. Test programs will be needed to evaluate blockchain-based platforms in connected homes and determine their scalability, interoperability and deployment, he said. Smart home companies should be technology-agnostic and explore partnerships to improve cybersecurity for the nascent technology, he said.
Arizona’s self-named “Bitcoin Baron” got 20 months in prison for directing distributed denial-of-service attacks in 2015 at computer networks of Madison, Wisconsin, DOJ said Tuesday. U.S. District Judge Douglas Rayes in Arizona also ordered 23-year-old Randall Tucker to pay more than $69,000 in restitution to victims, the department said. Tucker pleaded guilty April 17 to one count of intentional damage to a protected computer, admitting to executing DDoS attacks against Madison and other city websites, DOJ said. “The attack crippled [Madison’s] Internet-connected emergency communication system, causing delays and outages in the ability of emergency responders to connect to the 911 center and degrading the system used to automatically dispatch the closest unit."
To improve transparency of software components and digital security, NTIA Administrator David Redl on Wednesday launched a multistakeholder process. The agency seeks input from software vendors, IoT manufacturers, medical device manufacturers, civil society and various sectors. The first meeting is 10 a.m. July 19 at the American Institute of Architects, 1735 New York Ave. NW. “This initiative will highlight the role of [the] enterprise customer to understand how data can be used to better secure organizations,” Redl wrote. “Stakeholders can address the challenges and obstacles in sharing this data.” In Thursday's Federal Register, NTIA said the multistakeholder process is the result of recommendations included in a report to the president on botnets (see 1805300065).