House Commerce Committee ranking member Frank Pallone, D-N.J., said he's “disturbed” by a Gizmodo report Tuesday that the FCC, while dealing last spring with what it said was a distributed denial-of-service attack on its Electronic Comment Filing System, pushed a false narrative that the system had also been the victim of a cyberattack three years earlier (see 1705100062). The FCC didn't comment. Pallone said Gizmodo shows “a concerted effort by FCC employees to mislead the public in the lead up to its vote to repeal” 2015 net neutrality rules. GAO in October began an independent review of FCC DDoS claims after a request by Pallone and Senate Communications Subcommittee ranking member Brian Schatz, D-Hawaii (see 1708170042 and 1710130052). Chairman Ajit Pai told Pallone, Schatz and other lawmakers a “non-traditional” DDoS attack hit the ECFS, but the FCC declined to provide details on plans to protect the system (see 1706280044 and 1707310071). Pallone said Tuesday he's "call[ing] on [Pai] to ensure the FCC fully cooperates with” GAO's investigation. Gizmodo said the Office of Media Relations and former FCC Chief Information Officer David Bray in 2017 alleged the agency's commenting system ran into trouble in 2014 due to a DDoS attack, though there was no independent proof. Bray, who left the agency last year, didn't comment.
The FCC is willing to investigate alongside the Department of Homeland Security if “particularized evidence” of unlawful use of cell-site simulators, often called StingRays, is found, FCC Chairman Ajit Pai wrote Friday to Rep. Eliot Engel, D-N.Y. (see 1806010056). Engel, Sen. Ron Wyden, D-Ore., and other lawmakers repeatedly pressed the FCC to investigate StingRay use in the U.S. and particularly Washington, D.C., citing mounting evidence from DHS of such activity. Pai told Engel, ranking member of the House Foreign Affairs Committee, DHS “has taken the lead in assessing the potential threat from certain uses of cell-site simulators,” and the agency identified the technology as “an existing and emerging threat.” If "we had particularized evidence that certain devices were being unlawfully used within the United States, we would of course investigate the matter alongside our federal partners and take all appropriate enforcement actions,” Pai wrote, noting DOJ and the FBI also are addressing the issue. Commissioner Jessica Rosenworcel responded that “cell phone surveillance devices have been detected in Washington near the White House. Today the @FCC declined to investigate. This makes no sense.” An FCC spokesman declined further comment.
The federal government needs private sector collaboration to maximize cybersecurity defense, said Assistant Attorney General-National Security John Demers Thursday. Speaking at a FedScoop/FireEye event, Demers cited successful public-private cybersecurity efforts with Yahoo, Google and other private entities that shared cybersecurity interests with law enforcement. Those efforts led to enforcement action against criminals from Russia, Iran, the Islamic State and the Chinese People’s Liberation Army, he said. “We will continue to work with other agencies to use all elements of national power to meet this ever-changing and growing challenge,” Demers said. “To adequately protect our shared national cyber security against persistent attack, we will need your help as well.”
Comcast says it shut down a company website used by subscribers to set up home internet and video service after ZDNet reported Monday the site could be tricked into displaying the home address where a router is located, plus login information. "There’s nothing more important than our customers’ security," Comcast emailed Tuesday. "Within hours of learning of this issue, we shut it down. At no time did this site enable anyone to access customers’ personal usernames and passwords and we have no reason to believe that any account information was accessed. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”
A federal jury convicted a Latvian resident of three counts of cybercrime involving his “Scan4You” program, an online counter-antivirus service targeting U.S. businesses, DOJ announced Wednesday evening. It said Ruslans Bondars, 37, a citizen of the former USSR and therefore a Latvian "non-citizen," was convicted of one count of conspiracy to violate the Computer Fraud and Abuse Act, one count of conspiracy to commit wire fraud and one count of computer intrusion with intent to cause damage and aiding and abetting. Sentencing is set for Sept. 21.
The White House this week eliminated its top cyber policy adviser position in a move a National Security Council spokesman said will "improve efficiency, reduce bureaucracy" and promote accountability. “The National Security Council’s cyber office already has two very capable Senior Directors. Moving forward, these Senior Directors will coordinate cyber matters and policy,” he emailed. FCC Commissioner Jessica Rosenworcel tweeted: “This does not seem like a good idea.” Sen. Mark Warner, D-Va., called the decision “mind-boggling”: “Our adversaries are investing heavily in 21st century cyber warfare capabilities, and if we only view national security through a conventional 20th century lens, we’re going to find ourselves unable to respond to increasingly asymmetric cyber threats down the road.”
The House passed the Small Business Development Center Cyber Training Act by voice vote Tuesday. Introduced by Rep. Steve Chabot, R-Ohio, HR-3170 would require cyber strategy counseling certification for certain employees of the Small Business Administration's Small Business Development Centers through existing SBA programs. Sen. Jim Risch, R-Idaho, introduced companion legislation.
Georgia Gov. Nathan Deal (R) vetoed a cybercrime bill that he said raises national security concerns and “may inadvertently hinder the ability of government and private industries” to prevent online attacks. SB-315 would have made it a crime to knowingly and intentionally access a computer or network without authorization. “After careful review and consideration of this legislation, including feedback from other stakeholders, I have concluded more discussion is required before enacting this cyber security legislation,” Deal said Tuesday. Legislators should work with cybersecurity and law enforcement “to develop a comprehensive policy that promotes national security, protects online information” and advances Georgia technology, he said. “Victory!” declared Electronic Frontier Foundation Senior Investigative Researcher Dave Maass. The bill “would have threatened independent research and empowered dangerous ‘hack back’ measures,” he blogged. Such a law could treat security researchers as criminals even if they have no criminal motives and intend to disclose security problems ethically, he said.
Though the Consumer Product Safety Commission inquiry into the “potential safety issues” of IoT devices ruled out plans to address “personal data security and privacy issues” as part of its review (see 1803290032), the Cybersecurity Coalition believes “safety and security standards for IoT devices are inextricably linked and should be addressed in tandem,” said May 2 comments (document ID CPSC-2018-0007-0031) posted Monday in docket CPSC-2018-0007 and "withdrawn" on Wednesday because the filing was deemed a "duplicate of material" previously submitted. “A common feature across all IoT devices is their ability to communicate across information networks and to act on the physical world, which makes securing these communications and controlling access to device functionality central to maintaining both the safety and security of the device,” said the coalition, whose members include AT&T, Cisco, Intel, McAfee, Microsoft, Mozilla and Symantec. For example, shipping an IoT device to consumers with a factory-default password or other “known vulnerabilities” is both a security risk, “as this could give attackers access to consumers’ information,” and a safety risk “if attackers are able to gain control of device functionality,” it said. The coalition has a long history of “using a voluntary, consensus-based, industry-led approach to setting security standards,” and encourages CPSC to “use this approach to set safety standards for IoT devices,” it said. Comments in CPSC's review are due June 15, and a hearing is planned for Wednesday. The agency said it will use the feedback to better “inform future Commission risk management work.”
Individual privacy, specifically protection for personally identifiable information, is emphasized in the National Institute of Standards and Technology’s updated draft cybersecurity Risk Management Framework (RMF). The update integrates the RMF with NIST’s Cybersecurity Framework. It “provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF,” NIST Computer Scientist Ron Ross said. “Conversely, if you’re using the CSF, you can bring in the RMF and give your organization a robust methodology to manage security and privacy risks.”