Cybersecurity, including prevention of data breaches and ransomware threats, has become a top priority for the Department of Health and Human Services, officials plan to tell the House Commerce's Subcommittee on Oversight and Investigations at a hearing Thursday. Emery Csulak, chief information security officer with the Centers for Medicare and Medicaid Services; Steve Curren, director-division of resilience within HHS' Office of Emergency Management; and HHS Chief Information Officer Leo Scanlon jointly submitted prepared testimony. Since 2014, the healthcare and public health sector has been hit with breaches, with a rise in ransomware attacks last year, they will tell lawmakers. "These attacks shifted the threat landscape considerably, as they no longer threatened just personal information but also the ability of health care organizations to provide patient care." Partnerships across HHS, government and private sectors helped provide expertise to fight the threat, they plan to say. In response to the WannaCry ransomware attack (see 1705180032, 1705160038, 1705160008 and 1705150008), which hit hospitals in the U.K. (see 1705120055), HHS worked with the Department of Homeland Security's National Cybersecurity and Communications Integration Center to develop an "immediate response" to help the healthcare sector's security experts respond to and report the WannaCry intrusions, they say. This was the first time HHS organized itself to respond to a cybersecurity incident, setting a standard, they say. Working groups and initiatives are underway to improve cybersecurity across the department and health sector, according to the testimony, citing HHS' Healthcare Cybersecurity Communications Integration Center aimed at improving collaboration among entities and strengthen reporting and threat awareness. The center helped coordinate the WannaCry response, the officials say. On May 11, a government-driven healthcare industry cybersecurity task force released a report with recommendations on improving protections across agencies, the HHS officials note. Recommendations include that improvements are needed in the security and resilience of medical devices and health IT, healthcare workers and industry need to be more aware of cybersecurity and make it a priority, and there should be greater information sharing.
The House Communications Subcommittee plans a hearing 10 a.m. Tuesday in 2322 Rayburn on wireless security. “In today’s increasingly digital and wireless world, cyber criminals continue to adapt, discover, and exploit vulnerabilities in our networks to gain unauthorized access and cause harm to consumers and businesses around the country,” Chairman Marsha Blackburn, R-Tenn., said in a statement: The hearing "will provide our members an opportunity to learn more about these threats, what stakeholders are doing to combat and prevent these attacks, and what policies could be helpful.”
Short, low-volume distributed denial-of-service attacks aimed at masking “more serious network intrusions” are the “greatest DDoS risk” for most entities, Corero Network Security reported Monday. Ninety-eight percent of DDoS attack attempts that Corero measured during Q1 were less than 10 Gbps in volume and 71 percent lasted 10 minutes or less, the cybersecurity firm said. “Short DDoS attacks might seem harmless, in that they don't cause extended periods of downtime,” said CEO Ashley Stephenson in a news release. “IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions.”
Cybersecurity needs board oversight and isn't just an IT issue, "it’s an enterprise wide risk management issue," blogged Internet Security Alliance Senior Director Stacey Barrack. "Most corporate boards are comprised of 'digital immigrants'" who "need to learn how to understand cyber-risk," she wrote Friday. Such risk management takes "strategic thinking" that doesn't treat information security as a "siloed" issue, Barrack wrote. She noted, as did another expert in a blog Thursday (see 1706010018), that "several significant cyberbreaches did not actually start within the target’s IT systems, but rather from vulnerabilities in one of its vendors or suppliers."
Target's 2013 data breach with a record $300 million in damages should be a wake-up call on cybersecurity, blogged Shane Tews of the American Enterprise Institute. She noted the company recently settled with 47 states over the credit card incident. "If Target had taken IT management seriously ... it could have saved itself hundreds of millions of dollars and a damaged reputation," wrote the AEI Center for Internet, Communications and Technology Policy visiting fellow Thursday. She sought "clear, responsible guidelines for IT management and data security" for companies sharing data on customers. Senior executives should understand that such protections are "part of their management responsibilities," Tews wrote. "A company’s incident-response plan can make the difference between a momentary slow down and a full day or weeks-long fiasco." Target didn't comment.
Senate Communications Subcommittee ranking member Brian Schatz, D-Hawaii, led a letter to the FBI Wednesday requesting an investigation of the alleged distributed denial-of-service attacks on the FCC website, which may have affected comments in the net neutrality proceeding (see 1705170067). “We ask that the FBI prioritize this matter and investigate the source of this attack,” said the Democrats, also including Sens. Al Franken, D-Minn., Patrick Leahy, D-Vt., Ed Markey, D-Mass., and Ron Wyden, D-Ore. “This particular attack may have denied the American people the opportunity to contribute to what is supposed to be a fair and transparent process, which in turn may call into question the integrity of the FCC’s rulemaking proceedings.” They requested a briefing by June 23. "The FBI received the letter," a bureau spokeswoman said, "and will provide a response to the members of Congress."
The FCC plans to upgrade auction systems to make them more resilient to attack, its FY 2018 budget proposal said. “As recent news headlines have emphasized, the threat of cyber-attacks and security vulnerabilities are very real, and the Commission takes these threats and vulnerabilities very seriously. The FCC will proactively engage security engineers and architects to ensure the modernization of systems in the cloud are secure and adhere to Federal mandates and regulations to include two factor authentication.”
Sens. Maggie Hassan, D-N.H., and Rob Portman, R-Ohio, jointly filed the Hack Department of Homeland Security Act Friday in what they said is a bid to strengthen the department's cyber defenses. The bill would establish a “bug bounty” pilot program at DHS that would encourage hackers to identify and disclose to the department any undiscovered vulnerabilities in DHS' IT systems. Eligible hackers would need to register with DHS and go through a background check before being allowed to participate in the program, Hassan's office said. The bill would require DHS to work with the attorney general to ensure program participants don't face prosecution for their program-specific hacking activities. The program would be similar to those DOD and major tech companies use, Hassan's office said. Senate Homeland Security Committee ranking member Claire McCaskill, D-Mo., and Sen. Kamala Harris, D-Calif., are co-sponsors. The Hack DHS Act is the “first step to utilize best practices from the private sector to harness the skills of hackers across America as a force multiplier against these cyber threats,” Hassan said.
Acting FTC Chairman Maureen Ohlhausen said Wednesday she wants the agency to take a "fresh look" at identity theft to improve efforts to tackle the problem. During a daylong FTC event, Ohlhausen said she wants the agency to do more research on the issue, with assistance from academia, consumer advocates, industry and governments, to provide a foundation that addresses harmful conduct. She said the FTC needs to share information and coordinate cybersecurity efforts with other agencies and state governments. She noted the agency's work with the Small Business Administration to launch a website to help companies deal with cyberthreats and data breaches. Ohlhausen wants more public-private partnerships and cited FTC work with Equifax, Experian and TransUnion to make it easier for consumers to get free credit reports. FTC economist Keith Anderson cited 2014 data from the Bureau of Justice Statistics that said 17.6 million Americans 16 and older were ID theft victims. He said synthetic ID theft is a recent trend, in which thieves construct a "pseudo individual" using information from several people. Sean McCleskey, a retired Secret Service agent who works for the University of Texas-Austin's Center for Identity, said thieves take "bits and pieces" of data -- maybe a fake date of birth, a real Social Security number, or a real or fake address -- making it more difficult to investigate and to notify potential victims. Experts said thieves steal people's credit card and financial information and medical and tax data. Danny Rogers, CEO of Terbium Labs, said ID theft undermines trust in the internet.
TechFreedom Executive Director Austin Carson endorsed the Protecting Our Ability to Counter Hacking Act. HR-2481/S-1157 would codify the vulnerabilities equities process (VEP) for government stockpiling and disclosing software and hardware vulnerabilities and make it transparent and accountable. Rep. Ted Lieu, D-Calif., and Sen. Brian Schatz, D-Hawaii, led sponsorship of the bill last week, after the WannaCry ransomware attacks (see 1705120055, 1705150008 and 1705170025). “Codifying the VEP process and adding oversight mechanisms will put the VEP on solid footing, removing the threat of policy changes at the whims of the executive branch and giving Congress the chance to more fully evaluate the tradeoffs,” Carson and TechFreedom Legal Fellow Ashkhen Kazaryan blogged. “In this era where cyber attacks are edging ever-closer to becoming cyber wars, the United States government should lead the way in balancing the interests at stake and addressing the cybersecurity concerns directly within its control.”