The National Institute of Standards and Technology's long-anticipated draft "Version 1.1" (v1.1) update to the Cybersecurity Framework, released at our deadline Tuesday, includes a new section on developing effective cybersecurity metrics. NIST has been considering potential updates to its existing 2014 framework in response to comments last year from stakeholders who encouraged the agency not to pursue a major revamp of the document (see 1602240065). NIST's framework “can be used as the basis for comprehensive measurement” of the efficacy of cyber risk management practices, the draft said. The framework's implementation tiers and categories are themselves metrics, NIST said. Any metrics on cyber risk management “should be designed with business requirements and operating expense in mind,” the agency said. “The expense of a measurement system may increase as the accuracy of measurement increases. To mitigate undue cost to the organization, the accuracy and expense of a system need only match the required measurement accuracy of the corresponding business objective.” NIST included the metrics section in the draft “to get the conversation started,” said Framework Program Manager Matthew Barrett in a news release. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.” V1.1 also includes additional information on managing cyber supply chain risks and clarifications of framework terms. NIST said it's collecting stakeholder feedback on the v1.1 draft through April 10.
Secretary of Homeland Security nominee John Kelly didn't discuss his views on cybersecurity issues in a prepared opening statement released before his Tuesday confirmation hearing before the Senate Homeland Security Committee, though those issues were widely expected to come up during the hearing. Senate Homeland Security Chairman Ron Johnson, R-Wis., said at the start of the hearing that “cyberthreats are real and growing, and our critical infrastructure is not adequately secure. As a result, the next secretary of the Department of Homeland Security will be shouldering enormous responsibilities.” The hearing was still ongoing at our deadline.
Commerce Secretary Penny Pritzker's "exit memo" outlined accomplishments on cybersecurity, an open internet and trade during the Obama administration, but warned the government "is currently not properly organized to face the challenges posed by the 21st century digital economy." She said the government should focus on five issues: access, cybersecurity, free internet, emerging technologies and workforce issues. Policies and incentives are needed to encourage investment in broadband access. Pritzker said there's a "growing global cybersecurity crisis" at the hands of criminals and nation-states and the incoming administration should work to promote strong cybersecurity policies, baseline privacy rules and use of encryption as well as government access to data. The President's Commission on Enhancing National Cybersecurity (see 1612020050) recently delivered recommendations to improve cyber defenses and raise cyber awareness. Pritzker said trade agreements and other policies to "protect cross-border data flows, discourage digital protectionism, and ensure open digital markets" should be pursued. She underscored transfer of the Internet Assigned Numbers Authority functions to a multistakeholder, nongovernment group (see 1610030042), completion of the EU-U.S. Privacy Shield to ensure that the transfer of Europeans' personal data is protected (see 1602020040), and creation of the Digital Economy Board of Advisors (see 1612150069) and the digital trade attachés program (see 1612120018). Artificial intelligence, autonomous vehicles and IoT are some emerging technologies that should be encouraged, and the department should be an "evangelist" to break down barriers to innovation, she said.
President-elect Donald Trump has said little about cryptography directly, but he made it "very clear" he was on the side of the FBI during its court battle to force Apple to unlock an iPhone used by a mass shooter (see 1607260037), wrote Electronic Frontier Foundation senior staff attorney Nate Cardozo in a blog post reviewing crypto law activity in 2016. He quoted Trump as saying, “'To think that Apple won't allow us to get into [the shooter's] cellphone? . . . Who do they think they are? No, we have to open it up.' He also called for a boycott of Apple until Apple caved. But like so much else, Trump has offered no specifics." Cardozo said Sen. Jeff Sessions, R-Ala., Trump's pick for attorney general, "is widely speculated to be anti-crypto," although the senator has offered no specifics. On the FBI vs. Apple fight, Cardozo wrote Monday that if the law enforcement agency had won, the U.S. government could have gotten legal authority to order American tech companies to create back doors into their products (see 1612210005). "Indeed, the FBI’s demand was never about 'just that one phone' and was all about creating legal precedent," he said.
Symantec introduced a Wi-Fi router with built-in security in what it calls an "elegant" and "atypical artisanal design." Norton Core is available for preorder now ($199) with a suggested retail price of $279, said the company in an announcement. A one-year complimentary subscription to Norton Core Security Plus is included with the router, offering protection for up to 20 computers, smartphones and tablets, plus unlimited IoT devices, said the company. Norton Core was built to secure and protect connected homes and has a unique antenna array mounted inside a geodesic dome of “interlocking faces,” which the company said was inspired by defense and weather radar systems deployed in far reaches of the globe. The design is intended to encourage users to place the router out in the open, as part of their home decor, where it can provide a strong, unobstructed Wi-Fi signal. The routers come in gray and gold colors and are to ship in summer. Parental controls are included.
President-elect Donald Trump was scheduled to meet with officials involved in cybersecurity and mergers and acquisitions, transition spokespeople told reporters Thursday. One meeting was to involve Tom Bossert, a cyber-risk fellow at the Atlantic Council and president of risk management firm Civil Defense Solutions Consulting. Bossert was an official in the George W. Bush administration, working on homeland security issues and for the Federal Emergency Management Agency. Another meeting was to involve Jay Clayton, an attorney with Sullivan & Cromwell focused on M&A. Elsa Murano, a former Texas A&M University president and Agriculture Department official under George W. Bush, is “going to be a candidate for Agriculture,” said transition spokesman Sean Spicer.
The Electronic Frontier Foundation is warning the tech community about the threat President-elect Donald Trump poses to the internet, in a full-page advertisement in the January issue of Wired magazine released Tuesday. "He has praised attempts to undermine digital security, supported mass surveillance, and threatened net neutrality," reads the ad on page 63 about Trump. "He promised to identify and deport millions of your friends and neighbors, track people based on their religious beliefs, and suppress freedom of the press." EFF said it wants the tech community to employ end-to-end encryption and HTTPS for all communications and transactions, delete logs so they can't be provided, publicly disclose government requests to monitor users and censor speech, and advocate for users' rights in Congress, the courts and elsewhere. EFF Activism Director Rainey Reitman in a news release said the internet shouldn't be "conscripted into a tool of oppression. But if we are going to protect the Internet, we need a lot of help." The transition team didn't comment.
In 2016, data breaches and cyberattacks resulted in more than 2.15 billion records being compromised, including the more than 500 million Yahoo user accounts that were stolen two years ago, said cybersecurity firm IT Governance in an updated blog post Tuesday. Last year, breaches totaled 480 million, wrote Lewis Morgan, a social media marketing executive who compiled the list. He said he initially didn't include the breach at Yahoo in his count because it occurred in late 2014, but decided to add it because the incident was first reported in September (see 1609220046).
National Security Adviser Susan Rice pressed during a meeting Thursday with Chinese Minister for Public Security Guo Shengkun for China to fully adhere to the anti-cybertheft agreement that President Barack Obama and Chinese President Xi Jinping reached in 2015 (see 1509250059), the National Security Council said. Rice also told Guo that U.S. officials are concerned “about the potential impacts” of a newly enacted Chinese cybersecurity law that includes data localization rules, NSC said. Opponents claim the law has the potential to bar foreign-based tech firms from industries that China deems “critical” and could increase China’s online censorship. During an official joint dialogue a day earlier, Guo and Attorney General Loretta Lynch acknowledged continued progress on China-U.S. cybersecurity cooperation.