The deadline for applications to join a working group of the FCC Communications Security, Reliability and Interoperability Council is Nov. 1, said a Public Safety Bureau public notice Thursday. It said the six working groups and chairs are: WG 1: 5G Signaling Protocols Security, co-chaired by AT&T Assistant Vice President-Standards and Industry Alliances Brian Daly and Oracle Cybersecurity Director Travis Russell; WG 2: Promoting Security, Reliability and Interoperability of Open Radio Access Network Equipment, co-chaired by Mavenir Chief Product Security Officer Mike Barnes and Rural Wireless Association member George Woodward, CEO of Trilogy Networks; WG 3: Leveraging Virtualization Technology to Promote Secure, Reliable 5G Networks, co-chaired by Microsoft 5G Policy and External Engagements Director Micaela Giuhat and Dell EMC Global Chief Technology Officer John Roese; WG 4: 911 Service Over Wi-Fi, co-chaired by Intrado Vice President-Government and External Affairs Mary Boyd and APCO Government Relations Manager Mark Reddish; WG 5: Managing Software & Cloud Services Supply Chain Security for Communications Infrastructure, chaired by VMware Head-RAN Intelligence and Chief Architect Rittwik Jana; and WG 6: Leveraging Mobile Device Applications and Firmware to Enhance Wireless Emergency Alerts, co-chaired by Qualcomm Engineering Director Farrokh Khatibi and Harris County, Texas, Office of Homeland Security and Emergency Management Deputy Emergency Management Coordinator Francisco Sanchez.
New global “policy regimes” embracing cybersecurity incident reporting are a “potentially appropriate tool to provide greater visibility” into cyberattacks -- if “carefully crafted,” said the Information Technology Industry Council Monday. It urged policymakers to heed new recommendations “on limiting incident reporting to confirmed or verified incidents.” ITI asked security authorities to craft policies that “allow for at least a 72-hour reporting window after an entity has verified an incident” and to limit incident reporting “to confirmed or verified incidents.” Effective reporting regimes also need to “establish or maintain appropriate liability protections and ensure information provided is exempt from public disclosure,” said ITI. It seeks measures that “ensure confidentiality and appropriate protections around sensitive information shared with or by competent authorities within the government, including against regulatory use.” Senate Homeland Security Committee Chairman Gary Peters, D-Mich., hopes soon to introduce bipartisan legislation that would require critical infrastructure owners and operators to report “significant” cyberattacks (see 2109230065).
“Workforce professionals” are more pessimistic than a year ago about the “general state” of cybersecurity in the U.S. economy, reported CompTIA Tuesday. The association canvassed 400 U.S. respondents online in Q3, finding 69% said cybersecurity was improving, down from 80% in its 2020 survey, it said: “Prolonged pandemic uncertainty, ransomware attacks on critical infrastructure, and supply chain attacks rippling through the business landscape were all likely contributors to a more pessimistic sentiment.” CompTIA found “less satisfaction” on how corporate America was handling cyberthreats, it said. In 2020, 82% of professionals said they were satisfied with their company’s approach to cybersecurity, dropping to 70% in this year’s survey, it said: “Given everything happening on the world stage, practices that were previously considered good enough might not be cutting it anymore.” The numbers “tell the tale” about why cybersecurity has become a “top priority” for U.S. enterprises, said CompTIA. “Attacks are coming at a ferocious pace, and a single data breach could cost a company millions of dollars along with massive amounts of time.” The “ultimate threat” from bad actors is a ruined corporate reputation “that can damage business prospects for years,” it said.
Senate Homeland Security Committee Chairman Gary Peters, D-Mich., hopes soon to introduce legislation with ranking member Rob Portman, R-Ohio, that would require critical infrastructure owners and operators to report “significant” cyberattacks, Peters said during a hearing Thursday. The bill would require entities to report incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Accountability on who’s in charge will be an important element, said Portman: “Cyber reporting legislation might better inform that strategy. I think we can get that right. I think we can get a bipartisan product.” Senate Intelligence Committee Chairman Mark Warner, D-Va., said previously he and co-authors of his own legislation were in conversations with Peters and Portman (see 2108020033). It’s long past time to pass cyber incident reporting legislation, testified CISA Director Jen Easterly: The bill would allow CISA to aid victims directly and share information across sectors. The information would be “profoundly useful” for determining strategy and informing investments, said National Cyber Director Chris Inglis. OMB Federal Chief Information Security Officer Christopher DeRusha said it’s important to have a universal standard rather than a state patchwork.
The reconstituted Communications Security, Reliability and Interoperability Council met virtually for a little more than an hour Wednesday, getting an update on the work it’s expected to do under its charter that expires in June 2023 (see 2103100054). CSRIC last met in March, wrapping up reports started during the previous administration (see 2012090055). “Every day in our lives, there are too many cyber events that have the potential to harm the safety and well-being of people and businesses all across the country,” said acting FCC Chairwoman Jessica Rosenworcel. “No entity is immune from this threat,” she said. “It is time to turn resolve into action.” The need for tighter security is more critical as 5G launches, she said. The promises of 5G will come “only if we properly secure our networks and the communications supply chain,” she said. Rosenworcel, who has made collaboration with other agencies a priority, said it’s “really important” that the group will be co-chaired by Billy Bob Brown from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (see 2109140057). “It really does take a constellation of partners all working together in order to achieve security and resilience for the nation,” Brown said. Co-chair Nasrin Rezai, Verizon chief information security officer, briefly discussed each of the six working groups and asked members to volunteer for assignments. They are: 5G Signaling Protocols Security; Promoting Security, Reliability and Interoperability of Open Radio Access Network Equipment; Leveraging Virtualization Technology to Promote Secure, Reliable 5G Networks; 911 Service Over Wi-Fi; Managing Software & Cloud Services Supply Chain Security for Communications Infrastructure; and Leveraging Mobile Device Applications and Firmware to Enhance Wireless Emergency Alerts.
The working groups all focus on real-world problems that face industry, Rosenworcel said: “These issues are evolving fast and it can often feel like we’re playing catch up.”
Well-organized, well-funded cyber adversaries “are becoming harder to detect, as they take advantage of the latest technologies to hide in the shadows,” said Cognyte Software CEO Elad Sharon on a call Monday for fiscal Q2 ended July 31. The company markets an “open analytics” security platform. There’s a growing volume and diversity of “structured and unstructured data” for bad actors to attack, said Sharon. Data is being “augmented and spread across organizational silos, making investigations more difficult,” he said. “Many customers recognize that homegrown solutions can no longer keep pace with these evolving security challenges.” Cybercriminals are attacking more frequently, with methods “becoming more and more sophisticated, making verifying bad actors much more difficult,” said the CEO.
The FBI needs to provide a complete briefing to the Senate Homeland Security Committee on why the agency held back the digital key associated with the Kaseya cyberattack (see 2109010005), Chairman Gary Peters, D-Mich., said during a hearing Tuesday. Director Christopher Wray said the bureau will work with the committee to provide more information, but some of the communication should be done in a classified setting. Peters questioned why the FBI reportedly held back the digital key for unlocking computers of hundreds of businesses and organizations subject to the Kaseya attack. He asked why the FBI didn’t share the key sooner, which might have helped avoid some recovery costs. Wray said the investigation is ongoing so he’s limited in what he can say, but generally, encryption keys require a lot of testing and validation: “That takes time.” Decisions are made jointly with agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said Wray. Ranking member Rob Portman, R-Ohio, agreed with the “necessity” for the committee to have all information “on the cyber front.”
The reconstituted Communications Security, Reliability and Interoperability Council will be co-chaired by an official from the Cybersecurity and Infrastructure Security Agency and a Verizon executive, FCC acting Chairwoman Jessica Rosenworcel said Tuesday. They are Billy Bob Brown, CISA executive assistant director-emergency communications, and Nasrin Rezai, Verizon chief information security officer. Other members are in this issue’s personals section. Collaboration with CISA “will help advance a whole-of-government approach to security and ensure that the relevant federal expertise is informing policymaking at the FCC,” Rosenworcel said: More participation by public interest groups “means that the public and consumers also will have a voice on issues that ultimately affect their safety and security.”
Massachusetts Attorney General Maura Healey (D) opened a probe into the T-Mobile data breach, her office said Tuesday. Healey is asking if the company had enough safeguards to protect consumer and mobile device information. T-Mobile said last month a hacker used brute force to hack into the carrier’s system and steal customer data (see 2108270043). T-Mobile didn’t comment by our deadline.
The cyberthreat environment “remains fierce,” as “inherent vulnerabilities” in widely used operating systems “leave companies of all sizes open to attack and provide a rich feeding ground for sophisticated and novice e-criminals alike,” said CrowdStrike CEO George Kurtz on a call Tuesday for fiscal Q2 ended July 31. “The lessons learned from recent attacks emphasize that a breach involves more than just malware.” Companies “overly relying” on malware prevention have the biggest vulnerabilities, he said. More than half of recent threat detections “were not malware-based,” evidence that attackers are “exploiting the proliferation of vulnerabilities and abusing systemic weaknesses,” he said. The early July ransomware attack on Kaseya servers should serve as a “reminder to the far-reaching impact of a supply chain breach and the importance of a zero-trust architecture,” said Kurtz. “Most ransomware outbreaks have a compromised identity component. Shoring up this threat vector is critical to stopping breaches.” A new strategic alliance with Verizon positions the CrowdStrike Falcon cybersecurity platform as part of Verizon's business security portfolio “to provide comprehensive endpoint and workload protection that spans prevention, detection and response capabilities,” he said.