Nextgov: Senate-Passed Bill to Hack DHS Heads to House Floor

By Joseph Marks

The House Homeland Security Committee forwarded two bills Thursday to make it easier for ethical hackers to share computer vulnerabilities they find in Homeland Security Department websites.

The first bill, sponsored by House Majority Leader Kevin McCarthy, R-Calif., would direct Homeland Security officials to create a vulnerability disclosure policy. That policy would describe which department websites hackers can legally probe for vulnerabilities, how they can alert the department about those vulnerabilities, and when and how the department will respond to and remediate the vulnerabilities.

Homeland Security Sec. Kirstjen Nielsen told lawmakers in April that the department already plans to adopt such a policy, but the department has not made progress since then, Rep. Jim Langevin, D-R.I., said during Thursday’s markup.

The second bill, which has already been passed by the full Senate, would go a step further, requiring Homeland Security to create a formal program, known as a bug bounty, that would solicit vulnerability reports from hackers and pay them for vulnerabilities that checked out.

The Hack the Department of Homeland Security bill, sponsored by Sen. Maggie Hassan, D-N.H., in the Senate, is partly modeled on numerous successful bug bounty programs at the Pentagon and military services.

The bill would mark the first departmentwide bug bounty in the civilian government. The General Services Administration’s Technology Transformation Service also runs an ongoing bug bounty.

Those Defense Department bug bounties required a lot of time and money, however, and some bug bounty organizers have warned that a full bug bounty may not be a good investment for civilian agencies—especially if they lack the resources to investigate and patch all the bugs ethical hackers uncover.

Homeland Security’s top cybersecurity and infrastructure security official Chris Krebs initially expressed skepticism about a department bug bounty, worrying it could steal resources from other parts of the department’s cyber mission. He later endorsed the plan, however, during his confirmation hearing.

Cyber Scoop: House passes deterrence bill that would call out nation-state hackers

By Sean Lyngaas

The House of Representatives on Wednesday passed a bipartisan bill aimed at deterring foreign governments from conducting hacking operations against U.S. critical infrastructure.

The Cyber Deterrence and Response Act put forth by Rep. Ted Yoho, R-Fla., calls on the president to identify individuals and organizations engaged in state-sponsored hacking that significantly threatens U.S. interests, and then to impose one or more of a slew of sanctions on them.

That “naming and shaming” approach is an effort to ward off future cyberattacks from China, Russia, Iran, and North Korea — four countries that U.S. officials routinely label as top adversaries in cyberspace.

The bill, which passed the House by voice vote, also calls for a uniform list of foreign hacking groups to be published in the Federal Register. Sen. Cory Gardner, R-Colo., last month introduced companion legislation in the Senate.

“Our foreign adversaries have developed sophisticated cyber capabilities that disrupt our networks, threaten our critical infrastructure, harm our economy, and undermine our elections,” Yoho said in a statement. “Collectively, we must do more to combat this digital menace.”

Rep. Jim Langevin, D-R.I., co-founder of the Congressional Cybersecurity Caucus, said the bill is an “important step forward in recognizing that cyberthreats are the new weapon of choice for states who seek to sow discord and engage in conflict below the threshold of war.”

Lawmakers have long urged the executive branch to delineate a cyber deterrence strategy after high-profile breaches of the Office of Personnel Management in 2015 and the Democratic National Committee in 2016.

In response to the demand for a deterrence strategy, the State Department in May recommended that the U.S. government develop a broader set of consequences that can be imposed on adversaries to deter cyberattacks.

Washington should work with allies to inflict “swift, costly, and transparent consequences” on foreign governments that use “significant” malicious cyber activity to harm U.S. interests, the unclassified version of the State Department report says.

Officials such as Vice President Mike Pence and Homeland Secretary Kirstjen Nielsen have touted the administration’s efforts to crack down on foreign hackers. “[T]his administration is replacing complacency with consequences, replacing nations’ deniability with accountability,” Nielsen said in a speech Wednesday.

Cyber Scoop: DHS supply chain and CDM bills pass the House

By Zaid Shoorbajee

The House passed two bills Tuesday that aim to bolster the Department of Homeland Security’s cybersecurity efforts as they relate to securing the agency’s own vendor supply chain as well as securing other federal agencies’ networks.

Both bills now head to the Senate. One of them, the Securing the Homeland Security Supply Chain Act of 2018, would give the secretary of Homeland Security authority to block IT vendors deemed to pose a supply chain risk from contracting with the agency.

“There is no question that nation-states and criminal actors are constantly trying to exploit U.S. government and private sector systems to steal information or insert potentially harmful hardware or software,” said the bill’s sponsor, Rep. Peter King, R-N.Y., on the House floor before a voice vote.

King cited recent and ongoing U.S. government scrutiny of Russian cybersecurity company Kaspersky Lab and Chinese telecommunications companies Huawei and ZTE as justification for giving DHS this new authority. Those efforts “underscore the threats posed to the federal supply chain and the urgency in developing stronger mechanisms to secure it,” King said.

The bill as passed would only allow DHS to make these decisions for its own contracts.

“I am hopeful, this bill moves through the process, that we will also have an opportunity to consider legislation that provides similar authority to ensure national security vetting is incorporated into the wider government procurement process,” King said.

The other bill, the Advancing Cybersecurity Diagnostics and Mitigation Act, would codify into law DHS’s existing Continuous Diagnostics and Mitigation (CDM) program, which provides other federal agencies with monitoring and threat detection on their networks.

“We need to know what we have before we can try to defend it,” said Rep. John Ratcliffe, R-Texas, who introduced the bill. “[CDM] not only allows the ability to combat our enemies in cyberspace, but also to help federal CIOs manage information technology.”

DHS has been awarding billions of dollars worth of contracts to keep CDM’s various phases going. The bill passed Tuesday would make the program statutorily part of DHS.

Rep. Jim Langevin, D-R.I., also spoke in support of the CDM bill on the House floor, but expressed concern that the bill does not incentivize agencies to actually take advantage of the DHS program.

“This is a good bill, and I urge my colleagues to support its passage. However, I must take this opportunity to mention this bill’s major omission. It does not address the incentive structure at other agencies to actually adopt CDM offerings,” Langevin said.

Langevin lamented that CDM’s full potential is being hindered by the fact that many congressional committees and federal agencies compete over jurisdiction of cybersecurity issues.

“During hearings and roundtables on the program, we often heard from government stakeholders that internal dynamics at DHS’s sister agencies were actually the biggest obstacle to the program’s success,” Langevin said. “I urge my colleagues to consider the wisdom of having so many committees involved with cybersecurity jurisdiction often to the detriment of making real progress.”

Nextgov: Critical Update- Cyber Leadership Has to Come from the Top

By Joseph Marks

The biggest problems in federal cybersecurity start at the top and fixes need to come from the top too, Rep. Jim Langevin, D-R.I., told Nextgov’s Critical Update podcast.

When Defense Secretary Ash Carter made cybersecurity a top Pentagon priority during the Obama administration, for example, Carter’s subordinates showed the same passion for the issue, said Langevin, who co-founded the Congressional Cybersecurity Caucus.

“You had everyone, all hands on deck, doing more to step up our cybersecurity at the Pentagon,” he said.

By 2018, among other cyber initiatives, the Defense Department had launched five bug bounty contests, which let loose troves of ethical hackers to search for vulnerabilities in Pentagon computer systems.

When National Security Adviser John Bolton eliminated the position of White House cybersecurity coordinator in May, by contrast, it marked “an enormous step backward” for federal cyber efforts, Langevin said.

Among other things, the lack of a White House point person on cybersecurity prevents the administration from speaking with a clear and singular voice about issues such as Russian election meddling and foreign efforts to penetrate U.S. critical infrastructure, said Langevin, who has co-sponsored legislation to restore and elevate the cyber coordinator position.

“I’m very concerned about having a lack of coordination and oversight from the top,” he said.

Langevin has criticized President Donald Trump for failing to consistently acknowledge Russian government efforts to undermine the 2016 election and for acceding to the elimination of the cyber coordinator position, but he has also praised some Trump administration moves, such as appointing highly qualified Homeland Security cyber officials and continuing Obama-era cyber policies.

Going forward, Langevin said, he holds out hope the president will make cybersecurity a priority and urge his cabinet secretaries to do the same.

“The president would serve the government well by having his cabinet secretaries around the table and … asking what they’re doing to step up their game in preventing cyber vulnerabilities,” he said.

On the Ash Carter model, he said, more cabinet secretaries may then make cyber a priority “and their subordinates will make it happen.”

Cyber Scoop: House defense bill would usher in cybersecurity changes at DOD

By Sean Lyngaas

The House of Representatives this week overwhelmingly passed a defense policy bill with several cybersecurity measures aimed at better securing Pentagon networks.

The legislation — the fiscal 2019 National Defense Authorization Act (NDAA) — seeks closer collaboration between the departments of Defense and Homeland Security in defending against hackers, asks for quick notification of data breaches of military personnel, and continues to crack down on foreign-made telecom products that are deemed security threats.

The NDAA is an annual ritual that lawmakers use to shape Pentagon policies and budget plans while throwing in some pet projects to boot. The House bill — a $717 billion behemoth — eventually will be merged with the Senate’s version, which that chamber’s Armed Services Committee also approved this week. It’s unclear when the Senate bill will have floor votes.

One key provision of the House bill, according to the Rules Committee print, would set up a pilot program for the Pentagon to dispatch up to 50 cybersecurity staff to support the DHS’s mission to secure civilian networks. The deployment of the DOD personnel, potentially to DHS’s prized round-the-clock threat-sharing hub, would be a reminder of the overlapping turf that agencies compete for and try to reconcile in cyberspace.

While DOD may find itself loaning out a small group of its experts, lawmakers want to boost the department’s own workforce by giving the Defense secretary direct hiring authority through September 2025 for “any position involved with cybersecurity.” The Pentagon has boosted its ranks of computer gurus in recent years through U.S. Cyber Command, but lawmakers and military brass are wary of losing these experts to lucrative private-sector jobs.

In the event of a “significant” breach of service members’ personal information, the Defense secretary would be required to promptly notify Congress. That issue came to the fore in January when it was revealed that GPS company Strava had published a map online that showed soldiers’ locations via devices like Fitbits.

Rep. Jim Langevin, D-R.I., co-founder of the Congressional Cybersecurity Caucus, backed the defense bill’s provisions to improve “our ability to deter adversaries in cyberspace.” In response to the Russian influence operation to disrupt the 2016 U.S. presidential campaign, the bill would ask President Donald Trump for a report to Congress on what his administration is doing to protect against “cyber-enabled” information operations.

The House bill also keeps the pressure on Chinese telecom companies ZTE and Huawei by barring federal agencies from buying their products, and an amendment from Texas Republican Michael McCaul extends that ban to any use of federal grant money and loans.

The Senate version of the bill also tightly restricts the Pentagon’s use of technology considered a risk to national security. For example, an amendment from Sen. Jeanne Shaheen, D-N.H., would require DOD vendors to reveal if they’ve let foreign governments inspect their source code.

Senators seem intent on putting more language around offensive cyber-operations in their version of the bill compared to the House’s. According to a summary of the Senate bill, it stipulates a U.S. policy to use “all instruments of national power, including the use of offensive cyber capabilities” to deter cyberattacks that “significantly disrupt the normal functioning of our democratic society or government.”

PBN: Five Questions With: James R. Langevin

By Susan Shalhoub

The National Institute of Standards and Technology released an update to the Framework for Improving Critical Infrastructure Cybersecurity this spring, the group’s first such update. Rep. James R. Langevin, D-R.I., is co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of both the House Committee on Armed Services and the House Committee on Homeland Security.

PBN: Why is it important for different sectors, such as academia and businesses, to partner on cybersecurity defense?

LANGEVIN: Cybersecurity is a challenge that everyone faces. Computers and other information technology are pervasive in every sector of the economy … no one has a monopoly on cybersecurity talent or techniques. That’s one reason it’s been so important for the National Institute for Standards and Technology to bring together a broad set of stakeholders to develop its cybersecurity guidelines.

In updating the Cybersecurity Framework, NIST consulted with experts from business, academia and government to develop guidelines that draw upon the unique experiences of people in each of these fields and ensure that the guidelines are applicable to any organization.

PBN: What has changed most since the Framework for Improving Critical Infrastructure Cybersecurity was first created?

LANGEVIN: NIST published a major update to the Cybersecurity Framework. … The new version improves some of the original technical guidelines and better explains how to manage supply-chain cyber risks. The Russian NotPetya attack, for instance, while originally targeted in Ukraine, has cost U.S. corporations [such as] Merck and FedEx hundreds of millions of dollars and was enabled by a supply-chain vulnerability.

Every business should think about how it works with its vendors and service providers and whether sensitive data may be inadvertently exposed. One of the biggest changes, though, is that NIST has made the Framework easier to use. An organization using the revised Framework will have more information to select the levels of cybersecurity it wishes to implement and to self-assess its progress in reaching those levels.

NIST has also worked to provide more resources to make the Framework immediately relevant to small and medium businesses, which often do not have dedicated risk managers. Beyond the content of the Framework, a lot has changed with respect to awareness and adoption since it was first published in 2014. The word has gotten out.

PBN: In a press release recently, you said: “Cybersecurity is not just a technical issue, and an understanding of the economics of controls is essential if we expect companies to adopt them voluntarily.” Can you elaborate?

LANGEVIN: Of course, technology is at the core of cybersecurity. In a broader sense, however, cybersecurity is just part of risk management. Businesses generally excel at assessing competitive and market-driven risks, [such as] the risk that a disruptive technology will reduce demand for their product or service.

Unfortunately, we still lack the ability to describe cybersecurity risks in similar business terms. The NIST Cybersecurity Framework describes steps organizations can take to reduce their risk, but that guidance needs to be coupled with better cost-benefit information to help executives – and board members – prioritize cybersecurity investments.

PBN: What do you think is most generally misunderstood about the topic of cybersecurity?

LANGEVIN: There are, unfortunately, some who believe they have nothing to worry about because no malicious cyber actor has a reason to target them. Conversely, there are doomsayers who insist that no amount of cybersecurity will protect you from a determined adversary. The reality is somewhere in between.

There are basic defensive steps – often called “cyber hygiene” – that we should all take to improve our cybersecurity. Using unique passwords – or even better, a password manager – keeping software up to date with patches, maintaining offline backups of valuable data and scrutinizing links in emails or texts before clicking on them are a few examples. Everyone should realize that they’re a target. But they should also feel empowered to take steps to protect themselves.

PBN: What more needs to be done?

LANGEVIN: One thing I hear over and over again is that we need to strengthen our cybersecurity workforce, because the demand for cyber skills in every sector is staggering. That’s why I’ve been proud to introduce and co-sponsor several bills to expand cybersecurity scholarships, apprenticeships and training. I also believe we need a national standard for notifying consumers when their private data has been breached, which is what my Personal Data Notification and Protection Act would provide.

Susan Shalhoub is a PBN contributing writer.

Bloomberg: Election Security a Top Concern, Trump Officials Assure Lawmakers

By Nafeesa Syeed and Anna Edgerton

The Trump administration sought to assure lawmakers on Tuesday that it’s working with states to ensure the security of U.S. elections after Democrats raised concerns that the government isn’t doing enough.

“This is an issue that the Administration takes seriously and is addressing with urgency,” according to a joint statement Homeland Security Secretary Kirstjen Nielsen and FBI Director Christopher Wray released after top intelligence officials briefed House members behind closed doors. The officials said they highlighted efforts to protect “critical infrastructure” for elections.

Democrats have questioned whether the Trump administration has acted forcefully enough to prevent other countries from meddling with U.S. election results after intelligence agencies concluded that Russia sought to help President Donald Trump and hurt Democrat Hillary Clinton in the 2016 presidential contest. Russia denies the accusations.

Raja Krishnamoorthi, an Illinois Democrat, said after the meeting that “I don’t feel confident” that the Homeland Security Department and other agencies are doing enough to secure future elections. Much of the briefing focused on Russia, but there are “others out there” seeking to do the same thing, he said.

“I didn’t walk away thinking that we’re there yet” in terms of being prepared, he said.

The briefing comes as primary elections are underway Tuesday in Arkansas, Georgia, Kentucky and Texas.

James Langevin, a Democrat from Rhode Island, said after the briefing that “states have had better interaction with the federal government than they did prior to the 2016 election but there are still weaknesses in the system,” especially making sure there’s a paper trail. He said about 50 lawmakers attended the meeting and some raised questions about specific information the government has about efforts by Russia to interfere with elections.

Nielsen said after Tuesday’s meeting that Russians have sought to “manipulate public confidence on both sides” and that “we see them continuing to conduct influence campaigns.”

Michael McCaul, a Texas Republican who is chairman of the Homeland Security Committee, said Russia’s goal is to “create chaos” and not help a specific candidate.

Cyber Scans

House Speaker Paul Ryan organized the classified meeting. Trump held his own briefing May 3 with Director of National Intelligence Dan Coats, Wray and others to discuss efforts to bolster the country’s election systems and how to work with states.

DHS is offering states voluntary cyber services, including remote checks of their election systems and on-site vulnerability assessments. It’s also granting security clearances to election officials, though they haven’t all been finalized.

States are now deciding how to use their share of $380 million in federal election security grants that came with the omnibus spending package earlier this year. But it’s hardly enough to update aging voting equipment in most states ahead of the November polls, and many state officials are hoping Congress will approve more dollars.

Also this month, the Senate Intelligence panel issued its first interim report on election security. While confessing its members lacked a firm grasp on the extent of hacking into voter systems in 2016, the committee said the U.S. should “clearly communicate to adversaries that an attack on our election infrastructure is a hostile act, and we will respond accordingly.”

A group of former U.S. and European officials, including ex-Vice President Joe Biden, who say governments haven’t sufficiently addressed election security threats have started the Transatlantic Commission on Election Integrity, which plans its first meeting in Copenhagen on June 21-22. The group aims to conduct studies on how to better reduce risks to elections from Russian cyber threats, including looking at new technologies, and share their findings with governments.

Every House seat is on the ballot in November general elections, along with a third of Senate seats.

FCW: House Dems look to salvage cyber coordinator post

Written by Derek B. Johnson

Amid reports that the White House has officially eliminated its cyber coordinator position, a group of Democratic lawmakers have filed a bill to restore the job.

The bill, introduced by Reps. Jim Langevin (D-R.I.) and Ted Lieu (D-Calif.), would establish a “National Office for Cyberspace” within the White House and create a director-level position appointed by the President and confirmed by the Senate. The office will serve as “the principal office for coordinating issues relating to cyberspace” and have responsibility over recommending security measures and budgets for federal agencies.

The bill so far has attracted 10 other co-sponsors, all Democrats.

Politico reported on May 15 that new national security advisor John Bolton eliminated the position following the departure of Rob Joyce, who had filled the spot since March 2017. Joyce, who left shortly after his boss Tom Bossert stepped down the day after Bolton started, has since returned to the National Security Agency, where he previously managed the agency’s elite hacking unit.

Langevin told FCW in a May 15 interview he was “very disappointed” in the Trump administration’s decision. Up until this point, he had been relatively pleased with the Trump administration’s cybersecurity moves, listing off positives like continuity with Obama administration initiatives, delivering a cyber doctrine, hiring Tom Bossert and Rob Joyce as homeland security advisor and cyber coordinator and nominating Chris Krebs to lead the Department of Homeland Security’s cyber wing.

However, he characterized the elimination of the cyber coordinator position as “a clear step backwards.”

“I think that’s a bad move. It’s a very shortsighted decision,” said Langevin. “In my mind, that decision was made by someone who clearly does not understand the threats we face in cyberspace and doesn’t understand that cybersecurity is the national and economic security challenge of the 21st century.”

Bank Info Security: SEC Fines Yahoo $35 Million Over 2014 Breach

Written By Jeremy Kirk

The U.S. Securities and Exchange Commission says Yahoo has agreed to a $35 million civil fine to settle accusations that it failed to promptly notify investors about a December 2014 data breach.

The enforcement action puts public companies on notice that the SEC doesn’t look kindly upon efforts to conceal or downplay data breaches.

Yahoo, which has renamed itself Altaba, has neither admitted nor denied the allegations – as is typical in such enforcement actions, the SEC says.

But the SEC says that despite Yahoo learning within days of a December 2014 breach that it had been attacked by Russian hackers, the search giant waited nearly two years to disclose the breach to investors. The regulator’s probe into Yahoo’s breach notification speed reportedly launched in December 2016 (see SEC Reportedly Probing Yahoo’s Breach Notification Speed).

“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” says Jina Choi, director of the SEC’s San Francisco regional office. “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”

Altaba couldn’t be immediately reached for comment.

The SEC’s enforcement action has been praised by some lawmakers. “Investors have a right to know whether companies are taking cybersecurity seriously,” says Rep. Jim Langevin, D-R.I. “[The] announcement of a $35 million fine in response to Yahoo’s failure to disclose its massive 2014 data breach is a long overdue first step toward providing real protections for investors. I agree that we should ‘not second-guess good faith exercises of judgment’ by executives, but the bias should be toward disclosing a breach, not burying it.”

Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned breach notification service, says that the $35 million fine will “surely cause organizations to think a bit more” about data security.

Many organizations publicly say that security is a top priority, but that often is not necessarily reflected in their IT spending, Hunt says. “There seems to be a degree of lip service [to security],” he says.

‘Crown Jewels’ Stolen

Yahoo disclosed the 2014 breach in September 2016 as it was negotiating its sale to Verizon. Due to the severity of the breach, Verizon closed its acquisition of Yahoo in June 2017 for $4.48 billion, around $350 million lower than the initial asking price.

Under the terms of the acquisition, Yahoo must pay half of all costs related to government investigations and third-party litigation. Yahoo did not carry cybersecurity insurance.

The December 2014 breach affected 500 million users. The SEC’s order says the stolen data included Yahoo’s “crown jewels,” including email addresses, user names, phone numbers, birthdates, hashed passwords as well as unencrypted security questions and answers.

Following the breach, Yahoo filed regular SEC reports in which it only outlined the risks of a data breach without disclosing that it had been attacked. The SEC alleged that Yahoo did not share information about the breach with outside auditors or counsel “in order to assess the company’s disclosure obligations in its public filings.”

The SEC adds: “Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors.”

Repeatedly Breached

Yahoo has a complicated breach disclosure history. After Yahoo disclosed the 500 million breached accounts in September 2016, it revised that tally in December 2016 to 1 billion accounts. It also said at that time attackers had forged cookies, allowing them to directly access some accounts.

In March 2017, four men, including two Russian FSB agents, were indicted on charges related to intrusions into Yahoo, Google and other webmail providers (see Russian Spies, Two Others, Indicted in Yahoo Hack).

Former Yahoo CEO Marissa Mayer told a Congressional committee in November 2017 that it was tough for any corporation to defend against nation-state attackers. She testified that Russian intelligence officers and state-sponsored hackers were responsible for sophisticated attacks on the company’s systems (see Former Yahoo CEO: Stronger Defense Couldn’t Stop Breaches).

“Even robust defenses … aren’t sufficient to protect against the state-sponsored attack, especially when they’re extremely sophisticated and persistent,” Mayer testified.

Just a month prior to Mayer’s testimony, Yahoo disclosed that a 2013 breach compromised virtually its entire user base, encompassing some 3 billion accounts (see Yahoo: 3 Billion Accounts Breached in 2013).

A class-action lawsuit against Yahoo is still winding its way through federal court in San Jose, California. Similar to the SEC’s allegations, the plaintiffs allege Yahoo waited too long to disclose breaches. Some of the plaintiffs allege the Yahoo breaches resulted in fraudulent charges on their cards and spam in their accounts (see Federal Judge: Yahoo Breach Victims Can Sue).

One of the four men who was charged, Alexsey Belan, has been accused of using his access to Yahoo to search for credit and gift card numbers. He has also been accused of using Yahoo account information to facilitate spam campaigns.

Executive Editor Mathew Schwartz also contributed to this report.

Federal Times: NIST publishes update to its cyber framework

The new version 1.1 of the Cybersecurity Framework, which was developed through public feedback collected in 2016 and 2017, includes updates to authentication and identity, self-assessing cyber risk, managing cybersecurity within the supply chain and vulnerability disclosure.

“This update refines, clarifies and enhances version 1.0,” said Matt Barrett, program manager for the Cybersecurity Framework. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the internet of things.”

NIST also plans to release an updated Roadmap for Improving Critical Infrastructure Cybersecurity later this year as a companion to the framework.

The NIST Cybersecurity Framework has featured heavily in recent government IT and cybersecurity initiatives, and received a callout in the White House IT Modernization report released in December 2017.

In a news release, Rep. Jim Langevin, D-R.I., applauded the update for keeping the framework relevant in the face of a changing cyber landscape:

“In the four years since its release, countless organizations have used the NIST Cybersecurity Framework to voluntarily assess their cybersecurity risk posture, identify gaps, and prioritize security best practices. As demonstrated by the Russian government’s targeting of our election systems, however, the cybersecurity threats to our critical infrastructure continue to evolve. Today’s release marks an important evolution of the Framework that will ensure it remains relevant as risk management practices change to keep pace with the threat.”

Langevin added that, while the framework now has many positive additions, the update process did miss out on an opportunity to offer more concrete guidance on ways to quantify risk.

Industry, too, offered support for the new changes.

“There’s a lot to like in the new Framework, but one area where they made big strides is on supply chain risk management,” said David Damato, chief security officer at Tanium.

“2017 was the year of the supply chain attack, with attacks from NotPetya to CCleaner originating with a breach of a company’s third-party partner. The increasing attention NIST is bringing to this issue, and the standardized language they offer, will go a long way in helping organizations better understand the risks associated throughout their supply chain.”

NIST plans to host a webcast on the updated framework April 27, 2018, and the framework will also feature heavily at the agency’s Cybersecurity Risk Management Conference in November 2018.