In this month's NewsJacker episode, Mike covers the InfoSec news you need to know in 7+ minutes.
IT Security Events
- Twitter Deleted 10K Bot Accounts before the Midterm Election
- Healthcare Orgs Lacking Full Cybersecurity Programs
- U.S. Prepares for Cyber Attack
- Proposed Data Privacy Law Targets Execs
- Social Media Privacy and Gun Background Checks
Greetings again, from fabulous Bremerton, WA. Here in Kitsap County, we're part of WA Congressional District 6, which has one of the highest concentrations of military anywhere in the country. It’s intentional we are here—because fundamentally the problem we solve for our customers is a people problem, and we therefore have inherited that responsibility.
Transitioning military is a huge resource and differentiator for us. We have Navy, Army, Air Force, Marines, and US Coast Guard in our SOC operation, and we're really proud of that. I didn't serve; this is how I serve.
On to the news. Today we’re going to talk politics, privacy, and stick around for one of my favorite phrases, “collateral cyber damage.”
Events around the Midterm Elections
Starting with a Couple Events around the Midterm Elections: Prior to the midterm vote, it seems Twitter deleted more than 10,000 accounts that sought to discourage US people from voting. This is a little teeny drop in a very large bucket. Twitter in particular seems to have trouble knocking down all the bot and Russian troll activity, despite it being right out in the open—c’mon Jack. Bigger problem: voter gullibility, but that’s not my swim lane. Facebook also set up a ‘war room’ to review and remove content, but that seemed to be more PR move than seriously addressing the problem.
Also, around the election, there’s been a lot of talk about our need to elect fewer lawyers, and start thinking about people that have backgrounds in technology. Problematically, our ability to create policy around technology severely lags the rate of change of technology itself, and this is going to bite us. It already has. We got 9 new lawmakers with backgrounds in STEM, which is another small drop in a large bucket, but the change is going in the right direction.
Health Sector and Regulatory News
A poll of 618 health sector organizations suggests that about 30% don’t have full IT security programs. Covered entities are still checking many of the compliance boxes, but the requirement for a CISO—someone responsible and accountable for IT security who routinely reports to an executive committee—is a foundational step that is going unaddressed.
This is not surprising, given the difficulty many health organizations have in just keeping the lights on… but it’s also another example of management by landmine. The inevitable event will occur, and the lack of leadership and reporting is not going to be received well, once the toothpicks and q-tips come out in a regulatory audit.
As an aside, this has made the ‘virtual CISO’ quite popular, and a way of meeting requirements while managing costs of recruiting and retention. Which, by the way, is one of the reasons I created Critical Insight—I don’t want to see all of those organizations go without a CISO, whether they be virtual or not.
Also—check out our CISO acquisition checklist downloadable from the criticalinsight.com site. With all the consolidation going on in the health sector right now, this is a bit of guidance that may help you avoid inheriting an IT security nightmare as you expand your network of clinics or hospitals.
Finance Sector News
The SEC is getting serious about enforcing IT security as it relates to internal financial controls and fraud activity. We’ve talked here before about New York’s statute for the financial sector, the FTC as an enforcement vehicle using ‘deceptive trade practices’ as a hammer, the FFIEC examiners looking hard at third party security management and efficacy, and now here comes the SEC.
The report released on October 26 articulates the SEC’s new strategy to enforce the Exchange Act’s internal control provisions against public companies that fail to adjust their controls to account for the pervasive use of digital technology that has increased the risk of cyber fraud. Essentially, this means that public corporations need to start using the fraud detection controls that banks routinely use.
Nation-State and Military
The US has prepared plans for a cyberattack against Russia. More correctly, we let it be known that we’d specifically prepared a response for signs of election tampering. More significantly, US assets were authorized to start establishing the beach head – gaining access to systems, so that if we needed to ‘pull the logical trigger,’ everything would be in place. Did that serve as any type of deterrent? I guess we’ll never know, but the new norm is now upon us. If you cyber us, we’re going to cyber you right back, and it will be worse.
Along those same lines, the US has actually conducted a drill to determine our course of action during an all-out cyberattack by the Chinese government. This could take on different forms – my favorite is large-scale financial fraud using data collected over the numerous breaches over the past years including the Office of Personnel Management… everyone starts simultaneously having problems with credit accounts being opened, inaccessible funds, and more.
The consensus is that if and when we retaliate, the private sector is going to feel the brunt of these actions, and there’s a reluctance from the private sector to allow the military to escalate… the military says yes, business says please don’t. My takeaway – get used to the term, “collateral cyber damage”.
Privacy and Surveillance
New York lawmakers have proposed legislation to give law enforcement the authority to review 3 years of social media and internet search history before allowing them to buy a firearm. Would that make our militias ‘well-regulated’? No, but the intent is clear here – keep firearms out of the hands of those that would do harm to innocent people. Privacy-wise it sounds creepy on the face of it, as I assume this would involve review of materials and activities that people have NOT made public. Expect to see this go up through the courts.
Finally, Senator Wyden has proposed legislation that would make company executives subject to criminal fines and imprisonment in the unregulated market for private data. If a consumer opts out of having his/her data sold and it happens anyway, executives can be “fined not more than $5,000,000 or 25 percent of the largest amount of annual compensation the person received during the previous 3-year period from the covered entity, prisoned not more than 20 years, or both”.
This is a real sign of the times – consumers are fed up with being constantly mined for information that makes us more compliant consumers. This is a great idea, and probably won’t be turned into law. But combine with more tech-savvy lawmakers and this is not going away (and it’s about time).
Exclusive: Twitter deletes over 10,000 accounts that sought to discourage U.S. voting
The US desperately needs tech-savvy lawmakers but the midterms are unlikely to deliver
Only 29% of Healthcare Entities Have Full Cybersecurity Program
The CISO's Checklist for Mergers and Acquisitions [Webinar Recording, White Paper]
SEC Poised to Ramp up Cybersecurity Enforcement
The Pentagon has prepared a cyber attack against Russia
How the U.S. might respond if China launched a full-scale cyberattack
New York Lawmakers Want Social Media History To Be Included In Gun Background Checks
Proposed data privacy law could send company execs to prison for 20 years