ICD Brief 44.
05.06.2017. – 11.06.2017.
Our week’s global updates are dominated by expansion, competition, increased regulatory controls and more bi lateral and public private sector partner working agreements. In the US, the New SEC Enforcement Chiefs See Cyber Crime as Biggest Market Threat; Europe Strong on Cyber Hiring aims to increase hiring by 15% a year. Israeli firm Cyberbit is partnering with engineering firm IABG to Open Germany’s Advanced Cyber Range Training Facility. NATO, Leonard Team for Cybersecurity Initiatives to share cybersecurity information with private sector companies in NATO and allied countries. Rockstart About to Kick-Start Europe’s Largest AI Accelerator in Amsterdam.
The International Cybersecurity Dialogue (The ICD) was founded in 2012 by Anne Bader and Richard Stiennon to promote dialogue and a working relationship between technologists and policy makers in business, government and academe. Our goal is to add value while convening informal networks to enhance understanding and “Bridge the Gap.”
A year ago, most activity concerning cyber was still mired in plans and frameworks. In frustration, I decided to create a weekly newsletter to focus on what was working and share it with a few friends and colleagues. Today, our readers are in 42 countries and each comes to us through an introduction or reference. Articles are linked with a few including summaries.
“The education division of the government’s cybersecurity standards agency is days away from releasing a request for public input about how best to train the next generation of cybersecurity professionals, an official said Monday. The information request follows an executive order President Donald Trump released in May that required a report within four months with recommendations for how to grow and sustain the nation’s cybersecurity workforce in the public and private sectors.”
“By the end of June, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) will get a cousin focused on healthcare cyberthreats. The Department of Health and Human Services (HHS) plans to launch the Health Cybersecurity and Communications Integration Center (HCCIC) in the next few weeks, according to multiple reports. The HCCIC will likely involve increased investment in cybersecurity equipment and personnel for HHS and elevate the importance of cybersecurity within the department.”
“If the Homeland Security Department’s decision to cancel its $1.5 billion contract for agile services wasn’t shocking enough, the details of the missteps and problems the agency detailed in its “motion to dismiss” left long-time federal procurement attorneys and vendors with their collective mouths agape. DHS filed the “motion to dismiss” with the Government Accountability Office on May 26, saying it was cancelling the small business procurement known as Flexible Agile Support for the Homeland (FLASH) and thus ending the six-month series of awards and protests over the contract vehicle.”
“Homeland Security Secretary John Kelly told senators on Tuesday that he would review legislation to create a “bug bounty” program to probe vulnerabilities in the Department of Homeland Security’s (DHS) networks. The measure, introduced by Sens. Rob Portman (R-Ohio) and Maggie Hassan (D-N.H.), would establish a pilot program offering incentives for third-party researchers to find undiscovered vulnerabilities in DHS networks and data systems.”
“Hackers are increasingly breaking into brokerage accounts to steal assets or make illegal trades, prompting U.S. securities regulators to start tracking cyber crimes more closely, two newly appointed enforcement officials said in an interview on Thursday. On Thursday, the U.S. Securities and Exchange Commission named Stephanie Avakian and Steven Peikin as new co-directors of enforcement. In an exclusive interview ahead of the formal announcement, the two said they were deeply concerned about cyber threats and see the topic as a major enforcement priority.”
“The two countries will conduct joint cyber security exercises, among a raft of measures to secure critical infrastructure and bolster cyber security knowhow. Singapore and Australia are forging closer ties in cyber security through joint efforts to build a secure and resilient cyber space that will contribute to the progress of both countries.”
“Less than six months into his new role, the Australian Cyber Security Growth Network’s CEO Craig Davies is on a mission to ramp up the success of Australian-born cyber talent. Davies, who was previously the head of security for Australian startup darling Atlassian, wants to see a future where cybersecurity firms in Australia can “thrive and grow”.”
“To protect itself from cyberattacks, Estonia is about to open a “data embassy” outside its borders. The country’s critical infrastructure will be stored in Luxembourg, reports Isabelle de Pommereau from Tallinn.”
“The Czech Republic’s Parliament June 7 cleared an amendment to the country’s cybersecurity law that would subject hundreds more companies to strict security requirements and regulatory oversight. Under the present 2015 law, only critical infrastructure companies in the energy, transportation, water management, and banking sectors are obligated to manage cybersecurity risks and to report security incidents to regulators. The amendment expands those sectors to include financial market, digital, health services and chemical industry infrastructures, and adds a broad new category of digital service providers that includes online marketplace services, search engines, and cloud computing services.”
“The finals of the Czech National High School Cyber Security Competition organized by the Czech Cyber Security Working Group and a number of government, academic and professional organizations ended in June at the International Defense and Security Technologies Fair in Brno, Czech Republic. Twenty-nine students from 17 secondary schools took part in the finals.”
“The largest-ever global survey of over 19,000 cybersecurity professionals heads shown that European organisations are planning the fastest rate of cyber security hiring in the world. The survey conducted by (ISC)2′ showed 38 per cent of hiring managers across Europe wanting to grow their workforce by at least 15 per cent in the next year. This is despite the fact that two-thirds of organisations state that they currently have too few cybersecurity workers, as the region faces a projected skills gap of 350,000 workers by 2022.”
“The European Union unveiled proposals for joint military and security operations that it said won’t duplicate the role of NATO but would enable the region to be less reliant on the U.S. amid questions over President Donald Trump’s commitment to the trans-Atlantic alliance. In a wide-ranging options paper published on Wednesday, the European Commission floated the possibility of the bloc launching operations against terrorist groups and working with the North Atlantic Treaty Organization in areas such as maritime and cyber security.”
“Kaspersky Labs complains to the EU, claiming Microsoft deliberately obstructs third party vendors to the detriment of users and security. Kaspersky claims Microsoft is abusing its dominant position in the operating system market to stop people purchasing third party security software and boost Windows Defender. In complaints to both the European Commission (EC) and the German Federal Cartel Officer, the Russian cybersecurity firm alleges that the behaviour of Windows 10 and how it suppresses antivirus software eliminates choice, weakens protection and results in losses for both users and vendors.”
“IABG, the leading German engineering services and technology provider, and Cyberbit, the company protecting the world’s most sensitive networks, announced the planned opening of the country’s advanced cybersecurity training facility in June of 2017. The center, located at IABG Ottobrunn in the Munich area, will be managed by IABG and powered by the Cyberbit Range, the world’s most widely deployed cybersecurity training and simulation platform. The multi-year agreement between IABG and Cyberbit will help Germany in addressing the shortage in cybersecurity talent and developing a world-class cybersecurity workforce.”
“In his modest office in one of Budapest’s innovation parks, Szabolcs Kun reels off an eclectic list of clients: law firms, commodity traders, television celebrities and dealers in gemstones and precious metals. “Oh, and we recently got an inquiry from a top European football club,” he adds. All want the same thing: completely secure telephone calls.”
“If anybody understands a thing or two about cyber security, it is former National Security Agency director and former US Cyber Command commander General (reserves) Keith Alexander. The NSA, the official US government intelligence agency, is responsible for signals intelligence, global monitoring, and developing encryption and signals methods for foreign intelligence and counter intelligence. The NSA is also responsible for protecting US government communications and information systems against foreign penetration and cyber warfare. Alexander served in these positions for eight and a half years, before retiring in early 2014. He will visit Israel in order to take part as a special guest in the Rethink Cyber conference that will take place on June 25. Keith Alexander: These two countries realize that someone who can’t wage physical war will try to fight in the cyber sphere.”
“50 years after the Six Day War, Israel seems to be equally innovative as was back then. Veterans of elite units have founded companies such as Check Point Software, the cyber security group; ThetaRay, which combs big data to spot anomalies that might signal hacking or fraud at banks or power plants; and Windward, which analyses data on global shipping activity for hedge funds and other clients. Cyber security exports are worth upward of $4bn to $6bn a year.”
“Rockstart is about to kick off a new AI-focused accelerator in Amsterdam, with generous supports for European start-ups. The startups selected for by Rockstart will receive €20,000 cash and €80,000 of in-kind funding, office space in Den Bosch for the duration of the programme, support from mentors from relevant industries, and more than 50 perks and deals worth some €600,000.”
“Global defense and cybersecurity company Leonardo has signed an Industrial Partnership Agreement (IPA) with the NATO Communications and Information Agency (NCI Agency) to share cybersecurity information with private-sector companies that operate in NATO and allied countries in order to mutually enhance situational awareness and the protection of NATO’s networks and systems.”
“Just when the cybersecurity world thinks it’s found the limits of how far Russian hackers will go to meddle in foreign elections, a new clue emerges that suggests another line has been crossed. Even now, nearly a year after news first broke that Russian hackers had breached the Democratic National Committee and published its internal files, a leaked NSA document pointing to Russian attempts to hack a voting-tech firm has again redefined the scope of the threat. Taken with the recent history of Russia’s digital fingerprints on foreign elections, it points to a disturbing trend: Moscow’s habit of hacking democratic processes has only gotten more aggressive and technically focused over time.”
“If you’re a Russian cybersecurity firm these days, you’re not going to be very popular in some circles in the United States. In fact, just this month, top US intelligence chiefs have publicly expressed doubts about the global cybersecurity firm, Kaspersky Labs, because of its roots in Russia. The statements come hot on the heels of the “WannaCry” virus attack which left critical organisations in over 150 countries – including Russia – reeling from the effects of the malicious “ransomware.”
“CheckRecipient was announced winner of the Most Innovative, Small Cyber Security Company of the year at Infosecurity in London. Twenty small cybersecurity companies showcased their products in thought leadership presentations at the UK Cyber Innovation Showcase Theatre at Infosecurity Europe in April in hope to win one of fourteen prized exhibitions stands at the UK Cyber Innovation Zone. The four finalists that got through to the final (CheckRecipient, iProov, Immersive Labs and Dynarisk) then attended the Most Innovative Small Cybersecurity Company competition on the 7 June 2017 at Infosecurity, where expert judging panels chose the final competition winner.”
“On 5 June, in the wake of the third terrorist attack in the UK in as many months, UK prime minister Theresa May declined to rule out using Chinese-style censorship to help control the web. “What we need to do is see how we can regulate,” she told the Evening Standard. For tech firms, already shackled by the UK’s new spy law, the Investigatory Powers Bill (IPBill), it was likely a shocking admission. This week, during a keynote at 2017’s Infosecurity conference in London (6 June), two security experts addressed the controversial subject head-on.”
“Cybersecurity insurance has been gaining prominence over the past couple years across a variety of sectors. Now it’s poised to be the next big thing for consumers. For a barometer, look no further than American International Group Inc.’s newest consumer product called Family CyberEdge. According to AIG executives who spoke to press, it “offers coverage for expenses that arise from online bullying, extortion and other digital misdeeds.” They said Family CyberEdge would include “public relations and legal services, as well as at-home assessments of family electronic devices.”
“Public agencies and businesses around the world are making cyber risk a top priority. Insuring companies against data breaches is becoming a huge industry even as its nascent role and impact in security operations continue to unfold. North American policyholders dominate the market, but Europe and Asia are expected to grow rapidly over the next five years due to new laws (e.g., EU data privacy regulations) and significant increases in targeted attacks like ransomware. Various experts predict the $3 billion global cyber insurance market will grow two-, three-, or even four-fold by 2020.”
“Insurance companies are worried more than ever about cybersecurity, which is rated one of the top three risks the global industry faces for the first time in a recent survey. Insurance Banana Skins 2017, published last week by London-based think tank the Centre for the Study of Financial Innovation, is the sixth biennial survey of its kind, conducted with support from professional services firm PwC. The survey, of 836 insurance practitioners and observers in 52 countries, found growing levels of anxiety in the industry.”
“After the huge Target breach of 2013, you’d have thought retail companies would have figured out how to protect their cash register systems from malware that attempts to steal customers’ data. Then came Home Depot. Then Neiman Marcus. Then Wendy’s. In the past few months, Chipotle, Arby’s and Kmart were all hit. Why are these attacks still happening?”
“With the ‘economy’ for stolen data exploding, it should be easy to inform the government of cybersecurity vulnerabilities. But security researchers are complaining that is not the case. Speaking to BSides London, industry veteran Chris Kubecka said it is too difficult to contact both the private and public sector to safely inform them if their systems are at risk.”