The SEC had a busy day on cybersecurity Wednesday: It filed a complaint against a former bitcoin trading venue for failing to disclose a cyberattack and defrauding its users, and it announced updated cybersecurity guidance for public companies.
The new elements of the updated 2011 guidance emphasize that companies should maintain comprehensive cybersecurity policies that allow them to make “accurate and timely disclosures of material events,” and to prevent insider trading after a breach. Both of those issues came under the microscope following the massive Equifax breach: The company endured criticism for not swiftly disclosing the breach and faced allegations that executives sold stock around the time the breach was discovered, although the company’s investigation of the stock sales found no wrongdoing.
“The guidance highlights the disclosure requirements under the federal securities laws that public operating companies must pay particular attention to when considering their disclosure obligations with respect to cybersecurity risks and incidents,” SEC Chairman Jay Clayton said. “It also addresses the importance of policies and procedures related to disclosure controls and procedures, insider trading and selective disclosures.”
Democratic Commissioner Kara Stein, though, found fault with the updated guidance. She supported advancing it, but with reservations. She said the SEC could have done more, like exploring potential rules that would establish a timeframe for companies to disclose a breach to investors. “While it may have the potential of providing both companies and investors with incremental benefit, the guidance does not sufficiently advance the ball — even in the context of disclosure guidance,” she wrote. “Even more, it may provide investors a false sense of comfort that we, at the commission, have done something more than we have.”
Stein got backup on Twitter from Democratic Rep. Jim Langevin, co-founder of the Congressional Cybersecurity Caucus. “It’s good to see @SEC_News continue to place focus on #cybersecurity guidance,” Langevin tweeted. “However, I agree wholeheartedly with Commissioner Stein: there’s a lot more that can — and must — be done.”
HAPPY THURSDAY and welcome to Morning Cybersecurity! Anything that makes Rick Pitino unhappy makes your MC host the opposite. Send your thoughts, feedback and especially tips to email@example.com and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
NEW REPORT: DON’T HACK FOR CROSS-BORDER DATA — Law enforcement agencies developing their offensive hacking capabilities is not the solution to the problem of accessing data stored in other countries, according to a report out today from the New America think tank written by a pair of notable government officials. One author of the report is Matthew Noyes, director of cyber policy and strategy at the Secret Service and a major in the U.S. Army Reserve assigned to the cyber policy office within the Defense secretary’s office. The other is Jonah Force Hill, an internet policy specialist at the Commerce Department and a fellow at New America.
The traditional system for cross-border data requests, mutual legal assistance treaties, is struggling to keep up with data globalization, and some countries — notably China and the United States — are looking for answers in the wrong place, the report concludes as part of its sweeping look at data flow controls.
“Some governments are expanding their police power in a more problematic direction,” the report states, “by seeking to provide their law enforcement agencies with authority to forcefully infiltrate (i.e. to hack) the computer systems of companies overseas. Troublingly, these authorities are often granted with little regard for the laws of other countries or the privacy and property rights of foreign companies and individuals.” The approach also undermines global cybersecurity, the authors wrote.
INVEST TO BE THE IN-BEST — Increased federal spending on cybersecurity research may be the key to reducing cyber risk, the White House’s economic advisers told President Donald Trump in a report published Wednesday. The report ran the gamut of issues affecting the American economy and included a chapter devoted to cyber threats. “Direct government investment in [cyber] research may be a way to leverage economies of scale that ultimately benefit private firms across industries,” the Council of Economic Advisers said in the report. When research is left solely to the private sector, they said, “companies generally do not have incentives to share this basic research with each other, and this may result in duplicative investment efforts across companies.”
The report also praised the technical standards agency NIST’s cybersecurity framework, but it warned against being overly prescriptive with cyber standards because “they could be very costly to implement and thus lead companies to use a compliance-based rather than risk-based cybersecurity approach.” And in a nod to the intersection of economic security and national security, the report expressed concern about America’s “dependence on foreign workers and foreign companies to help meet much of the United States’ domestic cybersecurity needs.” The report said the discussion over the use of Russian cyber firm Kaspersky Lab’s products highlighted “the critical need to increase the domestic supply of cyber workers, and reduce American dependence on foreign cyber products.”
The report also mentioned only one cybersecurity bill — the Cybersecurity Disclosure Act. The bipartisan measure, which the report doesn’t take a stance on, would require public companies to disclose whether they have cyber experts on their board.
THIS TIME FOR REAL — Intel has fixed its initial buggy patches for the Meltdown and Spectre security flaws that stunned the world in early January. The patches cover the sixth, seventh and eighth generation of Intel’s Core processors for consumer devices, along with the newer-generation Core X products, according to a company blog post. They also protect Intel’s Xeon processors for enterprise data center products. “This effort has included extensive testing by customers and industry partners to ensure the updated versions are ready for production,” wrote Intel Executive Vice President Navin Shenoy, in a nod to the issues with its first round of patches.
TEAM-UPS ARE FUN — NATO’s cyber hub announced it’s partnering with the Munich Security Conference to put on a cybersecurity conference this May. The NATO Cooperative Cyber Defence Centre of Excellence — based in Tallinn, the Estonian capital, where the proposed summit would take place — is not part of NATO but is accredited by the military alliance. The conference would happen the day before the 10th annual International Conference on Cyber Conflict, or CyCon.
“We are proud to continue this partnership on the year that our center and our conference CyCon celebrate their 10th anniversary,” Merle Maigre, director of the NATO unit, said in a statement, noting that the center now has 20 nation-state members.
RECENTLY ON PRO CYBERSECURITY — A federal appeals court ruled the FBI improperly used a powerful kind of search warrant to hack into suspects’ computers and violated their Fourth Amendment rights. … Congressional Democratic leaders called for more than $300 million in new funding to help safeguard the 2018 elections against Russian meddling. … Special Counsel Robert Mueller filed new charges against former Trump campaign chairman Paul Manafort and aide Rick Gates. … President Donald Trump suggested the Obama administration should be under federal investigation for not stopping Russian efforts to interfere in the 2016 presidential election. … A new report found that artificial intelligence could fuel new security risks and make attacks more fragmented and difficult to track.
TWEET OF THE DAY — We’d like to think this person is the exception, not the rule, but…
— Among U.S. federal IT leaders surveyed, 57 percent said their agency had suffered a data breach last year, according to a new report out from security firm Thales today. That’s an increase from 34 percent in the 2017 report and 18 percent in 2016. Only 26 percent of non-U.S. government organizations said they had suffered a breach last year. Sixty-eight percent said they were either “extremely” or “very” vulnerable, another jump from the 2017 report, where 48 percent considered themselves that vulnerable. The new report also shows that most federal IT leaders are highly confident — 93 percent — that their budgets will increase.
— Raytheon’s cybersecurity “megatrends” report out today polls senior IT practitioners and finds that 82 percent believe an unsecured, internet-connected device will lead to a data breach in their organization. Sixty percent also predicted that nation state cyberattacks will get worse and might lead to cyber war.
— Scammers, likely from Nigeria, have been targeting Fortune 500 companies using phony emails to lure accounts payable personnel into fraudulent wire transfers, IBM X-Force revealed. The operation has resulted in the loss of millions of dollars, and focuses on credentials stolen from companies that rely on single-factor authentication, the company concluded.
— The Trump administration is contemplating sanctions in response to Russian election interference and last year’s NotPetya attack. Reuters.
— “Researchers say Kaspersky web portal exposed users to session hijacking, account takeovers.” SC Magazine.
— More on the insecurity of voting machines. New York Times Magazine.
— A Russian Embassy official confronted U.S. government security folk at a public event. CyberScoop.
— Microsoft’s technical design decisions have exacerbated a fight over email warrants, a Georgetown Law professor opines. Just Security.
— The severity of cyberattacks is increasing. The Register.
That’s all for today. Spoiler alert: This is near the ending of “Wrath of Khan.”
Stay in touch with the whole team: Cory Bennett (firstname.lastname@example.org, @Cory_Bennett); Bryan Bender (email@example.com, @BryanDBender); Eric Geller (firstname.lastname@example.org, @ericgeller); Martin Matishak (email@example.com, @martinmatishak) and Tim Starks (firstname.lastname@example.org, @timstarks).