Two tech behemoths this week took a series of steps to bolster their cybersecurity posture. Here’s a look:
— FACEBOOK BRINGS ON CYBER POLICY CHIEF: Reeling from its role in the spotlight of the 2016 Russian interference campaign, Facebook stepped up its focus on cybersecurity by tapping Nathaniel Gleicher, a former White House cyber official, as its first director of cybersecurity policy. “We’re pleased that Nathaniel joined us recently to help support our security efforts,” a Facebook spokesperson told MC. Gleicher will join Facebook’s product policy team, working closely with executives and the social media giant’s security engineers to design security policies.
The move fits with Facebook’s previous announcements about recruiting more security employees as it grapples with objectionable content from ISIS propaganda to fake news. On Tuesday, Facebook invited people to submit proposals for ways to combat phishing and other security threats to the broader internet, promising up to $100,000 per project. CyberScoop first reported that Facebook had hired Gleicher, who was previously the head of cybersecurity strategy at Illumio.
— GOOGLE DEBUTS CYBERSECURITY OUTFIT: Alphabet, the parent company of Google, announced Wednesday that it has formed a new cybersecurity company called Chronicle. Details on how it would go about its business were a little vague but it did offer some overarching goals and specifics on what it plans to bring to a crowded marketplace.
The problem, according to Stephen Gillett, who will lead the new company, is that hackers sometimes go unnoticed in networks for months. So Chronicle wants to increase “the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find,” he wrote. “Chronicle has a significant asset: We’re building and running it on the same fast, powerful, highly scalable infrastructure that powers a range of other Alphabet initiatives that require enormous processing power and storage.”
The company also will fold in the services of malware intelligence unit VirusTotal, which Alphabet purchased in 2012. Chronicle has been consulting with Fortune 500 companies on its new venture, some of which are testing a preview release of its cybersecurity intelligence platform, wrote Gillett, a former chief operating officer at Symantec.
HAPPY THURSDAY and welcome to Morning Cybersecurity! Longtime readers of MC are familiar with your host’s preference for humanity’s eventual overlords: octopuses, not robots. This is a reminder to technologists: Please stop teaching robots how to do things, like crawl. Send your thoughts, feedback and especially tips to email@example.com and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
WATCH LIVE TODAY AT LUNCH — Driverless Cars: Who’s Making Sure They’re Safe — At the Washington Auto Show, POLITICO will host a live panel to compare approaches on autonomous vehicle regulation. Speakers include Gov. Rick Snyder (R-Mich.) and Heidi King, National Highway Traffic Safety Administration deputy administrator. TODAY, Jan. 25 at noon. Livestream: here.
BREACHES ON THE RISE, PART I — Cyber incidents targeting businesses nearly doubled in 2017 compared to 2016, totaling 159,700, according to a report out this morning from the Online Trust Alliance. The big reason? Ransomware, the organization concluded. Ransomware incidents also doubled to 134,000 from 2017 to 2016. “Surprising no one, 2017 marked another ‘worst year ever’ in data breaches and cyber incidents around the world,” said Jeff Wilbur, director of the OTA initiative at the Internet Society. “This year’s big increase in cyberattacks can be attributed to the skyrocketing instances of ransomware and the bold new methods of criminals using this attack.” Another report finding: 93 percent of all breaches could’ve been prevented with easy steps such as updating software.
BREACHES ON THE RISE, PART II — A survey out today found that 36 percent of organizations suffered a data breach within the past year, a leap from the last such survey when 27 percent said they had been breached. The report from Thales and 451 Research also explored organization’s attitudes toward encryption: 44 percent say it’s a top tool for increased usage of the cloud, 35 percent believe it’s essential for adoption of big data, and 48 percent say it’s the No. 1 tool for securing internet-connected devices.
But other poll results suggest companies are relying on old-fashioned security methods in response to the threat, the report concludes. “While times have changed, security strategies have not — security spending increases that focus on the data itself are at the bottom of IT security spending priorities, leaving customer data, financial information and intellectual property severely at risk,” said report author Garrett Bekker, the principal security analyst for information security at 451 Research.
FERC EXPANDS REACH OF CYBER REGULATIONS — The Federal Energy Regulatory Commission is taking action to include a broader range of vital power plant assets in its cybersecurity rules. FERC’s new “Reliability Standards,” which were formally posted in the Federal Register for public comment today, will require electric companies to apply the agency’s cyber risk management requirements to three new types of assets: Electronic Access Control and Monitoring Systems, Physical Access Controls and Protected Cyber Assets. “There remains a significant cyber security risk associated with the supply chain,” FERC said in the new rulemaking document, because the current Reliability Standards exclude those three categories of systems. FERC noted that Electronic Access Control and Monitoring Systems are among a plant’s most sensitive assets because, if compromised, a hacker could “gain control” of power systems without physical access.
HACK FOR THE GOLD — The Russia-linked hacking group “Fancy Bears’ HT” is claiming to have dumped documents from the International Luge Federation onto the web. The group, which might be related to the infamous group Fancy Bear, released the emails and other documents, which it claims show violations of anti-doping rules, and comes just a few weeks before the Winter Olympics kick off in South Korea. Cybersecurity firm ThreatConnect earlier this month warned that the international event was being targeted after the group released emails that appeared to belong to officials from the International Olympic Committee. “While we cannot verify the legitimacy or provenance of those leaked emails, ThreatConnect has identified spoofed domains imitating the World Anti-Doping Agency (WADA), the U.S. Anti-Doping Agency (USADA), and the Olympic Council of Asia (OCASIA),” the company wrote in a blog post.
RECENTLY ON PRO CYBERSECURITY — Top Republicans on the House Energy and Commerce Committee want tech companies to explain why they embargoed news of two chip security flaws for months. … The Army Reserve hopes to boost its cyber skills by tapping into Silicon Valley and other tech hubs.
TWEET OF THE DAY — Same.
— Metrolinx, an Ontario transit agency, said North Korean hackers launched a cyberattack against it. CBC.
— Electron, a popular web application writing platform underlying some extremely widespread software including Skype and Slack, is vulnerable to a critical remote code execution vulnerability. CyberScoop.
— The Pentagon should consider waiving some standards to recruit cyber soldiers. War on the Rocks.
— The military is holding an industry day next week for developing a cyber training exercise. CyberScoop.
— A report found that projects supported by initial coin offerings face a lot of cyberattacks. Reuters.
— The PCI Security Standards Council announced a new standard for secure applications supporting PIN entry on mobile device screens.
That’s all for today. Baby robot overlords. Just creepy. (h/t to POLITICO’s own Maggie Chan, who shares my fear of Skynet, for the crawling robot link.)
Stay in touch with the whole team: Cory Bennett (firstname.lastname@example.org, @Cory_Bennett); Bryan Bender (email@example.com, @BryanDBender); Eric Geller (firstname.lastname@example.org, A@ericgeller); Martin Matishak (email@example.com, @martinmatishak) and Tim Starks (firstname.lastname@example.org, @timstarks).