Tag Archive for: commission

“You need to beat all of us to beat one of us.” The US Cyberspace Solarium transitions to a not-for-profit. US Federal Trade Commission plans 2022 rule-making.


At a glance.

  • “You need to beat all of us to beat one of us.”
  • The US Cyberspace Solarium transitions to a not-for-profit.
  • US Federal Trade Commission plans 2022 rule-making.

National Cyber Director speaks at Cyber Beacon 2021.

The Cyber Beacon 2021 conference was hosted (virtually) by the National Defense University’s College of Information and Cyberspace, aka the “Cyber War College.” The US Department of Defense reports that recently confirmed National Cyber Director Chris Inglis appeared at the conference to discuss his new office’s objectives and undertakings. The goal of the office, he stated, is to “bring coherence, connectivity [and] leverage for all the parts that are already in this space, such that we propose, if you’re a transgressor in this space, you’ve got to beat all of us to beat one of us.” He went on to say that this approach marks a shift from how the nation has defended against cyberthreats in the past. “You need to beat all of us to beat one of us,” he stated, coining what some are calling a new motto.

Cyberspace Solarium Commission plans transition to not-for-profit organization.

The Cyberspace Solarium Commission closed out its term on Tuesday night and, as SC Media reports, the cybersecurity policy development effort accomplished what it set out to do, having codified approximately forty measures into law. With the commission’s term, agreed upon in the 2019 National Defense Authorization Act, now completed, leadership announced plans to convert the group into a nonprofit, affectionately called Cyber Solarium 2.0, in order to continue its work of pursuing recommended measures. Co-chairman Representative Mike Gallagher stated, “There’s no question it’s not going to be the same as 1.0…but I think because we’ve gotten the ball rolling with our colleagues…because we’re not starting from scratch. I’m still fairly confident that we’re going to be able to make progress next year.” That said, he admitted the group had already tackled most of the simpler measures, so future recommendations might be more difficult to codify. Future focus will be on Systemically Important Critical Infrastructure, as well as the establishment of a bureau of cyber…


Federal Trade Commission publishes final updated Safeguards Rule | Thompson Coburn LLP


On October 27, 2021, the Federal Trade Commission (“FTC”) announced significant updates to the Safeguards Rule. The FTC asked for comments on the Rule in 2019 and held a public workshop on the Rule in 2020. The Final Rule was published in the Federal Register on December 9, 2021. The Rule is effective on January 10, 2022; however, most of the substantive provisions of the Rule take effect a year from the publication date.

Per the final rule summary, the amended Rule contains five primary changes:

  • “First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption. 
  • Second, it adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies. 
  • Third, it exempts financial institutions that collect less customer information from certain requirements. 
  • Fourth, it expands the definition of ‘financial institution’ to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. This change adds ‘finders’ – companies that bring together buyers and sellers of a product or service – within the scope of the Rule.
  • Finally, the Final Rule defines several terms and provides related examples in the Rule itself rather than incorporate them by reference from the Privacy of Consumer Financial Information Rule (‘Privacy Rule’).”

Substantively, the amended Rule generally follows the approach outlined in the 2019 proposal with certain amendments and clarifications.

The 2021 changes to the Safeguards Rule passed by a 3-2 vote of the FTC, with the three “yes” votes coming from Democrats and the two “no” votes from Republicans. Commissioners Noah Joshua Phillips and Christine S. Wilson dissented. Commissioner Rebecca Kelly and Chair Lina M. Khan also released a joint statement. The split vote on the final Rule, as well as on the 2019 proposed Rule, reflects a change from prior rulemakings in the security…


Toronto Transit Commission still recovering from ransomware attack


IT staff at the Toronto Transit Commission (TTC) were still dealing with the effects of a ransomware attack on Saturday afternoon, approximately 40 hours after suspicious network activity was detected.

Asked if the TTC has determined how the attack started, and identified the strain of ransomware involved, Shabnum Durrani, head of corporate communications said, “We are still looking into the situation.”

She stressed that the impact on the bus and subway service of the nation’s biggest transit system has so far been minimal, although its Vision communications system, used to communicate with drivers, has been knocked offline. Operators have been forced to communicate with Transit Control by radio.

In addition, those needing to use the Wheel-Trans van service can’t book online. Instead, they have to phone to reserve a pickup.

Also offline is the TTC ‘next vehicle’ information service, which displays when the next bus or subway train will arrive on platforms and on trip planning apps.

The TTC’s internal email service is also offline. Durrani couldn’t say if the attackers were able to copy employees’ emails, nor could she say if any corporate data was copied. These issues are still being investigated, she said.

Durrani also wouldn’t say if the TTC has been in contact with the attackers. “I cannot comment on that at this time,” she said.

When asked if the TTC has brought in more IT resources to help investigate and restore service, she said the commission is working with other partners, and on the question of whether the Ontario government has been asked for help, she responded that “all levels of government are aware of the situation. We are working with the Toronto Police.”

She added, “The TTC has business continuity plans in place, but as you know, cyber attacks are evolving very quickly.”

Not the first attack on a transit system

A number of transit systems have been impacted by ransomware in recent years, noted Brett Callow, a British Columbia-based threat analyst for Emsisoft. These include British Columbia’s TransLink which was hit with a $7.5 demand late last year.

In 2016 San Francisco’s transit system was hit by ransomware,…


Federal Trade Commission Reaches Settlement with Zoom, Requires Improved Security for Users’ Personal Info


requires Zoom to live up to its privacy and security promises


BREVARD COUNTY, FLORIDA – Daily life has changed a lot since the pandemic started.

Because face-to-face interactions aren’t possible for so many of us, we’ve turned to videoconference for work meetings, school, catching up with our friends, even seeing the doctor.

When we rely on technology in these new ways, we share a lot of sensitive personal information. We may not think about it, but companies know they have an obligation to protect that information.

The FTC just announced a case against video conferencing service Zoom about the security of consumers’ information and videoconferences, also known as “Meetings.”

The FTC claimed that Zoom failed to protect users’ information in a variety of ways:

  • Zoom said it provided end-to-end encryption — a way to protect communications so only the sender and the recipient can see it — for Zoom Meetings. It didn’t.
  • Zoom said it secured Meetings with a higher level of encryption than it actually provided.
  • Zoom told users who recorded a Meeting that it would save a secure, encrypted recording of the meeting when it ended. In reality, Zoom kept unencrypted recordings on its servers for up to 60 days before moving them to its secure cloud storage.
  • Zoom installed software, called ZoomOpener, on Mac users’ computers. This software bypassed a Safari browser security setting and put users at risk — for example, it could have allowed strangers to spy on users through their computer’s web cameras. Or hackers could have exploited the vulnerability to download malware onto — and take control of — users’ computers. If users deleted the Zoom app, the ZoomOpener remained, as did these…
