TAG Cyber Law Journal

CyberInsecurity News has merged with TAG Cyber. We will continue to bring you news lawyers and their colleagues need to know, only now as part of a growing leader in this exciting field. 
March 2020
Beware of Coronavirus Hooks—They Could Be Traps
Hackers are taking advantage of the global obsession with one virus to implant another in the computers of nervous individuals looking for the latest on COVID-19. One scam promises that you can download the popular Johns Hopkins coronavirus tracking map. But following the directions will infect your computer. Similarly, emails that appear to be from the Centers for Disease Control (but are not) ask people to click a link for more information about the virus. Other emails ask people to click links for information about cures. Read more from MarketWatch.
10 Things In-House Lawyers Need to Know to Deal with the Coronavirus
Use the crisis to lead your troops. Get good, accurate information. Take care of your employees. Look over all of your important contracts. Check your insurance. Plan for the way the virus will affect your litigation schedule. Figure out what you need to communicate to your shareholders and how you will do that. (Virtual shareholder meeting?) Establish procedures for working from home. Decide how to handle privacy and security issues, especially as they relate to employee health. Read more from Ten Things You Need to Know As In-House Counsel.
Almost Half of Cloud Databases Aren’t Encrypted

Cloud technology is often marketed as a great way to instantly upgrade security. But a report released last month by Palo Alto Networks raised serious questions about just how secure a move to the cloud is. Palo Alto found that vulnerabilities are common because the technology is often riddled with misconfigurations. In fact, misconfigurations were the cause of 65 percent of cloud incidents, the firm’s research showed. And what causes these problems? In a word, automation. Companies are building the technology with infrastructure as code (IaC) templates. There’s nothing wrong with that, Palo Alto said, as long as the right building tools and processes are used. When they’re not, the results are “rampant vulnerabilities.” Two additional statistics were eye-opening: 43 percent of cloud databases are not encrypted, and 60 percent of cloud storage services have logging disabled. Read more from Palo Alto Networks.
Are You Ready for the CCPA ... uh CPRA?
Now that you know something about the California Consumer Privacy Act (CCPA), are you up to speed on the law that could replace it? Alastair Mactaggart, the California real estate magnate turned privacy advocate, was the individual most responsible for pushing his state’s legislature to pass the CCPA in 2018. His leverage then was a ballot initiative he was backing that forced the tech companies and pols to come up with a bill that he would accept in return for withdrawing his initiative. Now he’s collecting signatures to put his new California Privacy Rights Act (CPRA) on the ballot in November. The biggest single change: it would create a standalone agency called the California Privacy Protection Agency that would take over rulemaking from the attorney general’s office, which is still finalizing enforcement for the CCPA. If you’re feeling dizzy, there will be time to catch your breath. If the bill makes the ballot and passes, it won’t go into effect until 2023. Read more from Protocol.
Alastair Mactaggart
The Crypto Wars Return to Capitol Hill
The U.S. Department of Justice has given up hope of negotiating an agreement with tech companies over encryption. The federal government hasn’t convinced companies to build backdoors that law enforcement can use to break into devices used by terrorists and criminals, even after politicians warned tech moguls during congressional hearings in recent months that if they failed to agree voluntarily, legislation would force their hands. And so the Justice Department has called off the talkfest and turned its attention back to Washington, hoping that Congress will legislate what the lawyers were unable to negotiate. Read more from The Washington Post.
The Debate over Section 230
Section 230 of the Communications Decency Act of 1996 has been getting a lot of press over the past several months. It’s been controversial for years, but in a geeky way that hasn’t proved a hot topic at cocktail parties. It likely never will be, but it’s surely a sign of something that it’s entered the conversation in the Democratic presidential campaign. Joe Biden complained that political ads running on Facebook contained false information about him, yet Facebook refused to reject them. The company knew it was protected by Section 230, which shields internet companies from liability for hosting content produced by third parties. In the wake of this dispute, the issues were given a higher profile airing than they have for some time. And boosters of both sides had a chance to weigh in. Read more from TechRepublic.
February 2020
DC 2018 Cybersecurity Report Still Hasn’t Been Released
By now we’re used to hearing about politicians’ power struggles and tussles with the media in Washington, D.C. But the battle over a cybersecurity report that was supposed to be released more than a year ago still left observers shaking their heads. In January, two members of the DC Homeland Security Commission publicly questioned the refusal by District leaders to release the 2018 Commission report that, by law, was supposed to be made public. After months of inquiries from NBC4 (WRC-TV) in Washington, District leaders insisted that the reason they were withholding the report was security concerns after the country’s recent conflict with Iran. Read more from NBC4.
State Cyber Security Coordinators
A new bill called the Cybersecurity State Coordinator Act of 2020 would assign to each state a cybersecurity coordinator to prepare for, respond to and remediate cyberattacks. The program would be housed in the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and CISA would appoint the coordinators. The bill was introduced in January by a bipartisan group of four U.S. senators. The impetus was the group’s concern that, without assistance, the states lack the knowledge, skill and resources to protect their systems. Read more from MSSP Alert.
Pentagon Rolls Out New Cyber Security Rules for Industry
At the end of January, the Defense Department announced that companies will have to adhere to new standards if they want to work for the Pentagon. The new Cybersecurity Maturity Model Certification is aimed at pressing firms to better protect their networks from cyberattacks and theft by foreign adversaries. The rules will only apply to new contracts and will be phased in over the next five years. Companies will be placed in different tiers depending on the work they do. Those in tier one will have to meet only the lowest standards while tier five companies will be required to meet the highest. Read more from National Defense.
Successful CEO Scams in Denmark
So-called CEO fraud scams have been growing globally. Three in quick succession last year seemed to have been conducted by the same hacker, and each netted millions of dollars from companies in Denmark. Here’s how they worked. A partner or subcontractor who worked with a target company was compromised. The hacker followed the correspondence between the target and the business partner, and noted when they reached an agreement on an amount for a service. The hacker then created a fake URL and forwarded an invoice with his own account number to the buyer. After receiving the money, the hacker continued to monitor communications between the business partners to delay their recognition that they had been defrauded. Read more from Nixu Cybersecurity.
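The invoice-swap pattern described above is the kind of thing an accounts-payable or security team can screen for before money moves. The following is an added illustration, not code from the article or from Nixu; the vendor master record, the sample invoices, and the treatment of the article’s “fake URL” as a lookalike sender domain are all constructed assumptions.

```python
"""Screen an incoming invoice for the two red flags in the Danish CEO-fraud cases:
a sender domain that imitates a known partner, and a beneficiary account that
differs from the one verified when the vendor relationship was set up.

Added example, not the article's or Nixu's code. All records below are constructed.
"""
from dataclasses import dataclass
import difflib


@dataclass
class Invoice:
    sender_address: str   # From: address the invoice arrived from
    vendor_name: str      # vendor named on the invoice
    bank_account: str     # beneficiary account printed on the invoice
    amount: float


# Constructed vendor master: domain and account confirmed out-of-band (by phone,
# on a number from the contract, not from the email) when onboarding the vendor.
VENDOR_MASTER = {
    "Nordic Parts A/S": {
        "domain": "nordicparts.dk",
        "account": "DK50 0040 0440 1162 43",
    },
}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, trusted: str, threshold: float = 0.8) -> bool:
    """True when the domain is close to, but not identical to, the trusted one
    (e.g. nordic-parts.dk or nordicpart.dk against nordicparts.dk)."""
    if domain == trusted:
        return False
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= threshold


def screen_invoice(inv: Invoice, master=VENDOR_MASTER) -> list:
    """Return human-readable findings; an empty list means no red flags."""
    findings = []
    record = master.get(inv.vendor_name)
    if record is None:
        return ["unknown vendor: verify by phone before paying"]

    sender_domain = domain_of(inv.sender_address)
    if sender_domain != record["domain"]:
        if is_lookalike(sender_domain, record["domain"]):
            findings.append(
                f"sender domain {sender_domain!r} imitates vendor domain {record['domain']!r}"
            )
        else:
            findings.append(
                f"sender domain {sender_domain!r} does not match vendor domain {record['domain']!r}"
            )

    # Compare accounts with spacing removed so formatting differences don't hide a swap.
    if inv.bank_account.replace(" ", "") != record["account"].replace(" ", ""):
        findings.append(
            "beneficiary account differs from the account on file: "
            "confirm the change by phone on a known number"
        )
    return findings


# Constructed sample invoices: one genuine, one of the kind the article describes.
GENUINE = Invoice("billing@nordicparts.dk", "Nordic Parts A/S",
                  "DK50 0040 0440 1162 43", 2_400_000.0)
FRAUDULENT = Invoice("billing@nordic-parts.dk", "Nordic Parts A/S",
                     "LT12 1000 0111 0100 1000", 2_400_000.0)

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("fraudulent", FRAUDULENT)):
        print(label, screen_invoice(inv) or ["no findings"])
```

The account check is the one that matters most: the attacker in the article kept the real vendor, the real amount and the real conversation, and changed only where the money went.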
January 2020
5 Cybersecurity Trends for 2020
As companies move more data into the cloud, security there is growing. Cloud-based platform sales are expected to hit $450 million in 2019. Look for rising sales in 2020. As cyberattacks have multiplied, data encryption has become more important to companies. A recent study showed that 45 percent of companies surveyed have an encryption strategy that’s applied consistently across the enterprise. And that will grow. The cyber insurance market also looks ready to explode. It stands at about $2.4 billion in premiums in 2019, but that should double or even triple in 2020. Read more from Entrepreneur.
The Decade in Cybersecurity
This was the decade when cybersecurity went mainstream. It became a household word. And even some phrases were recognizable. Like the phrase of the decade: We take your privacy and security seriously. And the excuse of the decade: Sophisticated attackers bypassed security controls. The latter part of the decade was known for ransomware attacks. WannaCry and NotPetya were the champions. The hacks that had the biggest impact victimized Target, the Office of Personnel Management and Sony. Read more from Forbes.
The Year’s Biggest Stories in Cybersecurity
The stories that stand out are not necessarily new, but their impact continues to be felt. Start with Russia’s interference in the 2016 presidential election. The hacking and disinformation campaigns continue to influence politics in the United States in multiple ways, including the impeachment of the president. Add to that the threat from China. The United States is still absorbing the impact of China’s vast theft of intellectual property from U.S. companies. And that background has played a role in the fear that Huawei’s participation in the creation of the coming 5G infrastructure could lead to another cybersecurity disaster. Read more from The Washington Post.
The Marriott Hack Has Spurred Innovation
The hack of Marriott and other big hotels has demonstrated how vulnerable personal data may be when people travel. More than 22 million Americans have reported that they were victims of cyber crime at hotels. This has created opportunities for cybersecurity vendors to provide services to protect them on the road (and beyond). And hotels see an opportunity to separate themselves from their competitors. The Martinique Hotel, part of Hilton’s Curio Collection, is planning to test a pilot program in 2020 in collaboration with Cino Ltd. and Strikeforce Technologies. Read more from Skift.
December 2019
Lessons from the Huge Ransomware Attacks in Texas
In August, there was a massive and coordinated ransomware attack in Texas. In all, 23 small cities were hit in a single day. Looking back, cybersecurity experts pointed out lessons that should be learned from these attacks—lessons that can benefit towns and companies anywhere. The cities all had incident response plans—and they implemented them. Each city had an agency that was affected, and an important part of the response was that they communicated with, and were supported by, 10 government entities. The Texas Department of Information Resources communicated advice that proved helpful. And the cities all refused to pay the ransom. Read more from TechRepublic.
More Countries Inclined to Limit Huawei’s Participation in 5G
The United States government has been working hard to try to convince other countries to block Huawei from contributing to the next-generation 5G telecom network. But the U.S. argument that Huawei would provide the Chinese government with a conduit it could use for spying or cyberattacks seemed to be falling on deaf ears. Until recently, that is. In November, the European Union, the German parliament and Brazil’s national security body all adopted measures that seem to be moving closer to aligning with the U.S. position. And there were signs that Canada may yet do the same. Read more from The Washington Post.
Another Way to Think About Cybersecurity Training
Analogies can be useful tools for cybersecurity training. And this applies not only when a trainer is trying to simplify a complex topic for the individuals being trained. Analogies can also help clarify issues for the people doing the training. For example, if you were home alone with your young child, and she answered the door when you were in the shower because she’d never been told this was dangerous, what would you do? Would you scold and punish her? Well, according to one expert in the field, too often companies fail to properly train their employees and then punish them if they click on a dangerous link. Rather than a punitive approach, companies would do much better to try one that incentivizes good behavior. Read more from Security.
A Blasé Attitude Toward Cybersecurity?
Testimony in November during the House impeachment hearings underscored what national security experts have long worried about as an obvious weak link. President Trump and some of his top advisers and diplomats often conduct important telephone conversations on unsecure phones. A prime example was the one he engaged in with Gordon Sondland, his ambassador to the EU, who testified at the hearings that he was talking to Trump on his cell phone while sitting with others at a crowded restaurant in Kyiv. The subject, he said, was pressuring Ukraine to investigate former Vice President Joe Biden. Read more from The Washington Post.
Gordon Sondland
November 2019
With All the IT Turnover, Better Hire the Right CISO
It’s no secret that it’s hard to hire and keep employees in tech. What’s most worrisome is that it’s particularly hard to hold onto a key employee who is central to the entire operation: the chief information security officer (CISO). A recent report found that, on average, a CISO sticks around for only 18 to 24 months. Their most common reasons for leaving? Stress and the urgency of the job. And it’s no wonder. The demands on them are increasing as the role itself is expanding. These days, companies often expect the CISO to make presentations to the board, and to speak to them about cybersecurity in terms of business performance. Given these pressures, it’s more important than ever for companies to make the right choice when they hire a CISO. Read more from CNBC.
Think IoT Devices Are Tricky? Think About the Military
A lot has been written about the cybersecurity risks associated with internet-connected devices. And there are plenty of concerns about the so-called internet of things (IoT) at companies. But they pose a different level of concern when they’re used by the military. Though the armed services can scarcely avoid them, one big problem is that the military has virtually no control over the security built into them. At a recent panel discussion on this topic, the participants expressed no hope that the situation will change soon. “As cybersecurity practitioners,” said speaker Jean-Paul Bergeaux from Guidepoint Security, “what we need to do is to put IoT in a place that separates it from what is important, to continue to ‘DMZ’ it off, and treat it as a hostile device.” Read more from Signal.
Above: Cyber experts (l-r) Will Bush, Jean-Paul Bergeaux and Lisa Lee discuss the risks of IoT devices during AFCEA Quantico-Potomac’s Annual Cyber Security Panel event on Oct. 31.
Tax Credits for Investing in Cybersecurity?
John Leitch has an idea that he thinks could help small businesses improve their cybersecurity. He believes the government should offer tax incentives to encourage them to invest in this area. And he points to two laws Maryland passed recently that could serve as national models. Leitch isn’t a lobbyist. He’s the CEO of Winquest Engineering Corporation in Maryland. And his company offers cybersecurity services as part of its business. He knows that small businesses are particularly vulnerable to attack, and yet they rarely seem to do anything about it. With some financial encouragement from the government, he thinks that could change. Read more from PR Newswire.
Congressman Charles Ruppersberger (D-Maryland) and (right) John Leitch
Capture the Flag
On October 11, which was Cyber Security Awareness Day, Central Michigan University hosted events to encourage students to consider a career in the field. In addition to a panel discussion, the school decided to have a little fun. They held a Capture the Flag simulation game. Students had to both hack and defend against hacks in order to gather information and answer questions. Correct answers led them to digital flags that were planted around the world. Each flag was worth a certain number of points, and the team that accumulated the most points won. More than 50 students registered to play. One was Joshua Marzic, president of the school’s Cyber Security Club, who recounted what he liked about the event. “You get to be the bad guy without consequences,” he said. “And there’s prizes, of course.” There was also real learning: “It’s OK to read something, but reading something doesn’t make it stick.” Read more from Route Bay City.
October 2019
California Privacy Regulation’s Double Whammy
Just as companies are preparing to deal with the California Consumer Privacy Act (CCPA), which goes into effect on January 1, the prospect of a new regulation that’s even more stringent suddenly materialized in September in the form of a ballot initiative that, if it gets enough signatures, could be voted on by Californians in November 2020. And its chief sponsor is Alastair Mactaggart. If that name sounds familiar, it should. It was Mactaggart who put together a ballot initiative in 2018 that forced the California Legislature to pass the CCPA in order to convince Mactaggart to withdraw it. His new one would create additional rights and protections concerning the use and sale of personal information, bolster the protections for children’s privacy and establish a new privacy regulator. Read more from The (IAPP) Privacy Advisor.
Alastair Mactaggart
How Secure Are Those Election Machines?
Ethical hackers were in Washington, D.C., last month to talk about a test they took during the summer at the DEF CON cybersecurity conference. It was one that they passed with flying colors. The only problem was that the test was less for them and more for the voting machines that states will use in the 2020 elections. And those machines flunked. The hackers succeeded in breaking into every machine they tested. And that got the attention of members of Congress, who are seeking more funding in advance of next year’s election. “The best way we can make the case,” said Rep. Jackie Speier (D-Calif.), “is by scaring the living bejesus out of every member of Congress that the system can be fixed against them.” Read more from The Washington Post.
L.A. Claims It’s the First City to Launch a Program to Share Cyber Threats
In September, Los Angeles announced it had released a free threat-sharing platform to help keep the public safe from cyberattacks, along with a free app that will help identify malicious email. Mayor Eric Garcetti said that his city is the first in the nation to freely provide these tools to its citizens. The initiative is part of a public-private partnership housed in a nonprofit called L.A. Cyber Lab. IBM is one of the Lab’s partners and will provide data and technology. The Lab also received a $3 million grant from the Department of Homeland Security. In addition to the threat-sharing platform, anyone can submit suspicious emails to the Lab, which will analyze and flag them based on the risk severity for the recipient. The Lab will also compare and incorporate the information into larger patterns that threaten the community. Garcetti sees these developments as potential models for other cities. Read more from the Los Angeles Sentinel.
Another Way to Make Money from Home
As more and more industries are disrupted and people lose their jobs, the gig economy seems to grow. Many who are still employed are looking for side hustles to back them up in case the economy hits a speed bump. Now there seems to be a new way to add income without a huge investment or learning curve. In fact, you can apparently buy a package for well under $100 that includes everything you need to get started. The business is phishing. And it’s available in bite-size phishing-as-a-service kits with low monthly fees for website and hosting services. You can download tools from the dark web for as little as $50. Read more from Security Boulevard.
September 2019
Security Analysts Overwhelmed by Alerts
It’s well established that there’s a labor shortage in the field of cybersecurity. But a recent survey reported just how that is reducing the security of companies. And spoiler alert: It’s scary. The survey queried more than 50 professionals who work in the security operation center (SOC) at their companies, and they’re fielding a lot more security alerts than they were a year ago. Last year 45 percent said they were receiving 10 or more a day. This year 70 percent are. Perhaps you see this as a good sign—a sign that their companies are getting better at detecting problems. But what happens next offers no such comfort. Almost 40 percent said they spend no more than 10 or 15 minutes on each alert. Nearly 60 percent said that when they get too many alerts, they simply modify the equipment settings to reduce the volume. And 57 percent admitted that they tell their clients little to nothing about any of this. Read more from TechRepublic.
Delta Airlines, Sued for Data Breaches, Sues Its Vendor
Last year Delta Airlines suffered a data breach that left the data of hundreds of thousands of customers exposed. The company was then hit with a class action lawsuit. Now Delta has sued the company that it says was responsible for the breach. It was caused by the security vulnerabilities of a vendor that provided the airline with the ability to conduct live chats with its customers. The California vendor, called [24]7.ai, allegedly represented that it had strong security controls in place and was even GDPR compliant. But Delta learned of a host of vulnerabilities when it began its investigation, according to its complaint. And to make matters worse, it took the vendor five months after it discovered the breach to say something to Delta. And even then it did not, and still has not, formally reported the breach to Delta, which only heard about it through a LinkedIn communication one of its employees received, it said. Read more from DataBreaches and see the complaint at BloombergLaw.
Hack Our Fighter Jet. Please.
We’ve written about college courses called Hacking for Defense and Hacking for Diplomacy that encourage students to consider going to work for the government. But recently the military added a literal twist. In August, the U.S. Air Force sent officials to the DEF CON cybersecurity conference in Las Vegas and asked seven carefully vetted white hat hackers to hack one of its F-15 fighter jets. They were even allowed to tamper with the plane’s hardware. By the end of the two-day experiment, the hackers had done quite a number on the plane. They’d found plenty of vulnerabilities and injected malware into the system. And, for good measure, they prodded with pliers and screwdrivers and left wires dangling out of a big metal box. The Air Force pronounced itself more than pleased. It had realized it needed lots of help to identify problems. And things went so well this year that officials suggested they’re going to greatly expand the project next year. Read more from The Washington Post.
Huawei Exploring 6G Research in Canada
If at first you don’t succeed…. Actually, it’s not at all sure that Huawei will fail to secure a place for its equipment in 5G network development. But it has been quite a battle. The United States government has tried mightily to prevent that from happening, citing the security risk the company represents. The administration, and others, fear that Huawei could be pressured some day by the Chinese government to provide it with backdoor access to infiltrate a network. It was in this context that we noted that Huawei already seems to be working on a Plan B. It has reportedly begun 6G research in its R&D center in the suburbs of Ottawa, despite the fact that 5G is only now in development and 6G probably won’t start ramping up until 2028. But they say that the early bird… Read more from TechRepublic.
August 2019
U.S. Mayors Resolve Not to Pay Ransoms
The recent spate of ransomware attacks on U.S. cities and municipalities has gotten a lot of attention. It has also provoked a group of mayors to take action—at least in the form of a resolution. It came at the end of the annual U.S. Conference of Mayors, which was held in Honolulu from June 28 through July 1. More than 250 mayors declared themselves “united against paying ransoms.” Read more from The Verge.
The Biggest Cybersecurity Incidents of the First Half of 2019
These aren’t all breaches and they’re not based on money lost or even necessarily on specific incidents. They’re based on size, impact and threat. A surveillance contractor for the U.S. Customs and Border Protection suffered a breach that exposed photos and license plates of about 100,000 travelers. Ransomware attacks keep growing and expanding into new industries. Industrial and manufacturing firms were particularly hard hit this year. Read more from Wired.
British Airways and Marriott Fined Under the GDPR
Large fines always get lots of attention. But these days there’s extraordinary interest in observing what results from violations of the EU’s General Data Protection Regulation (GDPR). Two fines were announced in July. British Airways will be socked for $230 million, and Marriott International will be hit up for $123 million. Both companies suffered large data breaches. Read more from The National Law Review.
Cybersecurity Breaches Cost Businesses $45 Billion
The number of data breaches reportedly dropped in 2018, but the cost to businesses still rose to a record $45 billion. The big ticket items were the cost of ransomware attacks, which rose by 60 percent last year, and the financial impact of business email compromise, which doubled. The mixed results left experts wondering whether there’s anything to celebrate. Read more from TechRepublic.
July 2019
Warner Blasts Administration on 5G Missteps
China has taken the lead on developing a next-generation 5G wireless network. And unless the United States government does a better job, there may be a large price to pay.
That was the message that Sen. Mark Warner (D-Va.) delivered in a speech in June at the Council on Foreign Relations. Warner blamed both the Trump and Obama administrations for complacency.
Unless the federal government ramps up its efforts and invests more resources in cybersecurity and technology research, Warner said, American companies may be more susceptible to Chinese spying, and China could also take the lead on the development of artificial intelligence and quantum computing.
Warner also urged intelligence agencies to share more information about Chinese hacking with U.S. companies to help them protect themselves.
Read more from The Washington Post.
Florida City Pays Big Ransom
We keep reading about cities that are hit with ransomware attacks, but then hold the line and refuse to pay. One could get the impression that no municipalities capitulate.
But that would be wrong.
In June, the city of Riviera Beach, Fla. (population 35,000) paid a $600,000 ransom to unlock its computer systems.
The development highlights the surge of ransomware attacks, and the tricky calculations that go into deciding how to respond. The payment may sound quite large, but the cost of not paying is almost always much larger.
This is not to say, however, that paying is necessarily smarter or more cost-effective.
Read more from The Washington Post.
Baltimore’s Response to Ransomware Hampered by Lack of Cooperation
There are lots of ways that cooperation can benefit victims of ransomware attacks. And failure to cooperate can just as often hamper them. A closer look at the recent attack on Baltimore suggests that there was a missed opportunity—and lessons from which other cities can learn.
The issue came up during a Maryland Cybersecurity Council meeting in May, not long after the attack on Baltimore made headlines. Maryland’s chief information security officer said that the state’s IT department was ready and eager to help the city in the wake of the attack, but it was difficult to communicate with Baltimore’s team during the first week.
It wasn’t due to crippled technology, the CISO explained. It was because they had never established a working relationship before the attack, and so there was a lack of trust.
The result was that the city struggled to respond with a relatively small team and budget, and was not able to take advantage of the state’s enhanced resources in a timely fashion.
Read more from Government Technology.
AI to Counter Phishing
Phishing attacks can be hard to counter. Training can be effective, but there are always new employees between trainings. And there are always others who somehow miss the boat. And research suggests that training is only effective if it’s repeated every few months.
Sounds grim. But what if they can be defeated electronically?
Three cybersecurity startups are betting that they can. And each uses artificial intelligence to anticipate scams before they’re sprung. The gambit is that machine learning will allow the startups to stay ahead of the bad guys.
There’s money that says the startups are on to something. All three have secured venture capital.
Read more from Fortune.
June 2019
Cybersecurity Vendors Are Sharing Intel
Corporations have begun to share cyber threat information with each other, often with the encouragement of government agencies with which they also exchange intelligence. But there’s another important alliance of sometime-competitors that hasn’t gotten much publicity.
Cybersecurity companies have formed a nonprofit of their own specifically to share information they can pool to help protect their clients. It’s called the Cyber Threat Alliance (CTA), and its members are some of the biggest companies in the industry. They include Cisco, Fortinet, McAfee, Palo Alto Networks and Symantec.
It started as an informal agreement among four companies in 2014. They wrote a white paper about their idea, which attracted lots of attention in the field, and in early 2017 they launched the nonprofit.
As nation-states began to pose the largest threats, the companies realized that they were not going to be able to thwart them alone. Nor is the U.S. government likely to be able to do so without help, the CTA maintains. That’s why the alliance may prove crucial in the cybersecurity battles ahead.
Read more from The Washington Post.
The Business Case for Cybersecurity
A consensus seems to be building that cybersecurity is not just a good practice and the right thing to do, but good for business. And that seems to be buttressed by all the new regulations like the EU’s General Data Protection Regulation and the California Consumer Privacy Act.
But there’s one problem. How do you prove it? How do you measure it?
If one indication of cybersecurity is the absence of breaches or losses, is this the data we should be counting?
It’s a particularly thorny topic for insurance companies, which depend on their actuarial tables.
Read more in Business 2 Community.
The Trump Administration Indicts Alleged Chinese Hackers
It’s hard to remember all of the companies that have been hit by cyberattacks. But the health insurer Anthem still stands out. In 2015, a massive data breach compromised the personal information of 78 million patients.
     Last month two Chinese citizens were indicted by the U.S. Department of Justice, which alleged that they were part of a “sophisticated China-based hacking group.”
     The indictments are the fourth time that the Trump Administration has indicted Chinese nationals in the past 18 months. That is the most of any nation.
     While the accused hackers are unlikely to travel to the United States, and thus will almost certainly never face prosecution, the indictments were intended to send a message to the alleged hackers, and their government, that they are being held accountable.
     Read more from The Washington Post.
CISA Employees Asked to Work on the Border Crisis
The Cybersecurity and Infrastructure Security Agency (CISA) has a daunting job to do, given the vulnerability of the country’s infrastructure and the volume of cyberattacks. But now it has another problem: holding onto its employees.
     It’s difficult enough for federal agencies involved in technology to retain their top people, given the salaries they can often command if they leave for jobs in the private sector. And CISA has had to deal with that challenge. But now a new twist has come from within.
     In May, Acting Secretary Kevin McAleenan of the U.S. Department of Homeland Security asked CISA to send “volunteers” to help deal with the country’s border crisis. And the agency has begun to comply.
     CISA Director Christopher Krebs testified at a recent House hearing that 10 CISA employees had deployed to the border.
     Democrats on the House Homeland Security Committee were critical of the request. Committee Chairman Bennie Thompson (D-Miss.) told reporters that CISA already has 360 vacancies, and questioned the wisdom of creating more by deploying existing employees elsewhere.
     Read more from The Hill.
CISA Director Christopher Krebs
May 2019
The Cybersecurity Dance on the Hill
The challenges cybersecurity poses can give rise to strange scenarios. We depend on government agencies to encourage companies to secure their data, and to penalize them when they’re negligent. But we frequently learn that some government agencies are negligent themselves.
     It was particularly troubling to learn that one of them is the U.S. Department of Health and Human Services, since health care data contains so much sensitive information. But an Office of Inspector General report seems to leave little doubt that HHS has serious deficiencies.
     The other part of the story is that we know that many of our aging politicians are far from knowledgeable about, and comfortable with, technology. But they are frequently the ones who must call to account entities with poor security.
     And so it was that in April, Senate Finance Committee Chairman Chuck Grassley (R-Iowa) sent a letter to HHS Secretary Alex Azar demanding that he provide information about the department’s cybersecurity policies, and asking him to explain the lapses.
     Read more from Health IT Security.
Chuck Grassley
IBM Study Reveals Widespread Cybersecurity Deficiencies
In April, IBM Security announced the results of a global study of cybersecurity preparedness, and the news was not encouraging. IBM hired the Ponemon Institute to conduct the research, and it found that 77 percent of the respondents do not have an incident response plan that is consistently applied across the company.
     That wasn’t all. More than half said they don’t test their plans regularly.
     “Failing to have a plan is a plan to fail,” said Ted Julian, VP of product management and co-founder of IBM Resilient.
     Read more from CISOMAG.
KKR’s Phishing Experiment
Private Equity giant KKR has been investing in cybersecurity companies for a while. And doing quite well. But in an April story in Fortune, there was an interesting revelation about its own vulnerability.
     In a Q&A that was part of the article, KKR Managing Director Vini Letteri was talking about the high percentage of breaches that result from human error. Then he said this:

"I think I can share this; as part of our diligence, we worked with our [chief security officer] to actually launch a phishing attack on a subset of KKR employees. We think this place is full of high-integrity, intelligent people—and even then, over a third of the employees that we sent it out to went ahead and clicked on the malicious email. We brought that up in the investment committee meeting, and it became so obvious that if, in a place like this, people still need to go through that sort of training, then it’s got to be broadly applicable out in the marketplace."

Read more from Fortune.
Vini Letteri
The Big Problem with Cybersecurity Research
How do companies defend themselves against cyberattacks? And what seems to be most effective?
     Great research topics, right? But there’s a very big problem with cybersecurity research. Companies are not providing enough raw data to researchers. They claim they have concerns about privacy.
     And to make matters worse, researchers who do manage to get ahold of data rarely share it with other researchers when they’re done—which is not the norm, scientists say.
     The dearth of quality research may explain in part why the state of cybersecurity has shown few signs of improvement in recent years, and may be getting worse.
     Read more from The Washington Post.