us congress - X-Industry - Red Sky Alliance
2024-03-28T09:56:44Z
https://redskyalliance.org/xindustry/feed/tag/us+congress

NTIA to Protect ‘highly sensitive’ Domain Registration
https://redskyalliance.org/xindustry/ntia-to-protect-highly-sensitive-domain-registration
2022-09-25T17:27:39.000Z
Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>Several members of the US Congress called on the National Telecommunications and Information Administration (NTIA) on 21 September to do more to protect the privacy of domain registration information. US Senator Ron Wyden (D-Ore.) and US Representative Anna G. Eshoo (D-Calif.) led a group of lawmakers in criticizing the NTIA for not protecting the “highly sensitive” personal information used to register for .US domains. The records contain usernames, addresses, phone numbers and email addresses.</p>
<p>The US Congress members said it is “highly concerning” that NTIA has not directed its contractors administering .US domains to adopt any protections for this sensitive information since at least 2005. “The automatic public disclosure of users’ personal information puts them at enhanced risk for becoming victims of identity theft, spamming, spoofing, doxxing, online harassment, and even physical harm,” the lawmakers said in a letter to NTIA Assistant Secretary and Administrator Alan Davidson. They also wrote that “anonymity is a necessary component of the American right to free speech.” The NTIA did not respond to requests for comment.</p>
<p>The lawmakers claimed there was no reason for the information to be disclosed publicly, and suggested the agency automatically offer privacy free of charge upon registration. NTIA should also require users to provide affirmative consent “for transferring user data to third parties, including public disclosure,” the letter said.</p>
<p>According to the US lawmakers, government entities, including in the US, should be forced to seek a warrant to request access to .US user data, and users should be alerted if such access is granted. The letter argues that the government should set an example for the rest of the world by creating a “more secure and private system for registering internet domains through its control of .US.”</p>
<p>Alongside Wyden and Eshoo, Senators Brian Schatz (D-Hawaii) and Elizabeth Warren (D-Mass.) joined U.S. Representatives Ted Lieu (D-Calif.), Sara Jacobs (D-Calif.), Zoe Lofgren (D-Calif.), Ro Khanna (D-Calif.), Tom Malinowski (D-N.J.), and Stephen F. Lynch (D-Mass.) in signing the letter.</p>
<p>The letter comes after several government agencies globally have highlighted domain cybersecurity as an area of concern in recent weeks, with domain registrars having been hacked in the past. A spokesperson for Wyden said that there was no international coordination on the announcements but noted that this has been a longstanding concern among privacy experts.</p>
<p>Last year, a .US advisory body asked NTIA for increased privacy among .US domains, the spokesperson noted. “In the broader ICANN [Internet Corporation for Assigned Names and Numbers] community, debates continue on how to protect privacy for domain name registrants,” the spokesperson said. “This letter signals that Senator Wyden and other privacy leaders want to ensure that the interests of folks that want access to this data do not trump the privacy rights of individuals registering domain names.”</p>
<p>In a parallel discussion on the same day, the Cyberspace Solarium Commission urged that, although the country has taken “significant steps” to strengthen its defenses against digital threats, that progress must be a “prelude” to further changes. “Even as we issue this progress report, we know that assessing implementation is not enough,” commission co-chairs Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wisc.) wrote in the panel’s second annual assessment report. “Lasting improvements in national cyber resilience will take sustained attention, investment, and agility to address the ever-shifting threat landscape,” they added.<a href="#_ftn1">[1]</a></p>
<p>The Commission report follows several actions taken by the executive branch and Capitol Hill to bolster the country’s cyber resiliency in the wake of major ransomware attacks, including on Colonial Pipeline, meat processor JBS and software company Kaseya, as well as the massive SolarWinds breach carried out by Russian hackers. Most notably, landmark cyber incident legislation became law, and just last week the first US cyber ambassador was confirmed.</p>
<p>The Commission made 116 policy recommendations in its original report and published six follow-on white papers. Of those, 33 have been implemented; 30 are close to implementation; 31 are “on track” in some fashion; 20 have experienced limited progress; and two suggestions, less than 2% of the overall figure, face “significant barriers” to becoming reality, according to the latest report.</p>
<p>US Presidential directives and the National Defense Authorization Act (NDAA) have become major vehicles for executing the group’s ideas, with the US House of Representatives version of this year’s bill containing a pair of key Solarium proposals.</p>
<p>The first would designate “systemically important entities” status to the most vital US critical infrastructure, requiring operators to enact strong digital security standards and share threat intelligence with the government in return for increased federal support. However, last week, a coalition of industry groups sent a letter opposing the idea, arguing it would create “programmatic redundancies” and that the information gleaned through the effort could lead to an “elevated risk of exploitation by America’s foreign adversaries.”</p>
<p>The second would create a “Cyber Threat Environment Collaboration Program,” a portal intended to increase data sharing among members of the Cybersecurity and Infrastructure Security Agency’s growing Joint Cyber Defense Collaborative — the organization’s public-private coordination hub that was relied on during the Log4j crisis. The Senate draft of the policy roadmap doesn’t contain either provision. Senate Majority Leader Chuck Schumer (D-N.Y.) on the 20<sup>th</sup> said the chamber would be in session next month and would take up its draft of the must-pass legislation then.</p>
<p>Yet two recommendations have faced so much pushback that the commission sees little hope of them being implemented anytime soon: creating congressional committees devoted to cybersecurity, and establishing liability of “final goods assemblers” of software and hardware for breaches and hacks resulting from the exploitation of known or unpatched vulnerabilities. “We urge readers to consider this report as a mid-course check, laying a path for the many stakeholders in government and industry charged with a task that we cannot afford to fail: protecting our national cybersecurity,” wrote King and Gallagher.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/cyberspace-solarium-commission-calls-for-sustained-investment-in-defense/">https://therecord.media/cyberspace-solarium-commission-calls-for-sustained-investment-in-defense/</a></p></div>

The FBI's out in the Cold
https://redskyalliance.org/xindustry/the-fbi-s-out-in-the-cold
2021-11-17T21:53:03.000Z
Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>There was an old ’60s movie called <u>The Spy Who Came in from the Cold</u>. Well, the FBI could be sidelined in new cybersecurity legislation and left out in the cybersecurity cold. In the view of America’s most powerful law enforcement agency, that could be a big problem.</p>
<p>In testimony to the US Congress, the current assistant director of the FBI’s Cyber Division said that the Biden administration is “troubled” by legislation proposed by the US Senate and House Homeland Security committees requiring a wide range of companies to report intrusions to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) but not simultaneously to the FBI. “Current incident reporting legislation being considered fails to recognize the critical expertise and role that DOJ, including the FBI, play when it comes to cyber incident reporting,” the FBI said in a statement for the record provided to the House Committee on Oversight and Reform. “Cyber is the team sport, and the Department of Justice and the FBI are a key player. It is time for legislation to reflect this reality,” they stressed. The Biden administration’s stance now throws a last-minute wrench into a years-long effort to require key companies to disclose cyberattacks.</p>
<p>The House’s annual must-pass defense bill includes language requiring critical infrastructure operators and federal contractors to alert CISA if they are hacked. Similar language is likely to make it into the Senate’s version of the bill. The provision — the result of weeks of negotiations between the leaders of the Senate homeland security and intelligence panels — would represent the most sweeping cyber regulation ever imposed on the private sector.</p>
<p>One of the biggest problems facing government cyber defenders is their lack of insight into many of the digital attacks on private companies. Unlike in some other countries, the US does not directly monitor or defend most critical private sector networks. That means government agencies rely on companies to voluntarily disclose hacks so they can assemble a complete picture of the threat environment and develop security recommendations accordingly.</p>
<p>In the wake of high-profile ransomware attacks on Colonial Pipeline, the meat processing giant JBS and the IT software vendor Kaseya, Biden administration officials have been adamant that Congress should mandate cyber incident reporting for the nation’s most important companies. “The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” the CISA Director told the Senate Homeland Security Committee last September.</p>
<p>While CISA leads what officials call the government’s “asset response” work by addressing specific vulnerabilities and helping victims upgrade their networks, the FBI oversees the “threat response” mission by identifying and deterring the hackers. For that reason, the US Justice Department and FBI officials want rapid access to any incident reports. “We urge Congress to create a national standard for reporting significant cyber incidents and to require that the reported information be shared immediately with the Justice Department,” the Attorney General said during a November 8th news conference announcing actions against ransomware gangs.</p>
<p>The administration’s call for simultaneous reporting to CISA and the FBI could derail efforts to slip the incident reporting language into the defense policy bill unless lawmakers quickly embrace the idea.</p>
<p>A NY congressperson (D-N.Y.), who chairs the House Homeland Security cyber subcommittee and was a lead sponsor of her chamber's reporting mandate, said she didn't favor changing the program. "We took seriously the disparate, yet complementary, roles played by agencies across the federal government," she said. "But, ultimately, we believe that CISA ... should lead the federal government's cyber incident reporting program."</p>
<p>Spokespeople for the reporting legislation's other chief sponsors did not provide comments on the administration’s call for legislative changes. It is also unclear whether the bureau’s position reflects any strain between the FBI and CISA, which have tried to form a close working relationship in the three years since CISA’s creation. Also unclear is whether a mandatory reporting requirement to the FBI would trigger heated opposition from the private sector.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p></div>

Federal Privacy Bill Reintroduced in US Congress, Again
https://redskyalliance.org/xindustry/federal-privacy-bill-reintroduced-in-us-congress-again
2021-03-29T12:53:45.000Z
Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>A US Congressional Representative from the State of Washington recently reintroduced a bill that would create a nationwide data privacy standard, to be enforced by the Federal Trade Commission (FTC), that in its latest version is intended to gather bipartisan support by addressing specific Republican concerns. The Information Transparency and Personal Data Control Act, if passed, would replace a patchwork of current state laws and provide an influx of $350 million to the FTC’s budget to enforce these proposed regulations.</p>
<p>"The new DelBene bill marks an interesting start for the relaunch of the effort to advance federal privacy law," says the International Association of Privacy Professionals (IAPP). "Specifically, while coming from the Democrats' side of the aisle, the bill is largely preemptive of state privacy laws and would not allow a private right of action." These two issues have been a lightning rod for Republicans in the past and hindered any attempt to bridge the gap between the two sides in the US Congress this year. "So, it's worth noting that Democrats supporting this bill are making a significant stride to meet Republicans' demands," reports the IAPP.</p>
<p>This current bill is designed to protect a wide swath of personal information by requiring businesses to obtain consumer consent prior to sharing their data, and companies would also be required to write their privacy policies in easy-to-understand language. "With states understandably advancing their own legislation in the absence of federal policy, Congress needs to prioritize creating a strong national standard to protect all Americans," says the US Representative.<a href="#_ftn1">[1]</a></p>
<p>This is the fourth time DelBene has attempted to have this legislation enacted. The bill currently has no Republican co-sponsors. If passed, the bill would require the FTC to hire 500 additional employees who would focus on privacy and data security issues, 50 of whom must have technical expertise in the area. Exactly what this would entail, however, is not further defined. The bill also calls for the FTC to receive $350 million to implement the plan. "This will place the FTC at the forefront of the global regulatory effort to implement data protection laws and develop privacy policies," the IAPP says.</p>
<p>The sensitive information covered by the bill includes financial, health, genetic, biometric and geolocation data; sexual orientation; citizenship and immigration status; Social Security number and religious belief. It would also offer extra protection to the data of children under 13 years old. If passed, the bill calls for creating a balanced, high-standard digital privacy framework that complements global standards and a strong national standard to combat anti-consumer practices. It also requires the federal government to provide guidance on the proper collection, processing, disclosure, transmission and storage of sensitive data and ensure enforcement authorities have the resources needed to protect consumers. Businesses would be required to submit to a privacy audit every two years conducted by an independent third-party. If adopted, the Information Transparency and Personal Data Control Act would also supplant any similar state legislation currently in use, the bill states.</p>
<p>Unlike the California Consumer Privacy Act and the EU's General Data Protection Regulation, DelBene's bill does not include a fine structure or a breakdown of the type and size of businesses affected. The CCPA, which went into full effect in January 2020, calls for a maximum penalty of $7,500 and is reserved only for intentional violations of the CCPA. Unintentional violations remain subject to a preset $2,500 maximum fine. GDPR, which went into effect May 2018, empowers EU regulators to levy fines of up to 4% of an organization's annual global revenue or 20 million euro ($22.2 million) whichever is greater if they violate Europeans' privacy rights. Under the CCPA and GDPR, individuals also have the right to take civil action against a company, a point that is lacking in the DelBene bill. This proposed bill does, however, give the FTC and all state attorneys general enforcement powers. Once a violation has been brought before the FTC, the offending business has 30 days to rectify the problem before any enforcement action is undertaken.</p>
<p>A state may also bring an action in a case on behalf of a state or its residents after submitting written notification to the FTC, according to a draft of the bill.</p>
<p>Specific Action Items. The bill has six primary requirements:</p>
<ul>
<li><u>Plain English</u>: Requires companies to provide their privacy policies in plain English.</li>
<li><u>Opt-in</u>: Allows users to opt-in before companies can use their most sensitive private information in ways they might not expect.</li>
<li><u>Disclosure</u>: Increases transparency by requiring companies to disclose if and with whom they will share the consumer's personal information and the purpose of sharing the information.</li>
<li><u>Preemption</u>: Creates a unified national standard and avoids a patchwork of different privacy standards by preempting conflicting state laws.</li>
<li><u>Enforcement</u>: Gives the FTC strong rulemaking authority to keep up with evolving digital trends and the ability to fine bad actors on the first offense. It also empowers state attorneys general to pursue violations if the FTC chooses not to act.</li>
<li><u>Audits</u>: Establishes strong "privacy hygiene" by requiring companies to submit privacy audits every two years from a neutral third party.</li>
</ul>
<p>In the absence of federal regulations, privacy legislation is in motion this year in Minnesota, New York, Washington and Oklahoma. If the other bills are passed, this would bring the number of states with their own privacy standards to eight, as California, Nevada and Maine have previously adopted such standards, and Virginia passed its Consumer Data Protection Act on 2 March. Most bills being considered at the state level are modeled on the recently instituted California Privacy Rights Act and Washington state's privacy legislation.</p>
<p>Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org">https://redskyalliance.org</a> at no charge. Many past tactics are often dusted off and reused in current malicious campaigns – like REvil.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com </p>
<p><strong>Weekly Cyber Intelligence Briefings</strong>:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bankinfosecurity.com/federal-privacy-bill-reintroduced-in-congress-a-16178">https://www.bankinfosecurity.com/federal-privacy-bill-reintroduced-in-congress-a-16178</a></p></div>