
Administration Releases Federal Information Security Modernization Act (FISMA) Annual Report to Congress

Today the Administration released the Fiscal Year 2016 FISMA Annual Report to Congress. The Office of Management and Budget (OMB) publishes this report annually in accordance with the Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283, § 3553 (Dec. 18, 2014) (codified at 44 U.S.C. § 3553). OMB obtained information from the Department of Homeland Security (DHS) and from Chief Information Officers and Inspectors General across the Executive Branch to compile this report. The report primarily includes Fiscal Year 2016 data reported by agencies to OMB and DHS on or before November 13, 2016, in accordance with 44 U.S.C. § 3553.


President Trump’s Preliminary Cyber Focus

President Trump's second Week of Action included a “listening session” with cyber security experts to help fulfill his campaign promise of securing America against cyber threats. Later in the month, the White House National Economic Council Director announced Senior Staff appointments, including that of Grace Koh, who will serve as Special Assistant to the President for Technology, Telecom, and Cyber-Security Policy. Koh previously served as Deputy Chief Counsel to the Subcommittee on Communications and Technology of the Energy and Commerce Committee in the U.S. House of Representatives.

Never Waste A Good Breach! — Lessons Learned at the 2016 NetDiligence Cyber Risk and Privacy Liability Forum

By Sarah Austin and George K. Sarris

NetDiligence held its annual Cyber Risk and Privacy Liability Forum on June 6-8 in Philadelphia. The event primarily focused on providing practical advice for cybersecurity insurance brokers, attorneys and Chief Information Security Officers (CISOs). eWhite House Watch was invited to cover the forum as part of the NetDiligence Press Corps.

On June 6, the event opened with a session called “Cyber Claims & Loss Updates,” where leading experts in cybersecurity insurance discussed the types of claims being covered, examination costs, and claims notice and handling. The panel discussed how policyholders of cyber insurance can improve their methods of dealing with privacy and notice issues after a breach. The panel stated that within the risk pool, only twenty to thirty percent of organizations at risk are covered. This is largely due to the misconception that breaches are targeted. Chris Novak, the co-founder and Managing Principal of the Verizon Investigative Response Unit, emphasized that recent studies indicate that the “majority of the breaches are opportunistic and not targeted.” Further, the panel discussed how the security industry has not reached the level of maturity needed to combat cybersecurity risks. For example, the industry struggles to “patch” IoT devices after they are breached.


OFAC Issues Cyber-Related Sanctions Regulations

The Department of the Treasury’s Office of Foreign Assets Control (OFAC) published the Cyber-Related Sanctions Regulations, which became effective on December 30, 2015. The new regulations implement Executive Order 13694 and authorize the imposition of economic sanctions on those found to be responsible for, as well as those who significantly benefit from, malicious cyber attacks or cyber theft. The regulations do not identify specific individuals or entities who will be sanctioned, nor do they indicate any immediate compliance obligations for U.S. companies. Some notable provisions include: sanctions on identified entities who participate in cyber-enabled activities that are reasonably likely to have resulted in a significant threat to the national security, foreign policy, economic health or financial stability of the United States; and sanctions on identified entities who trade or engage in other transactions with people named on OFAC’s SDN List pursuant to E.O. 13694. You can find more details about the Cyber-Related Sanctions Regulations here.

Georgetown’s Third Annual Cybersecurity Law Institute – A Recap of Informative Programming

The Georgetown University Law Center held its annual Cybersecurity Law Institute on May 20 and 21, 2015. The event, billed as the only cybersecurity conference geared primarily toward attorneys, focused on providing practical how-to advice for attorneys working on cybersecurity while also discussing the future of the field. eWhite House Watch had the opportunity to attend the conference as part of the Institute’s Press Corps, and found the sessions and networking opportunities fascinating.

The highlight of the event came on its first day, when both James B. Comey, the director of the FBI, and Leslie Caldwell, Assistant Attorney General in charge of the DOJ Criminal Division, spoke to the assembled conference goers. Director Comey demonstrated a solid understanding of the cybersecurity threats facing the nation. He repeatedly emphasized the importance of private companies collaborating with the FBI to address the most pressing cyber threats. He noted that even though the FBI has not always had a stellar record in working with the private sector, it has taken great steps to improve its relationship with private enterprise since the financial attacks of 2012.


House Faces Both Support and Criticism over Cybersecurity Bills Discussed this Past Week

As reported by The Hill this past week, the House was set to discuss two important cybersecurity bills, both expected to pass. According to the proposed bill, the Protecting Cyber Networks Act is intended “to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” Separately, the National Cybersecurity Protection Advancement Act is an amendment to the Homeland Security Act of 2002 and, according to that proposed bill, is expected “to enhance multi-directional sharing of information related to cyber-security risks and strengthen privacy and civil liberties, protections, and for other purposes.” On the surface, neither of the proposed bills seems problematic. There is significant support for the bills: as noted in The Hill’s piece “Tech will be watching cyber vote,” the Information Technology Industry Council (ITI) has already sent a letter to the House expressing its support for them. In the letter, ITI said that it “firmly believe[s] that passing legislation to help to increase voluntary cybersecurity threat information and sharing between the private sector, is an important step Congress can take to enable all stakeholders to address threats, stem losses, and shield their systems, partners and customers.”
