
A weekly roundup of news, trends and insights designed exclusively for security professionals. This publication is intended for security staff only.


In this issue — June 12, 2019

  • DoD to Unveil New Cybersecurity Maturity Model Certification for Defense Contractors
  • OMB Chief: Contractors Need More Time to Cut Ties With Huawei, ZTE
  • Customs Subcontractor Breach Illustrates Cyber Dangers Of Data Ecosystems
  • DHS Agency Issues New Guidelines on Bag-Search Training in Venues
  • Feds Arrest NYC Man who Allegedly Wanted to Shoot Up Times Square
  • Lawmakers Question FBI’s Facial Recognition Program
  • IG: Nuclear Energy Regulators Need More Cyber Experts
  • Facebook Gave Data Access to Chinese Firm Flagged by U.S. Intel
  • State Department Proposes New Cybersecurity Bureau
  • Audit: Pipeline Security Plans Weak on Cybersecurity, Coordination
  • Russia Effort in 2016 U.S. Election Was 'Vast,' 'Professional'

Pentagon to Unveil New Cybersecurity Maturity Model Certification (CMMC) for Defense Contractors

The Department of Defense announced that it is developing a new cybersecurity standard and certification for defense contractors. It is named the “Cybersecurity Maturity Model Certification” (CMMC). Notably, the intent of the CMMC is to address cybersecurity deficiencies in the defense industrial base and secure the supply chain.

The CMMC is expected to be based on NIST SP 800-171, as is the current Defense Federal Acquisition Regulation Supplement (DFARS) rule. Specifically, DFARS Clause 252.204-7012 requires defense contractors handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171. According to news reports, the CMMC will serve as the enforcement mechanism lacking in the current DFARS rule.  More

OMB Chief: Contractors Need More Time to Cut Ties With Huawei, ZTE (NextGov, 6/10/19)
The head of the Office of Management and Budget is asking the Trump administration and Congress to give government contractors and federal grant recipients more time to cut ties with Chinese telecom providers like Huawei.  If officials don’t grant the extension, there may be “a dramatic reduction” in the number of contractors able to legally do business with the government, acting OMB Director Russel Vought wrote in a letter to Vice President Mike Pence and congressional leaders.
The 2019 National Defense Authorization Act prohibited the use of federal funds to purchase products from Huawei, ZTE, and other Chinese telecom firms after intelligence officials warned the Chinese government could use the companies to spy on the U.S.  The measure not only bans agencies from doing business directly with the firms, but also bars government contractors and federal grant recipients from working with the Chinese companies or any other group that uses their tech. More

Customs Subcontractor Breach Illustrates Cyber Dangers Of Data Ecosystems (Forbes, 6/10/19)
This week, the U.S. Customs and Border Protection Agency acknowledged a massive data breach suffered by one of its contractors that resulted in unauthorized access to photographs and license plate details of those crossing U.S. borders.  The CBP’s own networks were not breached.  Instead, one of its subcontractors had quietly copied the data to its own servers without CBP’s knowledge and against CBP policy.
While much is still unknown about the breach, one of the biggest takeaways is that for all their investments in their own cybersecurity, the massive data supply chains that support large organizations can offer back doors to their most valuable data.  Most of the details of the CBP subcontractor breach are still unknown.  To date, Customs has said only that a subcontractor “transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network” in violation of CBP policy, and that the subcontractor was subsequently breached through a “malicious cyberattack.”  More


Effective Security Starts on the Inside

Technology may be one aspect of cyber security, but the real challenge is managing the human element. It’s your people who are the first and best line of defense. Today there are more threats, more vulnerabilities, more portable storage devices, and there’s increased mobility.  That means educating employees about cyber security is more difficult, demanding and necessary than ever before.

So, how do you make sure that your company's information assets are protected? The first line of defense is employee awareness – the critical "humanware” component of your cyber security armor. NSI’s SECURITYsense awareness program gives employees the tools and information they need to make security second nature. Find out how this valuable resource can help protect your hard-earned reputation and ensure that your employees are part of the solution and not part of the problem. Click here https://www.nsi.org/securitysense/what-is-securitysense.shtml for more information.


DHS Agency Issues New Guidelines on Bag-Search Training in Venues (Homeland Security Today, 6/7/19)
Venues need to ensure that employees and contractors are properly trained to search bags and spot potential accompanying suspicious behaviors or substances, states a new guide released by DHS’s Cybersecurity and Infrastructure Security Agency.  The Public Venue Bag Search Procedures Guide applies to a variety of events with controlled access that can be targets for would-be attackers, including concerts, festivals, and sporting events.  Training goals include education to deter people from bringing forbidden items, how to interact with patrons who are having their bags searched, how to properly conduct the bag search itself and identify or handle items of interest, and the proper response when a no-go item is confirmed.
Training can include how to watch for people who may be trying to evade security checkpoints, how to recognize harmful substances such as bomb-making materials, how to coordinate a response among bag-checkers and potentially law enforcement if an item is discovered, how to converse with and indirectly question people in line who may be acting suspicious, how to deal with someone angry about their bag being searched, and how to respond quickly to an active assailant. More

Feds Arrest NYC Man who Allegedly Wanted to Shoot Up Times Square (Homeland Security Today, 6/7/19)
A man is under arrest after being investigated by the New York FBI Joint Terrorism Task Force for allegedly wanting to shoot up Times Square, after speaking about explosives, suicide vests and hand grenades, a senior law enforcement official familiar with the investigation said.  The officials say the Queens man was under surveillance for some time and was being closely monitored by authorities; an undercover helped track him.
He had allegedly spoken of wanting to get or use a suicide bomb vest and wanting to attack politicians in New York City and Washington, D.C.  But the senior official says he eventually came around to wanting to shoot up the Crossroads of the World — and he allegedly tried to buy guns last week, which prompted his arrest.  Sources say he was trying to buy guns with their serial numbers removed. More

Lawmakers Question FBI’s Facial Recognition Program (Defense One, 6/6/19)
Lawmakers last week grilled federal law enforcement officials on the integrity and legality of the government’s facial recognition programs, and criticized the nearly nonexistent oversight Congress has over those programs.  During a hearing, members of the House Oversight Committee questioned witnesses on the steps being taken to ensure the facial recognition tools used by their agencies aren’t infringing on individuals’ privacy and civil liberties.  By and large, lawmakers on both sides of the aisle seemed unsatisfied with their answers.
And while the committee criticized law enforcement’s facial recognition efforts en masse, much of their attention focused on the FBI’s use of the tech.  Lawmakers criticized Kimberly Del Greco, deputy assistant director of the FBI’s Criminal Justice Information Services division, over the bureau’s failure to correct multiple flaws in the way it evaluates its primary facial recognition tool.  In 2016, the GAO issued six recommendations to ensure the tech, known as the Next Generation Identification-Interstate Photo System, meets federal privacy and accuracy standards.  More

IG: Nuclear Energy Regulators Need More Cyber Experts (NextGov, 6/6/19)
The Nuclear Regulatory Commission is facing a mass exodus of cybersecurity experts in the years ahead, which could limit its ability to ensure the nation’s nuclear power plants are safe from digital attacks, an internal watchdog found.  Nearly one-third of NRC’s cybersecurity inspectors will be eligible for retirement by the end of fiscal 2020, and agency officials worry they aren’t training enough people to take their place, according to the NRC Inspector General.
With nuclear power stations becoming increasingly popular targets for online adversaries, the shortage of cyber expertise could leave the agency struggling to do its job, auditors said.  “If staffing levels and skill sets do not align with cybersecurity inspection workload requirements, NRC’s ability to adapt to a dynamic threat environment and detect problems with [nuclear power plants’] cyber security programs could be compromised,” they wrote in a recent report.  In 2009, the NRC started explicitly requiring nuclear power stations, most of which are privately owned, to defend their IT infrastructure against cyberattacks. More

Facebook Gave Data Access to Chinese Firm Flagged by U.S. Intel (CNBC, 6/5/19)
Facebook has data-sharing partnerships with at least four Chinese electronics companies, including a manufacturing giant that has a close relationship with China’s government, the social media company said last week.  The agreements, which date to at least 2010, gave private access to some user data to Huawei, a telecommunications equipment company that has been flagged by American intelligence officials as a national security threat, as well as to Lenovo, Oppo, and TCL.
The four partnerships remain in effect, but Facebook officials said in an interview that the company would wind down the Huawei deal by the end of the week.  Facebook gave access to the Chinese device makers along with other manufacturers — including Amazon, Apple, BlackBerry and Samsung — whose agreements were disclosed by The New York Times on Sunday.  More

State Department Proposes New Cybersecurity Bureau (Cyber Scoop, 6/5/19)
The State Department has sent to Congress a long-awaited plan to reestablish a cybersecurity-focused bureau it says is key to supporting U.S. diplomatic efforts in cyberspace.  The department’s new plan would create the Bureau of Cyberspace Security and Emerging Technologies (CSET) to “lead U.S. government diplomatic efforts to secure cyberspace and its technologies, reduce the likelihood of cyber conflict, and prevail in strategic cyber competition.”
The new bureau, with a proposed staff of 80 and projected budget of $20.8 million, would be led by a Senate-confirmed coordinator and “ambassador-at-large” with the equivalent status of an assistant Secretary of State, who would report to the Undersecretary of State for Arms Control and International Security.  The idea comes nearly two years after then-Secretary of State Rex Tillerson announced he would abolish the department’s cybersecurity coordinator position and put its support staff under the department’s economic bureau. More

Audit: Pipeline Security Plans Weak on Cybersecurity, Coordination (FCW, 6/5/19)
The Transportation Security Administration's plans for pipeline security aren't keeping up with rising threats in cyberspace, according to the GAO.  An audit released last week found that the agency, which has primary responsibility for monitoring and securing the nation's 2.7 million miles of gas and oil pipelines, hasn't updated two plans that formally outline how agencies and other stakeholders should respond to security incidents in years.
TSA last issued its Pipeline Security and Incident Recovery Protocol Plan, which outlines roles and responsibilities for federal agencies and the private sector in the wake of a pipeline security incident, in 2010.  Auditors said the plan hasn't been revised since then to account for the rising importance of cybersecurity threats to critical infrastructure.  A similar agreement between TSA and the Department of Transportation's Pipeline and Hazardous Materials Safety Administration outlining specific roles and responsibilities for pipeline security hasn't been updated since 2006. More

Russia Effort in 2016 U.S. Election Was 'Vast,' 'Professional' (AFP, 6/5/19)
Russia's efforts to sow misinformation on Twitter ahead of the 2016 U.S. election were more extensive and professional than earlier believed, security researchers said last week.  A report by the security firm Symantec said some of the accounts linked to Russia's Internet Research Agency dated back as far as 2014 and that the manipulation effort involved a vast effort that included both automated "bots" and manual operations.
"While this propaganda campaign has often been referred to as the work of trolls, the release of the dataset makes it obvious that it was far more than that," said Gillian Cleary of Symantec's Security Technology and Response team in a blog post.  "It was planned months in advance and the operators had the resources to create and manage a vast disinformation network.  It was a highly professional campaign."  Twitter said the Symantec analysis was based on its data released to researchers last year of some 10 million tweets.  While the Russian campaign used Facebook and other channels, Twitter's data availability makes it easier for independent researchers to study these campaigns. More

Keep Getting This Newsletter

To ensure delivery to your inbox (not bulk or junk folders), please add NSI@nsi.org to your address book.

SUBSCRIBE: If you were sent this by a colleague and wish to subscribe to NSI's complimentary Security NewsWatch e-newsletter, visit http://nsi.org/newsletter.html.


Please feel free to share this e-mail with your colleagues and encourage them to sign up to get their own copy at http://nsi.org/newsletter.html

ADVERTISERS: For information about sponsoring this e-letter, contact sburns@nsi.org or call

National Security Institute
165 Main Street, Suite 215
Medway, MA 02053
Tel: 508-533-9099
Fax: 508-507-3631
Internet: http://nsi.org



Who's Worse:
Employees or Hackers?

Experts agree, well intentioned but careless employees pose just as much of a danger to your organization as faceless hackers on the outside. In fact, 95 percent of successful hack attacks or incidents are attributed to human error.

Learn how to mitigate the accidental insider threat and empower your employees to think securely with these valuable lessons:

  1. How to recognize and respond to social engineering attacks
  2. How to avoid spear-phishing and email scams
  3. How to avoid becoming an easy target for hackers
  4. How to prevent human errors that cause security breaches
  5. How to protect sensitive data from hackers, spies and ID thieves
