At a glance.
- US Congress considers breach-reporting laws and cloud procurement policies, post-Solorigate.
- ICE's use of private commercial databases questioned: do they go where other investigation won't?
- SEC halts trading in some social-media-hyped securities (bots seem to be involved in some of the pumping).
Post-Solorigate, US Congress considers new breach laws and cloud procurement policies.
iTnews observes a “new appetite” among some US lawmakers and companies for Federal regulation of breach reporting. Microsoft President Brad Smith told a joint House Homeland Security and Oversight and Reform hearing, “Silence is not going to make this country stronger. So I think we have to encourage - and I think even mandate - that certain companies do this kind of reporting.” Current cyber incident disclosure laws primarily come into play when medical or financial information is exposed.
Nextgov reviews Representative Langevin’s (Democrat of Rhode Island) argument that cybersecurity “basics like logging shouldn’t be an ‘upcharge’” in Federal cloud contracts and the Government should “use its substantial bulk purchasing power to make sure we’re not getting a raw deal.” Representative Maloney (Democrat of New York) stressed that the Oversight and Reform Committee will be taking a close look at Federal procurement practices, while Representative Thompson (Democrat of Mississippi) commented, “We need to find ways to change behavior in the private sector—particularly those in the government supply chain—so executives value security as much as earnings statements.”
Lawmakers’ ire was in part directed at Microsoft Azure, which does not offer free unlimited logging, as the Cybersecurity and Infrastructure Security Agency pointed out. Smith noted in response that Microsoft is a for-profit firm, and hinted that it would send the wrong message to penalize Microsoft—instead of, for example, Amazon—for disclosing the intrusion. Another lawmaker replied that Microsoft doesn’t deserve special treatment for reporting.
The outdated security standards and complicated recovery protocols of Active Directory products also came under fire. “[S]hould Microsoft address the authentication architecture limitations…a considerable threat vector would be completely eliminated,” CrowdStrike CEO George Kurtz remarked.
US Immigration and Customs Enforcement use of private databases questioned.
Immigration and Customs Enforcement (ICE) personnel are taking advantage of an Equifax-powered commercial database with hundreds of millions of utility records, according to the Washington Post. The database, CLEAR, is marketed by Thomson Reuters as a “legal investigation software solution.” CLEAR customers range from law enforcement agencies to credit unions and include the Departments of Defense, Justice, and Homeland Security. ICE’s subscription is worth $21 million, and complements other tools in the agency’s arsenal like license plate databases and location data from phones. Although CLEAR is not covered by the 1974 Privacy Act, the House Committee on Oversight and Reform has requested more information from Equifax and Thomson Reuters executives.
SEC suspends trading in stocks with suspicious social media hype.
Reuters and Bloomberg report that the Securities and Exchange Commission has suspended trading in a total of twenty-one companies' securities following irregular activity and what appears to be a coordinated social media campaign to drive up prices. An executive at PiiQ Media, a cybersecurity firm that flagged unusual patterns on Twitter, Instagram, Facebook, and YouTube, noted that “undermining the integrity of U.S. markets is a known goal of hostile state actors.” PiiQ estimates that tens of thousands of bots have been plugging assets like GameStop stock and the Dogecoin cryptocurrency. (A Twitter spokesperson noted that not all bots are bad.)