Overnight Cybersecurity: Trump proclaims 'Cybersecurity Awareness Month' | Equifax missed chance to patch security flaw | Lawmakers await ex-CEO's testimony | SEC hack exposed personal data


Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...



--IT'S NATIONAL CYBERSECURITY AWARENESS MONTH: Sunday marked the start of October, and with it comes the beginning of National Cybersecurity Awareness Month. October offers no shortage of cyber-focused events, as organizations look to put the spotlight on threats to digital systems. The focus is timely, in light of breaches recently disclosed by Equifax and the U.S. Securities and Exchange Commission (SEC). In a statement late last week proclaiming October National Cybersecurity Awareness Month, President Trump highlighted the threat to the public and private sectors: "My Administration is committed to protecting Americans against these threats," Trump said. "Keeping our Nation secure in the face of cyber threats is our shared responsibility. Our agility and resilience in responding to these threats will improve as our collective awareness about their nature improves." Various government entities have put out statements contributing to the national cyber awareness campaign, including the Department of Homeland Security (DHS) and the National Security Agency (NSA).


--US FIRM LET RUSSIA REVIEW SOFTWARE SOURCE CODE: U.S.-based Hewlett Packard Enterprise (HPE) complied with a Russian defense agency's request to review a cybersecurity product used by the Pentagon in order to gain access to the Russian market, Reuters reported on Monday. The company is said to have allowed Russia to review source code for ArcSight, cyber-defense software produced by HPE that is used broadly in the U.S. private sector and by the U.S. military to secure its networks. Reuters, citing a review of Russian regulatory records, reported that the company permitted the review last year in order to be certified to sell the security software to Russian government entities. The revelation comes amid heightened scrutiny of Russia's use of cyberattacks, as lawmakers and the federal government continue to investigate Russian interference in the 2016 U.S. presidential election. The ArcSight review was conducted by Echelon, a Moscow-based company that certifies whether security software complies with guidelines for various Russian defense entities, including Russia's intelligence service, the FSB. The review was conducted on behalf of Russia's Federal Service for Technical and Export Control, an agency within Russia's defense ministry.


--CONGRESS READIES FOR EQUIFAX CEO TESTIMONY: It's going to be a busy week of cyber hearings on Capitol Hill. Chief among them are a slate of hearings focused on the Equifax data breach, in which as many as 143 million Americans had their Social Security numbers and other personal information accessed by hackers. Former Equifax CEO Richard Smith is due to appear before congressional committees on Tuesday, Wednesday, and Thursday, a week after resigning from his top post at the company amid continuing blowback over the breach, which was disclosed in early September. According to testimony prepared for a House hearing that was released Monday evening, Smith will say that the credit bureau botched a critical opportunity to patch the security vulnerability hackers would eventually use to gain access to its files. Smith will say that he was "ultimately responsible for what happened on my watch" as CEO. Smith is due to appear before the House Energy and Commerce Committee, the Senate Banking Committee, and the House Financial Services Committee this week.




--BILL WOULD REQUIRE PENTAGON TO ASSESS CYBER RISKS TO ELECTRIC GRID: A bill introduced by a bipartisan group of House lawmakers late last week would require the Pentagon to report to Congress on significant security risks to the U.S. electric grid and their impact on the U.S. military.

The bill would require the Pentagon, in coordination with the Energy Department, Homeland Security Department and the director of national intelligence, to issue a report identifying "significant security risks" that malicious cyber actors pose to critical defense electric infrastructure, and the potential effect of those threats on the U.S. armed forces.

The report would also have to assess the benefits and challenges of isolating U.S. military infrastructure from the electric grid. Finally, the Pentagon would be required to recommend measures to mitigate these security risks.

The legislation was introduced by Rep. Jacky Rosen (D-Nev.) and is cosponsored by Reps. Elise Stefanik (R-N.Y.), Brian Fitzpatrick (R-Pa.) and Dan Lipinski (D-Ill.).

"I'm proud to work across the aisle to introduce this legislation that will help ensure America's military readiness by requiring top officials to identify and report any vulnerabilities that might jeopardize our core defense missions," said Rosen, who is a member of the House Armed Services Committee.

Similar legislation has already been introduced in the Senate by Sens. Elizabeth Warren (D-Mass.) and Thom Tillis (R-N.C.), both members of the Armed Services Committee.


--SMALL BIZ CYBER BILL CLEARS SENATE: The Senate passed legislation late last week that would require the federal government to offer more tools to small businesses to guard their networks from cyber threats.

The legislation offered by Sens. James Risch (R-Idaho) and Brian Schatz (D-Hawaii) directs the National Institute of Standards and Technology (NIST) to publish and disseminate resources to small businesses that choose to use the cybersecurity framework produced by the institute.

NIST, a standards laboratory under the Department of Commerce, produces and updates a cybersecurity framework for public and private entities.

Both Risch and Schatz cheered the unanimous passage of the bill in a voice vote late Thursday, citing the massive Equifax data breach earlier this month as the most recent reminder of stark cyber threats to businesses and other organizations.

The bill, swiftly approved by the Senate Commerce Committee in April, has a slate of bipartisan cosponsors, including Sens. John Thune (R-S.D.), the committee chair, and Bill Nelson (D-Fla.), the ranking member.




MTV is reviving "TRL" for the social media generation. (Wired)



Only about half of IT and business leaders globally think that their boards and executives are doing everything they can to safeguard their companies' digital systems, according to new research released Monday.

ISACA, a professional association focused on IT governance, polled hundreds of its members serving in high-level leadership and IT positions at organizations worldwide in order to take their temperature on the elevation of tech issues to the boardroom level.

Among the most interesting findings, 55 percent of respondents said that their leaders are doing everything to safeguard their respective companies' digital assets, while 21 percent said they are not.

Twenty-one percent reported that top leaders at their organizations are briefed on cybersecurity and other risk issues at every high-level meeting, while 39 percent said they are briefed at "some" of these meetings and 34 percent said their leaders are briefed "as needed."

One in three organizations reported assessing risks related to technology use every month.

Still, the research indicates that executives acknowledge the need to put a greater focus on technology issues and are working to do so. Two-thirds of organizations surveyed said they have boosted spending on risk management over the last year; more than 90 percent of those surveyed also agreed that better IT governance produces better economic outcomes.

ISACA's "Better Tech Governance is Better for Business" survey relied on responses from 732 ISACA members across the globe, the majority of them serving in high-level leadership and IT positions at their respective organizations.



SEC BREACH: Monday offered a new tidbit about the breach of the Securities and Exchange Commission last year that Chairman Jay Clayton said last month may have allowed hackers to profit from stolen insider information. Clayton, who testified before Congress last week that the full extent of the breach was still not known, revealed Monday that hackers accessed the personal information of two individuals by breaching the SEC electronic filing system in 2016.

Clayton said in a Monday statement that hackers accessed the birthdates and Social Security numbers of two people by breaching the SEC's EDGAR electronic filing system, through which publicly traded companies make public and private disclosures about their financial affairs.

The two individuals have been contacted and provided with identity theft prevention and assistance, Clayton said.

SEC officials previously said that no personal information was revealed during the breach, making Monday's revelation a notable change in the severity of the hack. Officials think the hackers may have profited by trading on insider information stolen from the EDGAR system.

Companies and investors send scores of forms through EDGAR on securities sales, initial public offerings, corporate financial information and structural plans. While much of the system is publicly accessible, it also contains private financial records that only regulators can see.

The SEC said Clayton learned about the personal information breach last Friday.




Links from our blog, The Hill, and around the Web.

Facebook to give Russian ads to Congress on Monday. (The Hill)

Opinion: Small businesses are cyber targets whether they know it or not. (The Hill)

SEC goes after two cryptocurrency scams. (The Hill)

GOP rep: Void in permanent IT roles won't hurt modernization push. (The Hill)

Facebook introduces new ad policies amid Russia probe. (The Hill)

Russian cybersecurity magnate Kaspersky slams Congress. (The Hill)

Top House Intel Democrat: Make Russian Facebook ads public. (The Hill)

Trump directive instructed Cyber Command to amp up pressure on North Korea. (Washington Post)

The NSA warned the White House about using personal email. (Politico)

Intel leaks spell difficulty for insider threat crackdown. (CyberScoop)
