Friday Five: 4/19 Edition
Possible new regulation for the supply chain space, hijacking DNS, and another Facebook privacy misstep. Catch up on the week's news with this roundup!
1. Federal CISO floats potential for new supply chain regs by Derek B. Johnson
Always interesting to hear insight from inside, or even slightly outside, the beltway as it pertains to cybersecurity. Such was the case at one event held this week by the Intelligence and National Security Alliance, in which Grant Schneider, the Federal Chief Information Security Officer and Senior Director for Cybersecurity, National Security Council, shed some light on supply chain security and how regulations may be necessary to better outline risks in purchasing and acquisition. "As much as we are from an administration standpoint focused on reducing regulation, I will tell you that with the two [regulations] out for every one that comes in [rule], we … have headspace if we need to bring a regulation in around cybersecurity, and I actually think this is a place where we could do that, if it makes sense," Schneider said at the event, the INSA Spring Symposium: Managing the Evolving Cyber Landscape.
2. Cyberspies Hijacked the Internet Domains of Entire Countries by Andy Greenberg
A handful of publications had the embargo on this story, but we're linking this one because it has the wildest headline. It's true though: it's based on Cisco Talos research, published Wednesday, that says a new, nation state-backed group of hackers, dubbed Sea Turtle, has been targeting organizations, 40 in total, by changing websites’ DNS settings so they redirect traffic to a different man-in-the-middle server that intercepts it and spies on users. Per Cisco, the majority of the victims are governmental organizations, including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, based in the Middle East and North Africa. Countries like Albania, Armenia, Cyprus, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates were among those hit. While DNS hijacking operations like this aren't unheard of – DNSpionage, a similar attack campaign that ultimately prompted the US Department of Homeland Security to urge network admins to verify their DNS settings, was found targeting domains last year – it’s fascinating that this group has been in action so long; some attacks date back to January 2017.
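The DHS advice mentioned above boils down to one defensive habit: keep a known-good snapshot of your zone's delegation and address records and compare it against what the registrar and authoritative servers currently return, so a swapped NS or A record is caught before traffic lands on someone else's server. The script below is an added example written for this roundup, not code from Cisco Talos or from the original post. The domain name, nameservers and IP addresses are constructed placeholders (a reserved `.test` name and documentation address ranges); in practice the `observed` dictionary is filled from live queries of the registrar record and the authoritative servers.

```python
"""Detect unexpected changes to a zone's delegation and address records.

Added example, not part of the Cisco Talos report or the original post.
All names and addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# (owner name, record type) -> set of record data strings
RecordMap = Dict[Tuple[str, str], Set[str]]


@dataclass
class Finding:
    name: str        # record owner, e.g. "mail.example-ministry.test"
    rtype: str       # "NS", "A", "MX", ...
    expected: Set[str]
    observed: Set[str]

    def describe(self) -> str:
        added = sorted(self.observed - self.expected)
        removed = sorted(self.expected - self.observed)
        return f"{self.name} {self.rtype}: added={added} removed={removed}"


def check_dns_drift(baseline: RecordMap, observed: RecordMap) -> List[Finding]:
    """Compare a known-good snapshot against freshly queried records.

    Every record set that differs from the baseline is reported, including
    sets that appeared or vanished entirely. A hijack of the kind described
    above swaps NS or A data rather than deleting the zone, so the comparison
    is on exact set equality, not just on presence of the name.
    """
    findings: List[Finding] = []
    for key in sorted(set(baseline) | set(observed)):
        exp = baseline.get(key, set())
        obs = observed.get(key, set())
        if exp != obs:
            name, rtype = key
            findings.append(Finding(name, rtype, exp, obs))
    return findings


def severity(finding: Finding) -> str:
    """Rank a finding by what an attacker gains from it.

    An NS change hands over the whole zone (delegation hijack); an A, AAAA
    or MX change redirects one service's traffic; anything else is flagged
    for review but is less likely to be the campaign described above.
    """
    if finding.rtype == "NS":
        return "delegation"
    if finding.rtype in ("A", "AAAA", "MX"):
        return "redirection"
    return "other"


# Constructed known-good snapshot (reserved .test name, documentation IPs).
BASELINE: RecordMap = {
    ("example-ministry.test", "NS"): {"ns1.example-ministry.test.", "ns2.example-ministry.test."},
    ("example-ministry.test", "MX"): {"10 mail.example-ministry.test."},
    ("mail.example-ministry.test", "A"): {"192.0.2.10"},
}

# Constructed "current" answers in which the mail host's A record now points
# at an address the organisation does not own.
OBSERVED_REDIRECT: RecordMap = {
    ("example-ministry.test", "NS"): {"ns1.example-ministry.test.", "ns2.example-ministry.test."},
    ("example-ministry.test", "MX"): {"10 mail.example-ministry.test."},
    ("mail.example-ministry.test", "A"): {"198.51.100.7"},
}

# Constructed answers in which the delegation itself has been replaced.
OBSERVED_DELEGATION: RecordMap = {
    ("example-ministry.test", "NS"): {"ns1.attacker-placeholder.test."},
    ("example-ministry.test", "MX"): {"10 mail.example-ministry.test."},
    ("mail.example-ministry.test", "A"): {"192.0.2.10"},
}


if __name__ == "__main__":
    for label, observed in (("redirect", OBSERVED_REDIRECT), ("delegation", OBSERVED_DELEGATION)):
        for f in check_dns_drift(BASELINE, observed):
            print(f"[{label}] {severity(f):<11} {f.describe()}")
```

Run it on a schedule against the records your registrar and authoritative servers actually return, and treat any `delegation` finding as an incident rather than a ticket: once the NS set is under someone else's control, every other record can be rewritten at will.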
3. Filling the Cybersecurity Void by Josephine Wolff
Another good Josephine Wolff piece from Slate here; this one digs into the Canadian Privacy Commissioner's office's findings on Equifax, namely what Canada did that the U.S. hasn't: recommend the company's Canadian division “identify Canadians’ personal information that should no longer be retained by Equifax Inc. according to its retention schedule and delete it,” and provide a third-party security assessment and audit to the Canadian government every two years for the next six years. Wolff also points out how last week's Yahoo settlement - $117.5M for the three billion accounts affected between 2013 and 2016 - serves as a warning for Equifax: "The Yahoo settlement should be a clear warning for Equifax, which still faces major class-action lawsuits in the U.S. It’s a sign that even in the absence of serious regulatory intervention, there may still be ways for it to be held accountable for its actions and—much more importantly—be forced to strengthen its data security efforts moving forward."
4. Facebook says it 'unintentionally uploaded' 1.5 million people's email contacts without their consent by Rob Price
Stop me if you've heard this one before, but Facebook did something with its users’ data that it's apologizing for this week. The latest foible, uncovered by Business Insider, is that the company “unintentionally uploaded” the email contacts of 1.5 million of its users without informing them. The company first started doing so way back in May 2016, whenever new users opened an account. If a user entered their email password - a way of verifying user accounts prior to 2016 - it siphoned up contact data without any warning. “These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings,” the company told the publication this week. The contacts were used to bolster Facebook's ad targeting, build its web of social connections, and recommend friends to add, according to Business Insider. This, of course, is just the latest misstep by Facebook, a company that’s had so many it’s getting a little difficult to keep track of them all. Related reading: Wired’s nearly 13,000-word cover story this month on the turmoil inside the social network.
5. IAPP FAQs: Are GDPR-compliant companies prepared for CCPA? by Caitlin Fennessy
Not an article per se, but an enormously helpful Q&A via Caitlin Fennessy, CIPP/US, the International Association of Privacy Professionals' senior privacy fellow. In this 10-part FAQ, Fennessy evaluates the California Consumer Privacy Act (CCPA) and how it will affect consumers, companies outside of California, nonprofit organizations, and small businesses. She also illustrates key differences between the CCPA and GDPR, and whether or not it enters into force on January 1 or July 1 of next year. It's all relatively straight to the point, but it's worth noting, as the IAPP does, that it shouldn't be mistaken for legal advice.