Friday Five 7/30
Securing the nation's critical infrastructure, CISOs in high demand, and a new record GDPR fine - catch up with the week's infosec news with this week's Friday Five!
1. Biden orders voluntary cybersecurity performance goals for electric utilities, other critical sectors by Robert Walton
The Biden administration outlined plans to better secure the nation's critical infrastructure this week in the form of a presidential memorandum. In the notice, issued on Wednesday, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Commerce's National Institute of Standards and Technology (NIST) were tasked with developing cybersecurity performance goals for organizations that oversee critical infrastructure like the power, water, and transportation grids. While the goals will be voluntary, an unspecified senior administration official stressed on Tuesday that the federal government can't [secure our critical infrastructure] alone and that the country's current posture is "woefully insufficient given the evolving threat we face today."
2. Cybersecurity Chiefs Are in High Demand as Companies Face Rising Hacking Threats by Catherine Stupp
The Wall Street Journal breaks down a new report that looks at the drive to hire chief information security officers, or CISOs. The report, via Heidrick & Struggles International, queried CISOs around the world, 354 in total, and asked them if they were in a global role (86% were) and how long they've been in the role (28% said they've been a CISO for more than five years). While only 11% said they directly report to the CEO, the majority, 90%, said they at least present directly to the company's board, 75% of them on a quarterly basis. CISOs have been in demand worldwide lately, especially as companies try to keep up with an increase in cybersecurity threats like ransomware that can add pressure and stress to an organization's board room.
3. Amazon Gets Record $888 Million EU Fine Over Data Violations by Stephanie Bodoni
The data protection world saw a new record set this week when CNPD, Luxembourg's data protection authority, announced that earlier this month it fined Amazon $888 million - 746 million euros - for violating the European Union's General Data Protection Regulation. The penalty, the highest GDPR fine in history, comes as a result of a 2018 complaint filed on behalf of 12,000 people by the French group La Quadrature du Net shortly after the GDPR took effect. Amazon rejected the news and said it plans to appeal the fine. "There has been no data breach, and no customer data has been exposed to any third party," the company said in a statement.
4. A Controversial Tool Calls Out Thousands of Hackable Websites by Andy Greenberg
Great story, as usual, via Wired's Andy Greenberg, on Punk Spider, a web vulnerability search engine from a few years ago that's getting revamped and relaunched at Defcon, the hacker conference in Las Vegas, next week. The idea is that the site can be used to identify vulnerabilities in websites and let anyone review those sites - a potentially dangerous thing to do - but also something that should hopefully get website operators to fix the problems once they've been highlighted. "It's a controversial project. It's not black and white. But we need to try something new," Caceres, one of Punk Spider's creators, told Greenberg. "If I created a monster here, it's because I had to try something."
5. A Tech Firm Has Blocked Some Governments From Using Its Spyware Over Misuse Claims by Daniel Estrin
For those keeping up with the ongoing NSO Group/Pegasus saga, the latest domino to fall has seen the company, which essentially peddles spyware, block some of its government clients from using its technology while it investigates potential misuse. NPR digs into the news further and recaps some of the recent Pegasus Project stories that have linked NSO's Pegasus to at least 155 people - journalists, politicians, civilians, etc. - who were either targets or potential targets for surveillance.