Cybersecurity News

OPM suspends background check system to patch security bug
Security Week
06/30/15

The U.S. Office of Personnel Management (OPM) announced June 29 that it has temporarily suspended its Electronic Questionnaires for Investigations Processing (e-QIP) system after discovering the existence of a security bug. Following the recent OPM data breach, the agency started conducting a comprehensive security review of its IT systems which revealed the existence of a vulnerability in e-QIP, a web-based system used to conduct background checks for federal security, fitness, suitability, and credentialing purposes. According to the OPM, the temporary shutdown of the e-QIP system is not related to the recent breach; it is a proactive step taken to ensure the security of the organization’s network.


After hack, officials pull plug on Pentagon and OPM background check systems
Next Gov
06/29/15

A Defense Department Web system that tracks employee background investigations will be offline for an unspecified amount of time while officials fix security holes in a civilian agency database connected to the tool, according to department officials. A vulnerability in an Office of Personnel Management tool that links to the Pentagon's "Joint Personnel Adjudication System" was discovered during a probe into one of the worst known hacks to hit the U.S. government. On June 29, officials announced that OPM's e-QIP system, the online tool used for submitting background check forms, would be taken offline for four to six weeks while security improvements are made.


I helped invent the Internet of Things. Here’s why I’m worried about how secure it is.
Politico
06/30/15

Sanjay Sarma, a mechanical engineering professor at MIT who, 17 years ago, was part of a team that helped launch the research effort that laid some of the groundwork for the Internet of Things (IoT), writes about his concerns over the security threats facing that environment.


Should FedRAMP be the standard for all public sector?
FCW
06/30/15

The Federal Risk and Authorization Management Program is the law of the land for federal agencies looking to the cloud, but could FedRAMP become a broader standard for other governments as well? Private-sector cloud providers have expressed a desire to leverage FedRAMP approval in other markets, and Canadian officials are looking at how Canada might adopt that approach. And while GSA has neither the authority nor the desire to mandate FedRAMP compliance at other levels of government, GSA's FedRAMP director said voluntary adoption was certainly something to encourage and that, at the state level, "GSA and FedRAMP have worked with the National Association of State CIOs since inception."


CIO Scott seeks new framework for government cloud
FCW
06/30/15

The devastating hacks of the legacy systems at the Office of Personnel Management are a reminder that government needs to move off of antiquated IT and into modern systems built with integrated security. Federal CIO Tony Scott is urging cloud vendors to come up with solutions that operate at the government scale.


DHS group wants Homeland Security to share database of cyber incidents with private sector
Next Gov
06/29/15

A Department of Homeland Security working group is coming up with reasons to create a "cyber incident data repository," in which federal agencies and key industries could anonymously share information about cyber risks. The effort builds on a 2015 White House executive order encouraging more cyberthreat information sharing between the public and private sectors, especially through new groups called "information sharing and analysis organizations."


OPM contractors in the crosshairs
FCW
06/24/15

During congressional hearings over the past few weeks, both OPM's leadership and federal contractors have been sharply criticized by lawmakers for their failures related to the series of breaches that have plagued OPM over the past several years. But despite harsh language and a panel of top leadership, many tough questions – on issues ranging from how the breaches occurred to how many people have been affected – remained unanswered.


Warren: Cyber won't suffer in VA budget crunch
FCW
07/01/15

Despite a looming $2.5 billion shortfall, efforts to maintain cybersecurity at the Department of Veterans Affairs won't face budget cuts, according to the agency's top tech official.


McCaul says OPM hack should push Senate to act on cyber
FCW
06/24/15

The recently disclosed theft of information on federal employees from government systems should provide the Senate with the necessary urgency to pass cybersecurity threat information sharing legislation, according to one of the bill's key sponsors in the House, Rep. Michael McCaul (R-TX), chairman of the House Homeland Security Committee.


Parsing the cyber bills in the 114th Congress
FCW
06/19/15

Congress is looking at several cybersecurity bills that try to accomplish the same thing in different ways: to make the sharing of cyber-threat information between the private sector and the government easier. The Congressional Research Service has analyzed two bills that have passed the House – the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPAA) – along with the Senate’s Cybersecurity Information Sharing Act (CISA). CISA and PCNA are similar to each other, while NCPAA focuses on DHS' role in information sharing. PCNA focuses more on the intelligence community and the nascent cyber intelligence agency being stood up at the Office of the Director of National Intelligence.


Halvorsen's Silicon Valley trip shakes up JRSS
FCW
07/01/15

A visit by the Defense Department’s top IT official to Silicon Valley in April has altered the software makeup of a key DoD-wide IT security project. The forthcoming request for proposals for Joint Regional Security Stacks (JRSS) software will ask vendors to incorporate big-data analytics capabilities that DoD Chief Information Officer Terry Halvorsen observed firsthand in Northern California. Specifically, the next iteration of the software known as the Joint Management System should be able to harvest security insights from data that is not intuitively security-related.


JIE's behind-the-scenes tug of war
C4ISR & Networks
06/29/15

The Joint Information Environment, the Defense Department's massive undertaking to unify military IT equipment and services, has been both a major point of focus and a lightning rod in recent years. One top DoD official recently blasted a lack of progress and territorial disputes over the network, pointing to cultural resistance in the services. Among the issues under dispute are localized control of parts of the DoD network, the ongoing transition to joint regional security stacks designed to provide better DoD-wide network visibility, and the overall ceding of network management to a more centralized DoD IT approach to network command and control.


Cyber Guard exercise expands to whole-of-nation defense
Defense Systems
07/02/15

Over 100 organizations from government, academia, industry and the international community recently conducted the fourth annual Cyber Guard exercise, which focused on building a whole-of-nation approach to defending networks, protecting infrastructure and sharing information across established lines. Among the objectives of Cyber Guard are to: 1) Improve the ability of forces to defend DoD networks, secure data and mitigate risks to missions; 2) Be prepared to defend the U.S. homeland and vital interests from disruptive or destructive cyberattacks; 3) Improve shared situational awareness between government agencies, the private sector and allied partners; and 4) Improve the ability to rapidly detect and effectively respond to a cyberattack on critical infrastructure, which requires whole-of-nation effort.


Army giving cyber warriors a training range of their own
Defense Systems
06/26/15

The Army has been building up its cyber workforce, but once those soldiers are in the door they still have to be trained. In order to help speed up the process, the service’s Communications Electronic Command, or CECOM, is launching a new training range dedicated to cyber operations. The Cyber Battle Ground is expected to be open to all units in late 2015.


Smaller companies seek cybersecurity
NorthJersey.com
06/28/15

When it comes to hacker attacks and data breaches, small businesses are targets, too. Cybersecurity consultant Karl Kispert told a recent gathering of about 70 information technology professionals and small-business owners at a New Jersey cybersecurity conference that, "If I’m a hacker, the weakest link is a vendor with few, if any, controls around their IT environment."

The event emphasized the risks and the potential for financial liabilities at smaller companies, which experts said are real and growing, and business owners need to be prepared.

U.S. intelligence chief calls China ‘leading suspect’ in OPM breach
Federal News Radio
06/26/15

James Clapper, the director of National Intelligence, said June 25 that China was the likely culprit in a cyber attack which stole millions of employee records from the Office of Personnel Management. He stopped short of directly blaming the Chinese government, but said Beijing was the “leading suspect.” Clapper’s somewhat-offhanded attribution for the attack came in the context of a question and answer session following a speech at the annual GEOINT symposium in Washington. He was the first administration official to publicly assign suspicion for the OPM breach to any particular actor, but his answers also indicated that the intelligence community is operating under the assumption that China was responsible.


Committee grills DHS official over EINSTEIN's failure to prevent OPM attack
Next Gov
06/24/15

House members on June 24 pointedly asked a Department of Homeland Security official why the department's multibillion-dollar cyber traffic-monitoring system known as EINSTEIN failed to prevent intruders from breaching the Office of Personnel Management and extracting sensitive files on millions of federal employees.


OPM breach may have exposed feds’ sex lives, info about security clearance references
Government Executive
06/25/15

The total number of people affected by the cybersecurity attacks on Office of Personnel Management databases and the entire universe of information exposed to hackers remains unknown – one of the few concrete takeaways from a congressional hearing June 25, the week’s third public discussion on the massive security breach. Hackers could have obtained a vast array of personal information, not just about federal employees, but about their friends and family members as a result of a breach related to security clearance information provided on the SF-86 questionnaire.


Kaspersky software reverse engineered by NSA, GCHQ: Report
ZDNet
06/23/15

Edward Snowden, the former NSA contractor and whistleblower, has leaked documents that claim the US National Security Agency (NSA) and UK Government Communications Headquarters (GCHQ) have actively reverse engineered security and anti-virus software to obtain intelligence, according to a report by The Intercept. The documents obtained reportedly highlight the Russian software security firm, Kaspersky Lab, as one of the main targets, with GCHQ reverse-engineering Kaspersky's anti-virus software looking for vulnerabilities that could be subverted.


U.S., China agree to cybersecurity code of conduct
SC Magazine
06/26/15

After a tumultuous couple of years of exchanging accusations and expressing distrust over cyberespionage and spying – most recently with Director of National Intelligence (DNI) John Clapper laying responsibility for the Office of Personnel Management (OPM) breaches squarely at the feet of the Chinese – the U.S. and China said they've reached an accord of sorts, a code of conduct for cybersecurity going forward. The code emerged after a three-day U.S.-China Strategic and Economic Dialogue.


What city officials need to know about cybersecurity
Government Technology
06/23/15

Recent highly publicized cybersecurity breaches in both the private and public sectors have captured the attention of local government agencies, raising awareness of these challenges. Consequently, many city officials are looking at how to address historically underfunded municipal cyberdefense programs.


Theft of Saudi documents suggests an Iranian hack
The Washington Post
06/26/15

The purported theft of confidential Saudi documents that have been released by WikiLeaks bears the hallmarks of Iranian hackers linked to cyberattacks in more than a dozen countries, including the United States, according to cybersecurity experts and Middle East analysts.


NIST issues final guidance on federal contractor cybersecurity standards for controlled unclassified information
JD Supra
06/24/15

On June 19, NIST published the final version of guidance for federal agencies to ensure sensitive information remains confidential when stored outside of federal systems. Special Publication 800-171 is step two in a three-part plan to ensure the confidentiality of sensitive federal information no matter where it is stored. As data breaches continue to make near-daily news, federal contractors not using the “recommendations” laid out in SP 800-171 would be wise to take another look, as they contain, more than ever, the Government’s express expectations of how it wants its information protected.


DHS rushes to complete cyber defense programs for agencies
Federal News Radio
06/25/15

The Department of Homeland Security says it is ramping up its efforts to detect cyber threats against agencies both inside their networks and at the points at which they intersect with the public Internet. DHS’s current plan would buy enough hardware and software to cover 97 percent of all non-defense agencies’ IT systems with the first phase of its Continuous Diagnostics and Mitigation (CDM) program by the end of this year; so far, CDM has been implemented at just eight agencies, representing about half the users on the civilian side of the government. DHS also says it is pushing for faster governmentwide adoption of the latest iteration of its EINSTEIN program.


The cloud, FedRAMP and FISMA compliance
Help Net Security
06/25/15

Many federal agencies and government contractors are migrating to cloud-based computing, a trend that will pick up speed as the cloud becomes more efficient, more affordable, and more secure, and Deltek estimates the Federal Cloud market will grow by $6.4 billion by 2019. The push for FedRAMP is a concerted effort by the government to deploy a ‘do once, use many’ strategy to better secure all regulated data. But relinquishing jurisdiction over platforms, storage, and applications makes government security officers nervous, and rightfully so. Agencies and government contractors are responsible for FISMA compliance, and moving to the cloud shifts a significant amount of that responsibility and risk to the Cloud Service Provider (CSP).


Einstein the only winner from another flaying of OPM on the Hill
FCW
06/25/15

Obama administration officials on June 25 took another round of verbal flaying from Congress over IT security practices in the aftermath of the devastating hack of the Office of Personnel Management. The only winner from the Senate Homeland Security and Governmental Affairs Committee hearing was a federal cybersecurity program known as Einstein: the committee’s ranking Democrat said he was readying fresh legislation to accelerate the program. While noting that Einstein is “not a panacea” for cyber vulnerabilities, Sen. Tom Carper (D-DE) said he and Chairman Ron Johnson (R-WI) were working on a bill to increase adoption of the program at civilian agencies while requiring that leading security technologies be deployed.


OPM chief’s new cyber defense operation has potential, private investigators say
Next Gov
06/28/15

A cyber strategy announced last week by the head of the agency that hackers robbed of sensitive dossiers on federal employees has potential to deter future attacks, say private investigators who probe computer espionage campaigns. During multiple Capitol Hill appearances, Katherine Archuleta, director of the Office of Personnel Management, referenced 15 actions OPM will take to safeguard and upgrade the agency’s information technology systems.


OPM fires back at hack criticism, vows further reform
Federal Times
06/24/15

The Office of Personnel Management fired back June 24 against criticisms that it dropped the ball on guarding the personal and background check information of millions of current and former federal employees. The agency has released a security action report of all the cybersecurity improvements it has made over the last few years as well as a plan to boost its cybersecurity posture in the future.


OPM goes on offensive with 15-step cyber improvement plan
Federal News Radio
06/25/15

The Office of Personnel Management has released an eight-page, 15-step plan to make a host of cyber improvements over the next six months. The steps include hiring a new cybersecurity advisor who will report directly to the administrator; holding a summit with private sector security experts in the coming weeks to learn from their experiences and see if there are things OPM can borrow from their successes and failures; completing deployment of two-factor authentication using smart identity cards for all employees to log on to the network by Aug. 1; and planning to encrypt all databases that are on modern technology platforms and can accept encryption by July 15. But OPM's Inspector General is not satisfied with these steps.


OPM hack may finally end overuse of 'privileged' user access
The Christian Science Monitor – Passcode
06/26/15

Office of Personnel Management attackers entered the agency's network with a username and password belonging to an external contractor. As a result, security experts are renewing calls for stricter limits on this kind of privileged access.


DHS restructures CIO office
Next Gov
06/26/15

The Department of Homeland Security plans to restructure its Office of the Chief Information Officer, including adding a new position to help the agency better procure technology. DHS is creating a new deputy chief information officer position, whose responsibility will be to oversee enterprise operations monitoring, service operations and service improvement, among other spheres.


Defense officials: Times are good for small business contractors
National Defense
06/28/15

According to the fiscal year 2014 small business federal scorecard, the federal government overall awarded 24.9 percent of all prime contracts to small businesses in 2014, or about $91.7 billion. Defense contracts accounted for more than half, at $54.3 billion. The Pentagon has made a deliberate effort over the past five years to boost small business contracting, said a key DoD official, and the Department’s “better buying power” procurement guidelines specifically promote the use of small businesses.


Joint Chiefs official blasts cultural resistance to major IT projects
FCW
06/28/15

Two of the Pentagon's major IT security initiatives face stiff cultural resistance, a key Pentagon official lamented at a June 24 event. In a blunt tour de force of the state of Defense Department IT security, Lt. Gen. Mark Bowman – the Joint Chiefs of Staff's director of command, control, communications and computers (J-6) – declared himself unhappy with progress on command and control of DOD Information Networks (DODIN), and with the Joint Regional Security Stacks, a major cybersecurity initiative.


DISA debuts new classified mobile access and devices
GCN
06/25/15

Defense Department mobile users can now access classified voice and data, up to the secret level, from anywhere in the world. Now operational, the Defense Mobile Classified Capability – Secret (DMCC-S) provides better performance, a mobile device management system and a new secure mobile device with enhanced graphics, improved sound quality and a longer battery life than earlier devices, according to Kim Rice, the Defense Information Systems Agency’s mobility portfolio manager. DMCC-S mobile devices are commercial smartphones with some features, such as the camera, GPS and Bluetooth, disabled.


DoD advancing JIE via joint regional security stacks
C4ISR & Networks
06/18/15

The Defense Information Systems Agency is moving forward with implementation of the joint regional security stacks that comprise the highest-profile pieces of the Joint Information Environment. JRSS, in its current "1.0" iteration, is up and running at Joint Base San Antonio, with Fort Bragg or Fort Hood up next for stateside implementation and ongoing progress at global locations.


5 things you probably missed in the Verizon DBIR
Information Week
06/25/15

This year's massive Verizon Data Breach Investigations Report (DBIR) came with the usual popular data and rare insight on real-world incidents and breach cases, with the addition of loads of data contributed by 70 other organizations from around the world. Unless you've been combing the DBIR regularly since it was published in April, there's a good chance you missed a few things in it. Marc Spitler, co-author of the DBIR and senior risk analyst with Verizon, shares some of the lesser-noticed or less-publicized nuggets from the report.


How to find the best cyber security insurance for your firm
Reuters (opinion)
06/26/15

Interest in cyber insurance has surged over the past year following a number of high-profile hackings. In response, many industries, and the financial services industry in particular, have stepped up their vigilance against cyber crimes. But a robust cyber security insurance policy can be tricky to procure, even for the most meticulous wealth management firms. About 50 insurance carriers offer cyber insurance in the United States – here are some tips on finding the best policy for your firm.


CAC change aids visually color impaired security officers
Department of Defense News
06/25/15

The Defense Department’s common access card is undergoing a federally mandated modification to make it easier for visually color-impaired security officials to identify bearers who are military, government or contractor civilians, or foreign nationals.


Tractica predicts facial recognition technology on 122 million devices by 2024
BiometricUpdate.com
06/26/15

Tractica has published a new report entitled “Facial Recognition,” which predicts that annual facial recognition devices and licenses will increase from 28.5 million in 2015 to more than 122.8 million worldwide by 2024. The report examines the market for facial recognition biometrics hardware and software, including 10-year forecasts for the period from 2015 through 2024.