Focusing on the “why” of cybersecurity and not just the IT components involved is the only way to manage attacks like the recent Equifax hack (see 1710020021), Internet Security Alliance President Larry Clinton blogged. It has been 10 years since October was declared “Cybersecurity Awareness Month,” he said. “We can spike the football on the issue of cybersecurity awareness. Understanding the cybersecurity problem? Not so much.” Not only is the cyber system inherently vulnerable, criminals also stand to gain hugely from large-scale attacks, and Clinton wants more work on understanding why attacks occur. Friday, the White House said President Donald Trump declared October cybersecurity awareness month.
The FTC scheduled a Dec. 12 workshop on injuries to consumers when their information is misused, as expected (see 1709190040), said a Friday news release. The workshop will address how to characterize and measure such harms, their prevalence, and the factors businesses and consumers should consider in the collection and use of information that could risk consumer injuries. The agency seeks comment by Oct. 27. The event starts at 9 a.m. at 400 7th St. SW.
The National Institute of Standards and Technology is floating a draft updating guidelines for applying the risk management framework to information systems and organizations. A Thursday notice said the update to Special Publication (SP) 800-37, Revision 2 would provide closer linkage and communication between corporate-level risk management processes and operations and system activities, would demonstrate how NIST's Cybersecurity Framework can be implemented using the agency's risk management processes, and would integrate privacy concepts. It said institutionalizing risk-management preparatory activities would help identify and develop security and privacy baselines, reduce the complexity of IT infrastructure and prioritize assets. NIST seeks comments by Oct. 3 and anticipates publishing an initial public draft in November, a final draft in January and a final document in March.
Google received nearly 49,000 government requests globally for user data involving more than 83,000 accounts for the first half of 2017, it reported Thursday. Richard Salgado, director-law enforcement and information security, blogged that the information includes requests for user data in criminal cases and national security matters. In the first six months of 2016, Google received nearly 45,000 requests globally for data involving more than 76,700 accounts. In the U.S., Google received more than 16,800 requests -- including subpoenas, search warrants, court orders and emergency disclosures -- for user data from more than 33,700 accounts in the first six months of 2017. In the year-ago period, the company got nearly 13,700 requests about more than 27,200 U.S. accounts.
Most of two dozen federal departments and agencies continue to inadequately protect their information systems in FY 2016 due to ineffective implementation of security policies and practices, GAO reported Thursday. It said all or most had weaknesses in access controls, configuration management controls, segregation of duties, contingency planning and security management. GAO covered all cabinet departments, except Defense, and agencies such as NASA, the Office of Personnel Management and Small Business Administration. From FY 2006-15, information security incidents rose 1,303 percent to 77,183. In FY 2016, the number decreased to 30,899, probably due to changes in reporting guidelines. GAO said they "no longer required agencies to report noncyber incidents or incidents categorized as scans, probes, and attempted access." It said use of the National Cybersecurity Protection System that detects or blocks potential malicious network traffic also may have been a reason.
The Broadband Internet Technical Advisory Group launched a review of technical aspects of internet data collection and privacy, with a report expected early next year. In a Wednesday news release, BITAG, an advisory group of engineers and technologists, said the report will try to explain collection practices, such as types of data collected, where and how it takes place and what it's used for. The report will show the varied collection and use practices among ISPs, edge providers, advertising networks, app developers, equipment manufacturers and others and the tools and methods they apply, BITAG said.
A court-filed stipulation indicates the White House won't contest the assertion that President Donald Trump blocked Twitter users because they criticized him and his policies, said the Knight First Amendment Institute at Columbia University in a Wednesday news release. The institute sued the president in July on behalf of seven people blocked from the @realDonaldTrump account (see 1706060062). The stipulation (in Pacer), which was filed Monday with the U.S. District Court for the Southern District of New York, said: "Defendants have agreed that they will not contest Plaintiffs’ allegation that the Individual Plaintiffs were blocked from the President’s Twitter account because the Individual Plaintiffs posted tweets that criticized the President or his policies." Knight Institute Executive Director Jameel Jaffer said: "The White House’s concessions here amount to an acknowledgment that the president and his aides have engaged in viewpoint discrimination in violation of the First Amendment." Other defendants named are White House Social Media Director Dan Scavino, who has access to the president's Twitter account, and Communications Director Hope Hicks and Press Secretary Sarah Huckabee Sanders, neither of whom has access to the account, according to the stipulation. The White House didn't comment. It's scheduled to file an opening brief Oct. 13, with the institute set to file one Nov. 3.
Almost half of consumers in U.S. broadband households rank security and privacy as their biggest concerns about connecting devices to the internet, said Parks Associates Tuesday. "Smart home devices bring immense value, but they also create new vulnerabilities and added stress," said analyst Brad Russell.
It costs an organization $11.7 million on average this year to manage cybercrime incidents and recover from the resulting disruption, an increase of 23 percent from 2016, said research Tuesday by Accenture and the Ponemon Institute. Based on a global survey of 2,182 security and IT professionals from 254 organizations, the study found that an organization, on average, experiences 130 breaches a year, up 27 percent from last year. The four main impacts on organizations are business disruption, loss of information, loss of revenue and damage to equipment, said a news release. It said malware and web-based attacks are the costliest types, with companies spending, on average, $2.4 million and $2 million, respectively. Incidents involving "malicious insiders" take about 50 days to mitigate, and ransomware takes about 23 days, the study said. Globally, among seven industrialized countries, U.S. companies reported the highest total average cost of cybercrime, while Australia reported the lowest.
The Department of Education is committing at least $200 million in grant funding beginning at the start of FY 2018 to back K-12 training in the subjects of science, technology, engineering and math (STEM), “particularly among historically underserved groups,” President Donald Trump’s administration said Monday. The DOE funds will bolster private-sector contributions that will be announced later this week, an administration official said during a conference call with reporters. The White House noted concerns about a lack of access to tech education, with estimates showing fewer than half of U.S. high schools offer computer programming and lower participation in STEM subjects in rural communities and among women and minorities. The Internet Association believes the White House’s commitment, “in concert with other efforts, will expand computer science education pipeline for underserved groups, helping to fix these inequities and boost our economy,” said President Michael Beckerman in a statement.