REPORT: CYBERCRIME COSTS RISING – The cost of cybercrime to U.S. businesses is up again this year, according to a new report. In news that’s less surprising than it is stark, the average cost to a U.S. company of cybercrime is up nearly 10 percent from last year, according to the study from HP Enterprise Security and Ponemon Institute. Researchers put the average cost to U.S. businesses at $12.69 million, up from $11.1 million in last year’s report. The U.S. saw the highest cost of any country. But the report also found that security measures taken in advance by companies could significantly cut the costs. Companies were grouped based on Ponemon’s Security Effectiveness Score Index, which rates companies based on 24 measures of cybersecurity. The cost to the companies with the worst SES scores was nearly three times as high as the companies with the best SES scores. Deploying certain technologies or governance practices like having a CISO and certified professionals on staff each could save companies millions. The story: http://politico.pro/1ndxHN8
TODAY’S HOT TICKET: CATCHING UP ON CYBER WITH THE WH – The White House’s cyber czar will be the center of attention this morning when he addresses recent cyberattacks on financial institutions, including JPMorgan. Michael Daniel’s remarks this morning at the Center for National Policy will come the day after a New York Times report that President Barack Obama was regularly updated on the JPM investigation and had some questions about it (more on that below). At the event he’s headlining today, Daniel will address “government concerns about the latest breaches in the financial sector,” according to a preview provided by CNP, in addition to one of his pet issues — the cyber workforce. If that isn’t enough, the event will also feature a who’s who of cyber experts: George Washington University’s Frank Cilluffo, Black Hat’s Jeff Moss, New America Foundation’s Peter Singer and Northrop Grumman’s Vern Boyle. Say hi to Dave if you’re there, or catch the livestream at 9:30.
YAHOO WHITE HAT: YES, THE FBI VISITED ME – The security researcher who found that servers at Yahoo, WinZip and Lycos were compromised got a visit from the FBI after making his findings public — a case that he says illustrates the shades of gray in which he and other white-hat hackers operate. Jonathan Hall set up a trap for attacks using the Shellshock vulnerability, one of which he discovered was coming from a WinZip server, according to Wired. Hall traced the attack back, finding a network of infected computers run by Romanian hackers. Not only did he follow the attacks, he accessed one of the WinZip servers and executed a “kill” command that terminated the program. But in his work to, as he sees it, protect the Internet, Hall may have run afoul of anti-hacking laws himself.
After Wired published its story on Hall’s work, he put up a blog post expanding on the topic. He acknowledged he was operating in a gray area, but argued that the feds should not expend resources prosecuting him. “There’s a piece of it that’s really missing to qualify it as being worth prosecuting, in my opinion: criminal intent,” Hall wrote. He compared himself to a woman who stopped her car to let ducks cross the highway, which caused a chain-reaction fatal crash. And then he put the ball back in the FBI’s court: “So, yes. The FBI visited me. That’s sorta what happens when you email them two times and call them three, then publicly announce that you’re very disappointed in the reachability and response time.” The Wired story: http://wrd.cm/1qhJViZ and Hall’s blog: http://bit.ly/1yOmcRx
HAPPY THURSDAY and welcome to Morning Cybersecurity, where (shameless plug alert) your host today will be moderating a discussion with Crowdstrike co-founder Dmitri Alperovitch at Financial Services Roundtable’s Global Financial Summit. It’ll be livestreamed, if you want to tune in to the conversation about cybersecurity in the financial industry. As always, send your thoughts, tips and feedback to tkopan and follow @talkopan, @POLITICOPro and @MorningCybersec. Full team info is below.
NIST: RFI RESPONSES IN, JUST NOT UP – NIST is rejecting speculation that the agency hasn’t received any responses to the request for information it put out in August regarding experiences in implementing the cybersecurity framework. Although it has yet to post any of the responses online, it has received them, a NIST spokeswoman told MC. But asked to enumerate the responses or explain why none have been posted, the spokeswoman had no further comment. NIST has a reputation for transparency, so its refusal to post comments or say why it hasn’t done so is out of character. Comments will be posted after the RFI closes this Friday, the agency said. Here’s the RFI: http://1.usa.gov/1u8u0Hf and here’s the webpage where comments should appear: http://1.usa.gov/1vNWjgf
DRIP, DRIP, DRIP: WHITE HOUSE MONITORED JPM ATTACK – The New York Times had the big story of the day yesterday, reporting that President Obama and his national security staff were briefed periodically on the attacks on U.S. financial institutions this summer. Asked about the report, the White House told Dave that “the president is regularly briefed on matters of national security importance.” Obama pressed officials on whether the attacks were politically motivated Russian attempts at retaliation for the U.S.-led sanctions imposed on Russia after its aggression against neighboring Ukraine, the Times said. One senior official told the paper: “The question kept coming back, ‘is this plain old theft, or is Putin retaliating?’ … ‘And the answer was: We don’t know for sure.’” The story: http://nyti.ms/1seQMjJ