8/27/2015 03:45 PM
Tom Kellermann
Commentary

Cybersecurity Under FTC Authority: What Does it Mean?

Consumers can now expect the same level of security and privacy in the digital realm as they do in the physical.

Earlier this week, a U.S. appellate court upheld the Federal Trade Commission's (FTC) authority to regulate corporate cybersecurity practices. This isn't the first time the U.S. government has stepped in to address security problems that cut across several industries, but it is significant progress.

In 2008, the CSIS Commission on Cybersecurity for the 44th Presidency called for immediate action, based on its research findings, and proposed recommendations to secure cyberspace and guide policy-making. However, because the commission had no regulatory power and no new laws followed, nothing was ever enforced.

This can largely be attributed to the widespread view that cybersecurity is a problem the market can solve on its own, on the presumption that adequate technology exists and that supply and demand will take care of the rest. The reality is that the market has failed. When that happens, economic theory says government must intervene through public policy, i.e., regulation or legislation. In this instance, the court has ruled that the FTC is the appropriate authority to preside over the digital security of Americans, not just their privacy. That view is very much in line with the European model, which makes no distinction between privacy and security: the two simply cannot be separated.

Under its affirmed powers, the FTC will continue to "prevent business practices that are anticompetitive, deceptive or unfair to consumers; enhance informed consumer choice and public understanding of the competitive process; and accomplish this without unduly burdening legitimate business activity." But the agency has now also been handed the mantle to protect online security.

What the future holds

What does this all mean? The FTC can now take action if it finds that a corporation lacked "due diligence" in protecting the digital security of Americans. The standard of care will lean on the best practices in place for that industry at the time. Gone are the days when companies could simply adopt whichever security measures they chose to protect the privacy of their customers.

A good example is Wyndham Worldwide Corporation's failure to protect customers' sensitive data across three breaches, which resulted in more than $10.6 million in fraudulent charges. Clearly, Wyndham cares deeply about the physical security of guests inside its hotels; when a guest walks into a Wyndham property they expect to feel safe. The ruling extends this to the cyber realm: consumers can now expect the same standard of personal security when they enter Wyndham's digital environment.

A corporate brand is fundamental to the tangible value of an organization. The reputational risk of failing to protect a brand from cyber attacks is already dramatic, and more so now that the FTC's powers can bring additional financial penalties on top. Now more than ever, failing to factor the reputational risk to the brand into adequate investment in cybersecurity is a deeply flawed business practice.

In a similar case, Anthem, the largest health insurer in the U.S., is being prosecuted by the FTC on the same rationale after its headline-grabbing breach, disclosed earlier this year. Whether this is justified will be left up to the experts. However, the resolution of this case will be significant because the insurer appears to have been compliant with HIPAA. The question, therefore, is whether the current healthcare security standards are sufficient in light of these cyber attacks.

Currently, many people are under the mistaken impression that compliance equals security. It does not. Best practices change as the cyber-threat landscape evolves, and that landscape evolves constantly. In fact, today the majority of compliance standards do not take into account the risks posed by mobility or cloud.

It's clear that an overarching policy with teeth is essential to establish strong cybersecurity standards that businesses of all sizes, across industries, must achieve. We applaud the move to position the FTC as that governing body. Trend Micro already works closely with law enforcement and government agencies to share information and ideas to thwart the growing avalanche of cybercrime we all face. We look forward to working with the FTC, and others, as well.

Tom Kellermann is the chief cybersecurity officer for Carbon Black Inc. Prior to joining Carbon Black, Tom was the CEO and founder of Strategic Cyber Ventures. On January 19, 2017, Tom was appointed the Wilson Center's Global Fellow for Cyber Policy. Tom previously ...
Comments
DDORMADY322, User Rank: Apprentice
8/28/2015 | 9:38:36 AM
We are so screwed
Like "childproof caps"* on medicines, it will make people more complacent.  

And as a result, more vulnerable.  

Not that the government has been that good a watchdog on cyber anyway...but I expect things to get worse, not better, for the average cyberconsumer.

---

* incidents of accidental child poisonings increased afterwards because people felt that the cap was all that was necessary and no longer did even the basics for keeping things where children couldn't get them.

Just too special, huh?

Typical governmental "Sounds good...let's legislate it!" without any valid studies showing that such an event will actually make things better.  Ex: Gun Free Zones...all emotional, not rational.


SgS125, User Rank: Ninja
8/28/2015 | 2:26:40 PM
So.... OPM will be fined heavily?
Gosh, I can hardly wait to see how many federal agencies it takes to secure the crazy patchwork of government overlap. Will the Inspector General's office also help the FTC secure the government's failure to adhere to NIST "suggestions"?

macker490, User Rank: Ninja
8/29/2015 | 7:55:33 AM
where the trail leads
Corporations today will be scurrying to follow "best practice" guides, as the consequences for failing to do so are becoming costly: civil settlements as in the Target case, executive jobs as in OPM and Ashley Madison, and fines as in the hotel case discussed here.

The best practice guide will fail, though: you cannot build a castle upon a foundation of sand, and as the foundations continue to fail, the legal actions against software security problems will expand and reach the OEM, which is where the trouble begins.

Just as Mr. Schneier noted: when sloppy work costs more than quality, we will see a shift to a zero-defect policy for software.

Dr.T, User Rank: Ninja
8/29/2015 | 8:52:14 AM
Regulation?
When did we see regulations take us to a place we want to go? This helps government contractors gain more profit and leaves all the rest struggling through outdated rules and restrictions in the long term, in my view.

Dr.T, User Rank: Ninja
8/29/2015 | 8:54:41 AM
Re: We are so screwed
I agree, but didn't we hear about one of the major hacks on government systems recently? Who is regulating the government? I would ask. :--))

Dr.T, User Rank: Ninja
8/29/2015 | 8:55:56 AM
Re: So.... OPM will be fined heavily?
Agree. Also, no need to regulate further. There is PCI, HIPAA, FERPA, SOX, GLBA, ... obviously they did not work, so they need more of them :--))

Dr.T, User Rank: Ninja
8/29/2015 | 8:58:29 AM
Re: where the trail leads
Agree. I also think we tend not to follow best practices. If we did, there would obviously be no SQL injection hacking, which can be avoided by following secure software development guidelines.

Dr.T, User Rank: Ninja
8/29/2015 | 9:01:34 AM
compliance vs. security
The article is quite informative. I agree that we should not assume compliance equals security, simply because compliance is driven by regulations and laws, and those are always behind what is happening in the real world.