
8/27/2015 03:45 PM
Tom Kellermann
Commentary
Cybersecurity Under FTC Authority: What Does it Mean?

Consumers can now expect the same level of security and privacy in the digital realm as they do in the physical.

Earlier this week, a U.S. appellate court upheld the Federal Trade Commission's (FTC) authority to regulate corporate cybersecurity, in the agency's long-running case against Wyndham Worldwide. While this isn't the first time the U.S. government has stepped in on a problem that cuts across several industries, this is significant progress.

In 2008, the CSIS Commission on Cybersecurity for the 44th Presidency called for immediate action, basing its recommendations for securing cyberspace and guiding policy-making on its research findings. However, because the commission had no regulatory power and no new laws followed, nothing was ever enforced.

This can largely be attributed to the fact that many view cybersecurity as a problem the market can resolve on its own, on the presumption that adequate technology exists and that supply and demand will take care of the rest. The reality is that the market has failed. When that happens, economic theory says the government must intervene through public policy, i.e. regulation or legislation. In this instance, the court has ruled that the FTC has the authority to preside over the digital security of Americans, beyond just their privacy. This is very much in line with the European model, which makes no distinction between privacy and security: they simply cannot be separated.

With its authority confirmed, the FTC will continue to “prevent business practices that are anticompetitive, deceptive or unfair to consumers; enhance informed consumer choice and public understanding of the competitive process; and accomplish this without unduly burdening legitimate business activity.” But the agency has now also been given the mantle to protect online security.

What the future holds

What does this all mean? The FTC can now take action when it finds that a corporation has failed to exercise “due diligence” in protecting the digital security of Americans; under the ruling, unreasonably weak data security can itself be an “unfair” practice under Section 5 of the FTC Act. The standard of care will lean on the best practices in place for that industry at the time. Gone are the days when companies could simply adopt whichever security measures they chose to protect the privacy of their customers.

A great example of this can be found in Wyndham Worldwide Corporation’s failure to protect customers’ sensitive data from three breaches, which resulted in more than $10.6 million in fraudulent charges. Clearly, Wyndham cares deeply about the physical security of its customers inside its hotels; when guests walk into a Wyndham property they expect to feel safe. The ruling extends this to the cyber realm: consumers can now expect the same standard of personal security when they enter Wyndham’s digital environment.

A corporate brand is fundamental to the tangible value of an organization. The reputational risk of failing to protect a brand from cyber attacks is dramatic, and more so now that FTC enforcement can add financial penalties on top of it. Now more than ever, ignoring that reputational risk by not investing adequately in cybersecurity is a deeply flawed business practice.

In a similar case, Anthem, one of the largest health insurers in the U.S., is facing FTC action on the same rationale over the headline-grabbing breach disclosed earlier this year. Whether this is justified will be left up to the experts. However, the resolution of this case will be significant because the insurer appears to have been compliant with HIPAA. The question, therefore, is whether current healthcare security standards are sufficient in light of these cyber attacks.

Currently, many people are under the mistaken impression that compliance equals security. This is simply not the case. Best practices change and evolve with the cyber-threat landscape, which is constantly shifting, while compliance standards lag behind it. In fact, today the majority of compliance standards do not take into account the risks posed by mobility or cloud.

It’s clear that an overarching policy, with teeth, is essential for the establishment of strong cybersecurity standards that businesses of all sizes across industries must achieve. We applaud the move to position the FTC as this governing body. Trend Micro already works closely with law enforcement and government agencies to share valuable information and ideas to thwart the growing avalanche of cybercrime we all face. We look forward to working with the FTC, and others, as well.

Tom Kellermann is the chief cybersecurity officer for Carbon Black Inc. Prior to joining Carbon Black, Tom was the CEO and founder of Strategic Cyber Ventures. On January 19, 2017, Tom was appointed the Wilson Center's Global Fellow for Cyber Policy. Tom previously ...
Comments
DDORMADY322
User Rank: Apprentice
8/28/2015 | 9:38:36 AM
We are so screwed
Like "childproof caps"* on medicines, it will make people more complacent.

And as a result, more vulnerable.

Not that the government has been that good a watchdog on cyber anyway... but I expect things to get worse, not better, for the average cyberconsumer.

---

* Incidents of accidental child poisonings increased afterwards because people felt that the cap was all that was necessary and no longer did even the basics for keeping things where children couldn't get them.

Just too special, huh?

Typical governmental "Sounds good... let's legislate it!" without any valid studies showing that such an event will actually make things better. Ex: Gun Free Zones... all emotional, not rational.
SgS125
User Rank: Ninja
8/28/2015 | 2:26:40 PM
So.... OPM will be fined heavily?
Gosh, I can hardly wait to see how many federal agencies it takes to secure the crazy patchwork of government overlap. Will the Inspector General's office also help the FTC secure the government's failure to adhere to NIST "suggestions"?
macker490
User Rank: Ninja
8/29/2015 | 7:55:33 AM
where the trail leads
Corporations today will be scurrying to follow "best practice" guides as the consequences for failing to do so are becoming costly: civil settlements as in the Target case, executive jobs as in OPM and Ashley Madison, and fines as in the hotel case discussed here.

The Best Practice guide will fail though: you cannot build a castle upon a foundation of sand, and as the foundations continue to fail the legal actions against software security problems will expand and reach the OEM, which is where the trouble begins.

Just as Mr. Schneier noted: when sloppy work costs more than quality we will see a shift to a zero-defect policy for software.
Dr.T
User Rank: Ninja
8/29/2015 | 8:52:14 AM
Regulation?
When did we see regulations take us to a place we want to go? This helps government contractors gain more profit and leaves all the rest struggling through outdated rules and restrictions in the long term, in my view.
Dr.T
User Rank: Ninja
8/29/2015 | 8:54:41 AM
Re: We are so screwed
I agree, but didn't we hear about one of the major hacks on government systems recently? Who is regulating the government? I would ask. :--))
Dr.T
User Rank: Ninja
8/29/2015 | 8:55:56 AM
Re: So.... OPM will be fined heavily?
Agree. Also, no need to regulate further. There are PCI, HIPAA, FERPA, SOX, GLBA, ... obviously they did not work, so they need more of them :--))
Dr.T
User Rank: Ninja
8/29/2015 | 8:58:29 AM
Re: where the trail leads
Agree. I also think we tend not to follow best practices. If we did, there would obviously be no SQL injection hacking, which can be avoided by following secure software development guidelines.
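The SQL injection point in the comment above, as an added example (not the commenter's or the article's code): the same login query written the way injection happens, by string formatting, beside the parameterized form that the secure development guidelines the commenter refers to call for. The users table, the credentials and the attacker strings are all constructed here for the demonstration, and passwords are stored in clear only to keep the example short.

```python
import sqlite3

# Constructed sample database for this example (not from the page): an
# in-memory users table with two accounts. Clear-text passwords are used
# only to keep the demonstration short; real code stores password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string formatting: user input becomes SQL syntax.
    This is the pattern that makes SQL injection possible."""
    query = (
        "SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, name, password):
    """Same statement with bound parameters: the driver hands the values to
    the engine as data, so quotes and comment markers inside them are inert."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


# Constructed attacker inputs. The first closes the name literal and comments
# out the password check; the second makes the WHERE clause always true.
SKIP_PASSWORD = "alice' -- "
DUMP_ALL = "' OR 1=1 -- "


def demo():
    """Runs honest and hostile inputs through both versions and returns the rows."""
    conn = make_db()
    return {
        "vuln_honest": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_skip_password": login_vulnerable(conn, SKIP_PASSWORD, "wrong"),
        "vuln_dump_all": login_vulnerable(conn, DUMP_ALL, "wrong"),
        "safe_honest": login_safe(conn, "alice", "s3cret"),
        "safe_skip_password": login_safe(conn, SKIP_PASSWORD, "wrong"),
        "safe_dump_all": login_safe(conn, DUMP_ALL, "wrong"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

Running it shows the asymmetry the guidelines exist for: the honest login returns alice's row from both versions, but only the string-formatted query lets the `alice' -- ` name log in with a wrong password, and only it returns every row for the `' OR 1=1 -- ` name; the parameterized query treats both strings as names that match nothing.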
Dr.T
User Rank: Ninja
8/29/2015 | 9:01:34 AM
compliance vs. security
The article is quite informative. I agree that we should not assume compliance equals security, simply because compliance is driven by regulations and laws, and that is always behind what is happening in the real world.