
Endpoint // Privacy

8/27/2015 03:45 PM
Tom Kellermann
Commentary

Cybersecurity Under FTC Authority: What Does it Mean?

Consumers can now expect the same level of security and privacy in the digital realm as they do in the physical.

Earlier this week, a U.S. appellate court upheld the Federal Trade Commission's (FTC) authority to regulate corporate cybersecurity. While this isn’t the first time the U.S. government has stepped in to address problems that cut across several industries, this is significant progress.

In 2008, the CSIS Cybersecurity Commission for the 44th Presidency called for immediate action based on research findings and proposed recommendations to secure cyberspace and guide policy-making. However, without regulating power or creating new laws, no enforcement was put into place.

This can largely be attributed to the fact that many view cybersecurity as a problem that can be resolved through the market with the presumption that there is adequate technology, as well as supply and demand. However, the reality is the market has failed. When this occurs in economic theory, it is necessary for the government to intervene through public policy, i.e. regulation or legislation. In this instance, the courts have ruled the FTC is the ideal authority to preside over the digital security of Americans beyond just privacy. This mentality is very much in line with the European model that makes no distinction between privacy and security – they simply cannot be separated.

Under its new powers, the FTC will continue to “prevent business practices that are anticompetitive, deceptive or unfair to consumers; enhance informed consumer choice and public understanding of the competitive process; and accomplish this without unduly burdening legitimate business activity.” But, the agency now has been given the mantle to protect online security.

What the future holds

What does this all mean? The FTC can now take action if the agency claims a corporation lacks “due diligence” in protecting the digital security of Americans. The standard of care will lean on best practices in place for that industry at the time. Gone are the days when companies can simply adopt security measures they choose to protect the privacy of their customers.

A great example of this can be found in Wyndham Worldwide Corporation’s failure to protect customers’ sensitive data across three breaches, which resulted in more than $10.6 million in fraudulent charges. Clearly, Wyndham cares deeply about the physical security of its customers inside its hotels; when a guest walks into a Wyndham property they expect to feel safe. The ruling extends this to the cyber realm: consumers can now expect the same standard of personal security when they enter Wyndham’s digital environment.

A corporate brand is fundamental to the tangible value of that organization. The reputational risk of failing to protect a brand from cyber attacks is dramatic, even more so with the new FTC policies, which can impose additional financial punitive measures. Now more than ever, failing to account for reputational risk by investing adequately in cybersecurity is a deeply flawed business practice.

In a similar case, Anthem, the largest healthcare provider in the U.S., is being prosecuted by the FTC based on the exact same rationale following a headline-grabbing breach last year. Whether this is justified will be left up to the experts. However, the resolution of this case will be significant because the provider appears to have been compliant with HIPAA. Therefore, the question is whether the current healthcare security standards are sufficient in light of these cyber attacks.

Currently, many people are under the mistaken impression that compliance equals security. This is simply not the case. Best practices change and evolve with the cyber-threat landscape, which is constantly shifting. In fact, today the majority of compliance standards do not take into account the risks posed by mobility or cloud.

It’s clear that an overarching policy, with teeth, is essential for the establishment of strong cybersecurity standards that businesses of all sizes across industries must achieve. We applaud the move to position the FTC as this governing body. Trend Micro already works closely with law enforcement and government agencies to share valuable information and ideas to thwart the growing avalanche of cybercrime we all face. We look forward to working with the FTC, and others, as well.

Tom Kellermann is the Head of Cybersecurity Strategy for VMware Inc. Previously Tom held the position of Chief Cybersecurity Officer for Carbon Black Inc. In 2020, he was appointed to the Cyber Investigations Advisory Board for the United States Secret Service and ...
Comments
Dr.T, User Rank: Ninja
8/29/2015 | 9:01:34 AM
compliance vs. security
The article is quite informative. I agree that we should not assume compliance equals security, simply because the compliance is driven by regulations / laws and that is always behind what is happening in the real world.
Dr.T, User Rank: Ninja
8/29/2015 | 8:58:29 AM
Re: where the trail leads
Agree. I also think we tend to not follow best practices. If we did, there would obviously not be SQL Injection hacking, which can be avoided by following secure software development guidelines.
Dr.T, User Rank: Ninja
8/29/2015 | 8:55:56 AM
Re: So.... OPM will be fined heavily?
Agree. Also, no need to regulate further. There are PCI, HIPAA, FERPA, SOX, GLBA, ... obviously they did not work, so they need more of them :--))
Dr.T, User Rank: Ninja
8/29/2015 | 8:54:41 AM
Re: We are so screwed
I agree, but didn't we hear about one of the major hacks on government systems recently? Who is regulating the government? I would ask. :--))
Dr.T, User Rank: Ninja
8/29/2015 | 8:52:14 AM
Regulation?
When did we see regulations take us to a place we want to go? This helps government contractors to gain more profit and leaves all the rest struggling through outdated rules and restrictions in the long term, in my view.
macker490, User Rank: Ninja
8/29/2015 | 7:55:33 AM
where the trail leads
corporations today will be scurrying to follow "best practice" guides as the consequences for failing to do so are becoming costly: civil settlements as in the Target case -- executive jobs as in OPM and Ashley-Madison -- and fines as in the hotel case discussed here

the Best Practice guide will fail though: you cannot build a castle upon a foundation of sand and as the foundations continue to fail the legal actions against software security problems will expand, and reach the OEM -- which is where the trouble begins.

just as Mr. Schneier noted: when sloppy work costs more than quality we will see a shift to a zero-defect policy for software.
SgS125, User Rank: Ninja
8/28/2015 | 2:26:40 PM
So.... OPM will be fined heavily?
Gosh I can hardly wait to see how many federal agencies it takes to secure the crazy patchwork of government overlap. Will the Inspector General's office also help the FTC secure the government's failure to adhere to NIST "suggestions"?
DDORMADY322, User Rank: Apprentice
8/28/2015 | 9:38:36 AM
We are so screwed
Like "childproof caps"* on medicines, it will make people more complacent.

And as a result, more vulnerable.

Not that the government has been that good a watchdog on cyber anyway...but I expect things to get worse, not better, for the average cyberconsumer.

---

* incidents of accidental child poisonings increased afterwards because people felt that the cap was all that was necessary and no longer did even the basics for keeping things where children couldn't get them.

Just too special, huh?

Typical governmental "Sounds good...let's legislate it!" without any valid studies showing that such an event will actually make things better.  Ex: Gun Free Zones...all emotional, not rational.