Dark Reading is part of the Informa Tech Division of Informa PLC


Operational Security

12/21/2017 08:55 AM
Joe Stanganelli
News Analysis-Security Now

My Cybersecurity Predictions for 2018, Part 2: GDPR Hype Is Hype

GDPR is the biggest thing in IT privacy and security in a decade. Or it's not. Joe Stanganelli on what 2018 will hold in GDPR-driven privacy.

Cybersecurity predictions rely on hype -- and GDPR is full of it.

Despite occasionally finding a decent one, I generally don't like the batches of annual InfoSec predictions that infiltrate the Internet en masse this time of year. It seems that most blog posts, reports, and articles bearing cybersecurity predictions are either so broadly stated or so reliant on the obvious that they can't go wrong. In trying to be thought leadership, such pieces wind up being thought followership.

In this series of cybersecurity predictions for 2018, I am attempting to be an InfoSec "anti-prognosticator" of sorts. I have strived to make my own predictions sufficiently wild and sufficiently specific such that there is a genuinely strong chance that they are wrong -- yet grounded in reality enough such that they could come true. I've also tied in some detailed explanations of my reasoning so it doesn't seem too much like I'm just sitting here making stuff up that sounds good as I go along.

In my first prediction, I looked towards Washington bureaucrats -- the FTC in particular -- and what will likely be their overeager approach to cybersecurity in 2018. Now, in Part 2 of this series, I focus the signals of my crystal e-ball on Washington's counterparts in Europe -- but coming up with a vision very different from my last one. (See My Cybersecurity Predictions for 2018, Part 1: Following Trends & the FTC.)

2018 Prediction No. 2: GDPR will be a big, fat nothing.

The EU's General Data Protection Regulation (GDPR) takes effect on May 25, 2018 -- impacting all organizations around the world that collect and/or share data on EU citizens and residents. Those who run afoul of the regulatory scheme, regardless of where they are situated globally, risk fines of up to four percent of their annual revenues or €20,000,000 -- whichever is greater. For companies in the data business (and what company isn't, these days?), May 25, 2018, represents a doomsday countdown similar to that of Y2K.

And, similar to Y2K, nothing will happen.

Indeed, many enterprises in the data-freewheeling US tend to fall into either of two categories when it comes to approaches to GDPR:

  1. Completely losing their minds as they struggle with gearing up for compliance.
  2. Completely not giving a fig.

I mean, sure, right up until the very end there will be policy restructuring and audits galore to ensure compliance. But once GDPR Day gets here, we will find out that Global Datapocalypse by Regulation has been postponed.

GDPR is a long-in-the-making replacement for the EU's 1995 Data Protection Directive, and it arrives in the wake of the Safe Harbor framework that the European Court of Justice struck down in October 2015 in a case an Austrian law student brought against Facebook after Edward Snowden brought the NSA's high-tech surveillance practices (and Facebook and other tech companies' cooperation with some of those practices) to light. EU and US regulators raced to promulgate a patchwork replacement framework a few months later known as Privacy Shield. In the meantime, lawyers and consulting firms began doing a brisk business in drafting oodles of company-specific Binding Corporate Rules (BCRs), pursuant to that 1995 Directive, as ad hoc data-transfer mechanisms that would keep the flow of global commerce running.

It was messy, but the world did not end.

Of course, GDPR looks to be the furthest reaching and most complex data-stewardship regulatory scheme the world has ever seen. But, again, regulation is political. GDPR is the "this is why we can't have nice things" of data stewardship that will be inflicted on the world because a handful of tech companies and the US government intelligence apparatus took things way too far. (See GDPR: Broad, Complex & Coming Soon.)

That handful of tech companies -- the likes of Facebook, Google, Apple, Amazon, Microsoft, etc. -- has a giant target on its back that EU politicos are itching to fire at. This year, Google was hit with a nearly $3 billion fine for unrelated antitrust violations in the EU -- and had to scramble to make prompt concessions to avoid further penalty payments of up to five percent of parent company Alphabet's average daily worldwide revenue for each day of non-compliance. When it comes to Big Tech (at least, Big American Tech), EU regulators are out for blood.

But a ten-figure fine for companies of Google's ilk is rather like a parking ticket -- hardly bank-breaking, but obnoxious enough to try to avoid. Consequently, you can expect bigtime Silicon Valley to do its best to dot its compliance i's and regulatory t's -- but even if they do run slightly afoul of GDPR, they'll be fine.

Meanwhile, smaller organizations are unlikely to bring the full governmental might and fury of the EU down upon them so long as they don't do anything outrageous. There may be nips here and there, but -- as with just about every other major regulatory scheme in the world -- everybody will have enough worried trouble figuring it out such that the punishment for most mistakes will mean more paperwork than fines.

Midsize marketing and martech firms will probably be the worst off -- partly because the way they will get things wrong will be just significant enough to garner political antipathy in the joint name of privacy and consumer protection, and partly because (sorry, but it's true) there are a lot of dumb marketers.

But that's how it is stateside, too, with the FTC. GDPR is the EU's FTC Act -- broad, far-reaching consumer-protection regulation that's designed to get some skeezy marketers and the occasional high-profile target into a lot of trouble.

I'm over-simplifying all of this, of course, but one kind of has to when it comes to the intricacies of GDPR. Besides, these are new-year predictions. I'm just making stuff up that sounds good as I go along.

Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
