Broad support for federal action and an unprecedented distributed denial of service attack (DDoS), which crippled a host of popular websites across the United States and Europe in October, might not be enough to push the federal government toward implementing national cybersecurity laws in the near future.
For Adam Levin, chairman and founder of identity and data protection company IDT911, the DDoS attack is just another wake-up call on the long road toward action. “We are talking about the recall of thousands of products, and we’re talking about the health of the digital economy, and frankly, national security in the face of attacks like this. So something has to give; it’s just a question of when or whether or not this is the tipping point. I’m not sure it is yet, but at some point, it will be.”
Richard Martinez, partner and chair of the data privacy and cybersecurity group at Robins Kaplan, likewise notes that it is “unlikely to see any meaningful regulation in this space in the next 12 to 18 months.”
Support for federal action on cybersecurity issues, however, is widespread among U.S. citizens. A pre-DDoS attack survey of 800 registered voters taken by the U.S. Chamber of Commerce’s The Institute for Legal Reform found that 86% supported a national breach notification standard. In addition, 84% agreed that consumer protection laws should be updated to definitively address data privacy and better guide investigations and litigation.
Many survey respondents had intimate experience with breach notifications, with 45% disclosing they have been notified in the past about a potential compromise of their personal data.
Call for National Standard
Bryan Quigley, senior vice president of strategic communications at the Institute for Legal Reform, notes that many consumers see the country’s disparate breach laws as a “complete patchwork quilt that doesn’t serve any purpose,” which puts “notification laws in competition” against one another.
“You can have a customer in one state where the state says you must notify within 24 hours all the people who could be affected, while in another state you could have the exact opposite — you may not notify until you meet [certain] criteria,” he explained.
Broad support for such a national standard, however, does not necessarily translate into legislative action, especially given concerns over how the federal law is crafted.
“We still don’t have a national breach notification law; we may never have a breach notification law, because a number of states feel that their state law is much stronger than the sausage that might come out from Congress that could then technically weaken their laws,” Levin says.
He notes that, aside from breach notifications, the federal government already regulates a host of industries’ data handling and privacy practices. “You have several different federal laws that are involved with privacy, like Health Insurance Portability and Accountability Act (HIPAA), like Children’s Online Privacy Protection Rule (COPPA), Gramm Leach Bliley, which is in the financial world.”
Further, the Consumer Privacy Bill of Rights Act of 2015, while introduced by the Obama administration, has not been acted upon in Congress.
Beyond regulation on data privacy and best practices for data handling, however, both Quigley and Levin say they are skeptical of action on a national cybersecurity standard for businesses, noting that technology and cyberthreats often evolve too quickly to protect against with codified, set-in-stone rules.
“Every time you think you’ve established a standard, something new happens and the bad guys find a workaround on top of it,” Levin says.
Toward an IoT Standard?
Where cybersecurity experts disagree is whether there can be a standard to better secure Internet of Things (IoT) devices — consumer products such as refrigerators, cars and cameras that are connected to the Internet.
In the recent DDoS attack, these devices were accessed and weaponized to overload the servers of domain-name system provider Dyn, which provides critical Internet infrastructure for a multitude of websites.
Despite warnings from the cybersecurity community that such an attack was possible, Isaac Brown, analyst at Lux Research, notes that aside from industry-specific self-regulation, a broad cybersecurity standard for IoT devices is unfeasible.
“It’s easy to develop a standard for a PC or an Android mobile phone because they are all the same,” he says. “But it’s a whole different ballgame when you’re coming up with standards for IoT devices, because they are all so different. They’re made by different people, they serve different functions, and they have different types of embedded processors and controllers.”
Brown, who co-authored a report in May 2016 that found funding for IoT cybersecurity companies will hit $400 million in 2016, says the pressure was on manufacturers and industry groups to secure their products to protect the integrity of their brands and services.
Levin says he believes that, given the specifics of the DDoS attack, standard processes could have prevented the incident.
The IoT devices used in the attack were accessed by the Mirai malware, he says, which scans the Internet “looking for, in particular, weak manufacturer passwords like ‘admin’ or ‘password,’ or something silly like that.”
If a manufacturer required automatic patching of software or required the user to change an IoT device’s password, Levin says, “it wouldn’t matter how many different devices you have or how many manufacturers you have.”
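The control Levin describes, a forced replacement of the factory password before the device will expose anything on the network, is simple enough to show in code. The following is an added example written for this page, not code from the article or from any device vendor: it models a device's first-boot provisioning, refuses the well-known default credential pairs that Mirai-style scanners try, and keeps remote-management services (telnet, SSH, the web admin page) disabled until the default has been replaced. The default-credential list, the usernames, the service names and the sample passwords are all constructed for illustration.

```python
"""First-boot credential policy for a connected device (illustrative).

Added example, not from the article or any vendor. The factory-default
list, service names and sample passwords below are constructed.
"""
import hashlib
import hmac
import os

# Constructed denylist of factory (username, password) pairs; a shipping
# device would carry every default its vendor has ever used.
FACTORY_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "admin"), ("user", "user"),
}
WEAK_PASSWORDS = {"password", "admin", "1234", "12345", "123456", "default"}
# Network-facing services that stay off while factory credentials are live.
REMOTE_SERVICES = {"telnet", "ssh", "http-admin"}
MIN_LENGTH = 12


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the salt is kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def rejection_reason(username, password):
    """Return why a proposed password is unacceptable, or None if it is fine."""
    u, p = username.lower(), password.lower()
    if (u, p) in FACTORY_DEFAULTS:
        return "factory default credential pair"
    if p in WEAK_PASSWORDS:
        return "on the weak-password list"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if u in p:
        return "contains the username"
    return None


class Device:
    """Ships with a factory credential and must be re-credentialed on first boot."""

    def __init__(self, username="admin", factory_password="admin"):
        self.username = username
        self._salt, self._digest = hash_password(factory_password)
        self.default_replaced = False
        self.services = set()

    def check_password(self, password):
        """Constant-time comparison against the stored digest."""
        _, digest = hash_password(password, self._salt)
        return hmac.compare_digest(digest, self._digest)

    def set_password(self, new_password):
        """Apply the policy; returns None on success, else the rejection reason."""
        reason = rejection_reason(self.username, new_password)
        if reason:
            return reason
        self._salt, self._digest = hash_password(new_password)
        self.default_replaced = True
        return None

    def enable_service(self, name):
        """Remote services cannot come up until the factory default is gone."""
        if name in REMOTE_SERVICES and not self.default_replaced:
            return False
        self.services.add(name)
        return True


def first_boot(device, chosen_password, wanted_services):
    """Run the provisioning sequence; return the services actually enabled."""
    reason = device.set_password(chosen_password)
    if reason:
        print(f"password rejected: {reason}")
    return sorted(s for s in wanted_services if device.enable_service(s))


if __name__ == "__main__":
    d = Device()
    # A weak choice: only the local display comes up, nothing network-facing.
    print(first_boot(d, "password", ["telnet", "local-display"]))
    # An acceptable choice: remote management is now permitted.
    print(first_boot(d, "Kitchen-Lamp-7731!", ["telnet", "ssh"]))
```

The point of gating the services rather than merely warning the user is that a device which has not been re-credentialed never answers on telnet or SSH at all, so a scanner looking for the factory pair finds nothing to log into, regardless of how many vendors or models are in the field.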
There are signs that IoT standards might be on the horizon. In March 2016, for example, the bipartisan Developing Innovation and Growing the Internet of Things (DIGIT) Act was introduced in Congress, which among other things promotes the development of IoT privacy and security policies. Across the Atlantic, Martinez notes, the European Union is moving to shore up the security of its IoT devices.
“The European Commission is drafting new cybersecurity requirements intended to bolster Internet of Things security. The commission is considering a labeling system for IoT devices that are approved and secure,” Martinez explains. “A current EU labeling regime that rates the energy consumption of appliances could become the template for these cybersecurity ratings.”
While security rules might be some time off and their fate uncertain, what is certain is that, after the recent DDoS, the vulnerability of IoT devices has become much more than a far-off warning for many consumers.
“A lot of consumers all of a sudden realize that their smart devices can get hacked and, while people have sort of known that, this adds that degree that any connected product can end up being hacked,” Brown says.
Ricci Dipshan writes for Legaltech News, an ALM sibling of Cybersecurity Law & Strategy.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.