As we know, in a world staggering under a steady stream of rules and regulations, and despite well-founded concern about the growing magnitude of cybersecurity threats, the United States Congress has yet to adopt broad federal legislation to address the burgeoning cyber threat. Stepping into this breach, 47 states and the District of Columbia have created a mishmash of laws and regulations that at least tell the world someone actually cares. As others have refused to step up, one federal agency, the Federal Trade Commission (FTC), has leapt into the saddle and volunteered to lead the posse in catching some criminals and making the cyber streets safe for the good citizens of this great land.
The FTC has taken the lead in policing corporate cybersecurity practices. It has brought over 60 cases against companies for unfair or deceptive practices that endanger the personal data of consumers. Its actions have not been without controversy. When we last looked in on the FTC, we noted that a U.S. Court of Appeals ruled the FTC did have the authority to regulate cybersecurity practices. Plaintiff Wyndham Worldwide subsequently settled with the FTC and agreed to upgrade its cybersecurity practices. In the aftermath of the court decision, it was apparent the FTC would be even more aggressive in pursuing companies that had lax cybersecurity practices.
Last week we got another glimpse of how the FTC sees its authority and mandate. The Commission filed a lawsuit against D-Link Corp, accusing the Taiwan-based manufacturer of failing to take reasonable steps to protect its routers and internet-linked security cameras from hackers. That’s right, the FTC is now going after the Internet of Things (IoT). This suit appears to be a step toward a larger effort to improve the security of internet-connected devices, including routers, webcams, digital video recorders, and other widely used consumer electronics devices.
The lawsuit alleges “thousands of Defendants’ routers and cameras have been vulnerable to attacks that subject consumers’ sensitive personal information and local networks to a significant risk of unauthorized access. In fact, the press has reported that Defendants’ routers and cameras have been vulnerable to a range of such attacks and have been compromised by attackers, including by being made part of large scale networks of computers infected by malicious software, known as ‘botnets.’”
In a cyber land filled with lots of bad guys, someone has to be the good guy. It looks like the FTC aims to fill that role. It has brought other enforcement actions against IoT providers, and likely will bring more. But it’s also taking a more unusual approach. It just invited the public to create a solution that will protect consumers and their homes from IoT security vulnerabilities, and is offering a $25,000 cash reward to whoever comes up with the best solution.
It will pay to keep an eye on the FTC. It appears the agency intends to use its powers to make a real difference in cybersecurity, which is an interesting and welcome development.
By Tom Davis, SDI Cyber Risk Practice
January 10, 2017