IoT Cybersecurity Regulation: Getting it Right
As I noted in my earlier blog post, there is growing concern about the cybersecurity risks with the Internet of Things (IoT), particularly their effects on third parties as the recent Mirai botnet attack demonstrated. At this year’s RSA Conference in San Francisco, IoT cybersecurity was one of the most discussed topics ranging from policy to the latest exploits. I was fortunate to serve on a panel discussing IoT and ransomware in front of a packed room. While hype is undoubtedly a factor, the massive interest certainly demonstrates the huge market forces at work that are still in their infancy. As Bruce Schneier noted in his RSAC talk, the social, economic, and safety implications of the Internet of Things means that government regulations are not far behind. In fact, Bruce even advocates for the establishment of a government agency to address it while acknowledging that he currently cannot provide the details for how such an agency would operate, what regulations would be needed, or how such regulations would be enforced.
Unfortunately, it is the details that matter. Nowhere is this better demonstrated than how the Federal Trade Commission (FTC) has chosen to regulate cybersecurity. In his book, The Devil Inside the Beltway: The Shocking Expose of the US Government’s Surveillance and Overreach Into Cybersecurity, Medicine and Small Business, Michael Daugherty describes his more than three year battle with the FTC over his 40-person medical testing company’s (LabMD) inadvertent exposure of protected health information over a Peer to Peer Network. As a cybersecurity professional with a law degree, it is easy for me to second guess the actions of his company and the lawyers who advised him on this matter. However, the merits of the case are really tangential to this discussion. What is more relevant is the legal process that his small company was exposed to. For large companies, this is standard fare. A regulatory agency or a plaintiff suggests you’ve done something wrong and starts requesting a massive amount of information. In highly regulated industries like banking or electric utilities, these requests often happen even where no wrongdoing is suspected. In essence, it is built into your business model. But for large companies with powerful trade associations representing them, there is also a fair amount of ability to push back. To its credit, most of the FTC’s targets of cybersecurity investigations have been large companies, which makes their choice to pursue a relatively minor infraction by a small business all the more remarkable. But once again I digress.
Before we dive into IoT, it’s important to understand how regulatory agencies get involved in with cybersecurity matters affecting the private sector. In the United States, there are essentially two ways for the legal system to get involved. The traditional way is for something bad to happen and for the victim to sue whoever is responsible. It’s the equivalent of waiting for a car accident to happen before questioning someone’s driving. Because humans typically overestimate their abilities and underestimate the likelihood that deviations from the norm will lead to harm to others, the traditional Tort system has some serious drawbacks. Moreover, the process takes a long time and tends to be rather expensive with lawyers, courts, and, in the United States, a very liberal discovery process making litigation cost prohibitive in many cases. Instead, employing police officers (and some automated methods like red light and speed cameras) to monitor traffic and issue tickets tend to better incentivize appropriate driving behavior than the risk of litigation.
The same principle is at play with cybersecurity. Additionally, because it is often extremely difficult to link a cybersecurity breach to a specific harm (e.g., theft of personally identifiable information causing a specific person to experience an identity theft and subsequent financial harm), it is often believed that regulators, who are the equivalent of the police officer writing tickets, serve as a more efficient and effective tool to improve cybersecurity behavior and reduce the chances of people being harmed.
Unfortunately, regulating cybersecurity is not as simple as pointing a radar gun at a passing vehicle. In fact, as another panel at RSAC noted, there still is no legal standard of care for cybersecurity for really any industry or kind of business. Few, if any, cases alleging cybersecurity negligence have ever been fully litigated in court, and as Michael Daugherty emphatically proclaims, no company has fully litigated an FTC Enforcement action involving cybersecurity (In FTC v. Wyndham Worldwide Corp., the Third Circuit Court of Appeals confirmed the FTC’s authority to regulate unfair practices for cybersecurity for the first time but did not get to the merits of the case regarding whether the company’s cybersecurity practices were unreasonable as the FTC had claimed; a few months later Wyndham settled with the FTC and agreed to a consent decree). Consequently, we are left with no clear legal guidance in an area that everyone admits changes rapidly. Because of limited resources, the FTC and other regulators must be extremely selective in the matters they investigate. With the exception of LabMD, these are generally high profile data breaches involving particularly egregious behavior that is ongoing and affects a large number of victims. That usually means larger companies. However, these actions so far are largely about privacy and identity theft. The harms, while tragic at times, rarely address life safety issues. Moreover, provable damages are often elusive. For example, in a breach involving Heartland Payment Systems, attackers stole credit card information for 100 million consumers. However, as a result of a settlement costing millions in legal fees, verifiable claims of injury by consumers totaled only $1,925.
This is why many suggest that the bulldog investigations launched by many regulators are adding unnecessary transaction costs to the process with little benefit to those aggrieved. But regulators that impose such costs argue that this results in a deterrent effect resulting in better cybersecurity practices for everyone else. However, because there is no standard of care or even a process for arriving at one for cybersecurity, companies are left guessing as to how much to spend and where to spend it. While those in some parts of the financial services industry, electric utilities, and, to a lesser extent, healthcare are exposed to ongoing regulatory oversight of their cybersecurity practices, every other industry only hears from a regulator when a breach occurs and almost universally, the answer is that their practices were unreasonable despite the fact that nearly all cybersecurity professionals agree that it is impossible to prevent all breaches.
That raises some serious concerns for the Internet of Things. After all, some of these devices can pose a serious threat to human lives if they are attacked by those with malicious intent. Moreover, while breaches of personally identifiable information only tend to make news when the number of potential victims numbers in the millions, a single death resulting from a cybersecurity attack is likely to run as the lead story in many news outlets. There are a lot of small companies that manufacture such devices.
Defining the right amount of regulatory oversight can truly have a huge impact in this rather infant industry. Consequently, we need a process that offers a light regulatory touch while still protecting the lives of consumers. That may mean a complete rethinking of how regulators go about their investigations. The current processes rely too much on lawyers and auditors to conduct investigations and defend those being investigated. While lawyers and auditors have their place, I would argue that the more that they are needed, the more broken the process is. Instead, we should be leveraging automation to both implement and report on cybersecurity practices. Ideally, a regulator should be able to request evidence of reasonable cybersecurity practices and the responding organization should be able to generate that evidence at the push of a button in machine readable format. If a Governance, Risk, and Compliance (GRC) tool can’t do that, it is failing its customers. Moreover, regulators should be working with GRC vendors to ensure their areas of inquiry are incorporated into these tools. Even IoT devices should be able to produce clearly understandable evidence of their adherence to consensus cybersecurity practices and controls. The whole point of DevOps and DevSecOps is to both streamline the development and security testing process while also improving transparency. Dave Shackleford offered an excellent example of this at his RSAC talk, Cloud Security: Automate or Die.
The point of this effort is not to lighten cybersecurity requirements on companies of any size. With IoT the risks are increasing, potentially resulting in some severe consequences. We all need to do more. But those efforts should be focused on identifying and implementing appropriate cybersecurity controls and not constantly seek to prove that those controls exist. While it would be naïve to suggest that regulators should just trust that companies are doing the right thing, no one benefits from an antiquated and punitive investigation process. With that in mind, I would recommend the following steps be taken.
- Regulators should prioritize investigations based on the likely number of victims and the severity of the impact that could result from a breach.
- Investigations should be structured to leverage automation wherever possible by using industry standard questions for cybersecurity controls and minimize the need for lawyers and auditors to be engaged to answer the questions.
- Regulators should regularly report on the efforts they have made to reduce the cost for companies to respond to regulatory inquiries, including providing estimates on the expected costs to respond.
- Expedited review by federal courts should be available for investigative targets to challenge overly onerous costs of responding to an inquiry.
- Regulators should provide testing scripts and sample investigative questions on their web site that can be incorporated into cybersecurity scanning and GRC products to encourage more automation.
- Regulators should offer clear and concise safe harbor options that impose a higher burden on regulators to demonstrate that cybersecurity practices were unreasonable if the options are leveraged (e.g., regular use of static/dynamic analysis for code review, two-factor authentication, application whitelisting, removal of admin rights from user workstations).
- For sector specific regulators, guidance based on the use cases for IoT and the expected controls for those use cases should be provided to ensure that an appropriate cost-benefit analysis, which includes externalities, can be performed.
- Regulators should provide examples of breach investigations, without naming the target, where companies were found to have behaved reasonably and no enforcement action was taken.
- Regulators should incorporate the supply chain into their investigations so that accountability can be appropriately assigned.
- Regulators should be required to harmonize their cybersecurity guidance and determinations of reasonableness across all sector and non-sector specific agencies regulating similar practices.
I fully appreciate that these recommendations will not be trivial to implement. Regulatory investigations and litigation of all kinds are inherently adversarial processes. While government representatives must maintain their focus on the common good and the search for truth, those on the defense have no such obligations. Consequently it’s tempting for prosecutors and regulators to focus on winning rather than doing what is right for the country. That temptation must be resisted and supplemented by a robust set of checks and balances that unfortunately are frequently missing from independent federal agencies. It is only through more transparency, technological innovation, cross agency collaboration, and federal court supervision that we can hope to create a legal environment that is both safe and profitable for IoT vendors, customers, and affected third parties.