The massive DDoS attack that in October took down Dyn, the DNS provider behind several popular websites in the United States and Europe, still has not been enough to get the ball rolling on a set of national cybersecurity laws.
Adam Levin, founder of the data protection company IDT911, sees the recent attack as one of several reasons to implement such laws, and quickly:
We are talking about the recall of thousands of products, we're talking about the health of the digital economy, and frankly, national security in the face of attacks like this. So something has to give; it's just a question of when, or whether or not this is the tipping point. Not sure it is yet, but at some point it will be.
A partner and chair of the cybersecurity group at Robins Kaplan agreed that change will be slow, saying it is unlikely that any real regulations will come about within the next two years.
“Many consumers see the country’s disparate breach laws as a complete patchwork quilt that doesn’t serve any purpose, which puts notification laws in competition against one another,” Bryan Quigley, Senior Vice President of Strategic Communications for the Institute of Legal Reform said.
You can have a customer in one state where the state says you must notify within 24 hours all the people who could be affected, while in another state you could have the exact opposite; you may not notify until you meet certain criteria.
Levin addressed the suggestion of simply broadening support for such measures, noting that even then no legislative action might follow:
We still don't have a national breach notification law; we may never have a national breach notification law, because a number of states feel that their state law is much stronger than the sausage that might come out of Congress, which could then technically weaken their laws. You have several different federal laws that are involved with privacy, like the Health Insurance Portability and Accountability Act (HIPAA), like the Children's Online Privacy Protection Rule (COPPA), Gramm-Leach-Bliley, which is the financial world.
Both Levin and Quigley were also skeptical of any action toward national cybersecurity rules for businesses happening in the near future, noting that cyberthreats can become more sophisticated overnight and that it is hard to combat that with a specific set of rules.
"Every time you think you've established a standard, something new happens and the bad guys find a way to work around it," Levin added.
The experts also disagree on whether a standard can be set for Internet of Things (IoT) devices such as cars, cameras and appliances. In October's attack such devices were hijacked and used to flood Dyn, the DNS provider on which the affected websites depended. Multiple warnings had been issued by the cybersecurity community, but Lux Research analyst Isaac Brown responded by pointing out that, beyond specific self-regulation, no single cybersecurity standard covering all IoT devices is possible:
It’s easy to develop a standard for a PC or an Android mobile phone because they are all the same, but it’s a whole different ballgame when you’re coming up with standards for IoT devices, because they are all so different. They’re made by different people, they serve different functions, and they have different types of embedded processors and controllers.
Brown helped author a report in May that estimated funding for IoT cybersecurity companies at around $400 million and concluded that it was up to the manufacturers to secure their products. Levin, however, believes differently. He thinks that, given the specifics of the attack, a broad, standard process could have prevented it:
The IoT devices used in the attacks were accessed by the malware Mirai, which scans the internet looking for weak manufacturer passwords like 'admin' or 'password' or something like that. If a manufacturer required automatic patching of software or required the user to change an IoT device's password, it wouldn't matter how many different devices you have or how many manufacturers you have.
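To make Levin's point concrete, here is an added example written for this article (it is not Mirai's code and not any vendor's firmware). It models a small fleet of devices from different hypothetical vendors, each shipping with a different factory credential, and runs a Mirai-style sweep of default username/password pairs against them. The credential list, the device names and the "force a new password on first login" policy are constructed for the example; the hardened device refuses dictionary passwords and never exposes a shell until the owner has rotated the factory credential.

```python
from dataclasses import dataclass

# Username/password pairs of the kind the quote describes ('admin', 'password').
# Constructed for this example; not Mirai's actual credential table.
DEFAULT_CREDS = [
    ("root", "xc3511"),
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
]

# Passwords a hardened device refuses when the owner sets a new one.
WEAK_PASSWORDS = {pw for _, pw in DEFAULT_CREDS} | {"1234", "12345", "123456"}
MIN_PASSWORD_LEN = 10


@dataclass
class Device:
    """Minimal, hypothetical model of an embedded device's remote-login state."""
    name: str
    username: str
    password: str                      # factory credential as shipped
    force_change_on_first_login: bool  # the policy Levin argues for
    password_changed: bool = False

    def login(self, username: str, password: str) -> str:
        """Returns 'ok' (shell granted), 'change_required' or 'rejected'."""
        if username != self.username or password != self.password:
            return "rejected"
        if self.force_change_on_first_login and not self.password_changed:
            # Factory credential is correct, but the only thing reachable is
            # the set-new-password prompt, not a shell a bot loader could use.
            return "change_required"
        return "ok"

    def first_login_and_set_password(self, new_password: str) -> bool:
        """Owner's one-time provisioning step; refuses dictionary passwords."""
        if self.password_changed:
            return False
        if (new_password == self.password
                or new_password in WEAK_PASSWORDS
                or len(new_password) < MIN_PASSWORD_LEN):
            return False
        self.password = new_password
        self.password_changed = True
        return True


def sweep(devices, creds=DEFAULT_CREDS):
    """Mirai-style sweep: try each default pair on each host, stop at first shell."""
    compromised = []
    for dev in devices:
        for user, pw in creds:
            if dev.login(user, pw) == "ok":
                compromised.append(dev.name)
                break
    return compromised


def demo():
    """Three vendors, three different factory credentials; one enforces rotation."""
    fleet = [
        Device("cam-vendorA", "root", "xc3511", force_change_on_first_login=False),
        Device("dvr-vendorB", "admin", "password", force_change_on_first_login=False),
        Device("cam-vendorC", "admin", "admin", force_change_on_first_login=True),
    ]
    hardened = fleet[2]
    hardened.first_login_and_set_password("password")      # refused: dictionary word
    hardened.first_login_and_set_password("Vr9#kq2Lw!tq")  # accepted
    return sweep(fleet)  # → ['cam-vendorA', 'dvr-vendorB']


if __name__ == "__main__":
    print("compromised:", demo())
```

The sweep does not care which vendor built a device or what processor it runs; it only cares whether the shipped credential still opens a shell. That is why a single policy (rotate on first login, reject dictionary passwords) covers a heterogeneous fleet. One caveat a practitioner would add: the forced change only helps if the device is provisioned before it is reachable from the internet, so the `change_required` prompt itself should not be exposed on the WAN side.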
In March, it seemed like things might be looking up for IoT cybersecurity when the Developing Innovation and Growing the Internet of Things (DIGIT) Act was introduced in the Senate, aiming to promote the development of IoT privacy and security policies.
The European Union has already started working on strengthening the security of IoT devices. It has begun drafting new cybersecurity requirements for them and is considering a system of labels indicating a device's security approval level, modeled on the labeling system already used to rate the energy consumption of appliances.
The attack has shown consumers that they are not as safe as they thought, and now they want something done about it.
"A lot of consumers all of a sudden realize that their smart devices can get hacked, and while people have sort of known that, this just adds that degree that any connected product can end up being hacked," Brown added.