Connect with us

Cybersecurity

Transparency About Data Collection is a Needed First Step of Privacy Regulation, Panelist Say at FTC Event

Published

on

WASHINGTON, June 27, 2019 — Forcing websites and online platforms to be more transparent about the ways in which they collect and utilize consumer data is a step in the right direction, but it’s not enough, said speakers at a Federal Trade Commission conference on Thursday.

Panelists at the fourth annual PrivacyCon discussed emerging issues from new technologies such as the Internet of Things and how companies can quantify the costs and benefits to consumers of maintaining data privacy.

Consumers do not fully understand the myriad of ways in which they are being tracked, and even when they do, they lack the controls to manage it, said Consumer Reports’ Policy Counsel Katie McInnis. Rigorously protecting privacy requires time, effort, and sometimes even money—and even after all of that, some amount of data will still be tracked and used to create a profile of the consumer for marketing purposes.

While increasing transparency is important, we need to find a solution that shifts the burden away from the consumer and onto the providers of the technology, said McInnis, emphasizing the need for stronger federal regulation of online privacy and rules giving consumers access, deletion, and correction rights to their data.

Privacy should be the default and users should not have to understand complicated technical questions in order to ensure it, said Noah Apthorpe., a Ph.D. candidate at Princeton University.

If the government does not take action now, it will lead to long term problems and negative implications for consumers that will ultimately be far harder to solve, said Kristen Walker, a professor at California State University Northridge.

As policymakers work to create new, stronger regulations, it is essential that they include technologists, researchers, and consumer advocates in the process, Apthorpe said. Otherwise, policies are at risk of ending up with loopholes that could have been caught by someone more familiar with the technical details of the issue.

But simply increasing regulations will not solve the problem either, said McInnis, pointing out that many industries still fail to meet the bare minimum standard of regulations currently in place, such as the Children’s Online Privacy Protection Act.

Another issue discussed by the panelists was the monetary value of personal data. Mahmood Sharif, a Ph.D. student at Carnegie Mellon University, shared his research on privacy valuations, which indicated that many people would be willing to sell their personal attributes, especially to federal agencies or research pools.

McInnis vehemently objected to the concept of putting a price on personal data. Such practices would eventually make privacy a luxury rather than a basic human right, she said, and would exacerbate problems of systemic inequality.

The conference, which is held by the FTC as part of its ongoing effort to address evolving data security challenges, brings together academics, industry representatives, consumer advocates, and government regulators to discuss trends and research related to consumer privacy.

“It helps us keep our finger on the pulse of important developments in technology, economics, and consumer privacy so that we can ground our policymaking in real data,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.

(Photo of PrivacyCon panel by Emily McPhie.)

Reporter Em McPhie studied communication design and writing at Washington University in St. Louis, where she was a managing editor for the student newspaper. In addition to agency and freelance marketing experience, she has reported extensively on Section 230, big tech, and rural broadband access. She is a founding board member of Code Open Sesame, an organization that teaches computer programming skills to underprivileged children.

Cybersecurity

Lawmakers Should Incentivize Cybersecurity in Private Sector: Cisco Executive

One weak link can threaten the entire system.

Published

on

Photo of Jeetu Patel of CISCO

WASHINGTON, May 25, 2023 – A Cisco executive urged Congress at a Semafor event Thursday to provide more incentives for companies to ensure their cybersecurity posture is up to date. 

While Jeetu Patel, general manager of security at the information technology giant, didn’t specify what types of incentives can be used, he said the incentives must push private infrastructure to have high security standards. 

Both private and public sectors have a part to play in improving the nation’s security, he noted, adding private companies must build products that are secure by design. 

There is “tremendous” need for cross-nation coordination around cyberattacks, said Patel. He urged lawmakers to democratize cybersecurity by simplifying the process, adding the nation must be united to gain traction against attackers.

The cybersecurity industry has not made conversations simple to follow or technology easy to use, he said. Simplifying cybersecurity is the only way we can democratize it and when it’s democratized, it can be made universal, said Patel. 

He warned that the country cannot let the financial constraints of a few companies put the whole system at risk. Regardless of how affluent a country is, the weakest link controls the strength of the chain, he said. 

Artificial Intelligence will change cybersecurity fundamentally, he noted. It is important to remember that AI tools are also available to attackers. Currently, the majority of attacks stem from fraudulent emails which AI can make more personalized and difficult to discern from real communication, he said.  

Cybersecurity defenses must evolve

We need to develop an idea of civic responsibility for tech innovators and students in STEM fields, added Suzanne Spaulding, senior advisor of Homeland Security at the Center for Strategic and International Studies. Civic responsibility is the antidote to disinformation and is the change central to democracy, she continued.  

Spaulding warned companies against relying on existing cybersecurity measures. Resilience is about having layers of plans and assuming they all will fail, she said.  

This comes at a time of Congressional focus on cybersecurity. In March, two bills were introduced by Senators Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., to establish pilot programs in the Department of Defense and Homeland Security that would hire civilian cybersecurity personnel in reserve. 

In 2021, President Joe Biden signed an executive order on improving American cybersecurity capabilities following the Colonial Pipeline ransomware attack and SolarWinds breach in 2020.   

Continue Reading

Cybersecurity

Sector Specific Agencies a Resource for Cybersecurity Concerns

Federal agencies are equipped to support sectors dealing with cybersecurity concerns.

Published

on

Photo of Puesh Kumar of Department of Energy

WASHINGTON, May 16, 2023 – Sector specific agencies, federal departments responsible for infrastructure protection activities in a designated critical infrastructure sector, are prepared to address cybersecurity concerns across various industries, said witnesses at a House Energy and Commerce Committee hearing on Tuesday. 

Malicious actors are targeting U.S. infrastructure, said witnesses. In 2021, President Biden signed an executive order on improving American cybersecurity capabilities following the Colonial Pipeline ransomware attack and SolarWinds breach in 2020. 

In March, two bills were introduced by Senators Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., to establish pilot programs in the Department of Defense and Homeland Security that would hire civilian cybersecurity personnel in reserve. 

The Administration for Strategic Preparedness and Response addresses increasingly sophisticated and frequent attacks on hospital and public health centers by providing each hospital with personalized and specific instruction on mitigation and disaster response best practices. 

Cyberattacks on hospitals have a negative effect on the surrounding area similar to that of a natural disaster, claimed Brain Mazanec, deputy director of the Office of Preparedness at ASPR. There have been more than double cyber-attacks on hospitals from 2016 to 2021, he said. 

The Environmental Protection Agency is responsible for addressing water system cyberattacks, said David Travers, director of Water Infrastructure and Cyber Resilience Division at EPA. The EPA’s Evaluating Cybersecurity guidance is intended to assist states with building their own secure systems for water and sewer systems.  

It is essential that sector specific agencies develop strong relationships with sectors under their jurisdiction well before disastrous incidents occur, said Puesh Kumar, director of the office of cybersecurity at the Energy Security and Emergency Response at the Department of Energy. 

The Energy and Commerce Committee also participated in a markup of the Energy Emergency Leadership Act Tuesday which would amend the Department of Energy Organization Act to elevate the leadership of the DOE’s emergency response and cybersecurity functions. 

“Establishing assistant-secretary leadership at the department will reflect the importance of managing this threat,” said Subcommittee on Energy, Climate, and Grid Security Chair Jeff Duncan. 

The Act passed on unanimous vote to report to the full committee without amendment. 

Duncan also emphasized the importance of a strong domestic supply chain, calling for a “‘Made in America’ system for nuclear fuel” in order to “give the domestic industry the market certainty they need to invest and build out the necessary infrastructure.”

On June 27, Broadband Breakfast’s Made in America Summit will examine energy infrastructure and international supply chain issues in depth.

Continue Reading

Cybersecurity

Charter Suggests Network Authentication Layer for Equipment Certification

The telecom said manufacturers are in the best position to ensure security.

Published

on

Illustration from Security Architect

WASHINGTON, April 5, 2023 – Charter Communications is recommending the Federal Communications Commission require device manufacturers seeking equipment authorization to add a layer of authentication security to protect against cyberthreats.

In a letter to the commission on Friday, the telecommunications company suggested the commission require, as a condition of certification, devices pass a security authentication step to connect to the user’s network. When an internet-connected device connects to a network, it can also access sensitive information being shared on it – leaving the door open to malicious activity.

This “baseline” security “would erect a new barrier to prevent malicious actors from exploiting unauthorized or unidentified devices connected to consumer broadband networks without consumers’ knowledge or consent,” Charter said in its letter, following a meeting with FCC officials. “It would also be a simple and efficient way to address major cybersecurity vulnerabilities without the Commission needing to prescribe detailed cybersecurity requirements.”

“The most vulnerable devices often lack strong passwords and other basic security measures, which make them susceptible to malicious actors and frequent sources of harmful traffic across networks,” Charter added. “Devices that can connect to home networks without first being authenticated are also a significant source of cyber threats. And, despite various educational efforts, many consumers still never change the default passwords that come printed on their devices.”

The company noted that this practice is accepted by industry standards bodies and the broader security community and would relieve consumers of an additional burden when they come to connect their devices.

In conjunction with a November order that halted equipment authorizations from companies on a national security blacklist, the FCC is currently contemplating a proposal that would revamp the equipment authorization program to minimize cybersecurity threats and other malicious activity of foreign agents. The proposal asks whether it should ban component parts of a problematic device, and not just the manufactured product, and if it should require certification applicants to have a U.S.-based representative to ensure compliance.

As ubiquitous 5G connectivity takes hold in the country, more and more internet-connected devices are flooding the market.

“The proliferation of cybersecurity incidents in recent years and, particularly, the growing number of cyber threats that exploit unsecured IoT devices, underscores the need for more proactive efforts to deter and combat vulnerabilities before they reach consumers,” Charter noted in the letter, adding device manufacturers are in the “best position” to address these common security vulnerabilities.

Charter added that a combination of device manufacturer action on the authentication front and user action to additional security layers – through stronger passwords, for example – “will better protect Americans and US networks from the growing harm of cyber threats.”

The company said it actively strives to enhance security measures for its devices, including some of its newer routers requiring users to provide a unique credential to manage their home network instead of a default password. It said its routers also have pre-set security settings and undergo regular software updates.

FCC Commissioner Nathan Simington had previously advocated for mandating ongoing, as-needed cybersecurity updates to mitigate risks on wireless devices already in the hands of consumers.

Continue Reading

Signup for Broadband Breakfast News



Broadband Breakfast Research Partner

Trending