Analysis
Emerging Consensus & Increased Accountability: How Cybersecurity Regulation is Changing
August 15, 2024
2024 has already witnessed some of the largest data breaches in history. In April, AT&T suffered a breach affecting nearly all 110 million of its customers. Hackers stole customer metadata, including call and text logs that can reveal location and other personal information about both AT&T customers and the non-customers they communicated with. Shortly after, in May, Ticketmaster faced a breach affecting approximately 560 million customers. The hackers leaked hundreds of thousands of print-at-home tickets and customer ticket barcodes, and Ticketmaster has since been battling extortion demands. A major commonality between the two breaches is that the hackers did not steal customer data from the companies' own systems but from their cloud data platform vendor, Snowflake. Hackers used credential stuffing (automated login attempts using usernames and passwords stolen elsewhere) to gain access to AT&T's and Ticketmaster's accounts on Snowflake; the joint Snowflake and Mandiant investigation found that the compromised customer accounts relied on single-factor authentication. Once in, the hackers were well-positioned to exploit the associated data.
Common themes have emerged across cybersecurity regulation regimes in response to incidents like these, as most breaches are preventable. For example, the Ticketmaster and AT&T breaches underscore supply chain risk management as a key component of a cybersecurity program that safeguards consumer data. Moreover, these incidents reaffirm the broader call for more comprehensive privacy and data security regulation and minimum cybersecurity requirements to defend critical infrastructure. Absent such changes, we can expect breaches to continue to increase in prevalence and severity.
Three Recent Developments in Cybersecurity Regulation and Enforcement
Over the last few years, numerous rulemakings, enforcement efforts, and other standards have shaped the United States’ current cybersecurity policy landscape in response to the staggering growth of data breaches. This section outlines three key developments to take note of: (1) more cybersecurity rules that address supply chain risk and promote greater accountability within companies; (2) industry alignment over specific best practices; (3) the Federal Communications Commission’s (FCC) new Cyber Trust Mark program.
1. Addressing Supply Chain Risk & Promoting Greater Accountability Within Companies
First, cybersecurity frameworks have come to reflect a more comprehensive understanding of how security risks manifest. One source of risk is in the supply chain, which includes everything from the hardware to the software to vendors involved with an organization. EPIC has previously submitted comments urging the FTC to clarify how responsibility for implementing data security practices should be allocated between cloud-based service providers and their business customers. Another source of risk is that the executives responsible for implementing their organizations’ cybersecurity programs often lack expertise, which hampers effective implementation. The regulatory trend toward addressing both risks is evident in (1) the NIST Cybersecurity Framework 2.0; (2) the SEC rules on material disclosures; and (3) the National Cybersecurity Implementation Plan.
In February 2024, the National Institute of Standards and Technology (NIST) released Version 2.0 of its Cybersecurity Framework (CSF 2.0). One of the key features of NIST's CSF is the "Framework Core," which sets out the functions that represent elements of a successful cybersecurity program. Previous versions of the CSF contained five functions: Identify, Protect, Detect, Respond, and Recover. CSF 2.0 introduced a sixth: "Govern." This function addresses how organizations establish risk management plans and how they communicate those plans transparently from top to bottom and across the supply chain, including a dedicated category for cybersecurity supply chain risk management (GV.SC). Though some of the specific subcategories within "Govern" previously existed in CSF 1.1 under "Identify," NIST's creation of a separate function signals a greater emphasis on effective governance.
The SEC rules adopted in July 2023 likewise aim to increase accountability for executives in managing their cybersecurity programs. The rules require public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material. They also require companies to disclose annually "material information regarding their cybersecurity risk management, strategy, and governance." This includes information about how the company's board of directors oversees risks from cybersecurity threats, as well as how management assesses and manages material risks. While this is a step forward, and EPIC supports efforts to shape market forces to drive better security, it is worth noting that these disclosures prioritize investors, not necessarily consumers.
The SEC’s disclosure requirements center around providing investors with “decision-useful information they need to make informed investment and voting decisions.” Ultimately, the interests of investors and consumers can differ, and while they may not always be in direct conflict, protections tailored to one do not necessarily protect the interests of the other.
Finally, in May 2024, the Biden-Harris administration released version 2 of the National Cybersecurity Strategy Implementation Plan (NCSIP). The NCSIP is a set of 100 federal-level initiatives, grouped into broader "Pillars," aimed at improving national cybersecurity. Under Pillar 3, "Shape Market Forces to Drive Security and Resilience," initiative 3.3.5 directs the Office of the National Cyber Director (ONCD) to engage stakeholders in developing proposals for a liability regime covering software vendors that ship products with security flaws, together with a safe harbor framework.
ONCD Assistant National Cyber Director Nicholas Leiserson has publicly stated that liability is a tool to incentivize secure software development. Note that this initiative targets the relationship between companies and their software vendors, which is distinct from the relationship between companies and consumers. Though consumers may feel the cascade effects of a liability regime that increases accountability for vendors, the consumer's primary point of contact regarding cybersecurity remains the company they are directly doing business with. This initiative is still in its early stages, but it aligns with the broader trend of minimizing supply chain risk and motivating companies to be more accountable for their cybersecurity practices.
2. Alignment Over Specific Best Practices – MFA, Passkeys, & Takeaways from Previous FTC Enforcement
Over the last few years, several security "best practices" have been widely adopted. One trend is the shift from SMS-based multi-factor authentication (MFA) to more secure methods. MFA is a method of user verification that requires the user to present more than just a password to gain access to an account. SMS-based MFA texts the user a one-time code to verify identity. In 2022, CISA released guidance that SMS-based MFA should be a "last resort" option, relative to other forms such as phishing-resistant MFA or app-based authentication. This is because SMS-based MFA is more easily defeated, for example through a SIM swap attack, as outlined by the Cyber Safety Review Board, or through a phishing site that simply asks the victim for the code and relays it, since a texted code carries no binding to the site the user is actually logging into.
In its 2023 draft revision of the Digital Identity Guidelines (SP 800-63B), NIST likewise discourages SMS-based MFA, pointing to heightened risks such as interception of text messages. Foreign governmental bodies such as the National Cyber Security Centres of the United Kingdom and Ireland have issued similar guidance. Major industry players have shifted their practices in line with this guidance: Microsoft has been encouraging the move away from SMS-based MFA for several years, and in May 2024 Google announced plans to discontinue it. Nonetheless, some websites and apps still require SMS-based MFA and offer users no other authentication option.
Another emerging best practice is the shift from passwords to passkeys. Passkeys are login credentials built on public key cryptography: the private key stays on the user's device, where it is unlocked locally with a biometric or a PIN, while the site holds only the corresponding public key, so there is no shared secret for an attacker to phish from the user or steal from a server. The Fast Identity Online (FIDO) Alliance, an open industry association that develops authentication standards, estimates that over 8 billion user accounts now allow passkey access. NIST has also endorsed passkeys in a published supplement to NIST SP 800-63B, Digital Identity Guidelines, noting that passkeys support phishing-resistant authentication with benefits like "simplified recovery, cross-device support, and consumer-friendly platform authentication support."
Finally, the FTC's record of enforcement provides valuable insight for companies into the minimum security standards they should maintain. FTC enforcement trends are relevant because the agency's general authority under Section 5 of the FTC Act to prohibit unfair and deceptive practices is frequently applied in the cybersecurity context. The agency has held companies accountable both for breaking promises to consumers about their cybersecurity practices and for failing to put reasonable cybersecurity practices in place to protect consumers. In its October 2023 comments to ONCD on harmonizing cybersecurity regulations, EPIC included an appendix breaking down recommended baseline data security protocols that have emerged from FTC enforcement actions, NIST guidelines, and other standards. Measures such as data minimization, access controls, segmentation of systems, vulnerability management, threat detection, incident response, and business continuity have achieved near consensus across different cybersecurity frameworks.
3. FCC Cyber Trust Mark
Many cybersecurity rules and standards are internally focused, regulating whether an organization has adequate security measures in place. Typically, when these rules mention the consumer, it is in a post-breach context where a company is disclosing bad news to the public. However, the new FCC Cyber Trust Mark program is markedly different because it is public facing—i.e., intended to provide consumers with information about a company’s cybersecurity practices before a breach occurs.
In the NCSIP, initiative 3.2.4 called for the FCC to develop an IoT cybersecurity labeling program under which devices and products that meet certain cybersecurity requirements would display a "U.S. Cyber Trust Mark." The program is voluntary, and the Trust Mark is meant to signal to consumers that a product meets baseline cybersecurity criteria. In March 2024, the FCC unanimously voted to approve the program, and it aims to have the program operating by late 2024. Though a labeling program is a step toward building public trust and engaging directly with consumers about cybersecurity, many details still need to be ironed out. EPIC submitted comments to the FCC generally supporting the program while advocating for specific revisions: a simpler two-tiered design for the label, more protections for marginalized groups, and strong post-market auditing to ensure that companies continue to meet the standards required to use the label.
Looking Ahead
Though there has been progress over the last few years toward stronger cybersecurity policies, challenges remain. First, cybersecurity regulation needs to keep evolving from reactive to preventative so that consumers are prioritized and their data is secured before a breach, not after. The Supreme Court's recent decision overturning Chevron in Loper Bright Enterprises v. Raimondo will undoubtedly affect the cybersecurity landscape by muddying the authority of federal agencies to implement meaningful cybersecurity standards: courts will no longer have to defer to an agency's interpretation of whether its statutory authority includes the power to promulgate cybersecurity regulations in the manner the agency chose. The decision will affect both existing and future cybersecurity regulations, as agencies like the FTC may face challenges to their previous cybersecurity mandates and bear the burden of defending them with little judicial deference. Agencies may also become more cautious about interpreting laws to impose strong cybersecurity obligations without an explicit congressional mandate, out of fear that such rules will be struck down. Despite these potential obstacles, the need for improvement is clear and urgent, so that every month is not littered with new breaches on the scale of Ticketmaster and AT&T, and alignment over best practices, including attention to supply chain risk, suggests that momentum is building toward that improvement.