IoT security watch: Data breach legislation is coming, first stop California
On May 25, the European Union enacted the most stringent data protection and breach fines in the world under the new General Data Protection Regulation. As stated by the EU, the goal is to “protect all EU citizens from privacy and data breaches in an increasingly data-driven world.” Its broad reach will “apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.” And, the penalties are significant: “Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).”
Anyone keeping up with the news would have heard about the regulation in the days leading up to its enactment. For IT departments around the globe, the GDPR most likely resulted in a great deal of quiet in the hopes that their systems have been set right to avoid potential breaches that could mount organizations with negative material impact.
For firmware development and third-party software vendors, the GDPR could spell their demise if they are found liable for data breaches. For IoT device manufacturers, the GDPR is a sign that they need to improve the security in their firmware supply chain.
Their hopeful prayers aside, software development, IoT firmware and IT teams cannot ignore the fact that security vulnerabilities continue to be inadvertently created and hackers press on to find ways to exploit them. And, it’s not just the EU that is putting customer data protection legislation into place. Numerous citizen data protection initiatives are arising to various degrees across the U.S. The initiative with the greatest potential impact is taking place in the state of California.
California Personal Data Protection Bill
By a vote of 21-13, the California State Senate recently passed SB-1121 Personal Information, a bill that allows any consumer affected by a data breach to sue for damages. Suits against a company or organization no longer need to be brought by customers, as was previously required. This new bill enables all consumers, regardless of their relationship to the hacked entity, to sue third-party data brokers like Equifax, the poster child for data breach negligence. This key feature extends a company’s responsibility of data privacy to the general public. SB-1121 puts forth hard-hitting measures, allowing people to sue for $1,000 per data breach or for monetary damages — whichever sum is greater.
In July 2017, hackers exploited a known and previously reported security vulnerability in the open source Apache Struts software in the Equifax platform. As the story unfolds, it seems that the thieves got away with the personal information of more than 148 million people in the U.S. The estimated liabilities to Equifax, for the breach, range from $1.5 billion to $7 billion.
The newly enacted bill is significant because California is a state that no business can afford to ignore. It is the largest U.S. state by population and it has the world’s fifth largest economy, having recently surpassed the UK in its size. And it has a distinguished track record of precedent-setting initiatives that have affected numerous industries — like its automotive emissions standards.
Should the bill pass on August 31, it might incite a number of other U.S. states to adopt laws with similar language and penalties. Should a business experience an Equifax-like data breach in this context, it will be forced to address even larger litigations and will undergo major headaches.
Why are data breaches on the rise?
Open source software code pervades operating systems, network platforms and applications. This trend will only continue to grow because, by using open source, developers can lower assembly costs and quickly add innovations. Without it, almost every gadget, cloud platform, banking network and phone system would shut down.
Whether software code is proprietary or open source, it harbors security vulnerabilities. Because of its transparency, open source code tends be better engineered than a comparable piece of proprietary code. And thanks to its flexibility, open source code is extensively used. This means that a security vulnerability in a piece of open source code is likely to exist across a multitude of applications and platforms. Consequently, open source software vulnerabilities become the low-hanging fruit for hackers to target and attack.
Known security vulnerabilities are also prevalent
In 2017, the number of known security vulnerabilities nearly tripled that of 2016, jumping from 6,447 to 14,712. Over 4,800 vulnerabilities related to open source software were reported in 2017, with the number of open source vulnerabilities per codebase having grown by 134% over the course of one year. Based on the reported number of security vulnerabilities in the first six months of 2018, it appears that we will once again set a record this year. Consequently, we can expect to see many more corporate casualties from cyberattacks directed at known security vulnerabilities — unless we take proper, preventative action.
Effective vulnerability remediation
A first line of defense to address open source vulnerabilities is for businesses to know exactly what open source code hides in their software — before and after they procure it. This can be a challenge given that open source code is not well-documented due to the software procurement process and intellectual property issues.
There are new types of fingerprint-based binary code scanners that enable companies to scan their software and firmware in binary code, alleviating the somewhat inaccurate and time consuming practice of reverse engineering their code to make it source code — and then scan it for composition.
Visibility into exactly what open source code elements reside in the current or prospective code give IT departments the ability to assess their investment risks and take proactive measures to ensure security. At that point, instituting an effective open source patch model must be utmost priority.
Open source software development and use are irreversible trends in today’s modern business. The EU market is too large to ignore for most multinationals, and businesses really cannot afford to bypass California either. Given these circumstances software development, IoT firmware and IT teams must investigate and reevaluate, in-depth, the ramifications of GDPR, California SB-1211, their client data and privacy procedures and, of course, their plans and practices for finding and remediating open source security vulnerabilities.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.