Reasonableness-FCC


The following is taken from the FCC document titled above. Click on the title to see the entire document. Sections 241-243 address reasonableness.


  1. By clarifying that our standard is one of “reasonableness” rather than strict liability, we address one of the major concerns that providers—including small providers and their associations—raise in this proceeding. WTA, for instance, argues that a strict liability standard “is particularly inappropriate for small providers that lack the resources to install the expensive and constantly evolving safeguards necessary to comply with a strict liability regime.”[686] We agree with these parties, and others such as the Federal Trade Commission staff,[687] that our rules should focus on the reasonableness of the providers’ practices and not hold providers, including smaller providers, to a standard of strict liability.
  2. We also agree with those commenters that argue that the reasonableness of a provider’s data security practices will depend significantly on context.[688] The rule therefore identifies four factors that a provider must take into account when implementing data security measures: the nature and scope of its activities; the sensitivity of the data it collects; its size; and technical feasibility. Taken together, these factors give considerable flexibility to all providers. No one factor, taken independently, is determinative.
  3. We include “size” in part based on the understanding in the record that smaller providers employ more limited data operations in comparison to their larger provider counterparts. While the other contextual factors already account considerably for the varying data collection and usage practices of providers of different sizes, we agree with commenters that size is an independent factor in what practices are reasonable for smaller providers, particularly to the extent that the smaller providers engage in limited data usage practices.[689] For instance, WTA explains that “its members do not currently, and have no plans to, retain customer Internet browsing histories and related information on an individual subscriber basis because the cost . . . would significantly outweigh any potential monetary benefit derived from data relating to the small subscriber bases of [rural carriers].”[690] Several small provider commenters also point out that many such providers have few employees and limited resources.[691] Accordingly, certain security measures that may be appropriate for larger providers, such as having a dedicated official to oversee data security implementation, are likely beyond the needs and resources of the smallest providers.[692] Our inclusion of “size” as a factor makes clear that small providers are permitted to adopt reasonable security practices that are appropriate for their businesses.[693] At the same time, we emphasize that all providers must adopt practices that take into account all four contextual factors. For instance, a small provider with very expansive data collection and usage practices could not point to its size as a defense for not implementing security measures appropriate for the “nature and scope” of its operations.[694]

[686] WTA Reply at 12; see also U.S. Small Business Administration Reply at 3 (“The record in this proceeding would support any effort by the FCC to mitigate the disproportionate compliance burden its proposal would have on small BIAS providers.”).

[687] See FTC Staff Comments at 27-28.

[688] See, e.g., CenturyLink Comments at 32 (“[A]ll providers should adopt reasonable data security safeguards based [on contextual factors proposed in the NPRM].”).

[689] See, e.g., WTA Aug. 22, 2016 Ex Parte at 3 (“WTA also argued that size should be a factor for consideration when assessing the implementation of reasonable security measures in order to avoid unreasonably holding small carriers with only a handful or two of employees to the same standard as providers that employ armies of technical and security professionals and drive industry best-practices.”).

[690] WTA Aug. 22, 2016 Ex Parte at 2-3; see also RWA Reply at 2 (“[U]nlike large or nationwide BIAS providers, [our] members do not generally collect, store, analyze, and exploit [CPNI]”); WTA Comments at 19 (“Small BIAS providers also do not engage in the collection and retention of sensitive consumer information to the extent that other industry participants that are subject to the FTC enforcement do.”); CCA Comments at 33 (“[M]any CCA carrier members that fall under CCA’s proposed definition of small provider do not share customer information with third parties for advertising purposes.”); NTCA Comments at 1 (“As a general matter . . . NTCA members do not broker their customers’ information.”); ACA Comments at 5 (explaining that “ACA members generally do not use their customers’ information for purposes requiring opt-in consent—often because they lack the incentive or resources to do so”).

[691] See ACA Comments at 8 (“Most ACA members have few employees: half of ACA’s members have ten or fewer employees.”); Education and Research Consortium et al. Comments at 10; RWA Comments at 10-12; WISPA Comments at 26-27; WTA Aug. 22, 2016 Ex Parte at 3.

[692] See RWA Comments at 12 (“Saddling small carrier employees with qualification requirements in rural markets (where workforce demands are often already difficult to meet) is counterproductive and may force small rural carriers into unnecessary additional hires, solely for the purpose of meeting such requirements.”). ACA Oct. 18, 2016 Ex Parte at 2 (urging the Commission to “[r]ecognize the limited financial resources of smaller ISPs in determining whether their data security practices are ‘reasonable.’”) (internal formatting omitted). Our decision not to adopt minimum required security practices should further allay concerns about the impact of the rule on small providers. See, e.g., WTA Aug. 22, 2016 Ex Parte at 3 (“Because risk management requires tough decisions regarding which risks are reasonably acceptable in light of an organization’s activities, size and resources, WTA urged the Commission to provide flexibility for small carriers and refrain from imposing specific security requirements beyond a generalized duty to employ reasonable security measures.”); RWA Reply at 11 (citing WTA Comments at 21) (“[A]llow each BIAS provider to determine the particulars of and design its own risk management program, taking into account the probability and criticality of threats and vulnerabilities, as well as the nature and scope of a provider’s business activities and the sensitivity of the underlying data.”); ACA Reply at 44 (“[E]xempt small providers from the specific minimum data security requirements . . . .”); CTIA Reply at 10.

[693] See ACA Comments at 23; CCA Comments at 42; WTA Comments at 18-25; U.S. Small Business Administration Reply at 3-4; Letter From Joshua Seidemann, Vice President of Policy, NTCA, to Marlene Dortch, Secretary, FCC at 2-3 (filed Sept. 16, 2016) (NTCA Sept. 16, 2016 Ex Parte).

[694] See National Consumers League Reply at 21 (“[P]rotecting consumers’ data is a part of running a modern company.”). But see ACA Oct. 18, 2016 Ex Parte at 2 (“[The Order] should explicitly state that a higher relative cost for a smaller ISP to implement a practice on a per customer basis compared to a larger ISP is a factor in determining whether an ISP’s implementation of a practices is reasonable.”).

Internet of Things FBI


CYBER ACTORS USE INTERNET OF THINGS DEVICES AS PROXIES FOR ANONYMITY AND PURSUIT OF MALICIOUS CYBER ACTIVITIES

Cyber actors actively search for and compromise vulnerable Internet of Things (IoT) devices for use as proxies or intermediaries for Internet requests to route malicious traffic for cyber-attacks and computer network exploitation. IoT devices, sometimes referred to as “smart” devices, are devices that communicate with the Internet to send or receive data. Examples of targeted IoT devices include: routers, wireless radio links, time clocks, audio/video streaming devices, Raspberry Pis, IP cameras, DVRs, satellite antenna equipment, smart garage door openers, and network attached storage devices.

IoT proxy servers are attractive to malicious cyber actors because they provide a layer of anonymity by transmitting all Internet requests through the victim device’s IP address. Devices in developed nations are particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses. Cyber actors use the compromised device’s IP address to engage in intrusion activities, making it difficult to filter regular traffic from malicious traffic.

Cyber actors are using compromised IoT devices as proxies to:

- Send spam e-mails;
- Maintain anonymity;
- Obfuscate network traffic;
- Mask Internet browsing;
- Generate click-fraud activities;
- Buy, sell, and trade illegal images and goods;
- Conduct credential stuffing attacks, which occur when cyber actors use an automated script to test stolen passwords from other data breach incidents on unrelated websites; and
- Sell or lease IoT botnets to other cyber actors for financial gain.

Cyber actors typically compromise devices with weak authentication, unpatched firmware or other software vulnerabilities, or employ brute force attacks on devices with default usernames and passwords.

Compromised devices may be difficult to detect but some potential indicators include:

- A major spike in monthly Internet usage;
- A larger than usual Internet bill;
- Devices become slow or inoperable;
- Unusual outgoing Domain Name Service queries and outgoing traffic; or
- Home or business Internet connections running slow.
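Two of the indicators above, unusual outgoing DNS queries and a spike in outbound usage, can be checked mechanically against whatever a home router or resolver logs. The script below is an added example and is not part of the FBI advisory; the resolver log format (`<timestamp> src=<ip> qname=<name> type=<rr>`), the per-device daily byte counters and the 192.168.1.x addresses are all constructed stand-ins. It flags a device whose query count is an order of magnitude above its peers and spread over many distinct names (a proxy relays other people's lookups; a camera phoning home does not), and separately a device whose outbound volume jumps far above its own history.

```python
"""Flag LAN devices whose outbound DNS activity and data volume deviate from
the baseline: the two network indicators named in the FBI advisory.

Added example, not part of the advisory. Log formats and addresses are
constructed for the illustration.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample: a NAS (.10), a laptop (.11) and an IP camera (.20).
# The camera has been turned into a proxy: it resolves a flood of unrelated
# hostnames while pushing far more data upstream than on any previous day.
DNS_LOG = """\
2024-03-01T02:00:01Z src=192.168.1.10 qname=time.nist.gov type=A
2024-03-01T02:00:02Z src=192.168.1.10 qname=updates.example-nas.invalid type=A
2024-03-01T02:00:03Z src=192.168.1.11 qname=www.example.com type=A
2024-03-01T02:00:04Z src=192.168.1.11 qname=mail.example.com type=A
2024-03-01T02:00:05Z src=192.168.1.11 qname=cdn.example.net type=AAAA
""" + "".join(
    f"2024-03-01T02:01:{i % 60:02d}Z src=192.168.1.20 "
    f"qname=host{i}.tracker-{i % 7}.invalid type=A\n"
    for i in range(120)
)

# Constructed: 14 days of outbound bytes per device followed by today's value.
DAILY_BYTES_OUT = {
    "192.168.1.10": [400_000_000] * 14 + [420_000_000],
    "192.168.1.11": [1_200_000_000] * 14 + [1_500_000_000],
    "192.168.1.20": [30_000_000] * 14 + [2_400_000_000],
}

DNS_LINE = re.compile(r"src=(?P<src>\S+) qname=(?P<qname>\S+)")


def parse_dns(log: str) -> dict[str, list[str]]:
    """Group queried names by source address; lines that don't match are skipped."""
    queries: dict[str, list[str]] = defaultdict(list)
    for line in log.splitlines():
        m = DNS_LINE.search(line)
        if m:
            queries[m["src"]].append(m["qname"].lower().rstrip("."))
    return dict(queries)


def dns_anomalies(queries, factor=10, min_distinct=20):
    """Suspect a device that issues `factor` times the median query count of
    the other devices AND spreads those queries over many distinct names."""
    counts = {src: len(names) for src, names in queries.items()}
    findings = []
    for src, names in queries.items():
        others = [c for s, c in counts.items() if s != src]
        baseline = statistics.median(others) if others else 0
        distinct = len(set(names))
        if counts[src] > factor * baseline and distinct >= min_distinct:
            findings.append({"src": src, "reason": f"{counts[src]} DNS queries for "
                             f"{distinct} distinct names (peer median {baseline:g})"})
    return findings


def usage_anomalies(daily, factor=5, min_delta=100_000_000):
    """Flag a device whose latest daily outbound volume is `factor` times its own
    median and at least `min_delta` bytes above it; the absolute floor keeps a
    quiet sensor from tripping on a few megabytes of firmware download."""
    findings = []
    for dev, series in daily.items():
        *history, today = series
        base = statistics.median(history)
        if today > factor * base and today - base >= min_delta:
            findings.append({"src": dev, "reason": f"{today:,} bytes out today "
                             f"vs. median {base:,.0f}"})
    return findings


def suspected_proxies(dns_log=DNS_LOG, daily=DAILY_BYTES_OUT):
    """Combine both detectors; a device with either finding is reported."""
    flagged = defaultdict(list)
    for f in dns_anomalies(parse_dns(dns_log)) + usage_anomalies(daily):
        flagged[f["src"]].append(f["reason"])
    return dict(flagged)


if __name__ == "__main__":
    for dev, reasons in suspected_proxies().items():
        print(dev)
        for r in reasons:
            print("  -", r)
```

Run it on the constructed data and only the camera is reported, with both reasons; the NAS and laptop stay below both thresholds. The peer-median comparison is deliberate: on a small network with no history, the other devices are the only baseline available, and a single compromised device cannot drag the median with it.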

Protection and Defense

- Reboot devices regularly, as most malware is stored in memory and removed upon a device reboot. It is important to do this regularly as many actors compete for the same pool of devices and use automated scripts to identify vulnerabilities and infect devices.
- Change default usernames and passwords.
- Use anti-virus regularly and ensure it is up to date.
- Ensure all IoT devices are up to date and security patches are incorporated.
- Configure network firewalls to block traffic from unauthorized IP addresses and disable port forwarding.
- Isolate IoT devices from other network connections.

Additional Resources

For additional information on cyber threats to IoT devices, please refer to “Common Internet of Things Devices May Expose Consumers to Cyber Exploitation,” available at https://www.ic3.gov/media/2017/171017-1.aspx.

Victim Reporting

If you suspect your IoT device(s) may have been compromised, contact your local FBI office and/or file a complaint with the Internet Crime Complaint Center at www.ic3.gov.

Internet of Things US Cert

Securing the Internet of Things

Security Tip (ST17-001)

The Internet of Things refers to any object or device that sends and receives data automatically through the Internet. This rapidly expanding set of “things” includes tags (also known as labels or chips that automatically track objects), sensors, and devices that interact with people and share information machine to machine.

Why Should We Care?

Cars, appliances, wearables, lighting, healthcare, and home security all contain sensing devices that can talk to other machines and trigger additional actions. Examples include devices that direct your car to an open spot in a parking lot; mechanisms that control energy use in your home; control systems that deliver water and power to your workplace; and other tools that track your eating, sleeping, and exercise habits.

This technology provides a level of convenience to our lives, but it requires that we share more information than ever. The security of this information, and the security of these devices, is not always guaranteed.

What Are the Risks?

Though many security and resilience risks are not new, the scale of interconnectedness created by the Internet of Things increases the consequences of known risks and creates new ones. Attackers take advantage of this scale to infect large segments of devices at a time, allowing them access to the data on those devices or to, as part of a botnet, attack other computers or devices for malicious intent. See Cybersecurity for Electronic Devices, Understanding Hidden Threats: Rootkits and Botnets, and Understanding Denial-of-Service Attacks for more information.

How Do I Improve the Security of Internet-Enabled Devices?

Without a doubt, the Internet of Things makes our lives easier and has many benefits; but we can only reap these benefits if our Internet-enabled devices are secure and trusted. The following are important steps you should consider to make your Internet of Things more secure.

Evaluate your security settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.

Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.

Connect carefully. Once your device is connected to the Internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the Internet is needed. See Securing Your Home Network for more information.

Use strong passwords. Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some Internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Choose strong passwords to help secure your device. See Choosing and Protecting Passwords for more information.
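The FBI's "Protection and Defense" list and the four US-CERT steps above describe the same hygiene from two angles: no factory credentials, current firmware, no unnecessary exposure, and device isolation. The script below turns that checklist into an audit over a device inventory. It is an added example, not code from the FBI or US-CERT publications; the inventory fields, the device models, the factory credentials in FACTORY_DEFAULTS and the IoT VLAN number are constructed for the illustration, standing in for an asset register and the vendors' own documentation.

```python
"""Audit an IoT device inventory against the hardening steps in the FBI and
US-CERT guidance: default credentials, weak passwords, stale firmware,
port forwarding, missing network isolation and long uptime.

Added example; inventory format, models and defaults are constructed.
"""
from dataclasses import dataclass

# Constructed: factory credentials as a vendor manual would list them, by model.
FACTORY_DEFAULTS = {
    "cam-x100": ("admin", "admin"),
    "nas-200": ("admin", "password"),
    "dvr-4ch": ("root", "12345"),
}
IOT_VLAN = 20               # constructed: the segment kept apart from laptops and servers
MAX_REBOOT_AGE_DAYS = 7     # the advisory's "reboot regularly", given a number
MIN_PASSWORD_LENGTH = 12


@dataclass
class Device:
    name: str
    model: str
    vlan: int
    username: str
    password: str
    firmware: str
    latest_firmware: str
    port_forwarding: bool
    days_since_reboot: int


def weak_password(pw: str) -> bool:
    """Short, all-digit or all-letter passwords are treated as weak."""
    return len(pw) < MIN_PASSWORD_LENGTH or pw.isdigit() or pw.isalpha()


def audit(dev: Device) -> list[str]:
    """Return one finding per hardening step the device fails."""
    findings = []
    default = FACTORY_DEFAULTS.get(dev.model)
    if default and (dev.username, dev.password) == default:
        findings.append("factory default username and password still set")
    elif weak_password(dev.password):
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters "
                        "or a single character class")
    if dev.firmware != dev.latest_firmware:
        findings.append(f"firmware {dev.firmware} behind available {dev.latest_firmware}")
    if dev.port_forwarding:
        findings.append("port forwarding to this device is enabled on the gateway")
    if dev.vlan != IOT_VLAN:
        findings.append(f"on VLAN {dev.vlan}, not isolated on IoT VLAN {IOT_VLAN}")
    if dev.days_since_reboot > MAX_REBOOT_AGE_DAYS:
        findings.append(f"last rebooted {dev.days_since_reboot} days ago")
    return findings


# Constructed inventory: one device fails everything, one passes, one is in between.
INVENTORY = [
    Device("front-door-cam", "cam-x100", 1, "admin", "admin", "1.2.0", "1.4.1", True, 93),
    Device("office-nas", "nas-200", 20, "ops", "Tq7-vineyard-lantern", "3.1.5", "3.1.5", False, 2),
    Device("lobby-dvr", "dvr-4ch", 20, "root", "summer2023", "2.0", "2.0", False, 40),
]


def audit_inventory(inventory=INVENTORY) -> dict[str, list[str]]:
    return {d.name: audit(d) for d in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The default-credential check deliberately compares the username and password pair against the model's documented factory values rather than against a generic wordlist: that is the fact the asset owner actually has, and it catches the case the FBI advisory singles out. Everything else is a plain field comparison, which is the point; the hard part of this audit is keeping the inventory current, not the logic.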

Additional Information

The following organizations offer additional information about this topic:

Online Trust Alliance: https://otalliance.org/smarthome

Open Web Application Security Project (OWASP):
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project 
https://www.owasp.org/index.php/IoT_Security_Guidance

Atlantic Council: http://www.atlanticcouncil.org/publications/issue-briefs/smart-homes-and-the-internet-of-things

Networks of ‘Things’ (NIST Special Publication 800-183): http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-183.pdf

Department of Homeland Security: https://www.dhs.gov/securingtheIoT

Stop.Think.Connect.: https://www.dhs.gov/stopthinkconnect

Authors

Stop.Think.Connect. and National Cybersecurity and Communications Integration Center (NCCIC)