FTC puts security industry on notice with lawsuit against D-Link

Jan. 26, 2017
Company accused of using inadequate cyber safeguards on its IP cameras, routers

While lawmakers on Capitol Hill have hemmed and hawed for years about what can be done to improve the nation’s cybersecurity posture, the Federal Trade Commission has decided it will hold the U.S. business community responsible for failing to implement good cybersecurity practices. Two years ago a federal appeals court paved the way for the FTC to become the arbiter of what constitutes good cybersecurity hygiene when it ruled in favor of the agency’s lawsuit against hotel chain operator Wyndham Worldwide for failing to protect consumers’ information.

Now the agency has set its sights on the security industry as it recently filed a lawsuit against D-Link and its U.S. subsidiary alleging that the company used inadequate safeguards on its wireless routers and IP cameras that left them vulnerable to hackers. In its complaint, the FTC charged that D-Link failed to take “reasonable steps” to secure these products, which potentially compromised sensitive consumer information, including live video and audio feeds from cameras.

“Hackers are increasingly targeting consumer routers and IP cameras – and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a statement. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

D-Link quickly countered the agency’s claims and issued a statement calling the charges “unwarranted” and “baseless.” The company said it believes the processes and procedures related to the security of its devices were more than reasonable. In addition, D-Link says the complaint does not allege a breach of its devices but that the agency is merely speculating that consumers were placed “at risk” of hacking without offering proof that actual consumers suffered or are likely to suffer actual substantial injuries.

"The FTC complaint alleges certain security hacking concerns for consumer routers and IP cameras, and we firmly believe that charges alleged in the complaint against D-Link Systems are unwarranted," William Brown, chief information security officer, D-Link Systems, Inc., said in the statement. "We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems' products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices."       

According to Joe Gittens, director of standards for the Security Industry Association (SIA), the FTC’s cybersecurity enforcement powers could have significant implications for the security industry moving forward depending on what types of penalties it is able to levy against companies. D-Link is a SIA member.

“Obviously, if there are serious sanctions, then it might be a shot across the bow at manufacturers,” says Gittens. “It really depends on what the FTC’s policy for being a watchdog is. If there are serious sanctions then, obviously, whether it is physical security or any industry, you will see companies taking cybersecurity concerns a lot more seriously.” 

While cyber vulnerability issues surrounding physical security equipment have been a concern throughout the industry for some time, the botnet attacks that occurred last fall against domain name service (DNS) provider Dyn and the website of cybersecurity journalist Brian Krebs, both of which leveraged large numbers of unsecured IP cameras, have brought them to the forefront once again. The attacks even caught the attention of Congress, which held a hearing last November to discuss what the government’s possible role could be in securing Internet of Things (IoT) devices.

Gittens says any piece of network equipment needs to be designed with cybersecurity in mind and that as more security manufacturers move to address vulnerabilities found in IP cameras and other internet-enabled devices, the impact of these types of high-profile incidents will be felt less across the industry.

“We’re called the security industry, so security should be front of mind – not only the security of folks who your products are being deployed to secure but the security of your product itself,” Gittens says. “We have many members that are very, very cyber aware and… cybersecurity is one of the first things talked about when we’re looking at developing standards, guidance and guidelines. I don’t think it’s fair to say the entire industry took this lightly, but I do think there have probably been some companies that have been slow to respond to the changing threats in the environment.”         

SIA has also taken steps to help its members better protect their products against cyber intrusions. Last year, the association published a "Beginners Guide to Product and System Hardening," which lays out the top 10 causes of cybersecurity failures in systems and how to address them. The failures listed include:

  1. Inadequate security policy and process governance
  2. Reliance on “Security through Obscurity” – assuming that nobody will ever test security
  3. Inadequate software and firmware patching; inadequate testing of patches before installation
  4. Unencrypted, unauthenticated and uncontrolled wireless communications within systems
  5. Unencrypted, unauthenticated and uncontrolled communications between systems
  6. Poor password hygiene and insufficient segmentation of control system networks
  7. Lack of auditing and audit monitoring on networks
  8. Control system networks shared with other traffic
  9. Poor coding of control system software causes failures
  10. Lack of configuration management and tracking for hardware and software

“These are some very basic things that are easily avoidable and could be a quick first step to making sure products are safer,” Gittens says. “When you hear about these hacks and vulnerabilities, eight times out of 10 it’s something that’s a no-brainer fix.”
