US Senate Calls for Tougher Cybersecurity Standards
Two Senate hearings this week focused on the multiple data breaches that have erupted across the US retail sector.
American politicians, regulators, law enforcement agencies, retailers and banks agree that stronger standards are needed to prevent future incidents. Any new legislation or regulations arising in the wake of the retail data breaches likely will hit all US corporates in the form of increased spending on cybersecurity compliance.
In Monday’s hearing, the US Senate Subcommittee on National Security and International Trade and Finance looked at safeguarding consumers’ financial data. Senator Mark Warner, a Democrat, opened the session by urging retailers, banks and the card industry to avoid engaging in another long-term fight over cybersecurity, like they have over interchange fees. “To better protect consumers, our financial institutions, the networks and merchants should work together to continue to innovate on antifraud technology,” he said.
The US Federal Trade Commission (FTC) is advocating for federal standards for data security and breach notification. Currently, states have laws requiring breach notification, but there are no such laws at the federal level and no civil penalties, explained Jessica Rich, bureau of consumer protection director of the FTC. “While we have tools and we’re using them to enforce data security failures by companies, it would be extremely helpful to have a federal law requiring data security – not just notifications – with civil penalties,” she said.
Establishing data security requirements can be tricky because technology is constantly evolving. Therefore, the FTC is in favour of requiring companies to have a process for developing appropriate data security so that the specific technical standards can evolve along with the technology. Rich noted that there is one existing financial regulation that is already a model for this – the Gramm-Leach-Bliley safeguards rule. “You have to put somebody in charge – your chief technology officer [CTO] – and you have to do a formal risk assessment. You have to then implement safeguards in key areas of risks, such as employee training, network and physical security, service providers, etc. It sets up a process and we’re able to use it as a tool for enforcement without mandating levels of encryption and things that change over time,” she said.
Senator Elizabeth Warren, a Democrat, asked Rich if the FTC is powerless to go after a company for deceptive practices – even if its data protection standards are completely inadequate – as long as the company never says that its standards are good. “That’s absolutely right,” Rich replied. “That’s one of the reasons we’re supporting general data security legislation.”
Warren noted that, under the FTC’s authority to go after deceptive practices, it has only settled about 30 data security cases since 2002. That is about three per year – very few, compared to the number of data breaches that have occurred over the last decade. “I think the real problem is that the FTC’s authority is so limited. Congress needs to consider whether to strengthen the FTC’s hand,” she said.
Democrat Senator Robert Menendez believes the FTC and the federal government should play a role in implementing standards. “If there was a standard that was available and companies were not using that standard, then we have to question whether or not they made an investment decision not to go ahead and expend the resources for that higher standard,” he said. “It seems to me that we should be setting a standard.”
Moving to EMV
There was universal support Monday for retailers to move to Europay, MasterCard and Visa (EMV) chip cards. However, Mallory Duncan, senior vice president (SVP) and general counsel of the US National Retail Federation (NRF), emphasised that chip cards are “worthless” without the personal identification number (PIN). “The banks know this combination is very powerful; they promote it all over the world,” he said. “Yet here in the US they are proposing signature and chip cards – chip and choice. It is an ineffective half measure, locking the backdoor, while leaving the front door open.”
Duncan noted that if the retail community is going to be required to spend approximately US$3bn to replace all card readers in the US, then they should not be relying on a ‘1960s relic’ – signature-based security – to combat 21st century threats.
Troy Leach, CTO for the PCI Security Standards Council (PCI SSC), testified that while moving to EMV chip technology is an important step in improving data security, it is not a complete solution by itself. “EMV chip is only one piece of the puzzle,” he said. “Additional controls are needed to protect the integrity of payments online, on the telephone and through any other channels.”
Leach testified that developing standards is something that the PCI SSC is uniquely qualified to do, and government standards would likely not be effective. This drew some criticism from Warren, who stated that American businesses have become targets by being allowed to police themselves. “Why should we leave this to organisations like yours?” she asked. “It sounds to me like we may need some pressure from the government to make sure the toughest standards are used.”
The push for EMV continued in Tuesday’s hearing by the Senate Committee on the Judiciary. John Mulligan, executive vice president (EVP) and chief financial officer (CFO) of Target, reiterated earlier comments that the major US/Canada retailer is investing US$100m to implement chip technology in its stores by early 2015, six months ahead of schedule.
Mulligan emphasised that all participants in the payment card world need to move collectively to chip and PIN technology. “That would have rendered the account numbers that were taken far less useful,” he said. “It is technologies like that we think are important and we’re committed to accelerating our efforts in that particular area.”
Target previously tried to implement chip card technology in 2003, Mulligan explained. “We put guest (customer) payment devices in our stores to read chips. We introduced a new payment card, a Target Visa card with a chip in it, but without broad adoption, there aren’t significant benefits for consumers.”
Target is an advocate for PIN over signature chip cards, though it is taking a gradual approach. “As the industry in total becomes capable of handling that for credit transactions, we will be ready for that as well,” Mulligan said.
Michael Kingston, SVP and chief information officer (CIO) for the upmarket retailer Neiman Marcus, said his organisation is willing to consider anything that will make consumer information safer, including chip and PIN. However, he noted that Neiman Marcus does not currently use PIN pads and addressed some of the issues associated with implementing them. “There’s lots of work to do to make that happen,” he said. “Obviously, there are PIN pads that have to be able to process this, there are software changes that will have to happen, and of course, all the integration with the other actors, such as the banks, the merchant processors, and finally getting all the cards with the chips in the consumers’ hands.”
Kingston made the case for better sharing of information between the public and private sector. “There are a lot of actors in this ecosystem,” he said. “I think collectively, all of those actors, all of those stakeholders who have intelligence and are able to share that with the community – if we can encourage more of that information sharing, I think it could help us try to keep up with this problem.”
Fran Rosch, SVP, security product and services, endpoint and mobility for Symantec, agreed. He does, however, believe it would be helpful for the government to recommend, “in a very flexible way,” some preventative measures that companies can take to protect their systems.
Mulligan also believes that the public and private sector need to work together. “We’ve had ongoing relationships in information sharing with law enforcement. That needs to happen more broadly between our organisation, other organisations and the government to find solutions here,” he said.
Rosch stressed that any standards have to be flexible, because the war against cybercrime is ongoing and the types of threats and solutions are changing all the time. “We’re constantly raising the bar, so whatever gets developed needs to allow for that to happen, versus locking in at any particular time what might seem acceptable,” he said.