At the recent ISSA International Conference in Dallas, SearchCompliance editor Ben Cole met with conference speakers to discuss modern data protection threats and how they influence the information security professionals' role. During the conference, Monique Ferraro, Cyber Counsel for Munich Re's U.S. P&C Cyber and Privacy Risk Practice, led a discussion about how information security regulations are targeting rapidly advancing, popular consumer technology such as the internet of things and drones. In this Q&A, Ferraro discusses what stipulations could be included in IoT and drone regulations, and why developing these rules could prove difficult for lawmakers.
How has popular consumer technology like the internet of things and drones changed information security threats?
Monique Ferraro: It's changed them substantially. IoT and drones have different effects and ramifications on information security. IoT has vastly increased the number of devices that are connected to the internet, and there's not always been adequate planning that's gone into the development process as far as security goes.
Do you think information security regulations will be developed that legislate the use of IoT and drones in order to protect data security?
Ferraro: Not necessarily legislation, but you're going to see regulation, and regulation in the same sort of form that IT security regulations take in that it's voluntary, that it's flexible, that it mirrors the complexity of the organization itself: how large it is, what sort of data it has. It will be in the form of frameworks, and not necessarily prescribed that 'If you have this device, do X,' because it has to be flexible enough to allow for development. It's a new scenario that's just developing, so many businesses want to encourage it. And regulators want to encourage its development because IoT is going to be a major component of developing our increasing economy.
As far as drones go, drones are a different story. Drones have a lot more statutes directed at the state level in particular, because drones have been employed to commit various acts. Spying, for example. They've also been weaponized in some cases. They've been employed in narcotics trafficking. In particular, California just passed a statute making it illegal to operate a drone over a correctional facility because [drones] were being used to drop narcotics.
Do you think that the type of information security regulations that you were just describing would be effective to protect data?
Ferraro: You can't tell people what to do, no matter what it is. When you have sweeping laws, you have to enforce them, and how would you enforce it? The only way that lawmakers or regulators or law enforcement are going to find out about a problem is when there's a breach. The direction that we've been heading to at the national level is information sharing. If you don't want people to share information about IT security, then don't punish them when something bad happens.
We talked a little bit about drone regulations already, but how do you think future legislation and compliance rules will potentially influence how and where individuals fly drones in order to protect privacy?
Ferraro: There's been some legislation about flying drones over police operations -- crime scenes, things like that. You're going to increasingly see that, but it depends on how much drones are used, and for what purpose. There are some great uses for drones: for instance, dropping off medicines and foods and products; as delivery mechanisms; for inspecting bridges and other places; for adjusting insurance claims. But as they're used for more and more nefarious purposes, there are so many things that can be done that are bad that you and I can't anticipate them. It's the evil geniuses of the world that come up with that, and legislators have to react to it.
Do you think that if cybersecurity and other information security regulations and compliance rules are put in place targeting the IoT and drones, they'll mandate implementation of security precautions during product development? Should companies be mandated to put those security protocols in place while they're developing these products?
Ferraro: The National Highway Traffic Safety Administration just came out with some draft guidance for automakers developing cyber-connected devices in cars. The other IoT, industrial IoT, government IoT -- all of those different forms of IoT are going to probably be guided by voluntary, multidisciplinary stakeholders that get together, sometimes at the calling of the government and sometimes on their own initiative, in order to increase security.
More from the 2016 ISSA International Conference on information security regulations and strategy:
Ignorance still a big risk for cloud security
Tabletop exercises prove essential to cybersecurity training efforts
IoT data security reliant on 'supply chain of trust'