Access Management , Business Continuity Management / Disaster Recovery , Critical Infrastructure Security
Proof of Concept: Apple/Microsoft/Google Back PasswordlessAlso: Cyber Readiness in Wartime; Privacy Regulation Updates
In the latest "Proof of Concept," Lisa Sotto of Hunton Andrews Kurth LLP and Jeremy Grant of Venable join editors at Information Security Media Group to discuss the significance of Apple, Google and Microsoft joining forces to support the passwordless sign-in standard in the FIDO protocol, progress made since Biden's cybersecurity executive order was issued and updates on U.S. cybersecurity and privacy laws.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
Anna Delaney, director, productions; Tom Field, vice president, editorial; Jeremy Grant, managing director of technology business strategy, Venable; and Lisa Sotto, partner and chair, global privacy and cybersecurity practice, Hunton Andrews Kurth LLP, discuss:
- Why it's a big deal that Apple, Google and Microsoft are supporting the passwordless sign-in standard in the FIDO protocol;
- Changes to U.S. cybersecurity and privacy laws;
- Progress made since Biden's cybersecurity executive order was issued one year ago.
Named in The National Law Journal's "100 Most Influential Lawyers," Sotto serves on the Hunton Andrews Kurth executive committee. She was voted the world's leading privacy adviser by Computerworld magazine and has earned the highest honor from Chambers and Partners as a "Star" performer for privacy and data security. Recognized as a "leading lawyer" by The Legal 500 U.S., Sotto chairs the Department of Homeland Security's Data Privacy and Integrity Advisory Committee and is the editor and lead author of "Privacy and Data Security Law Deskbook." She has represented the U.S. Chamber of Commerce in Indonesia and has advised the Serbian government on global data protection law. Sotto is co-chair of the International Privacy Law Committee of the New York Bar Association and chair of the New York Privacy Officers' Forum.
Grant was the founding leader of the National Program Office for the National Strategy for Trusted Identities in Cyberspace and senior executive adviser for identity management at the National Institute of Standards and Technology. He led the White House’s initiative to catalyze a marketplace of secure, easy-to-use, privacy-enhancing identity solutions for online services through government and private sector partnerships.
"Proof of Concept" runs semimonthly. Don't miss our previous installments, including the April 12 edition on dealing with the regulation "tsunami" and the May 12 edition on crypto as a new national security threat.
Anna Delaney: Hello, this is Proof of Concept, a talk show where we invite leading experts to discuss the cybersecurity and privacy challenges of today and tomorrow, and how we can potentially solve them. We are your hosts. I'm Anna Delaney, director of productions at ISMG.
Tom Field: I'm Tom Field, senior vice president of Editorial operations. Anna, always a pleasure.
Delaney: Always a pleasure. How are you doing today, Tom?
Field: Very well, thank you. It's always a pleasure to be here and a delight to be able to discuss these issues, and to have the quality of guests that we have today.
Delaney: Yeah, absolutely. And before introducing those guests, Tom, what's the most interesting thing in cybersecurity at the moment?
Field: Well, I don't know the most interesting thing. I would say that today, what's on everybody's mind continues to be for three months now, what's happening in Ukraine, the Russian invasion, the role of cybersecurity. I'll tell you my concern. My concern is that we are a world that likes short stories; we like for crises to come up, for them to explode, for them to be resolved, and for them to go away. That's not happening with Ukraine. This is something that has been with us now for, think about this, almost a quarter of a year. I don't think it's going away in the next quarter of the year. So the concerns that we had from the outset, about potential leakage of nation-state weapons, let's say, in the role of cyber and repercussions for Western countries that get involved with this, those don't go away. People might not have the patience for them. People might want this to go away and be sick of it. But it's not going to. I think that's very much on my mind.
Delaney: And the big question remains, how will this affect the equilibrium of these major cyber powers such as U.S., China, and Russia? I hope our experts today maybe have some ideas and thoughts on this, and how is the conversation needing to change because there is the risk of becoming immune to all that's happening? As you say, we like news stories, news. What should organizations be preparing for? Because there's a lot of unknowns out there, how can they prepare? As I said, how do we need to move the conversation from just talking about the basics and cyber hygiene? Or, do we?
Delaney: Looking forward to that?
Field: Here the concern, Anna, is that you've got other nation-state powers out there, North Korea, Iran, watching what's happening and taking notes. And who's to say that one of them won't take advantage of this activity over there to launch another activity over here? For years, we worried about terrorism in the risk of a dirty nuclear device? Should we be concerned about a dirty cyber device?
Delaney: That's a worrying question, but a good one. Also news this week that unlikely collaborators came together, that is, Apple, Google, and Microsoft. And it seems, they are coming together for passwordless tech. They've joined forces to support the newest developments in the FIDO protocol. So is this the moment when passwordless goes to the masses, comes to us all?
Field: Well, it certainly is a good publicity moment. We've got exactly the person here that can help answer the question of the real significance of this, and what this does mean for people that have been clamoring for passwordless for a generation now.
Delaney: Well, I think it's time to introduce them.
Field: You think?
Field: Okay. Let's bring in our first guest. You know him as the managing director of technology business strategy with Venable LLP, we know him as Jeremy Grant. When it comes to identity, he is, as I say, in the movies. The dude. Well, good to have you here today.
Jeremy Grant: Thanks. Great to be here. Thanks, Tom. Thanks, Anna.
Field: Jeremy, as Anna teed up here, it was big news this past week that Apple, Google, Microsoft come together, and they are supporting the newest developments in the FIDO protocol. It was huge news coming as it did on World Password Day. What is the significance, the real significance of this move?
Grant: Well, I think the main takeaway is it's going to be easier than ever for service providers across the globe to make passwordless the default. A little bit of background; the FIDO standards have been in existence for years now. They've gone through a couple of iterations. FIDO2 is what's most commonly deployed. But a key challenge with FIDO has been if you're deploying it, you're either embracing what I would call a roaming authenticator model, say like a security key like a YubiKey, which I love personally, but maybe isn't going to be the thing that most consumers are going to pick up. Or you could have what would be called an embedded authenticator or platform authenticator built into the laptop I'm using, built into the iPhone I have in my pocket, built into an Android tablet, which I think is going to be much easier for consumers in that you can have a true passwordless model FIDO. Essentially, there's an on-device biometric match or a pin match if you don't want to use a biometric, which then unlocks a asymmetric, private, cryptographic key behind the scenes. But there's always been a challenge with that ladder model, which is while the user experience is great for consumers, you only have one private key for each device. So if you have multiple devices, you quickly get into a key management challenge, which becomes, well, a big challenge for consumers. Think about if the default is 18 months from today, you are logging in on a pad with a passwordless approach using FIDO for hundred different service providers that you do business with online, and then you get a new phone. And all the private keys are stuck on that one phone. And how do you get them to the other one, or the phone is lost or stolen, or anytime you're switching devices, you're not going to spend a week regenerating a hundred private keys. So from a usability perspective, this has inhibited the deployment of FIDO. The announcement this week is that all three of the big platforms are going to enable what's called multi-device credentials, essentially syncing those private keys across multiple devices. So that if I have an iPhone, an iPad, and a Mac, all of those keys will be resident in all of those devices. And just like when I get to a new device everything ports over, those private keys will port over as well. That's a big advancement that you're seeing all three platforms embrace to enable full interoperability.
Field: And again, a context here. In the timeline of FIDO, you've been there from the start, how big of a watershed date is this?
Grant: I think it is the inflection point that's going to allow us to finally make passwordless login by default. People talk for years about killing the password. When I was running the NSTIC program at NIST, we talked about part of our mission was shoot the password dead. Part of it has been getting to this point where you not only have standards, but also buy it. And I think that latter part is important. Already today, given the embrace you've seen by the three big platforms and other big tech companies, banks, chip makers and others, it's literally impossible to go buy a device today, running an operating system from Microsoft, Apple, or Google, that doesn't support FIDO out of the box in the device at the operating system level at the browser. But now the buy in at this next step to enable these multi-device credentials and make it easy and practical for consumers to log in with asymmetric public key cryptography. That's the real news here is that they're all saying, we're not going to compete against each other on this point, or they might compete in the details of the implementation. But we're all going to agree to collaborate here because all three of those companies and I think a lot of others involved in FIDO Alliance realize that for the health of the security ecosystem, killing passwords has to be the priority. So this is from my perspective, a big step forward.
Field: We look to see what happens next.
Grant: It changes some models in terms of how people have traditionally thought about FIDO. I've certainly been getting a lot of questions from different clients and also government agencies. I think there's an education period. And then I think, also what you have seen as an announcement that the companies are going to roll it out, as those capabilities start to show up in the next versions of operating systems and devices. I basically think you'll see probably starting later this year, a big shift from online service providers to start to embrace these new passwordless approaches, to the point of saying by the end of 2023, is what consumers should be looking for as the default when they sign up for an account somewhere.
Field: We're good. Now, speaking of watershed dates. It was almost exactly one year ago that President Biden released his landmark cybersecurity executive order. MFA was a big part of that. As we approach that anniversary, are we more secure today than we were then? Has progress been made?
Grant: Yes, progress has been made. Have we gotten to where we want to be? No, not yet, unfortunately. And I think that's where we've still got some more work to do. The problem with executive orders or other ethics that come from the White House, and by the way, this isn't unique to the Biden administration, this is within the administration is the mandates come out, but they need to be followed by action, which often means providing dedicated budget to agencies to make the changes that they need to acquire the tools that they need in order to comply. And I think, we've seen some good progress there, with more MFA adoption. I can certainly say just being in DC and talking to folks in the agencies like they're focused on this in a way that they weren't a year ago. But that doesn't mean that everything is now locked down with two-factor authentication. We certainly haven't gotten to phishing resistant two factor along the lines of what's called for in the White House zero trust strategy and the OMB memo that accompanied it. So I think that the challenge is translating policy decrees into results. That's going to take a little bit more time. I think we've got a couple of more years to go.
Field: Pretty good. Jeremy, as always pleasure to speak with you. Thank you so much.
Grant: Thank you.
Field: Anna, back to you.
Delaney: Thank you very much, gentlemen. That's great. Welcome, Lisa. I'd like to welcome back Lisa Sotto, partner and chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth LLP. Good to see you, Lisa.
Lisa Sotto: I'm delighted to be here, Anna. Thank you for having me.
Delaney: Lisa, there seems to be quite a bit of movement in the current cybersecurity legal landscape. What are the changes and challenges that are top of mind?
Sotto: Oh my, on the cybersecurity front, the U.S. legal landscape is changing at the speed of light. It's extraordinary to see what's happening here. We have recognized, of course, cybersecurity is a key risk for many years now. But the velocity of change is truly incredible. And it's welcome. I don't want to suggest that it's not welcome. But it is also overwhelming. And companies are now having to beef up their staff not only on the information security technologist front, but also on the legal and compliance front, folks who are well schooled in cybersecurity, on the compliance side of the house.
Delaney: Let's get into some specifics. What are some of the recent changes to reporting requirements?
Sotto: Well, this is where it's quite extraordinary. And this is where we're trying to keep up with what's going on. I'll start with the Omnibus Appropriations Bill that was recently passed that has a meaty and substantive chunk dealing with cybersecurity. The key provisions for the private sector are now the requirement to report covered events within 72 hours of the event. And this is for critical infrastructure, yet to be determined. There's plenty here that requires flushing out. But these are certainly very substantive new rules. In addition, you need to let the system know if you're a covered entity within 24 hours of paying a ransom, if you've been hit with ransomware. Or banks, we now have a 36-hour reporting obligation. We have new rules in some key industries, like for pipelines, there's a 12-hour reporting obligation, for surface transportation, a 24-hour reporting obligation. We have an SEC-proposed rule that will likely be pushed through in some form or another; we're not sure if it's going to look exactly like this. In fact, comments are due today. So we'll get a sense of what the comments are put by tomorrow. There's a four business day notification requirement for public companies. There are requirements for board and management oversight. This is consistent with the trend for high-level oversight by management and the board. But this overlays a whole new set of rules. And then of course, and I'll just reiterate this because it's worth thinking about in the mix of, in the medley of requirements. We have 54 state breach notification laws at the state level; we have breach notification laws at the federal level. Those are our long-standing requirements. And they have deadlines that range from 72 hours to 60 days or so. So to say, we have a cacophony of rules is an understatement. And by the way, we've only talked about the U.S. Things get swirly when we start to talk about international bills.
Delaney: That's the next episode. There's been also recent changes to U.S. privacy laws. Can you update us on some of the changes there?
Sotto: It has been a busy year. It's important to remember that until 2020, we had what was known as a sectoral regime, meaning that we regulated privacy by industry sector. And the best examples of this are the Gramm-Leach-Bliley Act in the financial sector and HIPAA in the healthcare sector. In 2018, everything changed. And I won't say we're getting more into line with the rest of the world. We're not there yet. We will be when we have a federal law, and I hope it's a will and not maybe because of what's happening, and I'll go through that a little bit. California started this trend in 2018. The law there became effective Jan. 1, 2020. It was the first state out of the box to enact a comprehensive privacy law. Now, that did lead to very dramatic changes on the privacy front in the U.S. But not to be outdone, other states followed suit. We then saw in the last couple of years, Virginia, Colorado, Utah, and now Connecticut; I daresay we're going to see a number of other states coming to the fore as well, and nobody's going to want to be left out of this party. So, I would advocate strongly for a federal pre-emptive law; it's the only way that we're going to be able to manage this extremely complex web, because we can't just comply with the highest common denominator law, they're all different. There isn't such a thing as highest common denominator.
Delaney: With all these changes, how do we keep pace? And how should organizations prepare?
Sotto: I think the only way to think about this is to think in terms of principles. Think in terms of the basic underpinnings of all of the privacy laws, the data protection laws globally. Notice choice where appropriate, individual rights, security, and, of course, enforcement, service provider provisions. Those basic principles need to be to undergird every privacy framework in companies now. And if you get that right, then you're going to be about maybe 80% of the way there to comply with all of these laws. And, of course, we have to deal with variations on the theme. There are vagaries in all of these laws that we're going to need to manage. But if we have a good framework in place, I think you can assume that you'll be pretty close to at least out of the starting gate. Let's put it that way. I don't know that you'll be close to the endpoint. But you'll be well on your way.
Delaney: Always helpful and informative. Thank you very much, Lisa.
Sotto: Thank you, Anna.
Delaney: Coming all together now, I mentioned the ongoing and increasing geopolitical tensions at the start, what exactly should organizations be preparing for? And how can they do that? Jeremy, go for it.
Grant: Sure. Well, I'd say for starters, look, whether it's preparing from a compliance perspective along some of the issues Lisa was talking about, or preparing from a risk management perspective, a lot of times it's one and the same. You need to start to have a plan; you need to be thinking about it. And I think what we're certainly seeing on our side with clients coming to us is, between how complicated compliance is getting and the increased global tensions and heightened risks, a lot more companies are taking this seriously. And I think that's probably the best news of all. If the time when you're starting to think about cybersecurity preparedness is after you've had an incident, that's going to be a little bit too late. Although, look, that still represents at least a decent number of the calls, we get; hey, something bad happened, what do we do. I think where I'm feeling more optimistic is, we're seeing more and more companies treating cybersecurity risks as something that they need to be addressing proactively, so that when something happens, they have a plan. And they are architecting systems and processes in a way that they have resilience so that they can overcome an attack. There's a lot of good attention on the space right now, that still doesn't mean that every company is doing the things that they should be doing in terms of proper planning or putting basic controls in place. Things like multi-factor authentication, which, still I would say, the lack of MFA provides the beachhead for almost every major incident we see. Starting there and with a couple of other controls, and then starting to build a broader plan around how you're going to prepare to respond if something does happen. That's the sorts of things that say, the more enlightened companies are doing these days.
Delaney: Don't know how true this is but I read recently that just 22% of organizations currently have MFA deployed. Jeremy, does that sound right to you?
Grant: No, it sounds right. There was a speech from Alex Weinert, who leads Identity Security at Microsoft, at the Identiverse Conference about a year ago. There was a deep dive into what happened with SolarWinds. And, what was stunning to me in the wake of that was, he pointed out even some of their companies they work with, who were impacted by SolarWinds, it was MFA that the organizations weren't using that provided that initial access point; a lot of them still had not turned it on. So, there is a certain amount of being in this business where you're just constantly beating your head against the wall. Getting back to our earlier discussion. This is one of the reasons I'm excited about the FIDO announcement on passkeys, in that we're finally like, why don't people deploy MFA? Well, I have to bolt it on to these systems. And while it's going to slow down my users, and they're going to complain if we can start to bake these controls in, so that it's just the fault that we're not using passwords anymore, and there's nothing to fish. That's, I think, how we start to drive some real improvements in cybersecurity, as opposed to look, we've got sessions like this, where we're all talking about best practices and the right things, but that doesn't mean everybody's going to do it. So we need to make it easier for people to use.
Delaney: Lisa, thoughts on, again, this geopolitical crisis that we're facing, and how organizations should prepare and what they should prepare for?
Sotto: There's going to be times when the cybersecurity landscape is hyperactive. But the basic hygiene that we're talking about should be in place, of course, MFA, complex passwords, until we get to a place where there are no passwords. But, I would absolutely echo Jeremy's thoughts on the fact that it's good that things are a little bit hyperactive now, because it is getting boards and management, senior management, and companies a little bit more exercised about preparedness. And we need, of course, right now to be hypervigilant. So everything kind of on steroids right now. And that means making sure that you are doing your preparatory work, do tabletop exercises, make sure you have a state-of-the-art incident response plan that has protocols for certain exploits like ransomware, which is kind of a different beast and probably needs to be worked through within the organization in advance of something bad happening. We want to make sure that we have a strong vendor management program in place. We need a strong insider threat program as well, because that certainly continues to exist and will continue to exist. Training and awareness, there's no substitute for that. I read recently that something like 90% of these incidents occur because of a human error. So, there it is, training and awareness is everything. And of course, underpinning all of that is risk shifting through insurance. So we have to think about cyber insurance as well. The bottom line here is, the basic hygiene needs to be followed. And then, continue to do those cyber preparedness exercises because there will be a day when you're going to need to exercise them for real.
Delaney: Unfortunately. But thank you. Tom, we're going to go to RSA soon.
Field: RSA Conference first time since 2020. Here we go. The body guard of cybersecurity is back.
Delaney: Indeed. Lisa, Jeremy, are you going? You're going to be there?
Sotto: I will not be at RSA, unfortunately. The conferences are back in full force. There are a lot of them.
Delaney: You're pretty busy yourself, I think, chairing a few and being on panels.
Sotto: It's a little bit crazy. It's good to be a little crazed after two years of quiet.
Grant: Yeah, I can echo what Lisa said. The travel has kicked off starting last week with I don't know where I'm going to be between now and the middle of July most weeks. Part of it's kind of nice that it's coming back. But also looking at this and going back and do with a little bit less somewhere in the middle. I will be in and out at RSA. I'm speaking on Thursday, leading a session looking at voice technology and security implications around it, including how it's been used in different cases, as well as issues like deep fakes that are starting to emerge with voice that might undermine it before we can even recognize the Prime Minister. So should be a fun session.
Delaney: Fascinating stuff. Well, I look forward to meeting you there.
Grant: Most definitely.
Delaney: Okay, well, thank you very much. This has been informative, fascinating, and brilliant. Enjoyed it. Thank you very much, Lisa Sotto and Jeremy Grant. And it's goodbye from us.
Field: Thanks, Anna.
Sotto: Thank you.