Senate Commerce, Science & Transportation Subcommittee Issues Testimony From Consumers Union
"On behalf of
"I appear here today on behalf of
I. The Poor State of Modern Data Security and the Importance of Bug Bounty Programs
"As this Committee well knows, the story of data security in recent years is not a pretty one. Massive data breaches have become commonplace, as companies accumulate vast troves of valuable consumer data but frequently fail to put adequate systems in place to protect it. The Target data breach of 2013 compromised the information of an estimated 110 million people, including the payment card information of about 40 million consumers.2 Hackers obtained the data of about 80 million people in the Anthem data breach of 2015.3 And last year, criminals took advantage of well-known vulnerabilities in software used by
"Bug bounty programs represent a novel and innovative approach to identifying vulnerabilities before they can be taken advantage of by malicious actors. These programs incentivize a diverse third-party ecosystem to probe systems for potential failures. They also provide an alternative to sale of exploits on the black market where they can fetch several hundred thousand dollars -- or more.6 By offering to pay for information directly, companies can offer white- and grey-hat hackers a legal way to monetize their skills, with a far better outcome for companies and consumers. The rapid rise of these programs is evidence of their success. In 2016, Google paid out over
II. "John Doughs" and the Uber Bug Bounty Program
"Although open source software development has always depended on external support to identify errors and weaknesses in code, formal bug bounty programs within major technology companies are still a relatively new phenomenon. As such, it is understandable that expectations, norms, and best practices are still developing in this area.
"In 2016, a hacker calling himself "John Doughs" emailed Uber's chief security officer
"In general, we believe it is counterproductive to report participants in bug bounty programs to law enforcement absent a strong indication of malicious intent. We are not convinced there is anything wrong per se with a hacker asking for more money than is originally offered for information on a vulnerability. A hacker may reasonably believe that the value of the information and the time invested in uncovering it merit a higher payment. In the past, others have criticized Uber's bug bounty program for failing to provide reasonable payments for identifying exploitable holes in their code.13 At some point, a request for more money may convey an implicit -- or explicit -- threat to sell the exploit or compromised data elsewhere if the demands are not met.
"However, from the publicly reported facts, it is not clear that that happened in this case. In any event, Uber had invited persons such as Doughs to look for precisely the type of vulnerabilities that he eventually found. If security researchers have to worry that looking for bugs in code will lead to criminal referral, the efficacy of bug bounty programs will dramatically decrease.
"Nevertheless, Uber had an ethical -- and legal -- obligation to be more forthcoming with its users after it was made aware of its security lapse. Forty-eight states -- as well as the
"While breach notification triggers vary significantly among the states, it seems quite likely that at least some state laws mandated disclosure to Uber drivers about the incident. For example,
"State data breach notification laws were first passed starting in 2002, and were clearly not written with bug bounty programs in mind. Notification laws and bug bounty programs both play an important role in protecting consumers, but there is a potential conflict between the two that needs to be reconciled. Indeed, notifying consumers of breaches created by ethical hacking pursuant to bug bounty programs could unnecessarily alarm consumers without providing any clear benefit.16 Lawmakers seeking to update these protections must be extremely careful to balance the security benefits provided by external hacking with the right of consumers to know when their information is truly at risk, perhaps by developing general standards to govern the legitimate use of these programs. In any event, Uber was not entitled to simply decide not to follow consumer protection (and other) laws it believed to be onerous or unnecessary. Uber previously took over six months to announce a different data breach in 2015, making the delay in announcing the 2016 breach all the more difficult to justify.17 Further, if in fact a condition of the payment to Doughs was that he could not disclose the incident -- even after the vulnerability had been remedied so no one could exploit it -- then the lack of transparency from Uber is still more concerning.18
III. New Laws are Needed to Provide for Better Security Incentives
"Bug bounty programs should continue to play an important role in safeguarding consumers' personal information. And Consumer Reports is committed to providing more information to the marketplace about which companies perform best under the Digital Standard, including which companies have the best security practices.
"However, due to a misalignment of incentives, most companies today do not adequately invest in cybersecurity. Many breaches are not detected or publicly disclosed. The likelihood of law enforcement under the current regulatory scheme is low. The potential profits from using consumer data far outweigh any penalties that can be assessed for violations, incentivizing carelessness and misuse. And companies that experience a data breach bear only a portion of the cost -- much of that instead is laid on consumers. As such, we need a much stronger data security law in
"Americans lost an estimated
"First, lawmakers should give the
"Moreover, when it does bring a case against a bad actor, it typically lacks the authority to obtain civil penalties to deter potential wrongdoers from similar behavior. As such, deceptive or unfair business practices can be rationalized by companies as a (fairly low) cost of doing business.
"Second,
"Finally, while the vast majority of American citizens are protected by state data breach notification laws today, a federal standard has the potential to strengthen these requirements and impose stronger penalties. However, the goal of any federal breach notification law must be to strengthen consumer protections, not weaken the already inadequate incentives in place today. As a result, any such bill should include the resources and stronger authority for the
"Indeed, states must be allowed and encouraged to continue to innovate to protect their citizens. States have been the leaders in passing and revising data breach notification legislation over the years. At first, these laws primarily covered financial information such as
Conclusion
"Thank you again for the opportunity to testify here today about the challenges of implementing bug bounty programs to best safeguard personal information. We believe that these programs play a vital role in uncovering vulnerabilities in code before they can be exploited by malicious actors. However, in order to incentivize companies to deploy these and other data protection safeguards,
* * *
Footnotes:
1 As the world's largest independent product-testing organization, Consumer Reports uses its more than 50 labs, auto test center, and survey research center to rate thousands of products and services annually. Founded in 1936, Consumer Reports has over 7 million subscribers to its magazine, website, and other publications.
2
3
4 Equifax Announces Cybersecurity Firm Has Concluded Forensic Investigation of Cybersecurity Incident, EQUIFAX.COM (
5
6
7
8
9 The Digital Standard, https://www.thedigitalstandard.org/.
10 Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security, CONSUMER REPORTS, (
11 The Digital Standard, Data Security, Vulnerability disclosure program, https://www.thedigitalstandard.org/the-standard.
12
13
14 Security Breach Notification Laws,
15 Jeremy Kahn, Uber Hack Shows Vulnerability of Software Code-Sharing Services, BLOOMBERG, (
16 Similarly, security researchers have called for modifications to the Wassenaar anti-proliferation agreement to allow for cross-border communications about security vulnerabilities and the effective management of bug bounty programs. See
17
18
19
20
21 Id. at 10.
22 Written Testimony of
23 From
24 Oral Statement of Commissioner
25 E.g.,
26 E.g., Delaware Amends Its Data Breach Notification Law,