Cyber Week in Review: August 28, 2015

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

• A U.S. Court of Appeals ruled that the Federal Trade Commission (FTC) has the authority to require companies to improve their cybersecurity practices. As a result of a 2008 and 2009 hack at the Wyndham hotel chains that exposed customer data, the FTC sued Wyndham for engaging in "unfair business practices" by having inadequate and unreasonable cybersecurity practices that led to the breach. Wyndham challenged the suit, arguing that the FTC had no business regulating companies’ cybersecurity practices. The appellate court decision is a resounding victory for the FTC, giving it authority to require U.S. companies that collect personal data improve their cybersecurity. The Center for Democracy and Technology, which filed a brief in support of the FTC, is thrilled that the decision sends "a clear signal to companies that robust security is a necessity when doing business." Paul Rosenzweig at Lawfare is skeptical, believing that the FTC is "not up to the task" of assessing appropriate cybersecurity practices. Same goes for the Berkman’s Center’s Josephine Wolff, who argues that the FTC’s vague cybersecurity advice will only lead to confusion in the private sector.
• Facebook’s ThreatExchange cyber threat information sharing platform has signed up over ninety participating companies in the six months since it’s launch—but not the U.S. government. Facebook says government agencies won’t be welcome in ThreatExchange until Congress passes legislation that defines how the U.S. government would use information shared with it. The platform allows participants to share threat data with all other members or with a subset of members, and integrates open source intelligence and data from Facebook. The social media giant said last week that it is looking for partners in the retail, telecom, and consulting industries—but it may be some time before the feds meet Facebook’s requirements. Congress put information sharing legislation on hold for summer recess, and twenty-two amendments await it when the Senate reconvenes.
• The United Nations released the consensus report from the Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International Security--more commonly known as the UN GGE. The GGE obtained consensus on the document in late June, but it took a little more than six weeks for the report to be made public. We’ll have an analysis of the report next week.
• And in case you missed it, be sure to check out our latest Cyber Brief, which proposes a framework for policymakers to respond to disruptive of destructive state-sponsored cyber incidents.