Transcripts For CSPAN2 Communicators With Terrell McSweeny 2

CSPAN2 Communicators With Terrell McSweeny May 23, 2017

This week on the communicators we want to produce you terrel mcsweeny, the only democrat on the trade commission what is the charge of the ftc . The federal trade commission is the nations top Consumer Protection Enforcement Agency. We have a general mandate to protect consumers from unfair deceptive acts and practices from anticompetitive practices. Mandate is realtivelily broad. We cover many sectors of the economy but as im sure well discuss we have limitations to our jurisdiction, including around issues of common carriage. So were at a moment in time where the ftcs jurisdiction fccs sure disk is a source of conversation in this area as well. So, i would say the ftcs role is a generalized Consumer Protection enforcer but we need to have some jurisdiction when it comes to telecommunications clarified. Host commissioner mcsweeney, we had on chairman o the Top Republican in fact the only republican on the commission at this time. A fivemember commission. Why are we down to two . Well, were fivemember commission, down to two through normal attrition. Some of the past commissioners left the end of their terms, and were waiting now new commissioner nominees from the new administration. Unlook the ftc we have commission where we can function as twomember commission and historically the ftc is a bipartisan commission. So my colleague acting chairman olaausen, function through consensus and we typically do agree. With that situation can you have a conversation in the hallway or does that call for an open meeting . We talk about the weather in the hallway, and sometimes our children and acting chairman has some wonderful any grand babies, we talk about other things, sports, develops in the news, but in fact if were talking about anything substantive were covered by the sunshine act and have to notice meetings elm welcome notice meetings if were talking about Enforcement Matters and close them but it creates an extra layer of notice. Host we invited you to talk to us about the issues the ftc is fating. If you go to the web site theres a video recording ran ransomware which is represent. What is the ftcs role. Guest a great question and topical considering the wanna been cry ransom became. The ntc is a general Consumer Protection enforcing and is taking on the roll of protecting das to security and we have brought 60 cases in the last few years involving whether security practices of companies are adequate to protect the consumer data theyre holding. So we have been very active in crafting an approach to the security of consumer data that includes or start with security in the initiative, and process that we like to Call Security by design, which is building the security principles along the way, and as you can imagine, a very important part of that is making sure that youre updating software, you are continuing to maintain and protect against vulnerabilities once their disclosed, and rye mediating the situations when they arise. The Ransomware Attack is an attack that companies are experiencing and Government Agencies are experiencing around the world, partly because the software theyre rung wasnt adequately patched. Just today the ftc put out updated guidance with recommendations about how to handle this particular attack, and thats available on our web site. So i think its very useful document. I think this underscores the really interesting aspects of our Cyber Security debate. Right . Which is first of all we have to make sure that software, when visuals are disclosed, is updated and patched, and who owns that responsibility is a big challenge, especially as we connect more and more things. So if were just relying on consumers and end users, we will end up in situations where we have this kind of Ransomware Attack being able to summit vulnerabilities that are not patched. And i think it underscores the importance that we all are starting to experience more and more in our daily lives of keeping software and iot devices current in their security. Theres an added challenge here, too, and it really is something that comes up in broader Cyber Security debate which is properly assessing the cost to consumers and our economy of a huge victory vulnerability. We we think about the debate eye around encryption back doors, one thing im an advocate for Consumer Security cares deep live about is making sure that when we think about the costs here, we are appropriately costing out the consumers and businesses Something Like a Ransomware Attack using an exploit that has been made public and thats the kind of vulnerability were seeing the consequence play out in in real time. Its a valuable lesson and i hope as we think about the policies in this area, we continue to really focus on it. The ftc has been focused on ram sorry war for a while, the last couple of years, and one area we are were very concerned in is the possibility for almost nuisance Ransomware Attacks, the internet of things. So, imagine i turn on my television and i the screen says, instead of game of thrones or whatever, my program i want to watch, pay my 50 bitcoin and then you can watch your program0. What this consumer supposed to do . Thats a real challenge we have not quite the right answer to yet. Host before we go any further lets bring david mccabe of who covers technology for that news organization. David . A pleasure to be here. You mentioned the ftc just relieved guidans in response to this attack and i wonder for people watching at home, average americans who are not up to date on every patch and exploit on the shadow brokers, what are the three things they can do to protect themselves from this type of attack, especially where you may have five, ten devices in your house that are all running different versions of different software. Id say first, make sure that youre updating your software. Software generally comes with a function that allows it to be automatically updated if you disable that function, turn it back on and update your software package. Your worried if the update is available, visit the Microsoft Web site. They have specific information specific to this attack, which is using a vulnerability in their system. The second advice i think is important here this is good advice not just in dealing with ransomware but jennie in security is backing up your files. Backing up your files in a rely able way so if your system is subtly encrypted the through a Ransomware Attack you still have another copy of all of that important personal information in a safe place that is disconnected from that compute sore that you can rae create it and youre not dependent on that computer. Thats the basic tip. And then i think the last point we would make is that the decision about whether to pay ransom in a Ransomware Attack is obviously an individual decision. Theres different advice available about whether to pay it but i think generally in this situation, with the attack, the advice has been not to pay it because you may not get your information back anyway. So, hes are the challenges that with ransomware, because sometimes i think people take the decision to go ahead and pay because man they dont have the backup or theyre not sure another way to get their information back. And of course, we continue to accept consumer complaints about this kind of thing so if youre experiencing a Ransomware Attack were happy to take the complaints, and of course, in this situation, this is a wide wide scale criminal indication sat i affecting countries around the world. Theres a large scale Law Enforcement effort underway to try to address it as well. The ftc handles the consumer end of things, not the criminal or an interesting question. The president s security adviser was the White House Press briefing and said ill would be great to many factors at play. What can the ftc do in terms of going after the people who are behind attacks like this . Well, again, the ftc is a Consumer Protection agency so we dont really engage the investigation of criminal enterprise using an exploit like this. Instead we look at trying to put out the best information possible to encourage companies to have the best security process and proceed noor place in their organization, to protect their consumer data. So, ours is one of advocacy, one of enforce; when a company has inadequate dat security practices and procedures and you could say that if you were not adequately maintaining your Cyber Security hygiene, as an organization, you have lost Consumer Information through a Ransomware Attack that could give rise to ftc liability. A Company Holding consumer dat that was the victim of an attack like this, this might open themselves up to action. Its highly fact, specific and what we be looking that is the adequacy of their security features. Cyber Security Best practices is not longer a thing that lives purely in Information Security officer role in an organization. It should be understood the highest levels of organizations candidate. Something you need organizations and companies. Something you need to have intensive workright and appropriate investment around. We want to avoid situations in which the risk of all of this has shifted on to individuals and away from organizations that have the capacity to invest and protect their cyber resources and data. And thats one of my bigger concerned about what has been going on the fcc as well. Obviously right now we have the situation in which the part of the dat security provisions that were applied to common carriers have been suspended and for me that is a huge shifting of the risk away from the broadband bravedder and on to the individuals and this kind of Ransomware Attack underscores why that can create a huge amount of costs to consumers. We recently did an interview with steve case, the founder of aol and he talked about not the internet of things but the internet of everything. Are you getting complaints the ftc about the internet of everything at this point . Well, i love they expression, the internet of everything if think it adequately captures the extent and scope of our interconnectivity. What we have, though in america is a situation where were not longer just connecting to the internet through a computer at a desk top or web site. Were connecting to our phones, of course, but were connecting to the wearable wed wear on our bodies and a lot of the devices wire filling our homes with and were connecting through our cars now as well. But were trying to describe with phrases like the internet of things or the internet of everything, is that greatly expanding scope of connectivity, and the ftc we dont necessarily get complaints about the internet of everything but we do focus on how to protect consumers in an environment where they are always connected to this ubiquityous internet. How to do we protect against scams and protect their Data Security. So, these their issues were looking at and they have led us, i think quite realistically to some of the internet of things devices in recent cases. So we have been looking at privacy practices around Smart Televisions, situations of Ransomware Attacks. We have been looking at the security of routers, for example, and so were starting to see a lot more cases involving those kinds of devices, those things, if you will. Are you seeing these attacks from within the u. S. Borders or outside . Thats a great question. I think its hard to do all of the forensics about where attacks come from. We dont necessarily look at where the attack comes from as much as what happened to the Consumer Information after an attack, and sometimes were looking at what is happening to the Consumer Information even if there isnt an attack. So if in our Smart Television case, for example, the television is collecting your second by Second Television viewing information withouted a twitly disclosing that you as the end user, thats not really an attack situation but it is a situation in which your private division viewing information is being collected and you havent given permission for it. So the would we say you need to be offered the chance to confirmatively consent that kind of monetization of your tv viewing. What is the greatest challenges are with policing this whole new landscape of devices . Well, i the challenge is going to be keeping pace with the kind of threats and innovations in the marketplace. Thinking of the fact that over the summer we put out a warning letter about a kind of code called silver push. We said, okay, american app developers, if youre using this, we have some concerns. This is code that essentially sniffs for audio beacons that are coming out of television programming, and use your smart phones and turns on the mic and captures that information which then is used to sell to you very specific things based on what youre viewing. We expressed concern about whether consumers could adequately consent to that kind of monetization of their information. One challenge will be to keep up with the new ways in which technology is being used to you could say surveil or monitor or gather very intimate information about people. Now, their connections become more intimate as they are in our bedroom and on our body in our childrens bedrooms and giving precise geolocation information about out becomes more important to protect that kind of consent so that people are aware of what is the opening their information, and dont have this sense of having no control over it, which is one of the chief complaints that we hear over and over again from the american consumer. Does the ftc have the resources to keep up with these technological changes. I think the ftc does a terrific job with the resources it has. I argue itself needs Additional Resources and needs to expand the number of technologists in our enforcement division. We have been growing our bureau of technology to ken us keep pace with the expanding technology and understand how the Technology Works and that kind of thing is going to be more important for us Going Forward because we are really going to need to understand how the Technology Works and whether its harming consumers or whether theres a deception element to how its operating. So its a big challenge keeping pace with the marketplace, and we are also increasingly work with other Government Agencies that are expert regulators. So, for example, in the spring well be doing a work show witness ntsa on connected cars and talking about privacy and security of connected vehicles and they have a lot of understanding about the engineering and all of the safety features of vehicles, which is a thing that the ftc does not necessarily have a lot of expertise on. Commissioner mcsweeney, you talked earlier about the rules of the road and how theyre a little unclear when it comes to the fcc and the ftc. Give us a snapshot of the current landscape and how you would like to see that changed. Well, the current landscape is that the federal trade commission has the generalized Consumer Protection enforcer does not have a lot of specific jurisdiction over the activities of common carriers, and the fcc us a a telecommunications and internet regulator does. Now, youre smiling appropriately because this gets complicated very quickly, but suffice to say i think there is a couple areas that im particularly concerned about. So, first, is the fact that right now, because of the congressional action on broadband privacy, we dont have any federal agency which jurisdiction over the privacy practices of broadband providers. Very concerned about that. Think its a huge gap and i would like to see Congress Step in and give the ftc jurisdiction very clearly which they could do by passing legislation. Now, it gets far more complicated when we talk about protecting and preserving nondiscrimination on the internet. Net neutrality. The open internet. Now, there i would argue that the federal Communications Commission ought to continue to protect Net Neutrality through its own internet order. We need an expert regulator with clear rules in order to protect that ecosystem because if we rely just on an Enforcement Agency like the ftc way want guarantee protection to innovators or entrepreneurs or consumers. Drilling down a little bit on that. Is there any way that a Net Neutrality landscape regulated by the ftc would work in anything other than name . Is there any way is there any way that kind of regime based on the ftc authority i think this is the enforcement only voluntary approach to protecting the open internet. Thats one thing thats been raised by chairman pai. I think that you i think its important to step become for a second and think about the current reality. Two things. One, the current reality is in america and really, for the last decade, has been of an open internet. An internet in which an entrepreneur sitting the edge can come up with a great idea and connect to a global audience without having to pay for access the bandwidth in place to get there. That is the status quo and if we undo the open justicer order we upend the status quo, and what we do in that situation i

© 2025 Vimarsana