According to a new proposal being considered by a suburb of New York City, any business or home office with an open wireless connection but no separate server to fend off Internet attacks would be violating the law.
Politicians in Westchester County are urging adoption of the law–which appears to be the first such legislation in the U.S.–because without it, "somebody parked in the street or sitting in a neighboring building could hack into the network and steal your most confidential data," County Executive Andy Spano said in a statement.
The draft proposal offered this week would compel all "commercial businesses" with an open wireless access point to have a "network gateway server" outfitted with a software or hardware firewall. Such a firewall, used to block intrusions from outside the local network, would be required even for a coffee shop that used an old-fashioned cash register instead of an Internet-linked credit card system that could be vulnerable to intrusions.
Open Wi-Fi networks are becoming increasingly popular as more and more laptops ship with wireless cards. There are now municipal wireless projects, and many businesses also offer access to customers free of charge.
That is apparently the case in White Plains, N.Y.
On a short drive down the main street, according to a statement from Westchester County, a team from the county’s Department of Information Technology last week found 248 wireless networks, nearly half of which had no "visible security."
County Executive Andy Spano, the sponsor of the law, argued that this openness can lead to network vulnerabilities and identity theft. "People do not realize how easily their personal information can be stolen. All it takes is one unsecured wireless network," Spano said in a statement.
Scott Fernqvist, special assistant to the county’s chief information officer, said that he thought the law would apply to home offices as well. "It was just introduced; it is a draft," Fernqvist said. "We are hoping it is enacted early next year, but this can change."
In reality, simply because Wi-Fi access is open does not mean corporate networks can be easily hacked for customer information. However, if that open wireless access point sits on an insecure corporate network, problems can arise, and that is where the law is intended to help.
"We are making sure businesses have taken steps to separate the confidential data they have from the networks that offer Wi-Fi access," said Norman Jacknis, the county’s CIO and technical consultant to the proposal. "The intention is not to make it harder for people to access free wireless networks."
Jacknis said the law is focused on educating consumers through public programs and forcing businesses to take precautions when dealing with sensitive data.
Jean Kaplan, a wireless analyst with IDC in Framingham, Mass., said the proposal is an "excellent idea," but that the combination of an open wireless connection and insecure corporate network is uncommon, if not "rare." And, due to the complexity of wireless and corporate security, Kaplan said he isn’t certain the law would be effective, though it should help raise awareness about wireless and corporate security.
Abner Germanow, also an IDC analyst, said typical Wi-Fi security concerns revolve around unauthorized use of the network, such as using a wireless connection to perform a denial-of-service (DoS) attack, or spying on ("sniffing") traffic that flows from a computer to the access point.
Only the latter has identity theft ramifications, and that depends on the level of personal security enabled on the user’s computer, or the Web site the user is visiting, not the security of the access point or corporate network.
In fact, the law itself, though billed to "counter the risks of wireless networks," centers on corporate security rather than access point security. The proposal states that companies holding personal information must also have "secure networks that protect the public from potential identity theft and other potential threats such as computer viruses and data corruption."
As an example, the county would require a retail business that processes credit card transactions on a wireless network to install a corporate firewall.
The proposal echoes a slew of bills in Congress and in state legislatures that are being considered in the wake of recent security problems involving Bank of America, payroll provider PayMaxx and Reed Elsevier Group’s LexisNexis service. But the other proposals tend to follow approaches such as requiring notification of breaches or restricting use of Social Security Numbers–as opposed to regulating wireless links.
According to the Westchester proposal, public Internet access sites also would have to post a sign saying:
"You are accessing a network which has been secured with firewall protection. Since such protection does not guarantee the security of your personal information, use discretion."
Violations of any part of the law would be punishable with fines of $250 or $500.
The proposal now goes to the county legislature, which will decide whether it becomes law. Jacknis said that could happen as soon as December of this year.