County Law Would Mandate Wireless Security

A public official in Westchester County, some 30 miles north of New York, has proposed legislation that would require businesses that collect customer information to apply basic security like firewalls when also offering wireless access to consumers.

The proposed law, which the county said is the first of its kind in the United States, aims to ensure that local businesses have corporate security enabled and to cut down on identity theft in the area.

Open Wi-Fi (search) networks are becoming increasingly popular as more and more laptops ship with wireless cards. There are now municipal wireless projects, and many businesses also offer access to customers free of charge.

That's apparently the case in White Plains, N.Y.

On a short drive down the main street, according to a statement from Westchester County, a team from the county's Department of Information Technology last week found 248 wireless networks, nearly half of which had no "visible security."

County executive Andy Spano (search), the sponsor of the law, argued that this openness can lead to network vulnerabilities and identity theft.

"People don't realize how easily their personal information can be stolen. All it takes is one unsecured wireless network," Spano said in a statement.

In reality, simply because Wi-Fi access is open doesn't mean corporate networks can be easily hacked for customer information.

However, if that open wireless access point sits on an insecure corporate network, problems can arise, and that's where the law is intended to help.

"We're making sure businesses have taken steps to separate the confidential data they have from the networks that offer Wi-Fi access," said Norman Jacknis (search), the county's CIO and technical consultant to the proposal. "The intention is not to make it harder for people to access free wireless networks."

Jacknis said the law is focused on educating consumers through public programs and forcing businesses to take precautions when dealing with sensitive data.

Jean Kaplan, a wireless analyst with IDC in Framingham, Mass., said the proposal is an "excellent idea," but that the combination of an open wireless connection and insecure corporate network is uncommon, if not "rare." And, due to the complexity of wireless and corporate security, Kaplan said he isn't certain the law would be effective, though it should help raise awareness about wireless and corporate security.

Abner Germanow, also an IDC analyst, added, "These are two separate issues. This [the question of customer data] has nothing to do with whether it's a wireless or wired network. If you gather information about customers, you should keep it separately secure anyway."

Germanow said typical Wi-Fi security concerns instead revolve around unauthorized use of the network, such as using a wireless connection to perform a DoS (denial of service) attack or spying on or "sniffing" traffic that flows from a computer to the access point.

Only the latter has identity theft ramifications, and that depends on the level of personal security enabled on the user's computer, or the Web site the user is visiting, not the security of the access point or corporate network.

In fact, the law itself, though billed to "counter the risks of wireless networks," centers on corporate security rather than access point security. The proposal states that companies holding personal information must also have "secure networks that protect the public from potential identity theft and other potential threats such as computer viruses and data corruption."

As an example, the county would require a retail business that processes credit card transactions on a wireless network to install a corporate firewall.

The proposal now goes to the county legislature, which will decide whether it becomes law. Jacknis said that could happen as soon as December of this year.

Check out eWEEK.com's Mobile & Wireless Center for the latest news, reviews and analysis on mobile and wireless computing.