The idea of accessing content with the tap of a finger on any screen, in any location, has quickly become reality. As the next wave of connected computing emerges, inter-connected Internet of Things (IoT) networks will become more complex and cyberattacks will literally become a matter of life and death.
IoT is seen as a big growth opportunity for operators due to the volume of connections expected – there will be as many as 75 billion devices by 2020 according to a Morgan Stanley report. And now, we’re starting to see investments in IoT stock take priority. Take SoftBank’s billionaire CEO, Masayoshi Son, for example. After recently buying ARM for $32 billion, he shared his perspective on IoT: “First there was the internet, then the mobile internet, and next there will be the Internet of Things, which is going to be the biggest paradigm shift in human history. I’m making this investment at the very beginning of this shift.”
While IoT brings exciting growth opportunities to the telecommunications and tech industries, there is one key issue that many companies overlook – when the bad stuff happens in these systems, who is liable? The answer, and even the approach to identify liability, is unclear. This is an issue that all operators should evaluate carefully as they look to make large IoT investments.
Let’s use a recent example, the massive distributed denial of service (DDoS) attack against Dyn, a DNS service provider, on October 21, 2016. The Dyn attack affected some of the biggest names in the internet and involved a botnet of more than 100,000 interconnected devices around the world.
First, let’s start with the rationale for the attack.
One theory is that this was an orchestrated attack in retaliation for Dyn’s assistance to Brian Krebs, a well-known cybersecurity reporter, who had been the victim of an earlier DDoS attack. Another is that it was a mistake, when a disgruntled gamer used publicly available Mirai code to attack PlayStation’s network, catching Dyn in the crossfire. Regardless, thousands of internet sites including Twitter, Amazon, Netflix, and PayPal were unable to conduct business for several hours. Estimates of the damages vary but one thing is certain – it was very costly.
So who’s going to pay for the cost of the disruption?
Let’s start with the obvious culprits, those who intentionally launched the attack. As it turns out, they are not so obvious. If this was a well-orchestrated and organized attack, we may never learn the identity of the attackers. If it was the work of a single disgruntled gamer, we’re not likely to find much cash in his or her pockets.
The next likely defendant would be the manufacturers of the devices that were co-opted for the bot network. Current speculation is that the botnet used in the Dyn attack primarily exploited the digital video recorders (DVRs) and IP cameras of a single Chinese company, XiongMai Technologies.
Setting aside issues of jurisdiction and enforcement, we would still need a workable theory of liability.
Let’s look at this from a classic “product liability” perspective: There’s no basis for a warranty claim because the victims here didn’t buy the devices from XiongMai. So they have no warranty on which to base a claim. Nor is there strict liability because the business of providing web-accessible cameras and DVRs is not generally considered to be inherently hazardous.
We’re then left with negligence as the basis for liability.
To prevail on a negligence claim, the victims would need to show that XiongMai breached a duty of care that was owed to the victims and that the damages arising from that breach were reasonably foreseeable to XiongMai when it designed the DVRs and cameras. It’s a safe guess that no reasonable judge or jury would find that XiongMai owed a duty of care to Dyn or the thousands of internet sites that depend on Dyn simply because XiongMai built internet-accessible DVRs and cameras.
Nor would a jury be likely to believe that XiongMai could reasonably foresee a hacker publishing malicious code that a disgruntled gamer would then use to accidentally and massively disrupt Dyn and a big chunk of the internet.
That leaves Dyn. Using the same analysis applied to XiongMai above, the issue would boil down to whether Dyn had taken adequate measures to protect itself against a reasonably foreseeable threat that could impact thousands of internet sites. In this case, given that this same kind of botnet had managed to take down Krebs, one of the nation’s foremost experts on cybersecurity, it would be hard to demonstrate that Dyn could have prevented it. The notion of using hindsight to put the burden of extraordinary security standards on the victim of a mass DDoS attack violates a certain sense of propriety.
At this point, the victims have no one to turn to for compensation. This makes the case for regulators to impose minimum security standards on IoT manufacturers and appropriate penalties or recourse for those who fail to meet those standards.
With no clear short-term answer, victims will likely look to hold someone with deep pockets liable for damages the next time an attack takes place. Operators must ensure they have a plan to mitigate these risks. Preparatory best practices could include the following actions:
- Define target use cases: Identify the most likely types of attacks, given the nature of the IoT services the operator plans to deploy.
- Game out potential threats and consequences: There are now enough examples of attacks for operators to game out the consequences they might face and the actions they might take.
- Give legal and compliance a seat at the table: Given the complexity and uncertainty of IoT liability frameworks, the operator’s legal and compliance teams should have a seat at the table from the beginning of the design process all the way through launch and support.
- Define test of reasonableness: In the case of a legal issue, the operator should expect a test of reasonableness to be applied to determine whether it took appropriate security measures for its IoT deployment. Defining this test of reasonableness in advance, if the courts have not already, will feed the development and implementation of the broader IoT security program.
- Get involved: Operators are no strangers to regulatory discussions. This is a chance to be proactive and participate in such discussions if and when they happen. It’s better to be part of the process than be surprised at the outcome.
Ojas Rege is Chief Strategy Officer at MobileIron, a software company specializing in mobile security.