In the absence of regulation or widely recognized industry standards, courts may end up setting minimum cybersecurity standards for the Internet of Things as a flood of lawsuits follow widespread breaches of consumers’ connected devices.
Legal experts, industry representatives, regulators and internet freedom advocates gathered at a Tuesday conference in D.C. in the aftermath of a huge distributed denial of service attack powered by web-connected consumer devices, which ground many major websites’ operations to a halt.
“There will for sure be more lawsuits,” predicted Lisa Hayes, a vice president with the Center for Democracy and Technology.
“Manufacturers and users of [IoT] connected devices are on notice,” added Harriet Pearson, a lawyer at Hogan Lovells which hosted the conference.
Experts have noted that the devices co-opted by Mirai — the botnet responsible for the Oct. 21 DDoS attack — all used factory coded default passwords, meaning the devices could easily be used to bombard the target sites with massive amounts of data. And that the devices, mainly DVRs and webcams, were not patchable — meaning the software could not be be updated when flaws or problems emerged.
But making the user set their own password and making the device patchable are both elements of any set of security best practices.
“There are standards out there, guidelines, not just from the government, but also from industry,” Pearson said.
She said she would advise IoT device manufacturers, “You better take a look at what you’re doing and make sure that it’s on par, at least, with what the standards are,” adding there is a risk of being sued.
“In a variety of areas of law, if you are deemed not to have applied a reasonable standard of care, you are more likely to face possible litigation,” Hogan Lovells attorney Deen Kaplan told CyberScoop.
The standard of care required will vary from case to case, he added. “The standard for protecting highly regulated or classified information, for example, is much higher than the one for isolating a publicly available email address.”
There are many sources courts draw on when looking at reasonableness, he said, including accepted industry practices and voluntary standards.
In other words, explained Pearson, we may not need new laws to enforce certain basic standards on industry.
“We actually have a lot of law here that can be used to incent and to create new action,” she said.
Michael Kidney, a class action lawyer with the firm, said that might be enough to spark a suit.
“An increasing number of federal courts have held that [consumers] can assert a class action based on an allegation of a diminution in value” of a product or service they bought.
An IoT device that was widely perceived as having weak security might fit that argument, he said, especially if it was attacked in a way that didn’t just steal data, but caused the device to malfunction.
“Even if the [security]incidents are isolated, a lot of federal courts have said that can form the basis of a claim by all the users of that device,” he said.
Incentives are generally a problem in the IoT ecosystem, said Travis LeBlanc, who heads enforcement at the Federal Communications Commission.
Taking the Oct. 21 attack as an example, he noted “the people who are using those [web]cameras [weaponized into a DDoS canon by the Mirai botnet] weren’t affected… The vendors have already sold the product and got their money … And the [Internet Service Providers] — I mean it’s additional traffic but not significant to them… So you have three players without any incentive” to try to fix the problem — which is being inflicted on a third party.
Even if we don’t need new laws, we may end up getting them — and not necessarily good ones — if there is a major IoT attack, other speakers warned.
“A consumer-facing [security] event is going to be the flashpoint,” predicted Austin Carson, legislative director for Rep. Michael McCaul, R-Texas, the chairman of the House Homeland Security Committee.
“The first event of that kind [attacking devices so they malfunction] …. there’s going to be a massive lawsuit [and] there will probably be some type of congressional action,” as well said Carson.
LeBlanc reminded the audience that this was the origin of the sweeping powers in the massive anti-terror law named the USA Patriot Act — hurriedly passed in the aftermath of the Sept. 11 terror attacks.
“That was authorities that people [in the executive branch] had been asking for for years,” he said.