The Internet of (Not-so-Liable) Things in 2017

Share and earn Cybytes
Facebook Twitter LinkedIn Email

In 2016, we witnessed the first massive Internet of Things (IoT) botnet attacks. In 2017, we may witness the first successful attempt to hold someone with deep pockets liable for the damages.

Or maybe we won’t.

For a variety of reasons, finding a sufficiently solvent defendant to stick with this kind of legal liability may be an exercise in futility.

Let’s take the October 21st massive distributed denial of service (DDoS) attack against Dyn, a DNS service provider. The Dyn attack affected some of the biggest names in the Internet and involved a botnet of more than 100,000 interconnected devices around the world.

A sophisticated attack? Hard to tell. One theory is that this was an orchestrated attack in retaliation for Dyn’s assistance to Brian Krebs, a well-known cybersecurity reporter, who had been the victim of an earlier DDoS attack. Another is that it was a mistake. That a disgruntled gamer was using publicly available Mirai code to attack Playstation’s Network and Dyn got caught in the crossfire. Regardless, thousands of Internet sites including Twitter, Amazon, Netflix and Paypal were unable to conduct business for several hours. Estimates of the damages vary but one thing is certain–it was very costly.

So who’s going to pay for the cost of the disruption?

Let’s start with the low-lying fruit, i.e. those who intentionally launched the attack. There’s not much there. If this was a well-orchestrated and organized attack, we may never learn the identity of the attackers. If it was the work of a single disgruntled gamer, we’re not likely to find much cash in his pockets.

The next likely defendant would be the manufacturers of the devices that were co-opted for the bot network. Current speculation is that the botnet used in the Dyn attack primarily exploited the digital video recorders (DVR) and IP cameras of a single Chinese company, XiongMai Technologies.

Setting aside issues of jurisdiction and enforcement, we would still need a workable theory of liability. Let’s look at this from a classic “product liability” perspective.

There’s no basis for a warranty claim because the victims here (i.e., the adversely affected Internet sites and their users, not to mention Dyn itself) didn’t buy the devices from XiongMai. So they have no warranty on which to base a claim.

Nor is there strict liability because the business of providing web-accessible cameras and DVR’s is not generally considered to be inherently hazardous.

We’re left with negligence. To prevail on a negligence claim, the victims would need to show that the XiongMai breached a duty of care that was owed to the victims and that the damages arising from that breach were reasonably foreseeable to XiongMai when it designed the DVR’s and cameras.

I’d venture to guess that no reasonable judge or jury would find that XiongMai owed a duty of care to Dyn and the thousands of Internet sites that depend on Dyn simply because XiongMai built Internet-accessible DVR’s and cameras. Nor would a jury be likely to believe that XiongMai could reasonably foresee that a hacker would publish malicious code that a disgruntled gamer would use to accidentally and massively disrupt Dyn and the thousands of Internet sites that depend on Dyn.

That leaves Dyn. Using the same analysis that we applied to XiongMai above, the issue would boil down to whether Dyn had taken adequate measures to protect itself against a reasonably foreseeable threat that could impact thousands of Internet sites. In this case, given that this same kind of botnet had managed to take down Krebs, one of the nation’s foremost experts on cybersecurity, it would be hard to demonstrate that Dyn could have prevented it. Which seems right. The notion of using hindsight to put the burden of extraordinary security standards on the victim of a mass DDoS attack violates a certain sense of propriety.

Which leaves the victims with no one to turn to for compensation. And makes the case for regulators to impose minimum security standards on IoT manufacturers and appropriate penalties or recourse for those who fail to meet those standards.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About MobileIron
The leader in security and management for mobile apps, documents, and devices, MobileIron's mission is to enable organizations around the world to embrace mobility as their primary IT platform in order to transform their businesses and increase their competitiveness. More than 15,000 companies rely on MobileIron’s scalable architecture, rapid innovation, and best practices for their mobile initiatives. Global companies, including 8 of the top 10 automotive manufacturers, 7 of the top 10 pharmaceutical companies, 5 of the top 10 banks, 5 of the top 10 law firms, and 4 of the top 10 retailers, rely on MobileIron for their Mobile First initiatives.
Promoted Content
MobileIron Cloud Security
The MobileIron Cloud service is MobileIron’s cloud-based solution for provisioning and managing users’ bring-your-own-device (BYOD) and corporate-owned personally enabled (COPE) mobile devices. MobileIron Cloud enables IT administrators to deploy and enforce corporate security policy, deploy and manage enterprise apps, and establish usage policies for apps and content. The MobileIron Cloud service implements numerous technical security controls designed to help secure and isolate enterprise data at rest and data in motion, and to ensure the user’s personal data remains private.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?