The IoT liability jumble

02.03.2016
The Internet of Things (IoT) is disrupting just about every industry. But it may get disrupted itself as the nation’s legal and regulatory system slowly catches up with the massive security and privacy risks it creates.

Not anytime soon, however. “Work in progress” was the operative phrase at a panel session at this week’s RSA conference titled, “Flaming toasters to crashing cars – the Internet of Things and mass liability.”

Most of the problem with establishing legal liability surrounding the IoT is that while its growth is regularly called “explosive,” there is a lot more, and bigger, exploding yet to come.

The number of connected things is expected to expand so exponentially that one of the panelists, Jay Brudz, an attorney at Drinker Biddle & Reath, declared that “Internet of Things” is already a “dumb phrase. In years to come, it’s going to be everything but computers with a human interface, so it’s just going to be the Internet,” he said.

Another panelist, Eric Hibbard, CTO for security and privacy at Hitachi Data Systems, agreed that the IoT, as vast as it appears, is “still in the early days. NIST (National Institute of Standards and Technology) has some materials on this, but the broader set is a work in progress.”

That does not mean nothing is happening. Nithan Sannappa, a privacy and data security attorney at the Federal Trade Commission (FTC), said the agency is interested in IoT consumer products or services, and has brought about 50 cases against various companies, mostly focused on the “inadequacy of the company’s network.”


Sannappa was the lead attorney on the recent settlement between the FTC and ASUSTek Computer over flaws in its consumer routers.

While the company had promised that customers could “safely secure and access your treasured data through your router,” the FTC found that “hackers used easily accessible tools to locate and exploit (them), gaining access to more than 12,900 consumers' storage devices.”

The FTC’s authority comes under its role in sanctioning companies that demonstrate “unfair and deceptive” business practices.

But the FTC settlements so far haven’t included any heavy financial penalties – in most cases the companies agree to improve their security and to submit to audits. If they violate the terms of the agreement, they can then be subject to fines.

And while that may send a signal to other manufacturers about not promising what they are not delivering, Hibbard and Brudz both said in the rush to get connected devices to the market, security remains an afterthought.


“The business model is to launch them and then fix them later,” Brudz said.

Hibbard said this will become a bigger problem since the IoT amounts to “the building blocks of our future environment. The problem is that we’re only thinking three years ahead when we should be thinking 30 years ahead. It’s like our highway system – it would be better if we could completely rebuild our roads, but we can’t. We can only patch them.”

Another problem is that most devices are not easily updated, so when vulnerabilities are discovered, they remain. “Some of them are embedded in your wall,” Hibbard said. “They’re not designed to let you get access.”

And yet another problem affecting legal liability is what Hibbard called “a mashup of devices – a half-dozen different devices put together in ways they were never designed to be in the first place.”


Those components could be in things ranging from bridges to traffic signals to cars. “From a legal perspective, it opens up interesting areas,” he said. “If something bad happens, which component made the poor decision that caused the harm?”

Brudz said the legal system also has yet to sort out who is responsible for damages in the case of a breach. In the case of ASUS routers, “is the fault with the guy who made the router, or the guy who stole the information (from customers)?” he asked. “If somebody breaks into your house, can you sue the guy who made the lock?”

What makes it even more complicated is that many attackers are in different countries, far from the reach of American law enforcement or the courts.

Sannappa said some of the biggest names in the private sector, like Apple, Google and Samsung, may help to set overall IoT security standards. “There is a possibility where we could have larger ecosystems, industry leaders, setting up a way for smaller players to have guidance.

“Then regulators can say, this is what you were supposed to be doing and weren’t,” he said.

But there was general agreement that the process will take time. “We may be looking three to four years out before standards start arriving,” Hibbard said. “And I think it is going to be the legal community that is going to weigh in on it.

“It’s going to be a wake-up call to manufacturers and developers to do something about their house of cards,” he said.

(www.csoonline.com)

Taylor Armerding