Cybersecurity Experts to Congress: It’s Time for Guidance

On October 21, 2016, millions of internet users across the United States were prevented from accessing a number of popular websites, including Amazon, Netflix, Spotify and Twitter.  The reason?  A hacker had previously released the source code for Mirai malware on the dark web, a vast and anonymous network for illegal activity.  Mirai is designed to find and infect relatively unprotected devices that are connected to the internet.  In this “Internet of Things (IOT)” world, there are a lot of these: DVRs, baby monitors, security cameras, printers, and more.  With the help of another hacking group, Mirai found its way onto millions of these devices, and then waited.

At the programmed time, Mirai used the infected devices to begin a coordinated campaign called a Distributed Denial of Service (DDoS) attack.  Essentially, the devices all began communicating with a company called Dyn, flooding it with so much traffic that it could no longer maintain its service.  What made this such a problem is that Dyn is a domain name system (DNS) server.  It monitors and reroutes internet traffic, functioning almost like a switchboard for the internet.  When Dyn could not handle the massive surge in traffic, many websites became inaccessible.

During a House of Representatives hearing last week, internet security experts urged Congress to take some action to prevent future attacks.  Currently, there are no regulations or even informal standards offering guidance to device manufacturers on how to provide cybersecurity for their products.  Filling this vacuum is critical.  Many experts believe the recent attack may have been something of a trial run to test system vulnerabilities. Meanwhile, the number of internet-enabled devices currently stands at 6.4 billion, and is expected to reach approximately 20 billion in the next four years.  That means that hackers have a massive platform from which to launch more attacks.

For now, because of the barriers faced by plaintiffs, litigation is unlikely to play a large role in encouraging manufacturers to address device security.  In order to successfully bring a case, a plaintiff must show that they have suffered some harm that is “concrete and particularized.”  This can be very difficult to do.  For example, a customer whose personal data was stolen may not be able to recover damages until they can show that a third party has used the data in a way that harmed the customer.  In the instant case, Dyn and the affected websites may be able to overcome this obstacle, only to be confronted with another: the economic loss rule.  This rule differs from state to state, but generally requires that, to recover for negligence, a plaintiff must be able to show physical damage to person or property.  While the October 21, 2016 attack caused widespread business interruption, it did not result in personal injuries or property damage.

Currently, neither the government nor the legal system has sent device manufacturers any signals about how to better keep their products from being used for cyberattacks.  Eventually, as the increasing ubiquity of IOT devices results in a growing list of personal and property casualties, the legal system will begin to define standards of negligence.  It would be irresponsible for Congress to do nothing and wait for industry standards to be set by this method.  Congress should act on the advice of experts and formulate reasonable IOT security guidelines as soon as possible.