In 2016, we witnessed the first massive Internet of Things (IoT) botnet attacks. In 2017, we may witness the first successful attempt to hold someone with deep pockets liable for the damages.
Or maybe we won’t.
For a variety of reasons, finding a sufficiently solvent defendant to stick with this kind of legal liability may be an exercise in futility.
Let’s take the October 21st massive distributed denial of service (DDoS) attack against Dyn, a DNS service provider. The Dyn attack affected some of the biggest names in the Internet and involved a botnet of more than 100,000 interconnected devices around the world.
A sophisticated attack? Hard to tell. One theory is that this was an orchestrated attack in retaliation for Dyn’s assistance to Brian Krebs, a well-known cybersecurity reporter, who had been the victim of an earlier DDoS attack. Another is that it was a mistake. That a disgruntled gamer was using publicly available Mirai code to attack Playstation’s Network and Dyn got caught in the crossfire. Regardless, thousands of Internet sites including Twitter, Amazon, Netflix and Paypal were unable to conduct business for several hours. Estimates of the damages vary but one thing is certain--it was very costly.
So who’s going to pay for the cost of the disruption?
Let’s start with the low-lying fruit, i.e. those who intentionally launched the attack. There’s not much there. If this was a well-orchestrated and organized attack, we may never learn the identity of the attackers. If it was the work of a single disgruntled gamer, we’re not likely to find much cash in his pockets.
The next likely defendant would be the manufacturers of the devices that were co-opted for the bot network. Current speculation is that the botnet used in the Dyn attack primarily exploited the digital video recorders (DVR) and IP cameras of a single Chinese company, XiongMai Technologies.
Setting aside issues of jurisdiction and enforcement, we would still need a workable theory of liability. Let’s look at this from a classic “product liability” perspective.
There’s no basis for a warranty claim because the victims here (i.e., the adversely affected Internet sites and their users, not to mention Dyn itself) didn’t buy the devices from XiongMai. So they have no warranty on which to base a claim.
Nor is there strict liability because the business of providing web-accessible cameras and DVR’s is not generally considered to be inherently hazardous.
We’re left with negligence. To prevail on a negligence claim, the victims would need to show that the XiongMai breached a duty of care that was owed to the victims and that the damages arising from that breach were reasonably foreseeable to XiongMai when it designed the DVR’s and cameras.
I’d venture to guess that no reasonable judge or jury would find that XiongMai owed a duty of care to Dyn and the thousands of Internet sites that depend on Dyn simply because XiongMai built Internet-accessible DVR’s and cameras. Nor would a jury be likely to believe that XiongMai could reasonably foresee that a hacker would publish malicious code that a disgruntled gamer would use to accidentally and massively disrupt Dyn and the thousands of Internet sites that depend on Dyn.
That leaves Dyn. Using the same analysis that we applied to XiongMai above, the issue would boil down to whether Dyn had taken adequate measures to protect itself against a reasonably foreseeable threat that could impact thousands of Internet sites. In this case, given that this same kind of botnet had managed to take down Krebs, one of the nation’s foremost experts on cybersecurity, it would be hard to demonstrate that Dyn could have prevented it. Which seems right. The notion of using hindsight to put the burden of extraordinary security standards on the victim of a mass DDoS attack violates a certain sense of propriety.
Which leaves the victims with no one to turn to for compensation. And makes the case for regulators to impose minimum security standards on IoT manufacturers and appropriate penalties or recourse for those who fail to meet those standards.