Cybersecurity Experts to Congress: It's Time for Guidance


On October 21, 2016, millions of internet users across the United States were prevented from accessing a number of popular websites, including Amazon, Netflix, Spotify and Twitter. The reason? A hacker had previously released the source code for Mirai malware on the dark web, a vast and anonymous network for illegal activity. Mirai is designed to find and infect relatively unprotected devices that are connected to the internet. In this "Internet of Things (IoT)" world, there are a lot of these: DVRs, baby monitors, security cameras, printers, and more. With the help of another hacking group, Mirai found its way onto millions of these devices, and then waited.

At the programmed time, Mirai used the infected devices to begin a coordinated campaign called a Distributed Denial of Service (DDoS) attack. Essentially, the devices all began communicating with a company called Dyn, flooding it with so much traffic that it could no longer maintain its service. What made this such a problem was that Dyn is a domain name system (DNS) provider. It monitors and reroutes internet traffic, functioning almost like a switchboard for the internet. When Dyn could not handle the massive surge in traffic, many websites became inaccessible.

During a House of Representatives hearing last week, internet security experts urged Congress to take some action to prevent future attacks.  Currently, there are no regulations or even informal standards offering guidance to device manufacturers on how to provide cybersecurity for their products.  Filling this vacuum is critical.  Many experts believe the recent attack may have been something of a trial run to test system vulnerabilities. Meanwhile, the number of internet-enabled devices currently stands at 6.4 billion, and is expected to reach approximately 20 billion in the next four years.  That means that hackers have a massive platform from which to launch more attacks.

For now, because of the barriers faced by plaintiffs, litigation is unlikely to play a large role in encouraging manufacturers to address device security. In order to successfully bring a case, a plaintiff must show that they have suffered some harm that is "concrete and particularized." This can be very difficult to do. For example, a customer whose personal data was stolen may not be able to recover damages until they can show that a third party has used the data in a way that harmed the customer. In the instant case, Dyn and the affected websites may be able to overcome this obstacle, only to be confronted with another: the economic loss rule. This rule differs from state to state, but generally requires that, to recover for negligence, a plaintiff must be able to show physical damage to person or property. While the October 21, 2016 attack caused widespread business interruption, it did not result in personal injuries or property damage.

Currently, neither the government nor the legal system has sent device manufacturers any signals about how to better keep their products from being used for cyberattacks. Eventually, as the increasing ubiquity of IoT devices results in a growing list of personal and property casualties, the legal system will begin to define standards of negligence. It would be irresponsible for Congress to do nothing and wait for industry standards to be set by this method. Congress should act on the advice of experts and formulate reasonable IoT security guidelines as soon as possible.
