Homeland and National Security Issues Surrounding IoT

SCITECH E-MERGING NEWS SUMMER 2018
UNDERESTIMATED AND DUPLICATED: HOMELAND AND NATIONAL SECURITY ISSUES SURROUNDING IOT

By Charlene Collazo

Judicial Law Clerk, District Court for Montgomery County

The transnational reach of IoT was a common theme discussed at the ABA Section of Science & Technology Law’s 2018 IoT National Institute panel on Homeland and National Security in an Internet-Everything World. The panelists included Leonard Bailey, Special Counsel for National Security, Computer Crime & Intellectual Property Section at the U.S. Department of Justice; Rajesh De, Partner at Mayer Brown LLP and former General Counsel for the National Security Agency; Jonathan W. Gannon, Assistant Vice President and Senior Legal Counsel with AT&T Services and former Deputy Unit Chief for the Office of Intelligence, National Security Division at the U.S. Department of Justice; Richard Martinez, Partner at Jones Day; and Daniel Sutherland, Associate General Counsel for the National Protection & Programs Directorate of the Department of Homeland Security.

While IoT devices have improved our lives and promoted the advancement of technology, it is important that we focus on how these devices can be used by enemy targets. Bailey highlighted that in May 2018, the Department of Homeland Security released information describing the exploitation of U.S. cell phone users’ data by nefarious actors through the SS7 messaging system. He continued by explaining that this recent example emphasizes the problem of underestimating the possibility of havoc created by smart technology. Gannon underscored that from his perspective (he assists in protecting more than 90 billion petabytes of data), it is no surprise that criminal gangs and transnational states are playing around in this space.

The core discussion centered on what is important to keep the network running safely: preventing the proliferation of insecure devices and getting one step ahead of the botnets. To answer this question, it may be helpful to understand how IoT has transformed data security. De illustrated this with two points: first, cyber threats have evolved from preventing and stealing information to using information for destructive and restrictive attacks; and second, IoT accentuates new threats, as these devices do not have the same life cycle of updates as software.

The panelists posed several solutions to keeping the networks safe while promoting the proliferation of more IoT devices. Gannon noted the importance of Automated Indicator Sharing, which allows the sharing of information related to cyber and security breaches between the private and government sectors. However, he cautioned that a more sophisticated system should be developed. Sutherland also presented information on roundtables that have brought together various leaders and professors in the area of cyber and national security. Hypotheticals related to various security issue scenarios have been discussed, but at times, he expressed that conversations proved stale. However, lawyers were added to these roundtables to add a different perspective.

While no complete solutions have been reached, Sutherland shared that some potential incentives exist that could lead to greater security measures. One incentive would be to transfer software liability to IoT devices, which would drive security in this area. Another possible incentive would be to place responsibility on the courts to take up these security issues through the use of contract or tort law. But some panelists, including Sutherland, expressed wariness in placing responsibility on the courts to decipher standards. As De explained, even courts are split as to the proper standing that should be required of plaintiffs in cyber litigation. As one audience member summarized it, technology and law are very different; the former is quick while the latter is slow.

Another important factor affecting security across IoT devices was the audit requirement of the government procurement process. Sutherland questioned how well these audits are conducted and what resources are used. The audit process is important, especially when many of these products are sold cheaply and produced in mass quantities. For this reason, clear industry standards are necessary to determine who in the manufacturing chain should be responsible for any breaches and who has a duty to the consumer. De stressed the reasonableness standard: as long as security audits and risk management processes are reasonable, then IoT manufacturers should be clear about risks and responsibilities.

In concluding the discussion, panelists noted that answers to these questions could become clearer as the International Organization for Standardization convenes later this year to continue working on drafts to the Internet of Things and related technologies standardization 41 (ISO/IEC JTC 1/SC 41). The transnational reach of IoT and its security implications is an important conversation that needs to be continued. As Gannon expressed, as cyber threats continue to increase, more internal and “in the moment” conversations will need to be entertained.