IoT Security and Privacy Risks
Transcript of IoT Security and Privacy Risks
Fast Forward: Hot Technology Law Topics May 24, 2016
Overview/Agenda
• An Internet of Things (IoT) Panorama: What is IoT, what’s driving it, and who regulates it (David Bodenheimer)
• IoT on Trial: disrupting discovery, mass torts, and product liability (Steve Teppler)
• Big Data and the Cloud: why you need an umbrella (Karli Swift)
• IoT Security and Privacy Risks (Lucy Thomson)
• Autonomous Vehicles, Drones, and Robots: compliance, liability, and information governance (Steve Wu)
• Takeaways (All)
Panel
• Ruth Hill Bro (Moderator), Privacy Attorney, Chicago; Membership and Diversity Committee Chair and Past Section Chair, SciTech Section; [email protected]
• David Z. Bodenheimer, Partner, Crowell & Moring LLP, Washington, DC; Co-Chair, Security, Privacy and Information Law Division and Section Vice-Chair, SciTech Section
• Karli Swift, Associate, Baker, Donelson, Bearman, Caldwell & Berkowitz, Atlanta; Co-Chair, Big Data Committee, SciTech Section
• Steven W. Teppler, Partner, Electronic Discovery & Technology Based Litigation, Abbott Law Group, P.A., Jacksonville, FL; Chair, Internet of Things Committee, SciTech Section
• Lucy L. Thomson, Founding Principal, Livingston PLLC, Washington DC; Co-Chair, Security, Privacy and Information Law Division and Past Section Chair, SciTech Section
• Stephen Wu, Of Counsel, Silicon Valley Law Group, San Jose, CA; Past Section Chair, SciTech Section
An Internet of Things Panorama: What is IoT, What’s driving it, & Who regulates it?
David Z. Bodenheimer, Crowell & Moring LLP (www.crowell.com)
Peering Far into the Future
SciTech 2006: The SciTech Lawyer (2006)
SciTech 2016: Internet of Things
• Too Big to Regulate?
• Too Ubiquitous to Miss?
• Too Fast to Keep Up?
IoT Technology Tsunami
• More Devices than Humans
– 25 billion devices today; 50 billion by 2020
• 127 Devices/Second
– Devices added to the Internet (5.4M/day)
• $11 Trillion Global Economy
– $2 trillion (2016)
– $11 trillion (2025)
Internet of Things?
• What is the Internet of Things?
– Definitions & Examples
• Why do we care about IoT?
– Benefits & Risks
• How is IoT regulated?
– Congressional & Regulatory Oversight
– Challenges & the Future
What is IoT?
White House Report
“The ‘Internet of Things’ is a term used to describe the ability of devices to communicate with each other using embedded sensors that are linked through wired and wireless networks.”
Other Definitions
• FTC Report (2015) – Various experts
• CRS Report (2015) – Broadly defined
• NIST Guide (2016) – Being defined
What is IoT? The Real Answer
“Ask me what the Internet of Things is. My usual answer is, ‘I don’t know.’” Senator Fischer quoted in Politico (June 29, 2015)
What is IoT? By Example
• Smart Homes
– HVAC, lights, locks
• Healthcare
– Inhalers, monitors
• Smart Cities
– Pollution monitors & transportation
IoT = Smart!
More Examples
• Smart Farming
– Sensors, drones
• Energy
– Clean tech
• Industrial Uses
– Factory sensors
– Predictive O&M
– Supply chain
Why care about IoT?
Senate Res. 110
• Economic Impact
• Consumer Benefits
• Business Efficiencies
• Smart Cities
• Innovation
• Global Competition
[S. Res. 110 (Mar. 24, 2015)]
Why care about IoT? Benefit Cornucopia
• Economics -- $$$
– $2 trillion (today)
– $11 trillion (2025)
• Business Efficiencies
– 10-20% energy savings
– 10-25% labor efficiencies
And More
• Consumer Benefits
– 95% auto accidents
– Nursing home glut
– $1.1 trillion remote monitoring savings
• Global Innovation
– U.S. leadership
– Global competition
Why care about IoT? Risks Unlimited?
• Cybersecurity
– 25 billion devices
– 50 billion by 2020
– Automated links
– Supply chain length
– Cyber espionage
“every node, device, data source . . . a security threat” [DHS IoT (Dec. 2015)]
And More?
• Privacy
– Zettabytes of data
– All transport
– Smart cities
– IoT + drones
– Surveillance
*FTC Report *CRS Q&A *Hill Hearings
Who regulates IoT? Patchworks
• Privacy Patchwork
– HIPAA (healthcare)
– GLB (financial)
– FERPA (educational)
– Privacy Act (federal)
• Cyber Patchwork
– FISMA (federal)
– HIPAA/GLB, etc.
Integrated Tech
• IoT + Drones
– “Next trillion files”
– FAA regulate?
• IoT + Cloud
– Big Data = Bigger
– GSA & FedRAMP?
Who regulates IoT?
• Congressional Committees
– “more than 30 different congressional committees” [Politico (June 2015)]
• Congressional Hearings
– Senate Commerce (Feb. 2015)
– House Commerce (Mar. 2015)
– House Judiciary (Jul. 2015)
Who regulates IoT? Federal Agencies
• FCC
– Spectrum management
• DHS
– Critical infrastructure
• FTC
– Consumer devices
• FDA
– Medical devices
And More
• DOE
– Smart grid
• DOT
– Connected cars
• DOD
– IoT advanced tech
• DOJ
– Law enforcement
Who regulates IoT? NIST Publication
“However, the current Internet of Things (IoT) landscape presents itself as a mix of jargon, consumer products, and unrealistic predictions. There is no formal, analytic, or even descriptive set of the building blocks that govern the operation, trustworthiness, and lifecycle of IoT. This vacuum between the hype and the science, if a science exists, is evident. Therefore, a composability model and vocabulary that defines principles common to most, if not all networks of things, is needed to address the question: ‘what is the science, if any, underlying IoT?’” [NIST, Draft NISTIR 8063 (Feb. 2016)]
Privacy of Things
“The Internet of Things (IoT) will create the single largest, most chaotic conversation in the history of language. Imagine every human being on the planet stepping outside and yelling at the top of their lungs everything that comes into their heads, and you still wouldn’t be close to the scale of communications that are going to occur when all those IoT devices really get chattering.” [Geoff Webb, How will billions of devices impact the Privacy of Things? (Dec. 7, 2015)]
IoT in Your Future
IoT in 2016
IoT in 2017
• 1.9 Billion More Devices
• Another $2 Trillion
• More Hill Scrutiny
• Expanded IoT Regulation
• Harder Cyber Issues
ABA IoT National Institute, April/May 2017, Washington, DC
The Internet of Things on Trial: Disrupting Discovery, Mass Torts and Product Liability
American Bar Association Section of Science and Technology Law, Internet of Things Committee
Hot Topics Call, May 24, 2016
a.k.a. More of the same things change…
Steven W. Teppler, Abbott Law Group, P.A.
What is the Internet of Things (a.k.a. “IoT”)?
• A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data – Objects can be physical or logical
Another IoT Definition
• The Internet of Things (IoT) is the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure. Typically, IoT is expected to offer advanced connectivity of devices, systems, and services that goes beyond machine-to-machine communications (M2M) and covers a variety of protocols, domains, and applications. The interconnection of these embedded devices (including smart objects), is expected to usher in automation in nearly all fields, while also enabling advanced applications like a Smart Grid. (From Wikipedia)
A Brave New World of Disruptive Technologies
• Pervasive Computing
• Social Networks
• Mobile Computing
• Big Data
• Internet of Things
• Cloud Computing
• Augmented & Virtual Reality
• Artificial Intelligence & Robotics
• 3D Printing & JIT Manufacturing
• Privacy & Security Technologies
• Wearable Computers
Some Factoids: Where IoT is Headed
And that’s not all… The Internet of Things includes:
IoT Concerns - Security
– Some say that if one thing can prevent the Internet of Things from transforming the way we live and work, it will be a breakdown in security.
Existing and New Security Issues
New Business Associate Compliance Requirements
Driverless Cars
Telepresence Robots
Drone Commercialization
Drone Video and Images
Mobile Health Revolution
Automotive Platforms
Security Risks
Another Explosion of Information to Curate
• Business Intelligence • Business Continuity • Regulatory Compliance • Preservation • Litigation
Challenges for ERM Professionals: IoT and Document Retention
• What is an IoT “document” or “record?”
– Identify and evaluate IoT information for proper incorporation into a document retention policy
Challenges - IoT and Electronic Discovery
• ESI Preservation
• Identification
• Collection
• Production
Challenges – Mass Liability Potential
– The size, monoculture (uniformity), insecurity, and non-standardized coding and manufacture of connected devices and services provided through them puts millions of users of the “Internet of Things” at risk for serious injury and financial harm on a massive scale
– Consider 25 billion connected devices by 2020
• https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
Internet of Things – That Can/Will Give Rise to Liability… and to eDiscovery Issues
IoT Liability Concerns – Why?
• Coding for these devices is often a one-time event; the code will become obsolete and ultimately fail to work properly, either through neglect (no upgrades) or through faulty initial design
• Testing of these devices is unregulated, unaudited and generally not disclosed (so what is the MTBF for an IoT device?)
• Coding for these devices is unregulated, unaudited, and subject to little if any quality control
• Security (and security standards) for these devices have yet to be adopted or even developed
• Most IoT devices have no logging mechanisms to record failure or malfunction events
Overview/Agenda
• Introduction to Big Data and Cloud Computing
• Legal Implications
– Notice and Consent
– Ethical Issues
– Key Contract Terms
• New Developments
Introduction to Big Data and the Cloud
Big Data
– Retailer adjusts pricing in near-real time for items, based on demand and inventory, using data sets.
– Thermostat learns human patterns to cool or heat when needed, and creates a digital record of its operations activating the HVAC system and of the temperature of the house.
The Cloud
Legal Implications
Notice and Consent
– Types of Information Collected
– Privacy Policy vs. Terms of Use
– Express vs. Implied Consent
Software as a Service
Key Contract Terms
– What information is being collected?
– Are other laws implicated? (e.g., PHI = HIPAA)
– Risk Allocation
• Service Level Agreements
• Data Security
• Intellectual Property
• Indemnification
Final Thoughts and Resources
New Developments
• Federal Trade Commission Report: Big Data: A Tool for Inclusion or Exclusion?
http://1.usa.gov/1n52gG6
Questions?
IoT Security and Privacy Risks
Lucy L. Thomson, Esq., CISSP, CIPP/US/G; Past Chair, ABA Section of Science & Technology Law; Livingston PLLC, Washington, D.C.
Thomson © 2016
• $3.1 Trillion in 2025
• Smart Cities
IoT Presents New Risks
• Threats – new character
• Vulnerabilities – present at every level of the stack
– Documented by NIST Guide to Industrial Control Systems (ICS) Security, NIST Spec Pub 800-82, Rev. 2 (May 2015)
• Consequences – disruption of operations and services can be catastrophic
– Potential cascading failures
IoT/Big Data—A Torrent of Data at Risk
Massive Data Breaches Create Heightened Risk
• e-Bay, 145 million records breached (2014)
• Heartland, 130 million (2008-09)
• Target, 110 million (2013)
• Sony Online Entertainment, 102 million (2011)
• JP Morgan Chase, 76 million (2014)
• Anthem BlueCross BlueShield, 69-80 million (2015)
• Epsilon, 60-250 million (2011)
• Home Depot, 56 million (2014)
• TJX, 46 million (2006-07)
• Office of Personnel Management (OPM), 22.5 million security clearance records, 5 million fingerprints (2015)
A Few Hackable Things . . .
• Toys
– Hello Barbie (http://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children)
– Star Wars BB8 (https://www.pentestpartners.com/blog/star-wars-bb-8-iot-toy-awesome-fun-but-can-it-be-turned-to-the-dark-side-with-this-vulnerability/)
– Toy drones (https://www.rt.com/news/hacker-drone-aircraft-parrot-704/)
– Commercial and military drones too (http://www.bbc.com/future/story/20140206-can-drones-be-hacked?ocid=ww.social.link.email)
• Home appliances, such as . . .
– HVAC systems – e.g., Trane Thermostat (http://krebsonsecurity.com/2016/02/iot-reality-smart-devices-dumb-defaults/#more-33751)
– Refrigerators (http://thehackernews.com/2014/01/100000-refrigerators-and-other-home.html)
– “Smart” toilets (http://www.forbes.com/sites/kashmirhill/2013/08/15/heres-what-it-looks-like-when-a-smart-toilet-gets-hacked-video/#4545f4352b15)
Hackable Things That Can Hurt . . .
• Automobiles
– Jeep hack (http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/)
– Driverless cars (http://www.nationaldefensemagazine.org/archive/2015/May/Pages/ResearchersHackIntoDriverlessCarSystemTakeControlofVehicle.aspx)
• Medical devices
– Insulin pumps (http://juntoblog.net/medical-device-hacks-when-cyber-risk-becomes-deadly/)
– Pacemakers (http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/#3a07041e13e0)
– And others (http://null-byte.wonderhowto.com/forum/is-hacking-implanted-medical-devices-next-big-cyber-crime-0149205/)
• Hospitals (https://securityevaluators.com/hospitalhack/securing_hospitals.pdf)
. . . and Giant Hackable Things
• Nuclear facilities – e.g., Stuxnet incident (http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/)
• Industrial plants – e.g., German blast furnace (http://www.bbc.com/news/technology-30575104)
• Transportation networks – e.g., Polish tram system (http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html)
• Pipelines – e.g., Turkish pipeline explosion (http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar)
• Power grids – e.g., December 2015 Ukraine incident (http://www.homelandsecuritynewswire.com/dr20160216-russian-govt-behind-attack-on-ukraine-power-grid-u-s-officials)
Cascading failures:
• Lloyd’s/Cambridge University “Business Blackout” Report (http://www.lloyds.com/news-and-insight/risk-insight/library/society-and-security/business-blackout)
2016 Assessment
Devices designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructure and U.S. Government systems. Broader adoption of IoT devices and Artificial Intelligence (AI)—in settings such as public utilities and health care—will only exacerbate these potential effects.
2015 Assessment
• Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come.
• …we foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.
IoT Devices May Be Inherently Insecure
IoT Devices Can Become Attack Vectors into the Entire Network
• Security is not built into the architecture and design of the device or software
• The IoT device lifecycle is much longer (~10 years) than the software in the devices (~two years)
• Vendors may not provide software patching or support the software in the future
• IoT devices are being used in ways they were not designed for or with other technologies that create security risks
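The lifecycle mismatch on the slide above (hardware in service for about ten years, software supported for about two) is something an asset owner can measure rather than only describe. The following is an added example written for this page, not code from the panel, the ABA or any vendor; the device records, dates and the two-year staleness threshold are constructed for illustration. For each device in a small inventory it computes how long the device is expected to stay in service after vendor support ends (treating an unpublished support end date as no support at all) and flags devices whose software has not changed in roughly two years.

```python
"""Support-lifecycle gap check for an IoT fleet.

Added example for this page (not the panel's or any vendor's code); every
record below is constructed for illustration. It makes one slide concrete:
a device expected to run for ~10 years whose vendor supports the software
for far less leaves an unsupported window the operator has to plan for.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Device:
    name: str
    deployed: date
    service_life_years: int             # how long the operator intends to run the hardware
    vendor_support_end: Optional[date]  # None: vendor has published no end-of-support date
    last_firmware_update: date


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping Feb 29 to Feb 28 in non-leap targets."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def service_end(dev: Device) -> date:
    """Date the operator expects to retire the hardware."""
    return add_years(dev.deployed, dev.service_life_years)


def unsupported_days(dev: Device, today: date) -> int:
    """Days the device is expected to stay in service after vendor support ends.

    With no published support end, the whole remaining service life is counted,
    because nothing guarantees a patch for any of it.
    """
    end = service_end(dev)
    support_end = dev.vendor_support_end if dev.vendor_support_end is not None else today
    return max((end - support_end).days, 0)


def firmware_is_stale(dev: Device, today: date, max_age_days: int = 730) -> bool:
    """Flag software untouched for ~two years (the figure the slide uses)."""
    return (today - dev.last_firmware_update).days > max_age_days


def assess(devices, today: date):
    """Return one finding per device with an unsupported window or stale firmware."""
    findings = []
    for dev in devices:
        gap = unsupported_days(dev, today)
        stale = firmware_is_stale(dev, today)
        if gap > 0 or stale:
            findings.append({
                "device": dev.name,
                "service_end": service_end(dev).isoformat(),
                "unsupported_days": gap,
                "stale_firmware": stale,
            })
    return findings


# Constructed fleet; "today" is the date of the webinar this page transcribes.
TODAY = date(2016, 5, 24)
FLEET = [
    Device("hvac-ctrl-01", date(2014, 3, 1), 10, date(2019, 6, 30), date(2015, 9, 10)),
    Device("infusion-pump-07", date(2012, 1, 15), 10, None, date(2013, 4, 2)),
    Device("smart-lock-12", date(2016, 1, 10), 5, date(2022, 1, 10), date(2016, 5, 1)),
]


def assess_fleet():
    """Run the check over the constructed fleet as of the webinar date."""
    return assess(FLEET, TODAY)


if __name__ == "__main__":
    for finding in assess_fleet():
        print(finding)
```

On the constructed data the thermostat controller is flagged for roughly 4.7 years of service after its vendor's support ends, the infusion pump for its entire remaining life plus firmware last updated in 2013, and the recently deployed lock for nothing. The same two columns (support end versus planned retirement, and last software change) are what a procurement or litigation review would ask the operator to produce.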
Resources
• NIST Cyber-Physical Systems, http://www.nist.gov/cps/
• NIST Cybersecurity Framework (2014), http://www.nist.gov/cyberframework/
• Energy Information Sharing and Analysis Center (ISAC)
• Cybersecurity Procurement Language for Energy Delivery Systems
• Center for Internet Security, 20 Critical Security Controls for Effective Cyber Defense (2015), http://www.cisecurity.org/critical-controls/
FREE TO THOSE WHO JOIN SCITECH: These 2013 issues (100 pages) of The SciTech Lawyer, the quarterly magazine of the Section of Science & Technology Law, are the culmination of SciTech’s year-long exploration of the mobile transformation. We continue to explore this continually evolving area.
Check out other SciTech books at www.ambar.org/scitechbooks.
The Data Breach and Encryption Handbook provides a road map through the requirements of the state data breach laws and HITECH, analyzes the security failures of the major data breaches, and demystifies encryption for businesses, IT professionals, and lawyers. Check out other helpful SciTech books at www.ambar.org/scitechbooks.
Autonomous Vehicles, Drones, and Robots: Compliance, Liability, and Information Governance
Stephen S. Wu, Silicon Valley Law Group (www.svlg.com)
Overview
• Autonomous Vehicles and Drones in the News
• Compliance
• Liability
• Information Governance
– Privacy
– Security
Autonomous Vehicles
Drones in the News
Ground and Sea Drones
• Neighborhood delivery
• Maritime applications
Compliance
AV Regulation/Influence
Regulation
• International—Geneva and Vienna Conventions
• Federal (DOT, NHTSA)—FMVSS, recall authority
• State (DMVs)—vehicle codes
• Local—ordinances regarding traffic control
Non-Governmental Entities
• Insurers—underwriting practices (driver and product liability)
• Private plaintiffs
• Standards bodies
• Trade groups
State automated driving laws
Source: Gabriel Weiner and Bryant Walker Smith, newlypossible.org
Regulation of Drones
• Federal Aviation Act of 1958 – regulation of navigable airspace
• How the Federal Aviation Administration regulates
• Different uses of drones
• FAA Modernization and Reform Act of 2012
• Certificates of Authorization or Waiver (COAs)
• NTIA privacy best practices
Liability
$4 Billion Plus Liabilities
Potential Parties
• Raw Materials Seller
• Component Part Manufacturer
• Manufacturer of Finished Product
• Distributor
• Retailer
• Aftermarket Product Seller
• Service Company
• Owners
• Government
• Software Developer
• Big Data Service Provider
• Cloud Hosting Vendor
• Infrastructure Service Provider
• Security Technology Vendor
• Managed Security Service Provider
Possible Causes of Action
• Strict Liability
• Negligence
• Warranty (Express or Implied)
• Fraud
• Statutory Claims
– Unfair or Deceptive Trade Practices
– False Advertising
• Security or Privacy Breach
Information Governance
Pervasive Data Collection
Lesley Stahl Driving
Voluntary Best Practices for Drone Privacy
• Inform others
• Minimize data collection
• Limit use and sharing
• Secure collected data
• Monitor and comply with applicable law
From: NTIA Best Practices for UAS Privacy, Transparency, and Accountability, May 18, 2016
Drone Vulnerabilities
The Larger Picture
• Pervasive Computing
• Social networks
• Mobile computing
• Big Data
• Internet of Things
• Cloud Computing
• Augmented & Virtual Reality
• Artificial Intelligence & Robotics
• 3D Printing & JIT Manufacturing
• Privacy & Security Technologies
• Wearable computers
Takeaways
FAST FORWARD
Join us for two new Fast Forward webinars in the 2016-2017 bar year:
• Fast Forward: Hot Science Law Topics
• Fast Forward: Hot Technology Law Topics
FREE for SciTech members. Designed to get you up to speed on the latest science and technology law developments. Brought to you by SciTech’s Membership and Diversity Committee. Find out more at ambar.org/scitech