Beale: Assessing the legal response to attacks on “internet of things”

April 10, 2019 | Duke Law News

Sara Sun Beale

The phrase “internet of things” (IoT) encompasses internet-connected devices other than computers and phones that collect, send, and receive data: so-called “smart” household appliances and wearables, implanted medical devices, voting machines, cars, trains, airplanes, power plants, dams, and other components of infrastructure. As Charles L. B. Lowndes Professor of Law Sara Sun Beale and Peter Berris ’17 point out in a recent paper, virtually every type of IoT device has been compromised, whether by targeted hacking or by a botnet attack that uses malware to reprogram the device’s function. Motives for these attacks, they observe in “Hacking the Internet of Things: Vulnerabilities, Dangers, and Legal Responses,” 16 Duke Law & Technology Review 161-204 (2018), include pranking, data theft, extortion, revenge, and terrorism.

Because IoT devices act on the physical world, they observe, the insecurity that leaves them open to hacking can cause physical damage, not merely data loss. Yet they find the current legal response to such attacks inadequate: while the attacks are often illegal under the federal Computer Fraud and Abuse Act (CFAA) or analogous state legislation, “existing laws punish conduct after the fact without addressing the vulnerabilities that facilitate hacking.”

Beale, an expert in federal criminal law and procedure, and Berris, an associate at Shipman & Goodwin in Washington, D.C., outline the nature and causes of the underlying vulnerabilities in the IoT, as well as the practical and procedural obstacles to investigating and prosecuting attacks under the CFAA. These include jurisdictional challenges, since many attacks originate abroad, and attribution challenges: the source of a hack is typically hidden behind intermediaries, and botnet attacks often cross jurisdictions and involve millions of compromised machines.

In addition to examining options for improving the security of the IoT, Beale and Berris parse possible theories for legalizing “hacking back” against botnets, for example by creating exceptions for invasive counterattacks through a legal framework modeled on the laws governing recapture of property. Apart from a host of ethical concerns, hacking back could simply escalate existing attacks and provoke new ones, or even be interpreted by a foreign government as a military response, leading to cyberwarfare or physical hostilities.

However difficult it may be to find a comprehensive solution to the “complex, multifaceted, and numerous” dangers faced by the IoT, government inaction is the “worst option,” Beale and Berris conclude: “If we wait passively for the full array of dangers of the IoT to become a reality, the wait will not be long, and the crisis could be severe.”