Cybercrime Fighter

Liability is apportioned among the security players and runs on the ‘weakest link in security chain’ doctrine

“First, let me explain how liability is apportioned among the security players. The system today runs on the doctrine of the ‘weakest link in the security chain.’ The weakest link is the weakest point of protection: whoever is most vulnerable is most culpable. Now, your data cloud systems provider retained its security and was not breached. The breach occurred downstream, in gateways installed and run by you. There, the cloud-bound data was redirected. There is some failure on the cloud provider’s part, as their cloud analytics systems were alerting that incoming cloud data was ‘irregular’; it is just that the analysis arrived too late. Further, the parameters for those analysis programs were developed by your analysts, not the cloud provider. It was a sophisticated hack; it turns out the data was not turned off, which would have generated an alert from the cloud provider to you, but was instead corrupted and dummied for the stream-up transmission to your cloud. This made it look like the traffic was normal, when in fact it wasn’t.”

“Ok,” says Rachael, “I don’t like it, but I can accept that.”

“First, some background,” continues Doug. “Exploit kits are sold on the dark market, where black hats place subscriptions for newly discovered vulnerabilities. So much so that zero-day exploits have exploded in today’s world. The dark web tweeted the discovery and sale offer of an exploit of the gateway vulnerability a full seven days before the attack. Your gateways were exploited three days before your home attack. That explains the progress made in subverting your sensors before you were personally attacked. The ‘distraction attack’ occurred at about the same time your packaged sensor data was offered for sale.” He pauses. “So the real question is, ‘who was liable for not generating a fix during those respective seven and three days’ time?’”

Doug: “Next, comparisons of the code Siemens provided, plus their quick response with a solution to the hole after you notified them, put Siemens in the clear. I’m sure they backed the task force because they realized they had a solid hand to start with. Still, in 2015, another hardware company found unauthorized code that allowed backdoor access to its routers and had existed undetected for three years. No publicly disclosed evidence exists to suggest the backdoor was used, but technically there was ‘no way to detect’ if it had been. We might never know more here.”

Doug: “The consensus of the task force is that the CSO of the OEM gateway firm, to which you outsourced the security certification and patch maintenance, is on the hook for liability. A backdoor was found in the code used to authorize gateway use, that is, in their authentication of your software lease to their product. It’s an old technique going back two decades, and they should have known better. Now, it’s not definitive, and it will drag on in the courts, as the hack erased the relevant log data. But even if it was not the vector, that is being judged the weak link in this episode. The OEM is being thrown under the bus. Normally that’s not a bad thing: in the long view, blaming the weakest link, guilty in a specific instance or not, results in our systems perpetually growing stronger. However, my investigation found that the OEM for the gateway is a small cutout firm of the type that is expected to take the liability, go bankrupt, and later reconstitute itself in a new guise. I suggest you vet your vendors better going forward.”

Rachael: “I am frustrated, and not a little angry, at the legal and insurance system. I should be protected, and not just recompensed. Paying the infrastructure repair bills does not repair the damage to the corporate image.”

Doug nods and then signals the waitress, ordering Rachael a drink. “You are going to need it for this next part. Proving Jonathon’s involvement in the attack on your home is not likely to happen. He has too many cutouts to follow through the web. Instead, local U.S. prosecutors will attempt to charge him with trafficking, for the movement of restricted climate data across national boundaries. More irony: this is possible because of the national paranoia left over from the old climate warming debates. Treaties stipulate local state oversight of data transfer when comparing different climate zones. To get a climate agreement, governments stipulated local control over the movement of climate data in order to control comparative analysis. Each country gets to judge whether it meets the old agreed climate warming targets now coming due. It’s part of why your watershed analysis division is restricted by regulation to the U.S.”

Rachael: “This is not what I expected to happen. Sure, I considered and planned for the possibility of a cyber-attack, but mostly that was about prevention. Somehow I assumed the social systems would just be there for me.”

Doug’s closing words to Rachael, as he signals for the check: “Frankly, I’ve no confidence our social, political, and legal systems are up to the IoT security challenge. They’re still inching forward while technology blazes along, increasingly beyond our control. Yet our ability to develop systems to shirk and avoid responsibility, that’s better than ever. My suggestion? Finish your drink.”

Leading by example, and with an ironic smile, he tosses back his whiskey.
