IoT Botnet Attacks – Judge for Yourself

Yesterday’s mass-IoT-botnet attack on core Internet services (Twitter, Netflix, etc. via DNS provider Dyn) is drawing a lot of attention, mainly because for the public at large it is an eye-opening education in the hidden Internet of Things connections between their beloved electronic devices and online services.

You can read elsewhere the as-yet-understood details of the attack (e.g. “Hacked Cameras, DVRs Powered Today’s Massive Internet Outage” by Brian Krebs). And you’ll be reading more and more warnings of how this particular attack is just the beginning (e.g. from my friend Alan Silberberg, “Mirai Botnet DDoS Just the Beginning of IoT Cybersecurity Breaches“).

But today, in the wake of the attack, a DC friend known for peering around corners asked for my opinion about the ultimate meaning of this approach, and whether this attack means “the game has changed.” Here’s my response:

Last year I was asked by Georgetown Law School to give a private briefing to the Federal Judicial Center’s annual convocation of 65 federal judges from jurisdictions across the United States. The overall FJC session addressed “National Security, Surveillance Technology and the Law,” and in part was prompted by the Edward Snowden and WikiLeaks events. Here’s an article about the conference, and you can view the full agenda here. As you can see from the agenda, I joined noted security expert Bruce Schneier in presenting on “Computer Architectures and Remote Access.” That’s a fairly technical topic, and so I asked an organizer ahead of time what the judges wanted to learn and why, and was told “They’re encountering a tidal wave of cases that involve claims against government warrants for access, and conversely claims involving botnet attacks and liability.” I then asked what level of technical proficiency I should assume in preparing my remarks, and was told, “Based on their own self-assessments, you should assume they’re newbies encountering computers for the very first time.”

After a good laugh, that was the approach I took, and with patience Bruce and I were able both to educate and to spark a great back-and-forth conversation among the nation’s judges about the intricacies of applying slowly evolving legal doctrines to rapidly evolving technical capabilities.

The answer to today’s question is Yes, the game has changed. The tidal wave is well upon us and won’t be technically turned back in large part. We can (over time) introduce tighter security into some elements of IoT devices and networks, but that won’t be easy and would hamper the ease and invisibility of IoT operations. I think eventually we’ll come to realize that the notion of “Internet Security” is going to be like “Law & Order” – a good aspiration, which in everyday practice is observed in the breaking.

We’ll develop more robust judicial and insurance remedies, to provide better penalization and risk-valuation avenues, for what will be an inevitably continuing onslaught of law-breaking.

Yet in that onslaught crimes will be better defined, somewhat better policed, definitely better prosecuted (our Judges will be better educated!), and perhaps most importantly victims will be better insured and compensated, as we learn to manage and survive each new wave of technological risk.

By the way, if you’d like to plunge into the reading list which those federal judges had assigned as their homework on surveillance technologies and national security law, click here or the image below to download the 5-page syllabus for the session, courtesy of Georgetown Law, with links to the full set of Technology Readings and Legal Readings, across fields like Interception and Location Tracking, Digital Forensics, Metadata and Social Network Analytics, Cloud Computing and Global Communications…. It’s a very rich and rewarding collection, guaranteed to make you feel as smart as a federal judge 🙂