As Thomas Merton wrote, “no man is an island.” Lately, we’ve begun to recognize that Merton’s famous observation is equally true of IT systems and that the Internet of Things is – if nothing else – a connector of these many heretofore isolated technology “islands.”
The problem is that, when it comes to defending the Internet of Things, the “island” metaphor works just as well. What I’m referring to are the different islands (the more oft-used metaphor is “silos”) of skills and authority on which the security community, policy and lawmakers, and law enforcement operate. The lack of coherence within this area poses the biggest risk to both the public and private sectors, which will come to rely ever more on Internet of Things systems. We need to recognize that a concerted effort is required to correct this situation as a means of protecting ourselves.
Why? For one thing, the federal statutes that cover computer crime are already badly outdated, notably the Computer Fraud and Abuse Act (CFAA) of 1986. The standards that must be met to apply the CFAA often fail to cover the huge variety of online criminal activity that exists today, compared with 30 years ago, when the law was written. The practical result, for prosecutors, is that a growing body of crimes fall between the cracks of the CFAA, or are treated only sparingly by that law.
A case in point: I recently read a news report about a group of stock traders in the U.S. who were charged with insider trading. They were accused of collaborating with black hat hackers based in Ukraine who instructed the traders on how to steal financial press releases before they were publicized. It gave the traders a leg up on the rest of the market, and they made an estimated $100M.
That’s a pretty straightforward scheme. What’s interesting here is the question that faced prosecutors in charging the suspected black hats based in Ukraine. As it stands, the criminal charges being explored by the U.S. Justice Department won’t meet the standard for insider trading, so there is potential to pursue a wire fraud charge, which has a lower standard for prosecution than insider trading.
Considering that there are no extradition treaties in place with the countries where these potential suspects are believed to reside, the charges will only be window dressing. The Securities and Exchange Commission is filing civil charges, but those don’t apply outside of the U.S. That means that the Ukrainian accomplices of the rogue traders may never see the inside of a U.S. courtroom, unless they decide to visit Disneyland some time in the next couple of decades.
The IoT is only going to make this already confusing picture much more so. For one thing, the IoT’s combination of remotely deployed devices, mobile applications and cloud-based management infrastructure will make today’s tortured questions about jurisdictional borders seem quaint by comparison. And IoT-based crimes introduce the possibility of cyber-kinetic acts that could result in physical or even bodily harm – further challenging a legal system that currently draws a clear line between physical and online crime.
I say this as a way to introduce the idea that we in the security community have a vested interest in making sure the laws that are on the books and that are used to pursue cyber crime are effective and modern. We owe it to our profession and industry to make sure that new laws drafted, presumably, for our benefit are informed and tailored to the problem(s) at hand. Security practitioners, legislators, and law enforcement are all combating the same enemy, but we still move too much in our own bubble environments, separated by a sea of mistrust and misunderstanding. That has to end. If we can collaborate across the technology, policy, and legal fronts, we can put the bad guys on the back foot. If not, we will continue to leave the gates wide open.