IPV6 and Internet of Things: Smart Nation, Smart Hacks and Legal Liability for Cybersecurity breaches

Benjamin Ang

Senior Fellow, Centre of Excellence for National Security

Education Chair, Internet Society Singapore Chapter

Further discussion at www.isoc.sg

Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Page 2: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Where we come from

CENS

Multinational team of specialists in national and homeland security

Based at NTU’s RSIS, working closely with NSCS and CSA

ISOC.SG

Dedicated to ensuring that the Internet stays open, transparent and defined by you.

Organizing events, providing education, engaging policy

Myself

Former Lawyer

Former CIO

Senior Research Fellow in Cybersecurity Law and Policy

Page 3: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

IPV6 solves some problems for the Internet of Things

Page 4: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Problem #1

Too many devices:

Estimated 10 – 15 billion IOT devices already

Only 4 billion IPV4 addresses, running out

IPV6 has enough addresses

340 undecillion addresses

Page 5: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Problem #2

Devices need to poll (collect data, pass to controller when polled)

All need their own address

IPV6 has enough addresses

340 undecillion addresses

Page 6: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Problem #3

Devices need connectivity and reliability

Small devices = less space for security

IPV6 supports connectivity and reliability

IPV6 has capability for IPSEC, encryption, integrity checking

Page 7: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

IOT has risks

Page 8: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Rushing to market = security is not a priority

Manufacturers’ updates are also not a priority

Page 9: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

What could go wrong

Page 10: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

PDPC fined KBOX $50K

Page 11: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Sony paid US$8 m to settle

$2.5 million ($10,000 / pax) for identity theft losses

$2 million ($1,000 / pax) reimbursing protective measures

$3.5 million legal fees

Page 12: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Types of Legal Liability

Negligence

Breach of Personal Data Protection Act

Breach of Official Secrets Act

Breach of other Regulations

Breach of Contract

Breach of Directors Duties to Company

Page 13: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Liability in Negligence

1. Duty of care

2. Breach of duty

3. Breach causes loss

Negligence

Personal Data Protection Act

Official Secrets Act

Breach of other Regulations

Breach of Contract

Directors Duties to Company

Page 14: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

1. Duty of Care

Could your company foresee that customers / employees would be affected?

I suppose I should care

Page 15: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

2. Breach of Duty

Did your company do what any reasonable company would have done?

Your firewall isn’t updated and your password is ‘admin’

Who cares

Page 16: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

3. Damage caused

Loss of identity = not much damage

My identity has been stolen from your database!

So what is it worth?

Page 17: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

3. Damage caused

Loss of money = more likely to be damage

They used the stolen data to empty out my bank account!

Oops

Page 18: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

3. Damage caused

Physical Injury from an IOT hack = REALLY BAD DAMAGE

They caused my smart car to crash, and injured my eyes!

Oh no

Page 19: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Breach of PDPA

1. Reasonable security arrangements to protect personal data to prevent unauthorised access, collection etc

2. Fine up to $1 million

Page 20: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

PDPC fined KBOX $50K

“The practice of sending large volumes of members’ personal data via unencrypted email is a vulnerability and an example of how K Box had not sufficiently protected the members’ personal data.” – PDPC

Page 21: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Parents suing Mattel

“Defendants' inherently dangerous product and unlawful and negligent collection, use, and distribution of minors' personal information”

Let’s meet at the park at midnight

Page 22: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Breach of OSA

S5(iv) If a person fails to take reasonable care of the information … that person shall be guilty of an offence

Page 23: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Breach = offence

Fine of up to $2000 and prison up to 2 years

They took official documents and data from your server

Oh no

Page 24: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Breach of Regulations

Monetary Authority of Singapore Technology Risk Management Notice: A bank (etc) shall implement IT controls to protect customer information …

Page 25: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Breach = fines

They took customer data from your banking server

Oh no

Page 26: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Breach of Contract

Express Contract: Service Level Agreements

Implied Contract: Sale of Goods Act

Page 27: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Breach of Implied Contract

IOT Devices are products = Sale of Goods Act creates a contract between buyer and seller

Some pervert took over the Smart Camera in our house – it isn’t fit for purpose!

Oh no

Page 28: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Breach of Directors Duties

Directors owe a fiduciary duty to the company

Page 29: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Breach of Directors Duties

Shareholders can sue the Directors

You haven’t been taking care of our company!

Oh no

Page 30: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

What can we do?

Page 31: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Singapore Chapter

Workshops and training

Panel of Lawyers

Build awareness in your Board and Employees

Public Policy issue advocacy

Networking events

Page 32: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Get Involved

Join the Singapore Chapter, or

Attend an Event

– Blockchain Seminar 2016

Ask a Lawyer at www.isoc.sg

This is your Internet. Join it!

Page 33: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Background Information

Page 34: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Centre of Excellence for National Security

Multinational team of research specialists in national security

Working with National Security Coordination Secretariat (NSCS) and Cyber Security Agency (CSA)

Page 35: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

CENS Research Programmes

Homeland Defence Programme

• Strategic Communication

• Social Media Analysis

Radicalisation Studies Programme

• Radicalisation of individuals and groups

• Criminology, psychology, sociology, history and political science

Social Resilience Programme

• Multiculturalism, citizenship, class, immigration

• How globalised societies cope with crises such as pandemics and terrorist attacks.

Cybersecurity Programme

• Cyber threats

• Cybercrime

• Smart Cities

• Confidence Building Measures

• Controversies (security vs privacy)

Page 36: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

How CENS influences national policy

Publish Commentaries and Briefs

Educate National Security Officials

Organize workshops and seminars to create a community of practice in public and private sectors

Page 37: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Internet Society Mission

To promote the open development, evolution, and use of the Internet for the benefit of all people throughout the world.

Page 38: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Your Membership helps Change the World

Internet Society members achieve change through partnerships and technical expertise.

90+ Chapters Worldwide

Your membership to the Internet Society gives you a powerful voice.

50000+ Individual Members

140+ Organization Members

Page 39: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Public Consultation with MDA on changes to Licensing of Websites

Photo: © Stonehouse Photographic

www.internetsociety.org/wcit

Page 40: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Lodging complaint against law firm representing Dallas Buyers Club in threatening users

Page 41: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

Seminars on Charlie Hebdo, Cybersecurity Skills Building, Election Blogging, IOT, and more

Page 42: Smart Nation, smart hacks and legal liability for cybersecurity breaches in the Internet of things

World IPv6 Launch

www.WorldIPv6Launch.org