IPV6 and Internet of Things: Smart Nation, Smart Hacks and Legal Liability for Cybersecurity breaches
Benjamin Ang
Senior Fellow, Centre of Excellence for National Security
Education Chair, Internet Society Singapore Chapter
Further discussion at www.isoc.sg
Where we come from
CENS
Multinational team of specialists in national and homeland security
Based at NTU’s RSIS, working closely with NSCS and CSA
ISOC.SG
Dedicated to ensuring that the Internet stays open, transparent and defined by you.
Organizing events, Providing education, Engaging policy
Myself
Former Lawyer
Former CIO
Senior Research Fellow in Cybersecurity Law and Policy
IPV6 solves some problems for the Internet of Things
Problem #1
Too many devices: Estimated 10 – 15 billion IOT devices already
Only 4 billion IPV4 addresses, running out
IPV6 has enough addresses
340 undecillion addresses
Problem #2
Devices need to poll (collect data, pass to controller when polled)
All need their own address
IPV6 has enough addresses
340 undecillion addresses
Problem #3
Devices need connectivity and reliability
Small devices = less space for security
IPV6 supports connectivity and reliability
IPV6 has capability for IPSEC, encryption, integrity checking
IOT has risks
Rushing to market = security is not a priority
Manufacturers’ updates are also not a priority
What could go wrong
PDPC fined KBOX $50K
Sony paid US$8 m to settle
$2.5 million ($10,000 / pax) for identity theft losses
$2 million ($1,000 / pax) reimbursing protective measures
$3.5 million legal fees
Types of Legal Liability
Negligence
Breach of Personal Data Protection Act
Breach of Official Secrets Act
Breach of other Regulations
Breach of Contract
Breach of Directors Duties to Company
Liability in Negligence
1. Duty of care
2. Breach of duty
3. Breach causes loss
1. Duty of Care
Could your company foresee that customers / employees would be affected?
I suppose I should care
2. Breach of Duty
Did your company do what any reasonable company would have done?
Your firewall isn’t updated and your password is ‘admin’
Who cares
3. Damage caused
Loss of identity = not much damage
My identity has been stolen from your database!
So what is it worth?
3. Damage caused
Loss of money = more likely to be damage
They used the stolen data to empty out my bank account!
Oops
3. Damage caused
Physical Injury from an IOT hack = REALLY BAD DAMAGE
They caused my smart car to crash, and injured my eyes!
Oh no
Breach of PDPA
1. Reasonable security arrangements to protect personal data to prevent unauthorised access, collection etc
2. Fine up to $1 million
PDPC fined KBOX $50K
“The practice of sending large volumes of members’ personal data via unencrypted email is a vulnerability and an example of how K Box had not sufficiently protected the members’ personal data.” – PDPC
Parents suing Mattel
“Defendants' inherently dangerous product and unlawful and negligent collection, use, and distribution of minors' personal information”
Let’s meet at the park at midnight
Breach of OSA
S5(iv) If a person fails to take reasonable care of the information … that person shall be guilty of an offence
Breach = offence
Fine of up to $2000 and prison up to 2 years
They took official documents and data from your server
Oh no
Breach of Regulations
Monetary Authority of Singapore Technology Risk Management Notice: A bank (etc) shall implement IT controls to protect customer information …
Breach = fines
They took customer data from your banking server
Oh no
Breach of Contract
Express Contract: Service Level Agreements
Implied Contract: Sale of Goods Act
Breach of Implied Contract
IOT Devices are products = Sale of Goods Act creates a contract between buyer and seller
Some pervert took over the Smart Camera in our house – it isn’t fit for purpose!
Oh no
Breach of Directors Duties
Directors owe a fiduciary duty to the company
Breach of Directors Duties
Shareholders can sue the Directors
You haven’t been taking care of our company!
Oh no
What can we do?
Singapore Chapter
Workshops and training
Panel of Lawyers
Build awareness in your Board and Employees
Public Policy issue advocacy
Networking events
Get Involved
Join the Singapore Chapter, or
Attend an Event
– Blockchain Seminar 2016
Ask a Lawyer at www.isoc.sg
This is your Internet. Join it!
Background Information
Centre of Excellence for National Security
Multinational team of research specialists in national security
Working with National Security Coordination Secretariat (NSCS) and Cyber Security Agency (CSA)
CENS Research Programmes
Homeland Defence Programme
• Strategic Communication
• Social Media Analysis
Radicalisation Studies Programme
• Radicalisation of individuals and groups
• Criminology, psychology, sociology, history and political science
Social Resilience Programme
• Multiculturalism, citizenship, class, immigration
• How globalised societies cope with crises such as pandemics and terrorist attacks.
Cybersecurity Programme
• Cyber threats
• Cybercrime
• Smart Cities
• Confidence Building Measures
• Controversies (security vs privacy)
How CENS influences national policy
Publish Commentaries and Briefs
Educate National Security Officials
Organize workshops and seminars to create a community of practice in public and private sectors
Internet Society Mission
To promote the open development, evolution, and use of the Internet for the benefit of all people throughout the world.
Your Membership helps Change the World
Internet Society members achieve change through partnerships and technical expertise.
Your membership to the Internet Society gives you a powerful voice.
90+ Chapters Worldwide
50000+ Individual Members
140+ Organization Members
Public Consultation with MDA on changes to Licensing of Websites
Photo: © Stonehouse Photographic
www.internetsociety.org/wcit
Lodging complaint against law firm representing Dallas Buyers Club in threatening users
Seminars on Charlie Hebdo, Cybersecurity Skills Building, Election Blogging, IOT, and more
World IPv6 Launch
www.WorldIPv6Launch.org