Ever hear of the term “attack surface area” in cybersecurity? It is a concept from cyberattack defense in depth.

It refers to the exposure created by all the communications paths and devices connected to our networks and, more recently, by devices that connect through intermediary systems and equipment that in turn connect to our networks, including the Internet. As the number of connections increases, so does our risk of being successfully attacked.

All the emerging technologies like the Internet of Things (IoT), self-driving vehicles, advanced robotics, artificial intelligence and more will dramatically increase the cyberattack surface area of organizations, all of which must be protected. While that is a big challenge, there is another related issue that just popped up in conversations and deserves some thought. Some are beginning to believe that the victims of DDoS cyberattacks may begin to routinely bring legal action against the owners and equipment vendors of the compromised systems and devices used to generate the DDoS traffic that disrupted their systems. The conversation quickly moved to the fact that much of this equipment and many of these devices do not come with cybersecurity built in and do not easily allow it to be added after the fact.

The initial conversation evolved into an interesting topic that is deeply concerning on many levels. What will the legal implications be when some of these vulnerable devices used in transportation, medical facilities, or home healthcare become compromised and contribute to the death of an individual or individuals?

I asked Benjamin Wright, Attorney and SANS Institute Instructor, about this issue and he said, “I think the risk that a chief security officer or chief information security officer would be criminally charged for some kind of failure is a real long shot. Those are mid-level corporate officers who report to higher executives. Holding mid-level corporate officers criminally accountable for actions by their corporations is exceedingly rare. To charge them criminally, the prosecutor has to possess a tremendous amount of evidence showing direct intent to do something wrong.” He also explained more generally, “As technology changes, the possibility for new kinds of lawsuits grows. The history of technology law is filled with new kinds of lawsuits and new liability as unexpected things happen when the new technology is implemented. Vendors who sell new kinds of technology such as the Internet of Things always face some kind of legal risk. That's just the nature of our society.” He added: “Yes. I do believe lawsuits like those that you describe could motivate orgs and vendors to be more proactive with security.”

CSOs and CISOs are becoming primary targets of post-breach litigation. Just look at all the legal actions surrounding the huge data breach at the Federal Office of Personnel Management (OPM). There have been, and still are, a number of causes of action surrounding this incident. Most of them seek to hold the organization and individuals accountable for negligence, privacy violations and multiple other causes of action. These legal actions will likely set precedents for litigation against CIOs, CSOs and CISOs in future cyberattacks and data breaches. Now for the million dollar question: could claims of negligence with respect to cybersecurity shortcomings bring criminal charges against CIOs, CSOs and CISOs? They are certainly facing civil actions, but criminal charges would be a far more serious risk. Will all of this lead to organizations and vendors becoming more proactive about cybersecurity and building defenses in? Who knows, but let’s hope so. Perhaps the best thing to do is to speak with a lawyer about how professionally liable we might be if the systems we were hired to protect get compromised, and, as always, keep accurate and timely records of all documents.