Cybersecurity Effectiveness Podcast

IJay Palansky

"Within two or three years, there is going to be a big wave of IoT cybersecurity-related litigation. I think it's inevitable. Despite the fact that there hasn't been a lot of it up until now, this is going to be a huge growth area in terms of litigation throughout the country and anyone in the IoT space who isn't taking that into account when they're making their decisions about cybersecurity is in for a rude awakening these next few years."

IJay Palansky is a pioneer in IoT litigation. A partner at the law firm Armstrong Teasdale, IJay focuses on litigation and trial of large, complex commercial cases, including consumer class actions and product liability cases.

Brian Contos:

Welcome to the Cybersecurity Effectiveness Podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host, Brian Contos, and we've got a really special guest today. Joining me is IJay Palansky. Welcome to the podcast, IJay.

IJay Palansky:

Thanks, Brian. Thanks for having me on.

Brian Contos:

You know, IJay, we met earlier in 2018 at Black Hat and we were both speakers – speaking on different topics – but we were in the speaker ready room and I found our conversation to be extremely interesting and I went to hear your presentation, and I thought, "Wow, this would be a really great topic for our podcast." So, I'm so glad you could join us today. If you could start off, maybe just give folks a little bit of background on who you are and what you do?

IJay Palansky:

Sure, so I'm a little bit of a creature of a different color when it comes to the cybersecurity community. I'm actually a lawyer and I'm a litigator, trial litigator, and frankly, three and a half years ago, I knew virtually nothing about cybersecurity. And then I became the lead counsel for the federal class action litigation that followed on from the pretty well-known Jeep hack that Charlie Miller and Chris Valasek did back in 2015 that was featured in Wired Magazine and the evening news. Since then, I've sort of had a crash course in cybersecurity and that led to me speaking at Black Hat earlier this year.

IJay Palansky:

So, it's been a really interesting journey and I think I come to this field with a bit of a different perspective and it's been nice to see that despite the fact that I definitely don't have the hacker or engineering credentials of most of your listeners, I'm hopefully adding something to the conversation in particular with respect to policy issues and I think it also gives a little bit of ammunition to CISOs and others in the cybersecurity departments of organizations to let the people who are making the decisions about budget know that it's really important to pay a lot of attention to this, because if you don't, there could be trouble coming down the pipe.

Brian Contos:

Yeah, absolutely. I'm a big fan of having people from disparate backgrounds share their ideas and perspectives. I just think we need more of that in the security industry overall, so I think our listeners will really appreciate that. As I mentioned earlier, I got to meet you and hear you at Black Hat 2018. You had some pretty definitive predictions as it relates to IoT – specifically, IoT litigation in the near future. So, tell our audience a little bit about that if you will.

IJay Palansky:

Sure. The bottom-line prediction is that I think that within two or three years, there is going to be a big wave of IoT cybersecurity-related litigation. I think it's inevitable. If we back up a little bit from there, if you take my Jeep hack case, for example, it's really, as far as I know, the first of its kind in terms of focusing on IoT cybersecurity hacking and vulnerabilities. But I'm happy to go into this in more detail. I think there are all kinds of reasons why, despite the fact that there hasn't been a lot of this litigation up until now, going forward, this is going to be a huge growth area in terms of litigation throughout the country and anyone in the IoT space who isn't taking that into account when they're making their decisions about what level of cybersecurity or what types of cybersecurity to design into their IoT products. They're in for a rude awakening when this litigation really starts up and I think that's going to happen in the next few years.

Brian Contos:

So, why do you think that is? I hear a lot of people talking about IoT and security and there could potentially be issues. Coming from this, you have a very different perspective than somebody that's hands on keyboard, trying to engineer these, why? Why do you think IoT security is such a likely target for litigation?

IJay Palansky:

Sure, well, I mean, I think it's sort of a confluence of a whole bunch of different factors. Many of them, you and your audience [are] going to be very familiar with. My sense is that for most IoT products, cybersecurity just is not properly designed and certainly there are exceptions, but for all kinds of different reasons, market-related reasons and perceived ROI reasons – and that's probably something to get back to as we progress through this discussion – but IoT manufacturers are trying to get their products out, the latest whizzbang technology, consumer-friendly. Everybody loves a gadget and cybersecurity design tends to be an afterthought.

IJay Palansky:

What that has led to is under-investment in cybersecurity and that means that a lot of these devices are really vulnerable and that in turn is going to mean that there are probably going to be a lot of hacks going forward. There have been some big ones already, but to have a lawsuit, you need a couple of things at least. Not only a hack or a severe vulnerability, but you need to have usually harm that can be identified and attribution. And there just haven't been a lot of really good candidates when it comes to larger IoT-related hacks and vulnerabilities that have those criteria.

IJay Palansky:

What's going to happen, though, because IoT products are exploding everywhere... I mean, the estimates are all over the place, but I've seen estimates north of 20 billion IoT devices by 2020 and if they don't have good cybersecurity, you're gonna have hacks, you're gonna have harm. You have the distinct possibility of cyber physical impacts and you've got an actual person who's been injured because of a hack, you can almost guarantee there's going to be a lawsuit and what that means is that although up until now plaintiff's lawyers have shied away a little bit from this field because it's complicated, they're not sure of the technology, the ground rules in terms of just the way that the law is going to be applied are not clear.

IJay Palansky:

And if you're a plaintiff's lawyer, and you take on a case on a contingent fee basis, you're looking at every case as an investment and all of those uncertainties and risks make these types of cases a little bit less attractive. But as these cases start to happen more often, as they percolate through the legal system, plaintiff's lawyers are going to become more comfortable with them and all of a sudden, we're very quickly going to reach a tipping point where any hint that there's a serious cybersecurity problem with a product, we're not talking about just any vulnerability, there are always vulnerabilities, but serious problems or hacks that cause injury, those are going to lead to lawsuits and those lawsuits are going to be particularly complex and risky for anybody who's involved.

Brian Contos:

So, your perspective is really, look, there hasn't been a lot yet, up to 2018, there hasn't been a lot of cases, but you think that's going to change in the near future, and do you feel it's just we're moving so quickly, there's so many new IoT solutions coming out, people are embracing them, whether it's at work or at home or a combination for automobiles, for home security, it's just like you said – I think 20 billion, right? So, is it just the sheer volume that you think is going to cause this to hit that tipping point?

IJay Palansky:

No, I don't think it is, actually. It's not just a question of volume, but when you have problems... If you had a relatively simple equation, which is all a lawyer like me is capable of handling in terms of math, if you've got certain inherent problems and you've got a larger sample, there are more likely to be instances that are good candidates for lawsuits. But really, the underlying problem seems to be, like I said, because of the ROI calculus that a lot of firms go through, when they're making decisions about functionality and where to invest their dollars and time, what seems to be happening is too many people in organizations in the IoT supply chain are valuing other priorities ahead of cybersecurity.

IJay Palansky:

And the answer to all of these, at least right now, I mean if you get sued, there are certain things you need to do, like hire a good lawyer and take some other steps, but really the answer first and foremost is just responsible sound cybersecurity design and engineering. And unfortunately, what I'm hearing more and more often is that what rules the day ultimately is ROI, return on investment, and I believe, from the perspective of a lawyer, that the organizations that are making that calculus are not basing it on accurate information. They don't properly understand the risks associated with future litigation.

IJay Palansky:

If they're valuing those too low, they are placing a high enough value on those, when their ROI calculus, they're going to make the wrong decision in terms of where to design that cybersecurity, what level of cybersecurity, what type of cybersecurity to get. So, really, I think ultimately what we're talking about here is a failure to properly appreciate what the risk is and that's translating just into a level of cybersecurity design in IoT products that by and large doesn't hit the mark.

Brian Contos:

Well, let's talk a little bit about the defendants themselves. Is there an aspect of IoT litigation, maybe it's one thing, maybe it's 20 things, but that makes them particularly risky for defendants?

IJay Palansky:

Yeah, I mean, I think that there really are and this is one of those things that I think causes the underinvestment and the failure to appreciate the risks. I think I'd focus on two or three things. First of all, it's not just a question of litigation. If something goes wrong with your product, and it doesn't need to be you as the manufacturer, as the retailer. If you're involved with the product, an IoT product, and something goes wrong, there's a big hack, you've got all kinds of other concerns beyond just litigation. Reputational concerns, concerns relating to the costs of litigation itself, even if you didn't do anything wrong. All of that needs to be taken into account.

IJay Palansky:

Second of all, the supply side ecosystem for even simple IoT products is incredibly complex. What that means is that in all likelihood, if there's an IoT product that gets hacked and causes an injury that leads to a lawsuit, anybody associated with the cybersecurity for that product is going to get hauled into court and that's a complex and potentially dangerous dynamic, because what ends up happening is that all the defendants end up kind of pointing the finger at each other, saying, "Listen, I didn't do anything wrong, it was that guy over there or this guy over here."

IJay Palansky:

It can be a component manufacturer, it can be somebody that did the testing on the product that missed something that was glaring, it could have even, in certain circumstances, be the people that design software. And so you're going to end up with very complex litigations when these things happen. To me, the biggest one is if you think about it, ultimately, no matter what the claim is, no matter what sort of happened, the plaintiff is going to have to prove that the IoT product didn't meet the right standard of care, and that's a legal term. It can mean different things under different circumstances, but it basically means you need it to design sound, responsible cybersecurity.

IJay Palansky:

But how is that determined, right? There are very few standards for any of this stuff, and in a court of law, what's going to end up happening is it's going to be the jury that decides. What I said at Black Hat was, you know, sitting here in a room full of the leading experts in the world on cybersecurity and I bet if we got 12 of you in a room together, to decide what the right level of cybersecurity was for a particular device, there's no way you would agree.

IJay Palansky:

Now, imagine that it's not a room full of experts, it's 12 people off the street in the form of jurors who know nothing about cybersecurity and it's your company's future and viability that's at stake and those are the people who have to decide what the right level of cybersecurity was that you should've designed into your product. Now, they may get it right, that's the job of the lawyer, to explain to them what the right level of cybersecurity is and whether the product met that level, but because of sort of the new nature of it and the technical aspects of it, there's much more significant risk that they're going to get it wrong, and I wouldn't want to have my fate in the hands of 12 jurors who may or may not hit the mark.

IJay Palansky:

So what should be happening, I believe, is that if anything, anyone in the IoT supply chain should be designing in a margin for error, making sure that they've not only hit the mark for cybersecurity, but actually surpassed it a little bit, so that if anything goes wrong, they can stand up in a court of law, or the court of public opinion and confidently say, "Listen, we did this right. We were responsible, we took care." If you can't do that, things could end up really badly.

Brian Contos:

Yeah, as soon as you started saying finger pointing, my mind automatically went to the supply chain, 'cause it's not me, it's the 50 other people that we work with, right? That's how it goes. When you were at Black Hat and you gave this talk in 2018, and anybody that's been to Black Hat knows that after the talks there's a mad rush on stage and people want to ask you more questions and drill deeper into topics. How did that audience feel about this? Was there, "Yeah, yeah, we get it." Or, "We don't think this is a big deal." Or, "We think certain areas need to be focused on more than others." What was sort of the consensus of the Black Hat audience?

IJay Palansky:

Yeah, you know, it was really nice. That was the first cybersecurity conference I had ever attended, let alone spoken at, and I had no idea how my talk was going to be received and what I found was that in particular where almost all the talks are highly technical, I think that people were very receptive to what I had to say. It was a different viewpoint and I think it corresponded well with what really the community at large believes. The more that I talk to people, the more people are trying to figure out how to overcome some of the natural market incentives that may push organizations toward having less cybersecurity, or rushing products out the door.

IJay Palansky:

So, the message that I was delivering and from the perspective that I was delivering it, I think resonated with pretty much everybody. So, it's really been nice to see the response that I've gotten and getting the opportunity to speak on blogs like this one has been one of the nice side effects of being one of the first people to be in a position to talk about these things.

Brian Contos:

Yeah, very exciting. And talk about being thrown into the deep end for your first talk. Hey, welcome to Black Hat. That's fantastic. So, IJay, as we sort of wrap things up here, we have a question that we love to ask everybody that's on the show and that's who is your favorite superhero or super villain and why?

IJay Palansky:

I'm going with the new Philadelphia Flyers mascot, Gritty. For those of you who know who he is, you'll understand what I'm talking about and for those of you who don't, YouTube "Gritty and the Phillie Phanatic" and you'll pull up a video that will haunt your nightmares. So, I'm going to go with super villain, since I'm not a Philadelphia sports fan. But that's my answer for you. He's terrifying on any number of levels.

Brian Contos:

I love it, I love it. And then of course, if anyone has a fear of massive orange beards, you might not want to take a look at that one. Well, thanks, IJay and thanks to all our listeners for joining and be sure to check out other Cybersecurity Effectiveness Podcasts, sponsored by Verodin.
