Now, there are a number of legal,
many, I want to say infinitesimal.
There are so many different potential regulatory structures
that are going to limit, for example,
an insurance company's ability to get into a medical device or really anybody,
as long as we're talking about here in the US.
For example, the Computer Fraud and Abuse Act which is generally
an extremely overbroad and poorly applied piece of law.
It prohibits as a criminal matter,
but also creates a civil cause of action for the unauthorized access of a computer,
and that would include potentially a medical device.
I think you could construct pretty easily
a criminal case using this extremely broad law to say that somebody who gained access to
a medical device here in the US has violated the CFAA and
has committed a crime or the person who was harmed could file a civil action.
The scenario that scares me,
it's not to say that there isn't
much more work to be done on the regulatory front here in the US,
but there are already a number of laws that
regulate unauthorized access of medical devices here in the US.
The scenarios that really bother me, that really scare me,
that seem tricky are the scenarios that involve
non-foreign actors or crossing one border and entering into another state.
Because as you probably know from following the debates over NSA surveillance,
there a large and pretty robust set of
protections to limit the way the NSA spies on Americans here in the US.
There are incidental collections of Americans data which are worrying,
but pretty robust legal protections here in the US,
almost as robust as any in the world,
and there are almost zero protections for non-Americans, right?
The NSA is deploying its full powers
to collect information about pretty much everybody outside the US.
Every other state is doing the same thing,
collecting information about non-citizens.
That means there are a 193 countries,
you've got 192 states that wire information potentially
or want to use you as a vector for achieving some state goal.
You didn't used to be really much of
a factor when you were just a person who had a suitcase.
But now, if you have a phone and a laptop and maybe a pacemaker,
you have these tools that would potentially allow a state
to use you as a way to gain access to an American network.
Whether it's your corporate network, your university network,
or some computer network.
It's not just a problem because there are no current laws on
the books when it comes to international cooperation regarding hacking,
it's that I don't see a process.
I don't see a clear path forward in terms of building an international framework.
It's easy to say,
"Of course what we need, this is an international problem,
that the Internet in its best,
in its highest form is seen as an international network".
Of course, its very domesticated now.
There are very different Internets in each state and states are
very jealous of their territory and the way that the Internet behaves on their territory,
and that's an important battle that's playing out and it will play out,
I think with medical devices as well.
But, my fear is that it would be great if
we could come up with an international treaty that resolves some of these questions,
potentially provide international rights of privacy that
could be applied to what a state might do to one's computers,
one's medical devices, one's body.
We're so far apart in terms of the major players that I don't see
the prospect of a meaningful international treaty on cyber security issues.
I think you could get a treaty that's good between not many states,
or you could get a treaty with lots of states that's not very good.
And of course, what we need is a treaty that's good with lots of states.
Lauren SolbergAssistant Professor
