Confronting the dangers posed by the Internet of Things – as demonstrated by the Oct. 21 Mirai DDoS attack – members of the House of Representatives' Energy and Commerce Committee held a hearing on Wednesday that examined the feasibility of regulating IoT devices.
Speaking before the Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade, experts testified that IoT device manufacturers generally lack the financial incentive to secure their products while device consumers lack the motivation to practice responsible cyber hygiene with said products.
“The market really can't fix this. The buyer and seller don't care,” testified Bruce Schneier, a computer security expert and fellow at Harvard University's Berkman Klein Center for Internet & Society. “I argue that government has to get involved, that this is a market failure and what I need are some good regulations.”
Schneier predicted that the U.S. might even need to create a brand new agency to manage IoT technology because it represents a singular, unprecedented threat covering an unwieldy range of computerized devices, including cameras and electronics, smart home devices, automobiles and more.
“When it didn't matter – when it was Facebook, when it was Twitter, when it was email, it was okay to let programmers [have] the special right to code the world as they saw fit,” said Schneier, noting that he's generally not a proponent of regulation. “But now that it's the ‘World of Dangerous Things' – that it's cars and planes and medical devices and everything else – maybe we can't do that anymore.”
Dr. Kevin Fu, CEO of healthcare cybersecurity managed services firm Virta Labs, told Congress he believes some form of governmental mandate is inevitable because there are no economic drivers compelling manufacturers to take the matter upon themselves.
“We are in this sorry and deteriorating state because there is almost no cost to a manufacturer for deploying products with poor cybersecurity to consumers,” testified Fu, also an associate professor at the University of Michigan's Department of Electrical Engineering and Computer Science. “Also, there's no benefit if they deploy something with good security,” he added later.
“It all comes down to accountability, whether that be economic accountability or liability,” Fu stated.
Rep. Greg Walden (R-Ore.) expressed a certain reluctance to enact legislation or regulation, expressing concern that such actions could lock ineffective policies into statute, allocate resources unwisely, or stymie innovation. “…While I'm not taking a certain level of regulation off the table, the question is whether we need a more holistic approach,” said Walden, chairman of the Subcommittee on Communications and Technology.
“The United States cannot regulate the world,” Walden added. “Standards applied to American-designed, American-manufactured, American-sold devices won't necessary capture the millions of devices purchased by the billions of people around the world, so the vulnerabilities might remain.”
But Schneier argued that even U.S.-only regulation would inevitably force worldwide change because it wouldn't be practical for global manufacturers to make different versions of devices that meet various national standards. “Companies will make one software and sell it everywhere, just like automobile emissions-control laws in California affect the rest of the country,” said Schneier.
Schneier did agree, however that implementing regulations carelessly or improperly could curtail technological progress.
On the other hand, “a well designed cybersecurity framework will actually promote innovation,” according to Fu. The key, he added, is to use regulations to enforce the implementation of longstanding cybersecurity principles, but not specific technologies or mechanisms, which can quickly change and become outdated.
“It will be very difficult to build in security if we don't have these principles set in place, and it needs to have buy-in from industry. It needs to have government leadership as well,” said Fu. “But it's all about setting those principles, many of which are already known for over 30 years in the cybersecurity community.”
In his testimony, Dale Drew, SVP and CSO at telecom and ISP firm Level 3 Communications, said that before the U.S. imposes regulation, a good place to start “would be to define a set of standards for manufacturers to meet pre-market for security.” Currently, too much attention is placed on how these devices should be operated, as opposed to how manufacturers can make them secure in the first place, he opined. To the extent that such standards can apply pressure globally on device-makers, “I think that we can get some traction and some momentum before we have to start regulating.”
In the meantime, Rep. Jan Schakowsky (D-Ill.) called on existing watchdog agencies including the FTC to play a more active, leading role in holding companies accountable for inadequate cybersecurity protections.
“Given the nature of cyberattacks, we cannot count on IoT manufacturers to do the right thing on their own,” said Schakowsky, ranking member of the Subcommittee on Commerce, Manufacturing and Trade. “They have little financial incentive to improve security and their customers may not even realize when their devices are being used to harm others.”
The threat of DDoS attacks, especially those caused by hijacked IoT devices, is growing rapidly year over year. According to Akamai Technologies' latest quarterly State of the Internet/Security Report – released last Tuesday – the total number of DDoS attacks in Q3 2016 increased by 71 percent, compared to the same period last year. Moreover, attacks featuring bandwidths of greater than 100 Gbps increased by 138 percent.
According to Drew's testimony, approximately 2 million IoT devices were at one point affected by the Mirai botnet malware or its predecessor Bashlite – only a fraction of which (100,000, according to Dyn) were used in the Oct. 21 DDoS attack that barraged Domain Name System service provider Dyn with malicious traffic, in turn disabling numerous major websites.
“The Internet as a whole has taken steps to neuter portions of [the threat], but it's still a 1.5, 1.6 million-strong-node botnet,” said Drew to Congress. “The saving grace we've had so far is that no one's been able to afford to rent all 1.7 million nodes. They've been renting them at 80 to 150 thousand nodes at a time. Our biggest fear is that another adversary sees the power of this total force and begins to adopt attacks that follow a similar nature.”