Political inertia puts U.S. IoT security reform on hold

Security experts' recent pleas to Congress for regulations in support of IoT security standards fell on deaf ears.
Written by Chris Kanaracus, Contributor


The mounting number of high-profile hacks related to IoT (Internet of Things) devices should give anyone cause for concern. A big reason the hacks are occurring has to do with a lack of proper security standards for IoT devices -- which a number of prominent experts recently told Congress should be enacted by the government and not the tech industry.

Members of the House Energy and Commerce Committee met to discuss last month's DDoS attack on DNS provider Dyn (which has just been acquired by Oracle) and heard from security experts such as Bruce Schneier.

In prepared remarks, he urged lawmakers to take immediate regulatory actions:

There is no way to patch the CCTV cameras and DVRs that are being exploited, and those devices will remain on the Internet for years if not decades. They'll remain in use because of an additional market failure: neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don't care. They wanted a webcam -- or thermostat, or refrigerator -- with nice features at a good price.

Even after they were recruited into this botnet, they still work fine -- you can't even tell they were used in the attack. The sellers of those devices don't care: They've already moved on to selling newer and better models. There is no market solution because the insecurity primarily affects other people. It's a form of invisible pollution. And, like pollution, the only solution is to regulate.

The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing companies like Dyn to sue them if their devices are used in DDoS attacks. The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure.

But as the Register reports, Schneier's words seemed to fall on deaf ears, or at least ones reluctant to expend political capital on IoT security:

Michael Burgess (R-TX) stressed in his opening remarks that the answer to the security issues was in developing "best practices," and government's role was to elicit a "meaningful response from industry."

Bob Latta (R-OH) noted that there needed to be "IoT security guidelines to keep pace with rapidly evolving technologies," but stressed there was a "delicate balance between oversight and regulatory flexibility" and that it should fall on industry to develop best practices that would "not hinder innovation."

Even Democrats steered clear from suggesting that the government take a direct role in the situation. Anna Eshoo (D-CA) noted that the IoT security problem was a "global issue" and noted that "little more than a quarter" of the devices that were involved in the recent attacks were located in the US, while the products "most vulnerable" were based in China. The implication was obvious: what's the point in legislating when China is the real problem?

Analysis: There's No Way to Pass the IoT Security Buck

"The Internet is a commons and we all need to be part of that," says Constellation Research VP and principal analyst Steve Wilson. "To remind users to keep their own computers patched is a relegation of duties by tech companies. Some of the things that need patching aren't even computers anymore. Getting people to think about toasters as if they're computers is just abhorrent. These things have to be safe out of the box."

Moreover, "we absolutely know product safety can't be left to market forces," Wilson adds. "It's a thing that needs to be mandated because we know companies won't do the right thing if we leave them alone. What we really need is a Ralph Nader of the Internet."

The DDoS attack on Dyn's infrastructure caused outages at some major websites, including Amazon and Twitter. While nobody got physically hurt, it's a matter of time before the twin forces of criminal intent and shoddy IoT device security collide in a way that does cause physical harm, Wilson says. "We have to hold [IoT device makers'] feet to the fire," he says. Moreover, "if we're going to make software quality fit to purpose it will have an impact on development lifecycles and costs," he adds. "We need to face up to that."

Part of the reason for Congress members' inertia during last week's meeting can be attributed to the unknowns surrounding policy decisions by the incoming Donald Trump administration. Also, outgoing President Barack Obama recently appointed the country's first federal chief information security officer, Gregory Touhill, who could drive a more aggressive posture toward IoT security, assuming he's given that mandate from Trump. With untold millions more IoT-enabled consumer devices sure to be lit up during the holiday season, the security threat level will only get higher.

Constellation Insights is a subscription-based online news service by Constellation Research. Insights analyzes major industry announcements and developments impacting startups and global enterprises.
