Trade Law Daily is a Warren News publication.
Opening Salvo?

Experts to Propose Some Government Intervention on IoT Cybersecurity

A trio of cybersecurity experts is expected to recommend Wednesday that the federal government consider some form of intervention to fix IoT devices' security in the wake of recent attacks. Level 3 Chief Security Officer Dale Drew and two other experts are set to testify during a joint House Communications Subcommittee/House Commerce Trade Subcommittee hearing on IoT cybersecurity. The hearing will examine how cyberattacks are evolving because of the proliferation of connected devices and how to mitigate future attacks (see 1611090063). The subcommittees sought testimony in part because of the October distributed denial of service attacks against DynDNS (see 1610260067). The panel is set to begin at 10 a.m. in 2175 Rayburn.


Subcommittee members plan in part to examine how the connected devices industry addresses cyber risks when developing new products and how companies assume responsibility for those risks, the subcommittees' Republican staffers said in a joint memo. The Mirai botnet, which was used in executing the DynDNS attacks and other recent major DDoS attacks, has been “able to infect hundreds of thousands of connected devices through automatic scanning of the internet,” the memo said.

Mirai “would search for connected devices with known username and password combinations, then use these weak credentials to take control of the devices,” the memo said. About 100,000 connected devices sent malicious traffic to Dyn during the attacks. Researchers studying affected devices from a pre-Dyn attack involving the Mirai botnet “discovered that, for some devices, the manufacturers had not provided a method for consumers to change the usernames or passwords, and many consumers were unaware that their devices were vulnerable,” the memo said.
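The memo describes Mirai's infection method: scan the internet, try known default username/password combinations, and take over any device that accepts them. From the defender's side, that behaviour leaves a recognisable trace in a device's or gateway's login log: bursts of attempts with factory-default usernames from one source, sometimes ending in a success. The script below is an added example, not code from the article or from the hearing memo; it assumes a constructed log format (`<timestamp> src=<ip> user=<name> result=<ok|fail>`), a constructed set of default usernames, and constructed sample lines.

```python
"""Flag Mirai-style default-credential scanning in device login logs.

Added example (not from the article). The log format, the default-user
set and the sample lines below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammers default accounts and finally
# succeeds; another source logs in normally with a non-default account.
SAMPLE_LOG = """\
2016-10-21T11:00:01 src=198.51.100.7 user=root result=fail
2016-10-21T11:00:02 src=198.51.100.7 user=admin result=fail
2016-10-21T11:00:03 src=198.51.100.7 user=root result=fail
2016-10-21T11:00:04 src=198.51.100.7 user=admin result=ok
2016-10-21T11:05:00 src=203.0.113.5 user=operator result=ok
2016-10-21T11:06:00 src=203.0.113.5 user=operator result=fail
"""

# Constructed set of account names that commonly ship as factory defaults.
# In practice this comes from the device vendor's documentation.
DEFAULT_USERS = {"root", "admin"}


def parse_line(line):
    """Parse one '<ts> key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts),
        "src": fields["src"],
        "user": fields["user"],
        "ok": fields["result"] == "ok",
    }


def detect_credential_scans(log_text, window=timedelta(seconds=60), threshold=3):
    """Return one alert per source that made >= `threshold` login attempts
    with default usernames inside any `window`-long span. Each alert notes
    whether any of that source's default-account attempts succeeded, which
    is the case a responder has to treat as a probable compromise."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]

    by_src = defaultdict(list)
    for ev in events:
        if ev["user"] in DEFAULT_USERS:
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "src": src,
                    "attempts": len(evs),
                    "succeeded": any(e["ok"] for e in evs),
                    "first": evs[0]["ts"].isoformat(),
                    "last": evs[-1]["ts"].isoformat(),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_scans(SAMPLE_LOG):
        status = "COMPROMISED" if alert["succeeded"] else "probing"
        print(f"{alert['src']}: {alert['attempts']} default-account attempts "
              f"({status}) between {alert['first']} and {alert['last']}")
```

Run on the constructed sample, the script reports a single alert for `198.51.100.7` with four default-account attempts and a successful login, while the `operator` logins from `203.0.113.5` produce nothing. The `threshold` and `window` parameters are the tuning knobs: a device that legitimately has no `admin` logins at all can run with a threshold of 1, which also surfaces the quieter, slower scans that a burst rule misses.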

Level 3's Drew is expected to recommend that the government “provide appropriate guidance” on IoT cybersecurity. Bad actors “are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated and they know there are no endpoint protection capabilities” on connected devices, Drew said in prepared testimony. The current “lack of any security standards for IoT devices is certainly part of the problem that ought to be addressed.” Device manufacturers and vendors “should embrace and abide by additional security practices to prevent harm to users and the internet,” Drew said.

“Like pollution, the only solution [to address IoT cyber risks] is to regulate,” says IBM subsidiary Resilient Chief Technology Officer Bruce Schneier. The federal government “could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care,” he says. “They could impose liabilities on manufacturers, allowing companies like Dyn to sue them if their devices are used in DDoS attacks.” Either of those options “would raise the cost of insecurity and give companies incentives to spend money making their devices secure,” Schneier says. The federal government needs to “resist the urge to weaken the security of any computing devices” at the FBI's request, since weakening devices' encryption “will make these attacks easier and more damaging.” U.S. regulations won't affect devices manufactured and proliferated internationally, but strong IoT cybersecurity regulations in the U.S. and other major markets will force manufacturers “to upgrade their security if they want to sell to those markets,” Schneier will testify.

The federal government should consider creating an “independent, national embedded cybersecurity testing facility” modeled after the Nevada National Security Site, the National Transportation Safety Board or car crash safety tests, said University of Michigan security researcher Kevin Fu in prepared testimony. Neither the federal government nor the private sector currently has “the capability to safely conduct thorough testing and assessment on IoT devices,” Fu will say. The costs of such a facility would easily exceed $1 billion, but would be much cheaper than having individual entities set up individualized testing facilities, Fu said. The federal government should direct the National Institute of Standards and Technology, the National Science Foundation and other support agencies to “advance our understanding” of IoT cybersecurity, Fu says. The government should also incentivize basic cyber hygiene practices and protocols for connected devices, he will testify.

The hearing is likely to be an “opening salvo” in Congress' expected 2017 scrutiny of IoT cybersecurity, a tech sector executive said in an interview. The DynDNS attacks have generated significant congressional interest in recent weeks, which some lobbyists told us could presage a significant examination of the cybersecurity of connected devices (see 1610260067). House Commerce has made a strong first move in leading such an examination by scheduling the Wednesday hearing, but other committees could feasibly claim jurisdiction over IoT cybersecurity given connected devices' proliferation throughout many industries, the tech lobbyist told us. It might make sense for both houses to establish separate select committees on IoT, though such a proposal likely would incur the same level of resistance as proposals to create a unified cybersecurity committee have encountered in recent years, the lobbyist said.