DDoS attacks raise questions from lawmakers

Lawmakers want answers from government officials and the private sector on how a distributed denial-of-service attack crippled leading websites last week.


In the wake of last week's distributed denial-of-service attack that crippled high-profile websites by attacking underlying infrastructure, several lawmakers have called on the government to improve cybersecurity protections and consider new rules for potentially risky web traffic.

Sen. Mark Warner (D-Va.), co-founder of the Senate Cybersecurity Caucus, is seeking answers from the Federal Communications Commission, the Federal Trade Commission and the Department of Homeland Security on the resources available and needed to keep cyber malefactors from breaching consumer products.

In an Oct. 25 letter to FCC Chairman Tom Wheeler, Warner asked what network management practices internet service providers could adopt to repel traffic that might emanate from botnets. He also asked whether it is possible to assess the risks associated with the devices that make up the internet of things, apprise consumers of those risks and encourage users to download operating system and firmware updates when they are available.

"The weak security of many of the new connected consumer devices provides an attractive target for attackers, leveraging the bandwidth and processing power of millions of devices, many of them with few privacy or security measures, to swamp internet sites and servers with an overwhelming volume of traffic," Warner wrote.

Homeland Security Secretary Jeh Johnson said the attack on internet infrastructure provider Dyn has been mitigated. In a statement, he added that the attack was potentially caused by the Mirai botnet, a massive network of hijacked IoT devices that directed waves of traffic to Dyn systems and took them off-line.

Johnson also said DHS plans to publish a set of strategic principles for IoT security in the coming weeks.

In an Oct. 25 speech before the Council on Foreign Relations in New York City, Director of National Intelligence James Clapper attributed the attack to a non-state actor but did not say which hacker group might be responsible.

Separately but also in response to the attack, two members of the Senate Select Committee on Intelligence have asked President Barack Obama to work with Congress to bolster the government's ability to identify and quickly react to weaknesses in cyber networks.

Sens. Angus King (I-Maine) and Martin Heinrich (D-N.M.) sent a letter to Obama on Oct. 24 requesting his involvement in developing standardized, governmentwide policies for detecting vulnerabilities and enlisting the private sector's help in fixing them.

"The recent intrusions into United States networks and the controversy surrounding the Federal Bureau of Investigation's efforts to access the iPhone used in the San Bernardino attacks have underscored for us the need to establish more robust and accountable policies regarding security vulnerabilities," King and Heinrich wrote.

The senators cited the expansion of bug bounty programs -- which the private sector and recently the Pentagon have used to reward hackers who report security vulnerabilities -- as a cost-effective way to discover and patch potential network trouble spots.

The senators also called for new legislation governing the Vulnerabilities Equities Process that would require agencies to report serious security vulnerabilities to technology manufacturers, and for broader use of the authorities afforded under the Cybersecurity Information Sharing Act of 2015.