The government needs to intervene in the internet of things market to avoid the kind of cyberattacks that caused internet outages last month or potential physical-world damage, a panel of security experts told a House committee Wednesday.
Both manufacturers and consumers seem unwilling to bear the cost of stronger security measures for connected devices they either see as nearly disposable or not worth upgrading.
“The government has to get involved. This is a market failure,” security technologist Bruce Schneier told the House Energy and Commerce Committee on Nov. 16.
To keep costs low, many IoT manufacturers don't invest in the kind of security features and protocols consumers expect from computer and smartphone makers. They often skip good cyber hygiene practices, too. Some devices feature default or easily identifiable passwords or hard-coded credentials users can’t change, and others require consumers to watch out for security updates, Level 3 Communications Chief Security Officer Dale Drew said in written testimony.
Insecure devices infected by Mirai malware overwhelmed web services provider Dyn in October, knocking popular websites like Netflix and Twitter offline for hours. They were only a fraction of the botnet—one likely rented by an individual with a personal grudge against a gaming site, Drew wrote.
Botnet operators, motivated by money or mischief, will continue recruiting IoT devices because they have little to no security and can go undetected for a long time. Security standards or certifications from the government could help, Drew said.
Alternatively, the government could incentivize the industry to build security into products and encourage cryptography, said Dr. Kevin Fu, Virta Labs CEO and University of Michigan engineering and computer science associate professor. His suggestion is in line with the National Institute of Standards and Technology’s recent Systems Security Engineering guidance.
At the beginning of the hearing, Chairman Greg Walden, R-Ore., said he was open to some kind of regulation, though the experts didn’t agree on how to go about it. Lawmakers asked whether the government could come up with one set of IoT standards to secure all types of devices; Drew thought it could, but Fu and Schneier disagreed. They also discussed breaking regulation down by agency, though several agencies, including the Federal Communications Commission, Federal Trade Commission and National Highway Traffic Safety Administration, already issue guidance on some aspects of the internet of things.
Schneier suggested a new, centralized agency. Rep. Anna Eshoo, D-Calif., said it was the wrong climate for that, though Walden and Rep. Michael Burgess, R-Texas, said they were open to the idea if they could eliminate two existing agencies.
“Nothing motivates the government into action like security and fear,” Schneier said, citing how the Homeland Security Department was created in 44 days.