DHS Secretary: DDoS Attack ‘Mitigated’

Homeland Security Secretary Jeh Johnson. Photo: J. Scott Applewhite/AP

DHS is working on principles to secure the internet of things, DHS Secretary Jeh Johnson says.

U.S. officials believe the cyberattack that interrupted Twitter, Netflix and other websites Friday has been mitigated, Homeland Security Department Secretary Jeh Johnson said in a statement today.

DHS held an information sharing conference call with 18 major communication services providers the day the distributed denial of service, or DDoS, attack occurred, Johnson said.

DDoS attacks involve hacking into unsecured computers and other internet-connected devices, then using those devices to flood a site with more requests and commands than it can handle. Friday’s attack targeted Dyn, a company that provides web optimization services to numerous major internet companies.


Johnson confirmed security researchers’ reports that the Friday attack used a type of malware called Mirai, which targets connected devices such as webcams and entertainment systems, and was earlier used to attack the website of cybersecurity reporter Brian Krebs and a French internet service provider.

The DHS cyber operations hub, the National Cybersecurity Communications and Integration Center, is working with law enforcement and private companies on ways to combat the malware, Johnson said.

DHS is also working on a set of strategic principles for securing connected devices, known as the internet of things, which will be released in coming weeks, he said.

The internet of things has grown exponentially in recent years, but the security of those devices has lagged, Joshua Corman, director of the Atlantic Council’s Cyber Statecraft Initiative, told reporters in a conference call today.

Many connected devices carry known software vulnerabilities that can be exploited by hackers, but consumers either don’t know how to patch those vulnerabilities or, in some cases, aren’t able to, he said.

On an individual level, those vulnerabilities—a connected refrigerator sending out spam emails, for example—are not particularly dangerous, he said. When those vulnerabilities are taken in aggregate, however, they can do great damage, as the Dyn attack showed.

“There’s a strong instinct to focus on safety critical [systems] where bits and bytes meet flesh and blood,” Corman said. “The cognitive dissonance from this particular set of attacks is you can’t neglect lower-priority devices.”