A growing mass of poorly secured devices on the Internet of things represents a serious risk to life and property, and the government must intervene to mitigate it. That’s essentially the message that prominent computer security experts recently delivered to Congress.
The huge denial-of-service attack in October that crippled the Internet infrastructure provider Dyn and knocked out much of the Web for users in the eastern United States was “benign,” Bruce Schneier, a renowned security scholar and lecturer on public policy at Harvard, said during a hearing last month held by the House Energy and Commerce Committee. No one died. But he said the attack—which relied on a botnet made of hacked webcams, camcorders, baby monitors, and other devices—illustrated the “catastrophic risks” posed by the proliferation of insecure things on the Internet.
For example, Schneier and other experts testified that the same poor security exists in computers making their way into hospitals, including those used to manage elevators and ventilation systems. It’s not hard to imagine a fatal disaster, which makes it imperative that the government step in to fix this “market failure,” he said.
The problems with IoT devices are worsening because manufacturers lack incentives to prioritize security. Even if consumers wanted to assess the relative security of Internet-connected thermostats and other devices, there are no established ratings or other measures.
There is little disagreement that the government should do something about this, since so many critical systems are vulnerable to attacks like the one that hit Dyn. Exactly how the government should handle the situation, however, is a subject of an intensifying debate in Washington—one that won’t be settled before President-elect Donald Trump takes office. Business groups such as the U.S. Chamber of Commerce and the Consumer Technology Association argue that new regulations on IoT devices could hinder innovation.
Schneier argues that we need a new agency in charge of cybersecurity rules. This seems unlikely, given that Trump campaigned on a broad promise to roll back regulations, and Republicans generally oppose expanding the government. But if something catastrophic were to happen, a frightened public would probably ask that something be done, and the government should be prepared for that, he warned the committee members.
How big is the risk? Massive and growing, says Kevin Fu, a University of Michigan professor of computer science and engineering who specializes in cybersecurity. Not only are IoT devices being added in “sensitive places that have high consequence, like hospitals,” Fu said, but millions of them can be easily hacked and gathered into huge botnets, armies of zombie computers that adversaries can use to debilitate targeted institutions.
Fu, who also testified in the House hearing, believes that without a “significant change in cyber hygiene” the Internet can’t be relied on to support critical systems. He recommends that the government develop an independent entity in charge of testing the security of IoT devices. The process should include premarket testing along the lines of the automotive crash testing done by the National Highway Traffic Safety Administration, post-attack testing similar to what the National Transportation Safety Board does after car crashes, and “survivability and destruction testing” to assess how well devices cope with attacks, says Fu.
We don’t know yet whether the Trump administration or the next Congress will make addressing IoT-related risks a priority. So what can the government do in the meantime? Last month, the Department of Homeland Security released a set of “strategic principles for securing the Internet of Things,” and suggested that the government could sue manufacturers for failing to “build security in during design.” On the same day, the National Institute of Standards and Technology, which publishes industry standards for many areas of technology, issued voluntary guidelines for engineering “more defensible and survivable” connected systems.
Meanwhile, every additional connected computer—whether it is in a car, drone, medical device, or any one of countless other gadgets and systems—is exposed to these risks. That’s why centralized regulatory authority is needed, according to Schneier: “We can’t have different rules if the computer has wheels, or propellers, or makes phone calls, or is in your body.”