Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

  • NICK LITTLE
  • Connectivity

    Security Experts Warn Congress That the Internet of Things Could Kill People

    Poorly secured webcams and other Internet-connected devices are already being used as tools for cyberattacks. Can the government prevent this from becoming a catastrophic problem?

    A growing mass of poorly secured devices on the Internet of things represents a serious risk to life and property, and the government must intervene to mitigate it. That’s essentially the message that prominent computer security experts recently delivered to Congress.

    The huge denial-of-service attack in October that crippled the Internet infrastructure provider Dyn and knocked out much of the Web for users in the eastern United States was “benign,” Bruce Schneier, a renowned security scholar and lecturer on public policy at Harvard, said during a hearing last month held by the House Energy and Commerce Committee. No one died. But he said the attack—which relied on a botnet made of hacked webcams, camcorders, baby monitors, and other devices—illustrated the “catastrophic risks” posed by the proliferation of insecure things on the Internet.

    For example, Schneier and other experts testified that the same poor security exists in computers making their way into hospitals, including those used to manage elevators and ventilation systems. It’s not hard to imagine a fatal disaster, which makes it imperative that the government step in to fix this “market failure,” he said.

    The problems with IoT devices are worsening because manufacturers lack incentives to prioritize security. Even if consumers wanted to assess the relative security of Internet-connected thermostats and other devices, there are no established ratings or other measures.

    There is little disagreement that the government should do something about this, since so many critical systems are vulnerable to attacks like the one that hit Dyn. Exactly how the government should handle the situation, however, is a subject of an intensifying debate in Washington—one that won’t be settled before President-elect Donald Trump takes office. Business groups such as the U.S. Chamber of Commerce and the Consumer Technology Association argue that new regulations on IoT devices could hinder innovation.

    Schneier argues that we need a new agency in charge of cybersecurity rules. This seems unlikely, given that Trump campaigned on a broad promise to roll back regulations, and Republicans generally oppose expanding the government. But if something catastrophic were to happen, a frightened public would probably ask that something be done, and the government should be prepared for that, he warned the committee members.

    How big is the risk? Massive and growing, says Kevin Fu, a University of Michigan professor of computer science and engineering who specializes in cybersecurity. Not only are IoT devices being added in “sensitive places that have high consequence, like hospitals,” Fu said, but millions of them can be easily hacked and gathered into huge botnets, armies of zombie computers that adversaries can use to debilitate targeted institutions.

    Fu, who also testified in the House hearing, believes that without a “significant change in cyber hygiene” the Internet can’t be relied on to support critical systems. He recommends that the government develop an independent entity in charge of testing the security of IoT devices. The process should include premarket testing along the lines of the automotive crash testing done by the National Highway Traffic Safety Administration, post-attack testing similar to what the National Transportation Safety Board does after car crashes, and “survivability and destruction testing” to assess how well devices cope with attacks, says Fu.

    We don’t know yet whether the Trump administration or the next Congress will make addressing IoT-related risks a priority. So what can the government do in the meantime? Last month, the Department of Homeland Security released a set of “strategic principles for securing the Internet of Things,” and suggested that the government could sue manufacturers for failing to “build security in during design.” On the same day, the National Institute of Standards and Technology, which publishes industry standards for many areas of technology, issued voluntary guidelines for engineering “more defensible and survivable” connected systems.

    Meanwhile, every additional connected computer—whether it is in a car, drone, medical device, or any one of countless other gadgets and systems—is exposed to these risks. That’s why centralized regulatory authority is needed, according to Schneier: “We can’t have different rules if the computer has wheels, or propellers, or makes phone calls, or is in your body.”

    Get stories like this before anyone else with First Look.

    Subscribe today
    Already a Premium subscriber? Log in.

    Uh oh–you've read all of your free articles for this month.

    Insider Premium
    $179.95/yr US PRICE

    Digital Consequences
    Want more award-winning journalism? Subscribe and become an Insider.
    • Insider Premium {! insider.prices.premium !}*

      {! insider.display.menuOptionsLabel !}

      Our award winning magazine, unlimited access to our story archive, special discounts to MIT Technology Review Events, and exclusive content.

      See details+

      What's Included

      Bimonthly magazine delivery and unlimited 24/7 access to MIT Technology Review’s website

      The Download: our daily newsletter of what's important in technology and innovation

      Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

      Special discounts to select partner offerings

      Discount to MIT Technology Review events

      Ad-free web experience

      First Look: exclusive early access to important stories, before they’re available to anyone else

      Insider Conversations: listen in on in-depth calls between our editors and today’s thought leaders

    • Insider Plus {! insider.prices.plus !}* Best Value

      {! insider.display.menuOptionsLabel !}

      Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

      See details+

      What's Included

      Bimonthly magazine delivery and unlimited 24/7 access to MIT Technology Review’s website

      The Download: our daily newsletter of what's important in technology and innovation

      Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

      Special discounts to select partner offerings

      Discount to MIT Technology Review events

      Ad-free web experience

    • Insider Basic {! insider.prices.basic !}*

      {! insider.display.menuOptionsLabel !}

      Six issues of our award winning magazine and daily delivery of The Download, our newsletter of what’s important in technology and innovation.

      See details+

      What's Included

      Bimonthly magazine delivery and unlimited 24/7 access to MIT Technology Review’s website

      The Download: our daily newsletter of what's important in technology and innovation

    /
    You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.