A growing mass of poorly secured devices on the Internet of things represents a serious risk to life and property, and the government must intervene to mitigate it. That’s essentially the message that prominent computer security experts recently delivered to Congress.
The huge denial-of-service attack in October that crippled the Internet infrastructure provider Dyn and knocked out much of the Web for users in the eastern United States was “benign,” Bruce Schneier, a renowned security scholar and lecturer on public policy at Harvard, said during a hearing last month held by the House Energy and Commerce Committee. No one died. But he said the attack—which relied on a botnet made of hacked webcams, camcorders, baby monitors, and other devices—illustrated the “catastrophic risks” posed by the proliferation of insecure things on the Internet.
For example, Schneier and other experts testified that the same poor security exists in computers making their way into hospitals, including those used to manage elevators and ventilation systems. It’s not hard to imagine a fatal disaster, which makes it imperative that the government step in to fix this “market failure,” he said.
The problems with IoT devices are worsening because manufacturers lack incentives to prioritize security. Even if consumers wanted to assess the relative security of Internet-connected thermostats and other devices, there are no established ratings or other measures.
There is little disagreement that the government should do something about this, since so many critical systems are vulnerable to attacks like the one that hit Dyn. Exactly how the government should handle the situation, however, is a subject of an intensifying debate in Washington—one that won’t be settled before President-elect Donald Trump takes office. Business groups such as the U.S. Chamber of Commerce and the Consumer Technology Association argue that new regulations on IoT devices could hinder innovation.
Schneier argues that we need a new agency in charge of cybersecurity rules. This seems unlikely, given that Trump campaigned on a broad promise to roll back regulations, and Republicans generally oppose expanding the government. But if something catastrophic were to happen, a frightened public would probably ask that something be done, and the government should be prepared for that, he warned the committee members.
How big is the risk? Massive and growing, says Kevin Fu, a University of Michigan professor of computer science and engineering who specializes in cybersecurity. Not only are IoT devices being added in “sensitive places that have high consequence, like hospitals,” Fu said, but millions of them can be easily hacked and gathered into huge botnets, armies of zombie computers that adversaries can use to debilitate targeted institutions.
Fu, who also testified in the House hearing, believes that without a “significant change in cyber hygiene” the Internet can’t be relied on to support critical systems. He recommends that the government develop an independent entity in charge of testing the security of IoT devices. The process should include premarket testing along the lines of the automotive crash testing done by the National Highway Traffic Safety Administration, post-attack testing similar to what the National Transportation Safety Board does after car crashes, and “survivability and destruction testing” to assess how well devices cope with attacks, says Fu.
We don’t know yet whether the Trump administration or the next Congress will make addressing IoT-related risks a priority. So what can the government do in the meantime? Last month, the Department of Homeland Security released a set of “strategic principles for securing the Internet of Things,” and suggested that the government could sue manufacturers for failing to “build security in during design.” On the same day, the National Institute of Standards and Technology, which publishes industry standards for many areas of technology, issued voluntary guidelines for engineering “more defensible and survivable” connected systems.
Meanwhile, every additional connected computer—whether it is in a car, drone, medical device, or any one of countless other gadgets and systems—is exposed to these risks. That’s why centralized regulatory authority is needed, according to Schneier: “We can’t have different rules if the computer has wheels, or propellers, or makes phone calls, or is in your body.”