With the U.S. government undergoing a transfer of power after last week's election, Congress' Committee on Energy and Commerce held a hearing Wednesday exploring cyberattacks and the security of internet-of-things devices. The hearing was called shortly after the attacks on domain name service provider Dyn, an incident that disrupted user access to major internet sites on Oct. 21.
Unlike many previous cyber attacks, the attacks on Dyn were carried out through a slew of insecure IoT devices such as webcams and DVRs. The source code for the malware that used the IoT devices for the attack has been published online, meaning the incident may be just the beginning of these types of attacks. Technologists warned, however, that unlike the October attacks, future attacks could become life-and-death incidents, affecting hospitals, transportation, or other critical infrastructure.
"Government has to get involved," said security technologist Bruce Schneier, testifying at the hearing. "This is a market failure."
Plus, Schneier pointed out that IoT vulnerabilities could be so dispersed throughout the internet stack that "no one system may be at fault." Virta Labs CEO Kevin Fu agreed. "There's almost no cost to a manufacturer for deploying products with poor cybersecurity to consumers," he said.
Schneier and Fu were joined by Level 3 Communications Senior Vice President Dale Drew. All three technologists agreed that more needs to be done to prevent the preponderance of damaging cyber attacks, and that doing so will take a cooperative effort from the public and private sectors, as well as academic institutions.
Lawmakers on both sides of the aisle were clearly engaged Wednesday on what needs to be done to mitigate cyber attacks, from distributed denial of service attacks to more physically dangerous attacks on medical devices, automobiles, planes, and critical infrastructure, something Schneier repeatedly referred to as the "internet of dangerous things."
Lawmakers, however, did not agree on how much government should get involved in regulating the IoT market and cybersecurity.
At one point, ranking member Rep. Anna Eshoo, D-Calif., took a jab at the governing party's dislike for more government regulation, noting that her legislation, which calls for cybersecurity standards set by the National Institute of Standards and Technology, has had little bipartisan support.
Energy and Commerce Committee Chairman Greg Walden, R-Ore., expressed concern that once a statute gets locked in, it's difficult to change it. He did add, "We don't want this to be an innovation killer, but I don't want my refrigerator talking to the food police somewhere."
Level 3's Drew said standards will play a big part in creating incentives for companies to build more security into products. He said creating standards can help define how to fix a given problem, but he didn't go so far as to call for more government involvement.
Schneier agreed that standards are needed, but compared the emerging IoT landscape to the pollution model, one in which a holistic view is needed. True, one consumer purchasing a webcam has very little impact on the security environment, but multiply that by millions, and the impact grows exponentially. Yet, with a pollution model in mind, government could set the goal and the private sector could then figure out the most economically viable way of achieving that goal.
Fu said NIST, which published guidance for securing IoT devices earlier in the week, has done a good job creating standards, but buy-in will be needed from both industry and government. The Department of Homeland Security also released strategic principles for securing the IoT earlier in the week.
Fu noted there is a shortfall in cybersecurity experts. Universities, research institutes, and community colleges all have a potential role to play in creating a more sophisticated workforce.
Schneier went further and called for a new federal agency to drive an accountable cybersecurity framework, but with an incoming Republican supermajority, creating more government is likely a nonstarter. With that, however, Schneier harkened back to the early days of the second Bush administration. After the 9/11 attacks, an entire new government agency, the Department of Homeland Security, was created in short order.
"It's a problem we're going to have. Government is going to get involved anyway," he warned.