Last week’s massive distributed denial-of-service attack has prompted an urgent focus on the need for industry-led cybersecurity standards for internet of things devices.
U.S. Sen. Mark Warner, (D-Va.) said Thursday that he favors an industry-based approach before seeking some form of government regulation of IoT security.
“Last week’s attack does reveal a new level of vulnerability, and I’m trying to make it clear ... that this is not a problem that the government ought to be the first actor in solving,” he said in a telephone interview.
“IoT ought to be an area where industry collaborates and if they can set standards first, that’s good,” Warner said.
Some sort of up-to-date industry “seal of approval” or comparative ratings system regarding the security-readiness of IoT devices may be effective, he said.
“If industry can come up with security standards as we move from 12 billion to 34 billion IoT devices in 2020, that’s terribly important,” Warner said.
Today, there’s not much economic incentive for IoT device makers to add security protections, he added. “Security adds cost, but if there’s no economic benefit, [manufacturers] figure, why do it?” he said.
Having some type of industry standard with a seal of approval or rating system would encourage companies and consumers to buy more secure devices, thereby creating that needed economic incentive, Warner reasoned.
Warner said his office staff has been talking to longtime security guru Peiter Zatko, also known as the hacker Mudge, about the potential for comparative ratings for IoT devices.
Zatko said on Friday through a Twitter message that he has been in touch with Warner’s office about the ratings concept and found Warner “very supportive.” Zatko’s nonprofit Cyber Independent Testing Lab offers Consumer Reports-style ratings on software, including for IoT.
“Warner particularly liked [our ratings] in place of simple ‘approval labels,’ which can incentivize vendors to do no more than the bare minimum and do not allow an evaluation of actual risk and safety for multiple products that may all have or lack such an opaque seal,” Zatko said.
Experts have suggested some basic security requirements that manufacturers need to provide. They include a unique user name and password for each IoT device. Currently, default user names and passwords can easily be found by hackers to exploit a device. Another recommendation is to build IoT devices so they can automatically receive software updates, including security patches.
Last Friday’s attack used the widely available Mirai botnet to attack an estimated 100,000 IoT devices, such as internet-connected cameras. Those devices were then used to flood servers at DNS provider Dyn in a distributed-denial-of-service attack (DDoS), leading to disruptions for internet users trying to access major sites.
Warner, a former Virginia governor who was involved in venture capital for the telecommunications industry in the 1980s, said the lack of attention to IoT security has been endemic for decades.
“We went into the internet with the idea of how we can get coverage and resilience, but what I don’t think we have thought about is security. Security has not been high on the design criteria,” Warner said.
“How do we make that IoT refrigerator secure so it can say to buy more milk if DDoS attacks by botnets are possible? We’ve got this huge potential challenge that builds on a whole series of other challenges like stolen intellectual property and national security concerns.”
Because of the nature of the attack, some experts have speculated that amateurs could have launched last Friday’s attack, which in some ways could be more troubling than if sophisticated criminals or hackers for a foreign government were involved.
“Whether it’s a state or a bunch of teenage hackers, it does reveal a new level of vulnerability,” Warner said.
Warner has been addressing unsecure IoT devices for a while, including with a letter to the Federal Trade Commission in June. On Tuesday, he sent letters on the attack to the FTC as well as the Department of Homeland Security and the Federal Communications Commission.
In the letter to the FCC, Warner asked nine questions, including whether the FCC has asked the National Institute of Standards and Technology about setting security standards. “Should manufacturers have to abide by minimum technical security standards?” the letter asks.
Another question from Warner to the FCC posed the idea that internet service providers might deny insecure IoT devices access to their networks. In the interview, Warner said, “I’m not suggesting that we violate the principles of net neutrality, [but]… we need to get ahead of this.”
Warner said that his questions to the FCC and others were intended only to learn the best approach to bolster IoT security. “I’m still trying to learn about this,” he said. “it’s too early to come to a conclusion.”
One approach he clearly favors is better citizen education about cybersecurity. “I do think having a clear set of appropriate cyber hygiene techniques drilled into every consumer is good. It would be great if industry could give those ideas of how consumers should act.”
It also makes sense, he said, for “America to take the lead on this, but to make sure we don’t create a problem of putting American products at a disadvantage.”
One problem with the government setting standards on IoT security is making the standard flexible enough to meet future demands. “If we were to set some government standard, how does that stay flexible so the standard can change next month because of the sophistication of hackers?” Warner asked.
One security expert said one possibility would be for the U.S. to ban sales of the most insecure devices. “Regulations which ban the sale of horribly secured devices in the U.S. might cause vendors to fundamentally improve the security of their devices for everyone with a global impact, because manufacturers want to be able to sell into the U.S.,” said Mark Dufresne, director of threat research and adversary prevention at security provider Endgame.
However, Dufresne said it is impractical for Warner to suggest that an ISP block a device’s access to the internet.
“Vulnerable devices are all over the globe,” he said. “Even if we got rid of all of them in the U.S., it really wouldn’t matter. The botnet is huge and can still target U.S. systems. ISPs may not be able to identify downstream devices with confidence and might miss some while mistakenly turning some off.”