By Taylor Armerding
Jan. 9, 2017
The private sector often views government as the problem, not the solution. But, in the view of a growing number of experts, the opposite is true when it comes to addressing the rampant and increasing security risks of the Internet of Things (IoT).
While it is not a unanimous view, there is general agreement that the blessings the IoT brings to modern life are being undermined by its curses – and that the market will not correct those curses.
Its almost magical benefits are well documented and well advertised – self-driving cars and the ability to lock or unlock doors or adjust a home thermostat from hundreds of miles away were fantasies only a few years ago. But its billions of connected devices are so lacking in security that they are putting not only individual users at risk, but public and private infrastructure as well, including the infrastructure of the internet itself.
October’s Distributed Denial of Service (DDoS) attack on Internet Domain Name Service (DNS) provider Dyn is the most famous illustration.
It only caused inconvenience when it took down a number of popular websites for part of a day. But its use of possibly millions of devices like webcams and DVRs in a botnet to launch the attack showed that the IoT can supply a zombie army of devices that could damage life and safety if aimed at targets like hospitals or the nation’s critical infrastructure.
All while individual users likely had no idea that their devices had been “conscripted” for the attack.
So, since neither developers/manufacturers nor individual users are affected, those are risks the marketplace – competition and consumer pressure – hasn’t corrected. And that means government must intervene more aggressively, according to experts who testified before the House Committee on Energy and Commerce in mid-November: Bruce Schneier, CTO of Resilient Systems, which was recently acquired by IBM; Dr. Kevin Fu, CEO of Virta Labs and a professor at the University of Michigan; and Dale Drew, CSO of Level3 Communications, an internet backbone provider.
“There is a fundamental market failure at work,” Schneier said. “Basically, the market has prioritized features and cost over security.”
The lack of security, he said, is “a form of invisible pollution. And, like pollution, the only solution is to regulate.”
There are a variety of views on that declaration. Stu Sjouwerman, CEO of KnowBe4, said Schneier is “absolutely right – the FCC should be the agency that tests these devices for minimum required security standards, such as default credentials that need to be changed by the end-user before the device can be put in production.”