Experts to Congress: You must act on IoT security. Congress: Encourage industry to develop best prac

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Schneier crap-storm warning falls on deaf ears

Congress provided a masterclass in selective hearing Wednesday when urged by experts to do something about the increasing risk posed by poor IoT security.

At a session of the House's Energy and Commerce Committee into last month's attack on DNS provider Dyn that caused widespread disruption to online services, several security experts highlighted the main problem as a lack of security standards and urged Congress to act. Their pleas were repeatedly rebuffed.

Chief security officer of Level 3, Dale Drew, warned [PDF] representatives that "the current lack of any security standards for IoT devices" was a big part of the problem, and said IoT manufacturers needed to "embrace and abide by additional security practices to prevent harm to users and the internet."

He argued that "there may be a role for the government to provide appropriate guidance."

Likewise, CEO of Virta Labs, Dr Kevin Fu, said [PDF] that "IoT security remains woefully inadequate, and the Dyn attack is a sign of worse pains to come." Fu took a stronger line on government intervention, arguing that it needs to actively support agencies that were developing solutions to IoT security issues, including looking at establishing "an independent, national embedded cybersecurity testing facility."

But it fell to security guru Bruce Schneier to argue outright [PDF] for legislation. "Like pollution, the only solution is to regulate," he stressed. "The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don't care."

He continued: "They could impose liabilities on manufacturers, allowing companies like Dyn to sue them if their devices are used in DDoS attacks. The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure."

Benign – but not for long
In order to stress the importance of the issue, Schneier noted that the DDoS attack on Dyn, as disruptive as it was, was still largely "benign."

"Some websites went offline for a while. No one was killed. No property was destroyed. But computers have permeated our lives. The Internet now affects the world in a direct physical manner. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. We are connecting cars, drones, medical devices, and home thermostats. What was once benign is now dangerous."

The calls for government intervention met a brick wall in the Republican-held House, however.

Michael Burgess (R-TX) stressed in his opening remarks that the answer to the security issues was in developing "best practices," and government's role was to elicit a "meaningful response from industry."

Bob Latta (R-OH) noted that there needed to be "IoT security guidelines to keep pace with rapidly evolving technologies," but stressed there was a "delicate balance between oversight and regulatory flexibility" and that it should fall on industry to develop best practices that would "not hinder innovation."

Even Democrats steered clear from suggesting that the government take a direct role in the situation. Anna Eshoo (D-CA) noted that the IoT security problem was a "global issue" and noted that "little more than a quarter" of the devices that were involved in the recent attacks were located in the US, while the products "most vulnerable" were based in China. The implication was obvious: what's the point in legislating when China is the real problem?

Despite the clear flags, Bruce Schneier remained determined to push the case for government to act. "The market really can't fix this," he argued. "The buyer and seller don't care," he stressed. "Government has to get involved. This is a market failure. This is not something the market can fix."

He proposed that the government should create a new agency to look into the issue, since even just his mobile phone crosses multiple government agencies' jurisdictions.
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
...

"The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don't care."

He continued: "They could impose liabilities on manufacturers, allowing companies like Dyn to sue them if their devices are used in DDoS attacks.
....
...."Government has to get involved....I agree 100%!
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Anna Eshoo (D-CA) noted that the IoT security problem was a "global issue" and noted that "little more than a quarter" of the devices that were involved in the recent attacks were located in the US, while the products "most vulnerable" were based in China

At the risk of supporting a party (I prefer not to), this sounds like a cop out to me. Only 25%? Why would someone say that? It doesn't matter where they occur, and 25% is 25% of voters and citizens in the U.S. This is insensitive to the current situation imo. Also, the fact that this is a "global" problem seems to me an unusual thing to point out for a member of Congress. Since when can't Congress send a message that America's leadership in a situation is required in a global context. Congress has the ability to apply pressure to the system to get things done, even internationally. This is, of course, within the context of its standing as an entity of the U.S. government.

I agree Congress must get involved. However, I think I kind of understand one thing that's being said. That can be found in this statement:

Bob Latta (R-OH) noted that there needed to be "IoT security guidelines to keep pace with rapidly evolving technologies," but stressed there was a "delicate balance between oversight and regulatory flexibility" and that it should fall on industry to develop best practices that would "not hinder innovation."

I feel he's right about this. Leadership should come first from the communications/computer industry on the matters contained in this subject. What I like most about the comment is that it is honorably true to the big picture contextually, including the international scope of the challenge that is ahead. There is something here, at least implied, for other nations to grasp and hold on to, feeling that they can have a say in what happens. Sure a plan of change but for sure, also, changes that everyone can live with long term. Overall, the comment suggests a considerate and deliberate approach to changes that involves all affected nations and peoples.

If I am right, this dilemma is only going to be resolved in a one very specific, although, in some particular cases of regulation, perhaps all encompassing, set of regulations and changes of and/or to the actual structure of the internet and of and/or to regulation and oversight of internet activities. The patience implied in the comment suggests that Latta at least wants to move forward cautiously and make sure privacy and national protections are secured in any changes. Maybe I am reading things into this quote, but "delicate balance between oversight and regulatory flexibility" does suggest this to me. I hope that a cautiously progressive model can be developed that all internet dependent nations (pretty much all now) can live with. In that light, I do hope this way of doing things reaches the largest part of Congress.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Security should not be hindrance, rather a part of continuous implementation for any technological aspects like IoT.

Remember that usually when no one manage to lead the correct practice and guidelines, then it came up with last minute inefficient strategy regardless before and after attack.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
The known all goverments strategy is to heal something only when it is proven to be sick. The conclusive evidence is too often the terrorist attack.:(
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top