The folks over at IEEE Spectrum have a nice piece looking at the case for regulating the Internet of Things in the wake of the recent denial-of-service attacks against managed DNS provider Dyn, Krebs on Security and others.
The specter of a massive, global population of insecure connected devices bodes ill for the health of the Internet, the article argues. And, given that the Internet is perhaps the single most important piece of critical infrastructure for economies across the world, that threat must be taken seriously.
Without us even knowing it, the connected devices in our homes and businesses can carry out nefarious tasks. Increasingly, the Internet of Things has become a weapon in hackers’ schemes. This is possible in large part due to manufacturers’ failure to program basic security measures into these devices.
Now, experts in the U.S. are asking regulators to step in. Calls for public policy to improve device security have reached a fever pitch following a series of high-profile denial-of-service attacks launched in part from unsuspecting DVRs, routers, and webcams. In October, hackers flooded the Internet service company Dyn with traffic by assembling millions of IoT devices into a botnet using a malicious program called Mirai.
“The problems are not problems that markets can solve,” says Bruce Schneier, a security specialist affiliated with Harvard University who has asked for more regulation. He says attacks like the one on Dyn are akin to air pollution—an externality that manufacturers aren’t motivated to fix.
In light of recent attacks, it’s clear that Internet of Things (IoT) devices will continue to serve on the front lines of botnets if their security isn’t somehow improved. And to critics, history shows that manufacturers cannot be trusted to do that on their own.
“I would say it’s ripe for regulation because frankly, the manufacturers aren’t doing what’s in the broad social interest, they’re doing what’s in their narrow commercial interest,” says Zachary Goldman, executive director of New York University’s Center on Law and Security.
Still, the case for regulation is a complicated one. The IoT is a sweeping term used to refer to billions of assorted devices that connect to the Internet. It includes a wide range of objects, including wireless trashcans, connected cars, voice-controlled power outlets, and industrial machinery. In the loosest terms, it could encompass everything from basic sensors to supercomputers.
Regulating these devices together means devising a rule that would be broad enough to cross many sectors and cover all of these products. So far, there has been no clear proposal or agreement among supporters on a potential regulatory framework for IoT security. And many disagree that government regulation would be effective, saying hackers change their attacks so frequently that it would be hard for any regulatory body to keep up.
When asked what effective U.S. IoT security regulation would look like, Schneier shared a few ideas: minimum security standards, interoperability standards, the ability to issue a software update or patch after a product has hit the market, and even placing code in escrow so that problems can still be managed in case a company goes out of business.
But ultimately, Schneier said policymakers and cybersecurity experts would have to work out the details. “What would it look like? I don’t think it’s sound-bitey, I think we need to still figure it out,” he says. “It’s not obvious what we need to do but it’s clear that the market can’t solve it.”
David Thaw, a law professor at the University of Pittsburgh who specializes in cybersecurity policy, says proponents should consider a few important questions in their discussions, such as whether there is an agency that clearly has the authority to regulate and enforce any proposed new rules, and, if so, whether it is possible to draft effective and appropriate regulations.
So far, no single agency has been tasked with keeping tabs on the IoT. Instead, some agencies have found reason to cover parts of it. Currently, the Department of Health and Human Services protects personal health information stored on connected devices, while the Federal Reserve has published security guidance that covers devices linked to the financial industry. The National Highway Traffic Safety Administration also recently issued guidelines for connected cars.
For general consumer devices, the Federal Trade Commission has used Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices” in commerce, to bring a case against a manufacturer that marketed its routers as secure but neglected to include what the FTC considered basic security protections.
Other than bringing cases based on this provision, the FTC doesn’t have clear authority to more broadly regulate the security of IoT devices. Even so, the agency has tried to take other steps to improve the situation. In 2015, it outlined best practices for IoT security, such as requiring users to change default passwords when setting up a product, and urged manufacturers to pursue “self-regulatory programs” within their industries.
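A concrete version of the default-password practice the FTC describes above, written as an added example (it is not code from the IEEE Spectrum article, the FTC, or any device vendor): a first-boot flow in which the device keeps its network-facing services disabled until the factory credential has been replaced with one that is neither a known default nor derived from identifiers printed on the device. The default-credential list, the device identifiers, the minimum length and the PBKDF2 parameters are all constructed assumptions for the illustration.

```python
"""Enforcing "change the default password at setup" in device firmware.

Added example, not code from the article or from any vendor. It models a
first-boot flow: the device stays in a setup-only state, with remote
services (web UI, telnet, cloud relay) disabled, until the factory
credential is replaced by one that is not a known default and is not built
from the device's own identifiers. All sample data below is constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample: username/password pairs of the kind IoT botnets try
# first. A product would ship a far longer list and update it over time.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "12345"), ("root", "xc3511"),
    ("user", "user"), ("support", "support"),
}
KNOWN_DEFAULT_PASSWORDS = {pw for _, pw in KNOWN_DEFAULTS}
MIN_LENGTH = 10  # assumed policy value, not from the article


class SetupRejected(ValueError):
    """Raised when the proposed credential would leave the device exposed."""


def credential_problems(username, password, factory_password, identifiers):
    """Return the reasons a proposed credential is unacceptable (empty if OK).

    `identifiers` are strings printed on the device or visible on the network
    (serial number, MAC, model), which an attacker can read or enumerate.
    """
    problems = []
    if password == factory_password:
        problems.append("password is still the factory default")
    if (username, password) in KNOWN_DEFAULTS or password in KNOWN_DEFAULT_PASSWORDS:
        problems.append("password is a widely known default")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for ident in identifiers:
        ident = ident.replace(":", "").lower()
        if len(ident) >= 4 and ident in lowered:
            problems.append("password contains a device identifier")
            break
    return problems


class Device:
    """Minimal model of the credential-related part of a device's state."""

    def __init__(self, factory_password, serial, mac, model):
        self.factory_password = factory_password
        self.identifiers = [serial, mac, model]
        self.state = "setup"          # "setup" -> "operational"
        self.username = None
        self._salt = None
        self._hash = None

    def remote_services_enabled(self):
        # Nothing listens beyond the local setup channel until setup completes.
        return self.state == "operational"

    def complete_setup(self, username, password):
        problems = credential_problems(
            username, password, self.factory_password, self.identifiers)
        if problems:
            raise SetupRejected("; ".join(problems))
        self.username = username
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(password, self._salt)
        self.state = "operational"

    @staticmethod
    def _derive(password, salt):
        # Slow, salted hash so a dumped flash image does not yield the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def login(self, username, password):
        """Constant-time comparison; always False while still in setup state."""
        if self.state != "operational" or username != self.username:
            return False
        candidate = self._derive(password, self._salt)
        return hmac.compare_digest(candidate, self._hash)


if __name__ == "__main__":
    cam = Device("xc3511", "SN1234567890", "00:11:22:33:44:55", "IPC-100")
    for attempt in ("xc3511", "admin", "sn1234567890!!", "correct horse battery"):
        try:
            cam.complete_setup("admin", attempt)
            print(f"accepted {attempt!r}; services up: {cam.remote_services_enabled()}")
        except SetupRejected as e:
            print(f"rejected {attempt!r}: {e}")
```

The point of tying service start-up to setup completion, rather than only nagging the user, is that a device which is reachable with factory credentials for even a few minutes after it is plugged in is exactly what a scanner like the one Mirai used is looking for; gating the listeners on the state change removes that window entirely.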
“We recommend that companies engage in ‘security by design’ which means they conduct regular risk assessments, and minimize the data that they collect and maintain, and that they test their security before launching a product,” says Jared Ho, an attorney in the FTC’s Division of Privacy and Identity Protection.
In 2015, the FTC also concluded that specific IoT security legislation was not warranted, though it said lawmakers should enact general data security legislation that not only protects consumers from leaky devices but also extends to the functionality of the device itself. That means if hackers capture an innocent WiFi-enabled coffeepot within their botnet, or cause a heart monitor to suddenly sputter in a patient’s chest, manufacturers could be held accountable.
If Congress ever gets around to drafting IoT security legislation, the FTC’s 2015 recommendations for reasonable IoT security practices could someday become law. Industry groups have also floated their own recommendations as a starting point. Rulemakers could also look to third-party certifications available through groups such as the Online Trust Alliance.
Thaw in Pittsburgh says he recommends an approach known as flexible regulation. Rather than mandating technical security prescriptions that may soon be outdated, flexible regulation describes critical steps that companies must take such as performing a risk assessment, drafting a plan to minimize security risks, training staff in security protocols, and sticking to their cybersecurity plan. Regulators describe this set of steps they expect companies to take, and issue punishment if they fail to do so.
It may seem like companies could easily fudge compliance with this approach, but Thaw looked back at industries governed by flexible regulations from 2000 to 2010 and found they were four times more effective at preventing data breaches than those subject to regulations requiring specific technological features.
Moving forward, he says flexible regulation is probably the best way to approach IoT security, if policymakers or the public decide to do it at all. He also likes that it’s sufficiently broad to serve the many companies, devices, and security risks that operate within the IoT. “One-size-fits-all is an attacker or adversary’s dream,” he says.
The National Institute of Standards and Technology took a flexible approach in the agency’s Cybersecurity Framework, which outlines its preferred strategy for securing critical infrastructure. Thaw adds that even with broad flexible IoT regulations in place, regulators could still choose to establish narrower rules and standards for specific sectors or types of devices.
Regardless of the approach, Goldman of NYU suggests “treading cautiously” when creating any IoT security protocols, saying it’s quite possible to wind up with onerous regulations “that don’t advance security, but do squelch innovation,” he says. “That’s bad.”
Another option, Goldman says, would be to grant victims the right to recover damages from manufacturers. This would admittedly only help after an attack had already occurred, but it could give manufacturers a financial incentive to implement better security.
“At present, I think it would be very hard if not impossible to sue manufacturers of the devices that were hijacked in the Mirai botnet attack,” he says. “But Congress could write a law that says they’re liable if they don’t engage in standard security practices.”
When it comes down to it, there is broad agreement among cybersecurity experts that improving IoT security is a complicated but critical matter. With a newly elected U.S. Congress set to begin its duties in January, manufacturers and consumers will have to see whether this Congress is up for the challenge.