A recent congressional hearing focused on emerging cybersecurity threats and the impact on consumers and the economy. At the forefront of the discussion was what can be done to mitigate future attacks and risks.
In a Congressional hearing in mid November, security experts testified about the “catastrophic” risks posed by the proliferation of Internet of Things (IoT) connected devices. Well-known websites like Netflix, Twitter, CNN and the like were affected during the widespread denial of service (DDoS) attack in October that left much of the eastern United States without internet service. Internet infrastructure provider Dyn was targeted in that attack, which was called “benign” compared to what could happen, according to Bruce Schneier, a renowned security scholar and lecturer on public policy at Harvard who testified.
A press release issued by The Energy and Commerce Committee had this to say:
“It’s estimated that 50 billion devices will be connected to the Internet by 2020 and as this number grows, so do too the risks.”
No doubt, technology presents so many benefits for both consumers and businesses across a variety of sectors. But unsecured devices allow entry points for malicious actors to disrupt vital communication.”
In his testimony, Dale Drew, senior vice president and chief security officer at Level 3 Communications, discussed the importance of a collaborative approach to address IoT security risks.
“Bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices to remove threats. … Network operators, device manufacturers and users will need to remain vigilant to the security risk these devices present.”
Drew stressed the importance of working together.
“It will be imperative for all relevant stakeholders to continue to work collaboratively to address and mitigate IoT security risks so that we can reap the benefits of this exciting and transformative technology,” he said.
Testing IoT Security
As it stands now, there’s little incentive for manufacturers to make security a priority. Consumers have no real way of assessing the security of say an Internet-connected thermostat or other device, since there’s no established ratings in place or agency that tracks such information.
The experts who testified seemed to agree something should be done by the government, though exactly how it should be handled is being debated.
Kevin Fu, a University of Michigan professor of computer science and engineering who specializes in cybersecurity spoke about the IoT devices that are increasingly common in sensitive areas, like hospitals.
“Internet-connected medical devices such as MRI machines, CT scanners and dialysis pumps are increasingly being targeted by hackers seeking to steal patient medical records from hospitals,” according to a story published by Kaspersky Lab in June. “Attackers consider the devices soft digital targets, seldom guarded with same security as client PCs and servers within hospitals.”
Fu recommends a “significant change in cyber hygiene” that includes creating a new independent entity tasked with testing the security of IoT devices before they land on the market.
A Matter of Homeland Security
In Nov. the Department of Homeland Security released a set of “strategic principles for securing the Internet of Things.”
The report had this to say:
“Last year, in a cyber attack that temporarily disabled the power grid in parts of Ukraine, the world saw the critical consequences that can result from failures in connected systems. Because our nation is now dependent on properly functioning networks to drive so many life-sustaining activities, IoT security is now a matter of homeland security.”
While the report shares non binding guidelines for securing IoT devices, it also suggests the government could sue manufacturers if they fail to build security into a product from the very beginning.
“Failing to design and implement adequate security measures could be damaging to the manufacturer in terms of financial costs, reputational costs, or product recall costs. While there is not yet an established body of case law addressing IoT context, traditional tort principles of product liability can be expected to apply.”
Are you covered for identity theft?
Image: Pixabay