The private sector often views government as the problem, not the solution. But, in the view of a growing number of experts, the opposite is true when it comes to addressing the rampant and increasing security risks of the Internet of Things (IoT).
While it is not a unanimous view, there is general agreement that the blessings the IoT brings to modern life are being undermined by its curses – and that the market will not correct those curses.
Its almost magical benefits are well documented and well advertised – self-driving cars and the ability to lock or unlock doors or adjust a home thermostat from hundreds of miles away were fantasies only a few years ago. But its billions of connected devices are so lacking in security that they are putting not only individual users at risk, but public and private infrastructure as well, including the infrastructure of the internet itself.
October’s Distributed Denial of Service (DDoS) attack on Internet Domain Name Service (DNS) provider Dyn is the most famous illustration.
It only caused inconvenience when it took down a number of popular websites for part of a day. But its use of possibly millions of devices like webcams and DVRs in a botnet to launch the attack showed that the IoT can supply a zombie army of devices that could damage life and safety if aimed at targets like hospitals or the nation’s critical infrastructure.
All while individual users likely had no idea that their devices had been “conscripted” for the attack.
So, since neither developers/manufacturers or individual users are affected, those are risks the marketplace – competition and consumer pressure – hasn’t corrected. And that means government must intervene more aggressively, according to experts who testified before the House Committee on Energy and Commerce in mid-November: Bruce Schneier, CTO of Resilient Systems, which was recently acquired by IBM; Dr. Kevin Fu, CEO of Virta Labs and a professor at the University of Michigan; and Dale Drew, CSO of Level3 Communications, an internet backbone provider.
“There is a fundamental market failure at work,” Schneier said. “Basically, the market has prioritized features and cost over security.”
The lack of security, he said, is “a form of invisible pollution. And, like pollution, the only solution is to regulate.”
There are a variety of views on that declaration. Stu Sjouwerman, CEO of KnowBe4, said Schneier is “absolutely right – the FCC should be the agency that tests these devices for minimum required security standards, such as default credentials that need to be changed by the end-user before the device can be put in production.”
Mark Baugher, principal security engineer at Greenwave Systems, is not convinced that government regulation will solve the problem. But he agrees about the reason for the market failure.
“The costs of cheap, poorly designed network products are typically borne by someone other than the users of those products,” he wrote in a recent essay furnished to CSO.
“Economists call this a ‘negative externality,’ meaning that the costs are external to the market. Market-based solutions therefore don’t work.”
This is not a new problem – Schneier, Fu and others have been saying for years that the IoT is insecure because both the developers and buyers of devices care much more about features and price than they do about security.
But Schneier told the committee that the DDoS attack on Dyn shows that the stakes are now much higher than having a bank account compromised or an identity stolen.
“We are connecting cars, drones, medical devices, and home thermostats,” he said. “What was once benign is now dangerous.”
Of course, what form government involvement should take is less clear. Drew was less forceful than Schneier or Fu about the role of government, saying only that, “there may be a role for the government to provide appropriate guidance.”
But there is general agreement that government could and should require what is described as “basic security hygiene,” and while that would not make devices bulletproof, it would make it much more difficult to exploit them.
Matt Devost, managing director at Accenture Security, is one of several experts who told CSO that government can play a crucial role by forcing the market to address the most obvious, blatant insecurities of IoT devices.
“Establishing a minimum essential security requirement in new devices that forces the user to set up a robust password before the device can be used would be an improvement over default passwords,” he said, “along with an ability to automate the firmware update process in the event a critical vulnerability is discovered in the product.”
Fu, in his testimony before the congressional committee, recommended an independent, national cybersecurity testing facility modeled along the lines of the National Transportation Safety Board.
Schneier also recommended that government force “minimum security standards” on IoT manufacturers, including imposing liability on those that fail to comply, “allowing companies like Dyn to sue them if their devices are used in DDoS attacks.”
And Craig Spiezle, executive director of the Online Trust Alliance (OTA), said the government should require that, “products not ship with any known critical vulnerabilities, and have a commitment to provide security patches and updates through their life.”
Other regulatory initiatives could get more complicated, however.
Sen. Mark Warner (D-Va.), in an Oct. 25 letter to the Federal Communications Commission (FCC), Federal Trade Commission (FTC) and Department of Homeland Security (DHS), asked if Internet Service Providers (ISP) could help force improvements in security of IoT devices by denying insecure devices access to the internet, including refusing to assign them an IP address.
FCC Chairman Tom Wheeler, in a Dec. 5 response, noted that global realities mean that actions of a single ISP won't change much. “Protective actions taken by one ISP against cyber threats can be undermined by the failure of other ISPs to take similar actions,” he wrote. “This weakens the incentive of all ISPs to take such protections.”
Experts are also extremely wary of government involvement in regulating any element of internet security because of its demonstrated desire for “back doors” into devices and networks.
Schneier, even while calling for federal regulation to improve IoT security, said that, “government needs to resist the urge to deliberately weaken the security of any computing devices at the request of the FBI.”
Baugher, while declaring that “government is needed for cybersecurity,” also declared just as emphatically that “the US government can’t deliver it,” in part because it has demonstrated repeatedly that it can’t secure its own infrastructure. He cited multiple examples – former secretary of state and recent Democratic presidential candidate Hillary Clinton is the most famous example – of Cabinet-level officials using private, and insecure, email servers.
But more significantly, he said, is that US government policy, “is and has been to weaken device security to better enable information collection. The government is in no position to advocate mechanisms for increasing the cybersecurity of IoT or other applications when it simultaneously tries to undermine the security of devices and their users.”
For now, specific regulations with legal force and penalties appear to be some time away. Not that there is no activity. The FTC recently announced the "IoT Home Inspector Challenge," a contest that, “challenges the public to create a technical solution (‘tool’) that consumers can use to guard against security vulnerabilities in software found on the Internet of Things (IoT) devices in their homes.” The winner will receive a $25,000 prize, with $3,000 prizes for runners-up.
There are also a number of government documents that address internet security – DHS just recently published "Strategic Principles for Securing the Internet of Things," but noted that they are, “non-binding principles and suggested best practices,” which means there is no force of law and no consequence for failing to follow them.
Sjouwerman called the document, “a good start, but no teeth.”
Baugher, noting that there are other government “best practices” recommendations, said the DHS paper suggests to him that, “there seems to be a competition between some federal agencies. The proposals at this point seem more political than technical.”
And Spiezle said while, “the threat of government regulation as well as enforcement is important, we need action today.”
That, he said, can come from the private sector. He said OTA has issued a public call to major retailers including Costco, Amazon, Best Buy and Target, “to stop selling products that fail to adhere to core foundation security and privacy principles.
“We are speaking to insurance companies to consider the same on product liability,” he said. “Retailers do not sell products that could hurt a child or made by child labor, why sell and profit from selling products with known vulnerabilities?”
The OTA, he said, published version 2.0 of what it calls, “The IoT Trust Framework”on Jan. 5, which he said is intended to provide, “a tool for developers to develop against, retailers to audit the products they are selling and businesses to use to evaluate the products they purchase.”
Fu said the good news, if there is any, is that serious attention to IoT security could yield significant benefits. “For IoT devices already deployed, take joy that the millions of insecure IoT devices are just a small fraction of what the IoT market will resemble in 2020,” he told the congressional committee.