It didn’t have to happen.

Last month’s massive distributed Denial-of-Service (DDoS) attack on Domain Name System (DNS) service provider Dyn, which used a botnet of thousands of Internet of Things (IoT) devices to disrupt dozens of major websites including Twitter, Spotify, PayPal, GitHub, CNN.com and the New York Times, could “easily” have been prevented.

That contention comes from the Online Trust Alliance (OTA), creator of what it calls the “IoT Trust Framework”, 31 principles designed to improve the security and privacy of connected devices and data, which it released this past March (see sidebar).

The declaration was not a direct response to the Dyn attack – it came more than a month earlier, on Sept. 8. The OTA announced that “every vulnerability or privacy issue reported for consumer connected home and wearable technology products since November 2015 could have been easily avoided.”

Not some. Not most. All of them.

Which would appear to run counter to the mantra of every security expert in the world: there is no such thing as 100 percent security.

Craig Spiezle, OTA executive director and former director of security and privacy at Microsoft, agreed that a blanket statement like that, on its face, could easily be interpreted as hyperbole. “There is no perfect security,” he said.
But he added that IoT devices could and should have vastly better security than they do, and that if they did, a DDoS attack like the one against Dyn would have been difficult to impossible.

“What we have observed is that the inherent design of the devices, and their supporting applications, have not embraced security fundamentals nor fully anticipated the need for a security development lifecycle discipline – what we call ‘sustainability,’” he said.

While the mainstream media and some government officials presented the attack as a shocking development, security experts agree that nobody should have been surprised.

Since the “birth” of the modern IoT, said to be around 2008 – the point at which there were more connected devices than people in the world – there have been constant warnings from security experts, in everything from blog posts to television interviews to conference keynotes, that those devices were insecure – catastrophically insecure.

Among the most common weaknesses: most devices expose administrative interfaces that are open to, and easily discovered from, the internet; they ship with default (and often hard-coded) passwords; and they have no mechanism for firmware patches or updates. That combination is exactly what Mirai exploits: it scans for reachable devices and logs in with a short list of factory-default credentials.

Experts have warned that an attack surface that broad and vulnerable would prove irresistible to criminal hackers.

Indeed, analysts have concluded that the attack was most likely carried out not by a hostile nation state or sophisticated cyber criminals looking to extort money from large websites, but by “script kiddies” who used the Mirai malware source code after finding it posted publicly on the website Hackforums.

And this latest attack confirms that a massive compromise of those devices is not just a threat to the individual owners, but to the entire structure of the Internet.
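As an added illustration (not part of the original article or of the OTA framework), the following Python script shows the check a network defender could run over flow logs for the two weaknesses just described: a LAN device accepting telnet logins from the internet, and that same device then fanning out to many external telnet targets, which is how a Mirai-infected device hunts for further victims (Mirai's scanner targets TCP ports 23 and 2323). The flow-log format, the addresses and the fan-out threshold are constructed assumptions for this example, not data from the Dyn incident.

```python
"""Spot Mirai-style IoT compromise in flow logs.

Two signals: (1) a LAN host accepted telnet connections from outside the
RFC 1918 ranges (an internet-exposed admin interface), and (2) that host
then opened telnet connections to many distinct external addresses (the
scanning a Mirai bot does to recruit new victims).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (hypothetical format): "timestamp src_ip dst_ip dst_port".
SAMPLE_FLOWS = "\n".join(
    [
        "1477000001 192.168.1.10 93.184.216.34 443",   # laptop browsing: benign
        "1477000002 203.0.113.5 192.168.1.50 23",      # inbound telnet from internet to DVR
        "1477000003 203.0.113.9 192.168.1.50 23",      # second inbound login attempt
        "1477000004 192.168.1.10 192.168.1.50 23",     # admin on the LAN: not exposure
    ]
    + [f"14770001{i:02d} 192.168.1.50 198.51.100.{i} 23" for i in range(1, 41)]   # DVR scanning out
    + [f"14770002{i:02d} 192.168.1.10 198.51.100.{i} 443" for i in range(1, 5)]   # laptop, a few HTTPS
)

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TELNET_PORTS = {23, 2323}       # ports Mirai's scanner probes
FAN_OUT_THRESHOLD = 20          # distinct external telnet targets before we call it scanning


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses (we deliberately avoid ipaddress.is_private,
    which also treats the TEST-NET documentation ranges as private)."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_flows(text: str):
    """Yield (src, dst, dport) tuples; silently skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, src, dst, port = parts
        try:
            yield src, dst, int(port)
        except ValueError:
            continue


def exposed_telnet_hosts(flows):
    """LAN hosts that accepted telnet connections from non-RFC1918 sources."""
    exposed = defaultdict(set)
    for src, dst, dport in flows:
        if dport in TELNET_PORTS and is_internal(dst) and not is_internal(src):
            exposed[dst].add(src)
    return {host: sorted(srcs) for host, srcs in exposed.items()}


def telnet_scanners(flows, threshold: int = FAN_OUT_THRESHOLD):
    """LAN hosts fanning out to at least `threshold` distinct external telnet targets."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in TELNET_PORTS and is_internal(src) and not is_internal(dst):
            targets[src].add(dst)
    return {host: len(dsts) for host, dsts in targets.items() if len(dsts) >= threshold}


def assess(text: str, threshold: int = FAN_OUT_THRESHOLD) -> dict:
    """Run both checks; a host that trips both is the highest-confidence bot candidate."""
    flows = list(parse_flows(text))
    exposed = exposed_telnet_hosts(flows)
    scanners = telnet_scanners(flows, threshold)
    likely_bots = sorted(set(exposed) & set(scanners))
    return {"exposed": exposed, "scanners": scanners, "likely_bots": likely_bots}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

On the constructed sample the DVR at 192.168.1.50 is flagged on both counts, while the laptop, which also talks to the same external range but over HTTPS and to only four hosts, is not. The threshold is the knob to tune: a legitimate network-management host may open many telnet sessions, but almost never to addresses outside the organisation.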
While laptops have been used to create botnets for years, IoT devices are much more attractive, since there are so many more of them, and many of them are on all the time.

Reportedly, webcams and DVRs were the main devices used in this attack. But other IoT devices range from toasters to alarm clocks, pressure sensors, valves, thermostats, light bulbs, refrigerators, door and window locks, vehicles, printers and medical devices, on up to the power grid. They’re all called “smart.” But they have not been built smart enough to protect themselves and their owners.

Current estimates are that there are somewhere between 13 billion and 18 billion IoT devices now in use.

Still, while security experts are not surprised, others apparently are. US Sen. Mark Warner (D-Va.), cofounder of the Senate Cybersecurity Caucus, sent a letter last week to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center (NCCIC), expressing alarm at the Dyn attack and calling for everything from government alerts to retailers and consumers about insecure IoT devices (which would include most of them) to keeping insecure devices off the internet by denying them IP addresses.

Warner’s staff said he was unavailable, and declined to comment on why such a letter wasn’t sent years ago.

There were also calls from several Silicon Valley-based cybersecurity venture capitalists for IoT devices to use standardized encryption and other security measures.

Bob Ackerman, founder and managing director of the cyber venture capital firm Allegis Capital, acknowledged that exhortations like these are late in coming.
But he said some of it is simply due to human nature – until something catastrophic happens, people are in denial.

After an attack like this, “people come to life in feigned indignation,” he said, acknowledging that since the attack was so predictable, “the outrage is misplaced.”

But he said an attack of that scale might have the benefit of finally awakening a push for better IoT security. “One of the fundamental challenges is that they (IoT devices) are designed to be functional, at price points that limit the capability to be updated in the field. And that is a minefield of massive proportions.”

It is not going to change quickly, however, even with something like the IoT Trust Framework available. Replacing or boosting security in even the majority of the billions now in use simply will not happen.

As Chester Wisniewski, principal research scientist at Sophos, put it, the framework would “rectify most common issues with IoT devices, were it to be followed.

“I also want a pony,” he said, “and neither is likely to happen anytime soon. It’s very difficult to make a $12 smart egg tray if you have to spend $500,000 on engineering to follow the checklist.”

Spiezle acknowledged that while some companies have embraced the OTA framework, “others have said the added cost of 11 cents is prohibitive, and others say encryption will impact their battery life. Unfortunately we have yet to see leadership from any of the companies or platforms to embrace these or other security fundamentals.”

Mike Lynch, chief strategy officer at inAuth, sees similar problems.
He noted first what other experts have been saying for years – that product designers and manufacturers are not necessarily security experts.

Second, “in the eyes of many organizations, building in security protocols is an unnecessary expense that eats into margins,” he said. “Both factors combine to create conditions where security is relegated to afterthought status.”

Finally, “many consumers of these IoT devices are not tech savvy, and asking them to patch firmware may be beyond their technical capabilities or desires,” he said.

Still, experts say there are constructive ways to start reducing IoT security risks.

Spiezle said the OTA believes the risks are great enough that vulnerable devices may have to be taken offline, somewhat like what the airlines have done with the Samsung Galaxy Note 7 phones, due to the risk of fire.

“Second, we are calling for all retailers – Target, Best Buy, Costco, Amazon and others – to review the devices they are selling and to pull products that are either not secure out of the box or not patchable over their lifecycle off their shelves.”

While he did not call for specific government regulation, he said government could help consumers by providing “an advisory for products that do not meet minimal standards.”

For the longer term, if the IoT is ever to improve from being a security minefield, Wisniewski believes it will take a major mindset shift.

“Today almost all of the responsibility is on the consumer, who more often than not is not aware of the risks and doesn’t know what to do to mitigate them,” he said. “The burden should be almost entirely on the manufacturer to make it as simple as possible.
The devices I’ve analyzed tend to lean towards terrible, and absolutely none of my devices would get a ‘responsible’ rating.

“Consumers have some responsibility, but shouldn’t have to become security specialists,” he said.

Spiezle said in the long run that attitude would save money for IoT developers. “The cost to address a bug in a device prior to shipping is less than $200,” he said. “To do it post release can cost $15,000. The economics are pretty clear, and unlike a site vulnerability, the liability exposure for a device that is compromised can risk putting a company out of business.”

For now, however, Lynch said public concern is well warranted. “These attacks are bringing awareness of just how dependent on the internet we are, and how the IoT will be a critical failure point if future cybersecurity attacks succeed,” he said.