Lawmakers have been warned that cyber attacks are going to get physical and if they want to have a decent answer when things do go wrong, they’ll need to make laws that force manufacturers to build secure products.
The October attacks on managed domain name service provider Dyn, which broke access to sites like Amazon, Twitter and Spotify, caught even security experts by surprise. The attacks relied on code, known as Mirai, that corralled over 100,000 webcams and DVRs to launch some of the largest distributed denial of service (DDoS) attacks on record.
While the attacks were not physically dangerous, in a world where connected devices are used to regulate bodies, transport, and buildings, they could be. They're also preventable. In an ideal world, the Dyn disruptions would not have occurred because webcam and other device makers had secured products before selling them to customers across the globe.
They didn't because consumers don't demand it, according to security expert Bruce Schneier.
“The market really can’t fix this. The buyer and seller really don’t care. The buyer and seller want a device that works. This is an economic externality. They don’t know about it and it’s not part of the decision. Government has to get involved. This is a market failure and the government needs to get involved. This is not something the market can fix,” said Schneier.
Schneier told lawmakers at a House Committee on Energy and Commerce hearing on Wednesday that the “risks were too great and the stakes are too high” to wait for an attack with a human cost comparable to September 11, and appealed not just for new government regulations but also for a dedicated US agency to deal with the problem.
“The choice is not between government involvement and no government involvement. It’s been smart government involvement and stupid government involvement,” said Schneier.
He was referring to the US Department of Homeland Security, which was created a month and a half after the September 11 attacks.
“I’d rather think about it now, even if you say you don’t want this, because when something happens and the public says, ‘Something must be done. What do you mean a thousand people just died?’, we have something more than ‘I dunno let’s figure it out fast’”.
Schneier also laid out four truths of information security and the Internet of Things for lawmakers to chew over.
- Attack is easier than defense: complexity is the worst enemy of security and that’s especially true of the internet. “The internet is the most complex machine that man has ever built by a lot and it’s hard to secure. Attackers have the advantage,” said Schneier.
- Connections between systems are weak: This includes vulnerabilities in DVRs and webcams that allowed hackers to take down websites. Another example was the Target breach, which exploited an HVAC system managed by a contractor. “Vulnerabilities like this are hard to fix because no one system might be at fault. There might be two secure things that come together and create vulnerability,” said Schneier.
- The internet empowers everyone, including attackers: Of the IoT device attack that took down Dyn, Schneier said: “That code, which someone smart wrote, was made public and anyone can rent it to attack somebody else. I don’t recommend it, but it can be done.” He added that the Dyn attack was “benign”, whereas a real IoT attack affects the physical world in a direct manner, through things such as cars and airplanes.
- The economics don’t trickle down: Computers and phones are secure because Google, Microsoft, and Apple spend countless hours ensuring they’re patched. IoT devices are entirely different: they can be cheap, low-margin, and incapable of being patched. They’re also replaced only every 10 years or so, giving software bugs a much longer lifespan.
And while US legislators can only create laws for IoT goods sold in the US, he contended the size of the US market could allow it to become a de facto standard for the rest of the world.
“A US-only regulatory system will affect products in the world because this is software. Companies will make one software and sell it everywhere,” he said, pointing to California auto laws impacting other states in the US.
But if governments really want to take on more responsibility for technology, they'll need to navigate uncharted territory.
Schneier, who said he was not a fan of government regulation, argued the FBI should be prevented from undermining the security of smartphones but also suggested greater regulation over coding in general since IoT technology poses a threat to the physical world.
“When it was Facebook, Twitter, email, it was OK to give programmers the special right to code the world as they saw fit. But now that it’s the world of dangerous things — cars, planes, medical devices — maybe we can't do this anymore,” he said.