The U.S. government needs to pass regulations mandating internet of things security measures before device vulnerabilities start killing people, a security expert told lawmakers.
A massive distributed denial-of-service attack aided by IoT devices in October "was benign" because a couple of websites crashed, said Bruce Schneier, a veteran cybersecurity researcher and lecturer at Harvard University. But the next attack may be more dangerous.
With cars, airplanes, thermostats, and appliances now connected to the internet, "there's real risk to life and property, real catastrophic risk," Schneier told two House of Representatives subcommittees Wednesday.
While some Republican committee members questioned the need for IoT security regulations, Schneier suggested that sellers and customers of IoT devices have little reason to fix them without a push.
Many IoT devices are low-profit products with little security built in, no easy avenue to patch vulnerabilities, and no way for customers to know their devices are compromised, he and other experts said. And while users replace smartphones every 18 months, a compromised DVR may be used for five years, a car for 10, and a thermostat may be replaced "approximately never," Schneier said.
This leads to a market failure where regulation is needed, he said. "The market really can't fix this," Schneier added. "Buyer and seller don't care."
Schneier's call for IoT regulations is likely to meet resistance in the Republican-controlled Congress, however. Regulations aren't completely off the table, but they would be a "knee-jerk reaction" to recent attacks, said Representative Greg Walden, an Oregon Republican. "The United States cannot regulate the world."
Many IoT devices are manufactured overseas, Walden noted, and U.S. regulations can't mandate their security measures.
In addition, regulations could limit innovation from U.S. IoT companies and hurt the nation's chances to be a world leader in the IoT industry, Walden said. "We don't want this to be an innovation killer," he added. "I don't think I want my refrigerator talking to some food police."
Other witnesses during Wednesday's hearing called on the U.S. government to push for IoT standards that the industry can adopt. On Tuesday, the U.S. National Institute of Standards and Technology released updated guidance on securing IoT.
IoT security remains "woefully inadequate" even as security experts saw the problems coming, said Kevin Fu, CEO of Virta Labs and a computer science professor at the University of Michigan. "We are in this sorry and deteriorating state because there's almost no cost for a manufacturer to deploy products with poor cybersecurity."
Fu called for national IoT security standards, more federal research on IoT security, and a national testing lab for devices.
The U.S. should start with standards and "apply pressure" to IoT device makers, added Dale Drew, CSO for Level 3 Communications. "They can be applied globally, and I think we can get some traction and momentum before we start regulating."