One thing technologists overtly shun is the prospect of government regulation. But recent DDoS attacks carried out by botnets of connected things have spooked some people of influence in security to the point where intervention by lawmakers may be inevitable.
Testifying before subcommittees of the House Committee on Energy and Commerce on Wednesday, Bruce Schneier said that economic pressure from the market cannot properly and entirely address the risks posed by vulnerable Internet of Things devices. Further, he conceded that we may have reached a point where innovation may have to suffer in favor of securing the manufacture and distribution of connected devices.
“I don’t like it,” Schneier said. “But in a world of dangerous things, you may have to constrain [innovation]. You can’t just build a plane and fly it. It might be that the Internet era of fun and games is over because the Internet is dangerous. [Regulation] will constrain innovation, but this is what we do when innovation can cause catastrophic risks.”
Schneier, along with the University of Michigan’s Dr. Kevin Fu and Level 3 Communications CSO Dale Drew told the House committee members that IoT insecurity must be also addressed at an engineering level where security must be built in, not bolted on.
The witnesses also used the DDoS attacks against Dyn as an eye-opener to the simplicity and scale with which such attacks can be carried out. Fu promoted the idea of following the lead of organizations such as NIST which encode principles into standards, rather than being prescriptive about how things should be secured. Drew advocated for incentives for manufacturers to get it right from the outset and avoid the mess created by the connected cameras and DVRs set into the wild protected by weak or default passwords. It was these devices that were co-opted by the Mirai botnet and used to attack Dyn, French webhost OVH and security journalist Brian Krebs’ website.
Schneier, meanwhile, posed the prospect of the creation of a new government agency to enforce such regulation. He also encouraged lawmakers and decision makers to alter their perception of connected devices and consider them computers with wheels in the case of automobiles, or computers that keep things cold, in the case of smart refrigerators.
“I think we need a new agency,” Schneier said when asked how he’d construct regulations if given a blank slate. “The problem is we can’t have different rules if a computer has wheels, propellers, or works in the human body. It won’t work. We have to figure out rules that are centralized.”
When challenged that the creation of new agencies may be a non-starter in the government, Schneier pointed to the creation of the Department of Homeland Security 44 days after the September 11 terrorist attacks. He urged lawmakers not to wait for a catastrophe to act, that relatively benign attacks like the one on Dyn should be a call to action now.
“The choice should be between smart government involvement and stupid government involvement,” Schneier said. “When something happens and the public says something must be done, ‘What do you mean a thousand people just died?’ We have to have something more than, ‘Let’s just figure this out fast.’ I’m not a regulatory fan, but this is a world of dangerous things.”
The barrier to securing IoT devices in particular is largely economic. Most of these devices are made offshore, with little oversight, and at a low-cost. Those are the pressures governing the conversation today, rather than security.
“We need regulation because this is not something the market can fix,” Schneier said, adding that he believes U.S.-led regulations will affect products worldwide in a positive manner if security is a priority. “For the first time, the Internet affects the world in a direct, physical manner. It’s been okay at Facebook and Twitter to give programmers a special right to code things the way they saw fit. Now that we’re in a world of dangerous things, maybe we can’t do that anymore. I don’t like this. I like a world where the Internet gets to do what it wants, but I’m not sure we can do that anymore.”