The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices.
In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren’t manufactured in the United States, so regulation would have no effect on their security.
“While I’m not taking a certain level of regulation off the board, the United States can’t regulate the world,” said Rep. Greg Walden (R-Ore.), chairman of the Subcommittee on Communications and Technology.
Security experts have been lamenting the horrific state of IoT device security for many years, and recent events have only served to reinforce those feelings. Many embedded devices are designed to be cheap and functional, with little to no thought given to security. And few have a mechanism to receive updates, so when security issues are discovered, consumers have no real way to correct them. Kevin Fu, an associate professor at the University of Michigan, and CEO of Virta Labs, said the root cause of the problem is that there’s no consequences for vendors who sell insecure devices.
“It will get much worse if these security problems remain unchecked.”
“There’s almost no cost for manufacturers deploying products with no security to consumers. Is there a tangible cost to any company that puts an insecure IoT device in the market? I don’t think so,” said Fu, one of the witnesses at Wednesday’s hearing.
“It will get much worse if these security problems remain unchecked. IoT insecurity puts human safety at risk.”
Another piece of the puzzle is the fact that there’s no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle.
“I actually think we need a new agency. We can’t have different rules if a computer makes calls, or a computer has wheels, or is in your body,” said cryptographer Bruce Schneier, another witness during the hearing. “The government is getting involved here regardless, because the stakes are too high. The choice isn’t between government involvement and no government involvement. It’s between good government involvement and stupid government involvement. I’m not a regulatory fan but this is a world of dangerous things.”
Both Fu and Schneier said there need to be some standards for the secure development of IoT devices, but it needs to be done carefully.
“Standards will raise the tide, but we have to do them right because if we do them wrong it will stifle innovation,” Schneier said.
“It will be very difficult to build in security if we don’t have principles in place, many of which have been known for 30 years in cybersecurity,” Fu said.
Some lawmakers suggested an approach that would involve an independent testing organization.
“I think we need a Good Housekeeping seal of approval. But NIST needs to set the standards, not the Congress. Because if we miss the mark, we will miss it by a wide mile,” said Rep. Anna Eshoo (D-Calif.).