In-brief: is regulation the right approach to securing The Internet of Things or can industry clean up its own act? IEEE Spectrum takes a look.
The folks over at IEEE Spectrum have a nice piece looking at the case for regulating The Internet of Things in the wake of the recent denial of service attacks against managed DNS provider Dyn, Krebs on Security and others.
The specter of a massive, global population of insecure and connected devices bodes ill for the health of the Internet, the article argues. And, given that The Internet is, perhaps, the single most important piece of critical infrastructure to economies across the world, that threat must be taken seriously.
Quoting Bruce Schneier of the firm Resilient and (recently) Harvard University, IEEE argues that market forces aren’t likely to bring about a resolution for insecure, connected devices. Attacks like the one on Dyn, Schneier argued in this op-ed to the Washington Post, are akin to “air pollution” — an “externality that manufacturers aren’t motivated to fix.”
Others in the article echo that sentiment, noting that manufacturers are bound to focus on what is in their “narrow commercial interest” rather than benefitting the public good.
But regulate what? And via what mechanism? There is no agency with direct responsibility for The Internet of Things, and interest in it currently spans a handful of agencies in the U.S. Federal Government, among them: The Federal Trade Commission, the National Highway Traffic Safety Administration, the Department of Homeland Security, The Food and Drug Administration and the Department of Commerce.
“Regulating these devices together means devising a rule that would be broad enough to cross many sectors and cover all of these products,” IEEE notes. “So far, there has been no clear proposal or agreement among supporters on a potential regulatory framework for IoT security.”
There are challenges: regulations and regulators move slowly, while the pace of technology change and adoption is breakneck. And history has shown that even tightly regulated markets, like medical devices, can overlook new threats (like cyber attacks) that don’t fit into pre-established paradigms.
Recently, calls from lawmakers to regulate the Internet of Things have increased.
In a letter dated November 3, Representatives Frank Pallone (D-NJ) and Jan Schakowsky (D-IL) of the House Committee on Energy and Commerce asked FTC Chairwoman Edith Ramirez to urge device manufacturers to “implement security measures” and “alert consumers to the security risks posed by continuing to use default passwords on (Internet of Things) devices.”
The letter was inspired by recent, large-scale denial of service attacks linked to a malicious computer network (“botnet”) called Mirai. As reported by The Security Ledger, Mirai relied on a global network of compromised devices such as closed circuit television cameras (CCTVs) and digital video recorders to launch attacks on web sites. An attack on the managed Domain Name System (DNS) provider Dyn made it difficult to reach sites including Twitter and Spotify during an October attack.
The FTC under Ramirez has been among the most aggressive federal agencies in addressing the security and privacy challenges of the IoT. In addition to sponsoring conferences to discuss the impact of connected devices, the agency has moved to enforce laws governing the collection and sharing of geolocation information. It has also issued fines to companies that failed to properly secure their technology, resulting in harm to consumers.