On Friday October 21, 2016, the people of the United States learned two scary lessons: 1. It’s relatively easy for rogue actors to turn consumer technologies against their owners and wield them as weapons; and 2. Doing so may shut off access to the websites we rely on to do business and conduct our social lives. We now know the distributed denial of service (DDOS) attack that blocked viewers from accessing Twitter, the New York Times, and dozens of other prominent websites succeeded by using a botnet virus to attack and then hijack nearly half a million “internet of things” devices, like surveillance cameras, and use them as a virtual army. Many experts immediately pointed the finger at weak security; the rush to get more “smart” devices to market skirted information security needs. The solution to this problem is thorny, and companies are bound to bristle at regulations requiring them to enhance their security. But at least one expert thinks that’s exactly what we need.
Writing in the Washington Post, information security expert Bruce Schneier argues “the only solution is to regulate.”
The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing companies like Dyn to sue them if their devices are used in DDoS attacks. The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure.
As Schneier argues, it might have been ok to allow for security to come as an afterthought (if it came to mind at all) when the product rushed to market was a spreadsheet. But now software runs our cars, pacemakers, and home security systems. The risks are too great, he says, to allow the free market to determine whether or not it’s worthwhile to spend the extra money—or ask customers to deal with the hassle—to better secure their products.
There will undoubtedly be powerful opposition to such regulation, if it’s proposed. Regulations on software and IoT companies may face dissent not only from the technology sector—which presumably doesn’t want the government telling it how to build products—but also the US intelligence agencies, which may perversely benefit from an insecure internet. Years ago the Chief Technology Officer for the CIA said, “we fundamentally try to collect everything and hang onto it forever.” When he was the Director of the CIA, David Petraeus said he looked forward to the day when his agency could spy on us through our dishwashers and other IoT devices. That will be much harder to do if those devices are secure.