Recent Cyberattacks Using Compromised IoT Devices Prompt Congressional Hearing


On November 16, 2016, the Congressional Committee on Energy and Commerce conducted a hearing entitled “Understanding the Role of Connected Devices in Recent Cyber Attacks.” The hearing was held in response to the recent series of distributed denial of service (DDoS) attacks targeted at Dyn, which were designed to render Dyn’s external domain name services unavailable and which constituted the largest DDoS attack to date. The attacks were orchestrated by a botnet that coordinated hundreds of thousands of malware-infected, Internet-connected devices across the globe. The hackers were able to compromise the devices mainly because the devices’ default passwords had never been changed by their users.

The hearing included a three-witness panel consisting of Dale Drew, Senior VP and CSO of Level 3 Communications; Dr. Kevin Fu, CEO of Virta Labs and Associate Professor in the Department of Electrical Engineering and Computer Science at the University of Michigan; and Bruce Schneier, an Adjunct Lecturer at the Kennedy School of Government and Fellow of the Berkman Klein Center at Harvard University. During opening remarks, each of the witnesses provided insight into how to address security concerns regarding Internet-connected devices. All agreed that it was unrealistic to expect the market to fix security-related issues and that regulation was the only viable route to achieving consumer confidence and manufacturer buy-in. The panel noted that manufacturers of cheaper Internet-connected devices are not incentivized to incorporate security mechanisms. Further, the panel noted that consumers typically do not expect such security mechanisms at the lower price points at which they purchase the devices, and they are generally not directly impacted when such devices are compromised.

Each of the witnesses additionally provided testimony during a question-and-answer portion of the hearing. Various issues were raised and addressed during the hearing; the highlights include:

- How do we establish a framework in the United States with a global impact without stifling innovation?

  • By defining standards for pre-market security requirements (i.e., taking security out of the hands of the consumer, who will always be a weak link) that are technology-invariant and set a desired result without legislating the process for achieving it.
  • In collaboration with other countries, the European Union, etc.
  • By implementing national infrastructure legislation.

- What would a framework look like in a national infrastructure bill?

  • Different applications may or may not require similar regulations; the panel was divided two to one on this point.
  • Focus on the pre-market incentives to implement security measures.

- The Federal Trade Commission released suggested best practices for device manufacturers to follow, but manufacturers do not appear to be following them. Why?

  • There is no incentive to follow them and no punitive consequence for not following them.
  • Implementing security measures is costly, and manufacturers do not know from one level of the supply chain to the next (e.g., a hardware company relying on software from a vendor) what security measures exist, or are lacking.

Collectively, the panel noted that security measures should be taken out of consumers’ hands and that manufacturers should be incentivized to implement pre-market security solutions at every level of their development stack (e.g., software, hardware). Additionally, the panel noted the importance of relying on alternative authentication methods, pointing out the weaknesses of passwords, as well as the need for automatic patching of firmware to address security concerns after a device enters the market. In summary, while the panel acknowledged that Internet-connected devices will never be completely secure, it emphasized the need for regulations to be implemented sooner rather than later. Such regulations must not stifle innovation, but rather target a desired result and incentivize the incorporation of pre-market security measures.

For more information on cybersecurity of connected devices, contact any member of our Internet of Things practice group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.