Congress Steps into the IoT Security Fray

Congress stepped into the fray surrounding Internet of Things (IoT) device security (or the lack thereof) recently when it held a hearing on how to combat distributed denial-of-service (DoS) attacks, which exploit connected devices as a means of thwarting web activity. The most glaring example of such an attack came on October 21. An IoT botnet called Mirai was directed at web services provider Dyn, which then spread from there to paralyze numerous well-known Internet sites like Amazon, Netflix, and Reddit.

Members of the House Energy and Commerce Committee heard testimony from experts like Bruce Schneier, a renowned cybersecurity expert, who said during the hearing he thinks a new federal agency may be necessary to regulate IoT, despite what may be the incoming administration’s reluctance toward more government oversight. “I don’t see the choice as being between government involvement and no government involvement, but between smart government involvement and stupid government involvement. I would rather think about it now,” Schneier said.

Slow Down, Offer Support

Another participant in the process, Craig Spiezle, executive director and president of the Online Trust Alliance (OTA), attended the hearing and submitted a written statement to the committee. Spiezle sees two main issues that need resolving. First, IoT manufacturers should embrace basic cybersecurity principles when designing new products and avoid the tendency to move too quickly to launch products out of expediency while sacrificing security. Second, IoT vendors need to provide adequate ongoing support for their products throughout their lifecycles and not security updates out of the equation. His organization is also recommending that retailers pull IoT products off shelves if those products do not meet certain minimum security standards.

Nothing was resolved during the hearing, though new legislation or rules are likely to be promulgated at some point, given the potential harm from these kind of attacks. Meantime, there are other governmental and industry efforts to thwart attacks that exploit IoT technologies. For instance, the National Institute of Standards and Technology (NIST) has created a framework that outlines IoT security standards. Also, the Z-Wave Alliance recently announced new security requirements for all of its certified IoT devices. Lastly, computer scientists are working on a style of software programming called formal verification that is ostensibly hack-proof and could one day be used as a method for enhancing the security of IoT devices and systems.

There are real efforts underway to fight back against IoT attacks. Nonetheless, the vulnerabilities of a connected society are not going away soon, and efforts to stay ahead of nefarious actors has to be ongoing. What seems clear is that business as usual in this regard is no longer acceptable, as Spiezle and others argue, and fundamental changes are required in how IoT products are developed, sold, and supported. I could not agree more.