Internet of Things Cybersecurity Flaws Demand Holistic Cure

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Nov. 16 — Only a holistic, bipartisan cure will fix the cybersecurity vulnerabilities pervading the internet of things (IoT) that enabled a massive disruption of access to websites, House lawmakers said at a Nov. 16 hearing.

Companies that manufacture IoT devices should be aware that Congress is looking to regulators, including the Federal Trade Commission, to focus on the security of their products. IoT cybersecurity should be dealt with through proper regulation and enforcement, members of the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing and Trade said.

Rep. Greg Walden (R-Ore.), chairman of the Subcommittee on Communications and Technology, said that “industry, government and cybersecurity researchers” need to adopt a holistic approach. IoT cybersecurity is a “bipartisan issue” and “we are all in this together,” he said.

A distributed denial-of-service (DDoS) attack in mid-October shut down numerous websites, including those of Netflix Inc. and Twitter Inc. The hearing, convened jointly by two House Energy and Commerce subcommittees, was the first to cover the attack. Vulnerabilities in consumer IoT devices, such as digital cameras and webcams, were exploited by hackers to form a network of compromised devices (a botnet) that bombarded the websites with so much traffic that they slowed or even shut down.

IoT cybersecurity threats may also come from nation-state attackers, including from China, that seek to disrupt the U.S. economy or to destroy critical infrastructure, Rep. Anna G. Eshoo (D-Calif.), ranking member of the Communications and Technology Subcommittee, said. When manufacturers don’t update their products to meet new cybersecurity threats, nation-states around the world will see the vulnerability, she said.

Federal Oversight Needed?

IoT cybersecurity may be driven through proper regulation and enforcement, members of the House subcommittees said.

Rep. Jan Schakowsky (D-Ill.), the ranking member of the Commerce, Manufacturing and Trade Subcommittee, said that the FTC needs to play a central role in consumer protection and data security enforcement.

Bruce Schneier, adjunct lecturer at the Kennedy School of Government at Harvard University, agreed, telling the panel that the U.S. needs a strong regulatory system, not just for domestic policy, but for its international impact as well. A robust “U.S. regulatory system will affect products around the world,” he said. Because many of today’s products are developed in the U.S., international lawmakers, companies and consumers will follow the call from U.S. device manufacturers to create and use more secure products.

However, Republican lawmakers don’t see a need for more robust data security enforcement regulations. Rep. Michael C. Burgess (R-Texas), chairman of the House Commerce, Manufacturing and Trade Subcommittee, said that “a new federal agency” shouldn’t be created. What the U.S. needs is a more robust set of best practices or guidelines for the IoT industry to follow, he said. If a new data security or cybersecurity agency is created, “you may have to get rid of another” more important one, he said.

The best approach to IoT cybersecurity regulation or legislation may be a mix of private and public sector input. For example, Congress shouldn’t pass a law that is “too prescriptive” because “it would shoehorn too many of the different IoT products,” Rep. Brett Guthrie (R-Ky.) of the Communications and Technology Subcommittee said. Congress needs to work with industry stakeholders to “find the right solution” to the growing IoT cybersecurity problem, he said.

High Stakes Cybersecurity

The DDoS attack that shut down popular websites across the U.S. didn’t cause any real or physical damage. Any losses fell on consumer-facing companies, which may have lost revenue while their sites were unreachable.

Although the DDoS attack that took down popular internet websites was a nuisance, the larger implications of such an attack are horrifying, Schneier said. For example, shutting down a website is a nuisance to consumers but turning off a car’s engine through an IoT cyberattack may have destructive consequences, he said.

Tech companies may have to deal with some constraints on innovation to help better protect IoT devices. “In the world of dangerous things you need to regulate them,” Schneier said. Limiting innovation isn’t the best thing to do “but companies should do it because of” potential catastrophic risks.

“The internet era of fun and games is over,” he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Further information on the hearing is available at http://src.bna.com/j79.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.