When IoT DDOS’s Itself and What Congress Can Do About It
October 27, 2016
News on October 21st that Internet of Things-connected devices such as surveillance cameras and DVR’s were commandeered to wage denial of service attacks on a company provisioning the Internet domain name system spread as quickly as a Trump tweet.
It could not have been unexpected.
The IoT phenomenon has presented great promise for the 21st century. We’re told to anticipate life-changing and productivity-enhancing developments such as gains in health care through remote monitoring; manufacturing and supply chain efficiency; electric grid load balancing; traffic management; and agricultural water and soil management.
But discussions about how to secure these systems have been more theoretical than specific, leaving a confidence gap – and a security hole - in the promise.
By now we are conditioned to news of hijacked botnets of computers and servers clogging traffic to brand-name websites – even those having the highest-bandwidth. But last Friday’s attack signaled a new method of malice: harnessing tens of millions of limited-function/no-security devices for the same purpose.
What next? We could conjure an IoT botnet attacking other unsecured IoT systems across the ecosystem, as if part of some cannibalistic dystopia imagined in an episode of the Netflix show “Black Mirror.” But this isn’t science fiction.
So what are our policy options beyond allowing the marketplace and technological innovation to sort it out?
The European Union – always innovative with regulatory ideas – is proposing a labelling system for internet-connected devices that are certified secure. The EU is hoping to maintain consumer confidence and trust in IoT by creating rules that force companies to meet tough security standards and submit to multi-pronged certification processes to guarantee privacy.
Meanwhile, the National Telecommunications and Information Administration (NTIA) is taking a more methodical approach with its voluntary “multi-stakeholder process” for convening industry, government and other interest groups to sort out a multiplex of issues. The Federal Trade Commission, in contrast, has for years tested its ambiguous authority to flex cyber regulatory muscle, as my Wiley Rein colleague Kirk Nahra explains in his trenchant blog. But the EU’s opening salvo should encourage preemptive coordination of regulatory oversight both within the United States and internationally, before the IoT ecosystem is balkanized by byzantine regulation across international borders and platforms.
What needs definition are not just security technology and interoperability considerations that are better left to technical standards organizations and market-based partnerships, but a myriad of legal and policy concerns. Just a few issues that U.S. and international stakeholders need to coordinate include:
· Privacy and data handling requirements
· Spectrum allocation needs and adjudication
· State and local regulation versus federal preemption
· Incident response protocols and consumer notification of system and data breaches
· Product warranty versus software liability
· Over-the-air versus manufacturer patching and software updates
· Product lifecycle and owner transition issues
· Supply chain security
· Product labeling like an “Underwriter Laboratories” seal
Expanding on the NTIA model, the Senate Commerce Committee took a good first step in September when it reported S. 2607 - the Developing Innovation And Growing The Internet Of Things (DIGIT) Act. The bill’s sponsors - Sens. Deb Fischer (R-NE), Kelly Ayotte (R-NH), Cory Booker (D-NJ) and Brian Schatz (HI) - would create an interagency process with stakeholder input that is designed to get us closer to developing confidence in the security of the IoT marketplace.
This bill requires the Department of Commerce to convene a working group of federal agencies – not just NTIA - to provide recommendations to Congress about many of the issues bulleted above. The simple objective is to plan for and encourage the proliferation of the IoT in the United States. The working group must consult with nongovernmental stakeholders, including industry experts, technology manufacturers, businesses, and consumer groups.
The bill includes an ambitious one-year timetable for the working group to report its recommendations. The process might be better served with a longer time horizon, particularly given the complex overlay of international policy differences.
Friday’s IoT-enabled botnet gave us the proverbial wake-up call. It calls on us to attack the relevant policy questions as aggressively as newly-matrixed internet systems can turn against themselves. An essential aim of the DIGIT Act is to force multiple federal agencies with differing policy equities to forge a uniform framework for IoT policy and regulation. This framework would encourage innovation, ensure security, privacy and interoperability, and avoid duplicative or conflicting regulations that at best would confuse the marketplace and at worst create the unintended consequences that regulation should be designed to prevent.
Congress would do well during the lame duck session after the elections to pick up this bill and move it forward, so we can get moving on a truly “multi-stakeholder” process. This would cultivate an Internet of Things and prevent an “Internet of Threats.”