Which Comes First – Death Or IoT Security Regulations?

By French Caldwell

In October 2016, Dyn, a company that hosts part of the domain name system whose servers monitor and direct traffic on the Internet, experienced a major distributed denial of service (DDoS) attack. The attack caused North American users of several websites and services, including Netflix, Twitter and Reddit, to experience sporadic outages. It began at about 7am ET and spread westward into the evening. This cyberattack was not the first to target core components of the Internet’s infrastructure, but it was the largest attack ever launched through the Internet of Things (IoT).

IoT is a broad collection of devices, both consumer and industrial, that are connected to the Internet. These devices can be the target of an attack, as with the SCADA systems that control components of the electrical grid, or, as in the attack on Dyn, they can themselves be used to launch attacks. As the consumer IoT expands rapidly to billions of devices such as smart TVs, baby monitors, automobiles, drones, medical devices and much more, they form a network that clever hackers (nation-state actors, criminals and creepy voyeurs) can access to launch DDoS attacks or to collect sensitive personal data on billions of consumers.

Tragedy of the IoT Commons

There’s a tragedy of the commons problem with consumer IoT. Since the owners of consumer devices are not affected when their devices are hijacked for a DDoS attack (the devices continue to operate as normal), they feel no urgency to demand better IoT security from manufacturers. The harm falls on the attackers’ victims, not on the owners of the devices.

The attack on Dyn foreshadowed the worse kinds of attack that could come. Instead of this type of nuisance attack, imagine an attack launched on vulnerable medical devices. An attacker could potentially shut down MRIs, x-ray machines and other medical equipment connected to the Internet, because many medical facilities fail to change factory default login names and passwords. As driverless vehicle technology becomes ubiquitous and Internet-connected over the next several years, imagine massive IoT-based attacks that shut down navigation or braking systems.

Are such attacks likely to occur on a massive scale? If consumers remain ambivalent and manufacturers are slow to improve IoT security, they could. The question is whether the industry can implement effective IoT security standards on its own, or whether the government will force them through new IoT security regulations.

Privacy as a Driver for Better IoT Security

Consumers’ privacy concerns could force manufacturers to take basic steps toward improving IoT cybersecurity. For example, the search engine Shodan makes it easy for hackers to locate poorly secured devices on the Internet. Additionally, there have been several news stories about children whose Internet-connected toys and baby monitors were hacked, some of whom even heard the hackers speaking to them over the devices.

Privacy concerns, while valid, have not caused consumers to change their behavior en masse, and privacy regulators have not yet taken significant action to expand their oversight to IoT. However, the reputational damage from major breaches, together with enforcement of data breach and privacy regulations, will over time drive product manufacturers to review and improve privacy controls.

In the meantime, many people are unlikely to take the time to read product manuals to find out how to change their login credentials. Unfortunately, those same manuals are easily found on the Internet and often contain the default login passwords, usually something as simple as admin or password. Even if manufacturers begin to ship products with unique passwords, an easy step to take, there will be other exploits for hackers who want to build an online army of bots, or botnet: a network of devices used to launch DDoS attacks without the owners’ knowledge.

Over time, the software in IoT devices will also become more complex, presenting more opportunities for exploitation. For example, a household robot will have a more complex operating system than a child’s toy and will therefore be more susceptible to compromise.

Security by Design

Recently, “security by design” has been promoted as the key to effective IoT security. To date, market forces have been too weak to make manufacturers focus effectively on IoT security, and products with ineffective security continue to reach the market. However, there are signs that both industry and government are starting to take IoT security more seriously. For instance, the automobile industry is publishing and promoting cybersecurity best practices and technical standards, and the U.S. Department of Transportation recently released guidelines for vehicle cybersecurity. The U.S. National Institute of Standards and Technology recently released a publication providing guidance for “security by design,” NIST Special Publication 800-160: Systems Security Engineering.

Considering the vast numbers of things that will be connected to the Internet, there will be hundreds of variations in how the NIST, DoT and other government and industry guidelines are adapted into industry product standards. Security by design for a doll will not be the same as for an infusion pump, nor the same as for a driverless vehicle. There are already hundreds of product standards, and each of them will need to be revised to incorporate security by design.

Death and Regulation

Revamping standards is a mammoth undertaking for the engineers, IT security professionals and other experts who volunteer their time on standards committees. Demand for the convenience and quality-of-life enhancements that the IoT promises is high. While consumers seem to tolerate privacy failures, that tolerance is unlikely to extend to injury or loss of life. In the past, when an industry has been slow to act and accidents and injuries have raised public attention, government regulation has invariably followed. Historical examples include the federal railroad safety regulations introduced in the 1800s after the railroad barons failed to make the changes needed to prevent accidents, and the food and drug regulations that began to emerge in the early 20th century after consumers became ill and even died.

So far the government has taken a light touch, avoiding regulations that would impede IoT innovation. Assuming the industry makes real progress on creating and implementing IoT security standards, the likelihood of specific IoT security regulations is low. There will be exceptions in areas with a clearly higher potential for injury or loss of life, such as medical devices, driverless vehicles and remotely piloted or autonomous drones, but even in these cases industry standards are likely to be the primary guidance, with current government regulations updated as necessary to account for new IoT security concerns.

French Caldwell is Chief Evangelist at MetricStream and has been decisively shaping the governance, risk and compliance market for the last 15 years. French is a former Fellow and Vice President of Gartner where he led their GRC research, including the influential Gartner Magic Quadrant on GRC, as well as research into public policy and disruptive technology. Additionally, French is a retired naval officer and a nuclear submariner.