(Re-published from Crossroads: Cybersecurity Law & Policy | Nov. 15, 2016) This post specifically discusses the testimony provided by Bruce Schneier, Fellow, Berkman-Klein Center at Harvard University and Special Advisor to IBM Security, in advance of “Understanding the Role of Connected Devices in Recent Cyber Attacks,” a Congressional Joint Hearing on the security of the Internet of Things (IoT) scheduled for Nov. 16, 2016.
In October, a widespread distributed denial-of-service (DDoS) attack impacted multiple websites, including the social and payment networks Pinterest, Reddit, PayPal, and Twitter. The attack leveraged a known exploit and the general lack of cybersecurity hygiene in the devices commonly referred to as IoT devices to take the DNS provider Dyn offline. As a result, dozens of websites became unreachable, because hosts were no longer able to resolve their domain names to IP addresses.
Schneier asserts that the DDoS attack essentially recruited thousands or perhaps millions of IoT devices to send traffic to Dyn which caused the service to slow down and eventually crash. According to Schneier, there are two approaches to effecting such an outcome:
- use a high-end, multi-node server with tremendous bandwidth to overwhelm the capabilities of the target (this is a very large effort); or
- use a scale vector that leverages multitudes of devices, each of which sends a smaller individual payload that, in the aggregate, overwhelms the capabilities of the target, causing it to crash and go offline.
The IoT DDoS, then, follows the latter model. Otherwise innocent systems are made to work together toward a common nefarious goal: the devices are controlled by active or passive software that directs their behavior to a shared purpose, and a collection of such controlled devices is referred to as a botnet.
Schneier highlights the fact that this attack, while an inconvenience, was altogether benign and caused no real harm in the physical realm. The target was taken offline and websites were therefore inaccessible; however, there were no direct physical impacts. Schneier states that the distinction is important because the lines between the virtual and physical worlds are increasingly blurred as we implement technology in areas such as medical devices, autonomous weapons systems, water and dam controls, etc. Therefore, an attack could instead have targeted devices that, while technological in nature, have a more visceral impact because they directly control physical systems.
The inherent lack of security in IoT devices is, per Schneier, essentially a fundamental market failure. He asserts that the market has placed a lesser emphasis on security and a higher premium on features and interoperability. Many of these devices lack a secure protocol or medium through which security updates can be verified and applied, even though the longevity of many of these devices is significantly greater than that of standard technology (e.g., a home thermostat has an extremely long expected life, whereas a computer or phone has a much shorter usage cycle).
This fact is important in many respects, not the least of which is that the exploit used for the IoT DDoS attack is now public and can be harnessed by script kiddies or less technically inclined malfeasors. In the absence of a clear path for security upgrades, all the IoT devices currently in the marketplace are suddenly vulnerable and highly exploitable. Schneier posits that this is further compounded by consumer indifference to the issue: consumers value price over security, and manufacturers have no incentive to bake in additional security protocols, since doing so would merely represent a cost and an impact to the bottom line that could not be offset by higher pricing, given that the current marketplace places a zero premium on security features.
Having addressed the issue, Schneier states that the most viable solution is to impose government regulation, similar to the model used for pollution controls (namely, government must take action to force implementation). Schneier’s assertion rests on the premise that, in the absence of consumer demand, there is no incentive for manufacturers to deliver more secure and updatable products, and thus the government must intervene. This control could be applied in one of two ways: either by imposing liability on manufacturers for harm caused by their devices (for instance, when used in attacks), or by enforcing a floor that represents minimum security standards.
Schneier then goes on to say that the government must also resist the urge to weaken the security of any computing device based upon a request from law enforcement (e.g., the FBI). He states further that weakening encryption, for instance, would make attacks easier and more damaging and would cause greater harm to society than any benefit that might be provided to the FBI. This assertion seems somewhat of an aside and is not strengthened by any particular evidence nor any argument beyond pure rhetoric …
Christopher Folk is a candidate (2017) for both a master’s in Forensic Science and Technology (Syracuse University) and a Juris Doctor degree (SU Law). Also a software engineer, Folk holds a legal externship with the Chertoff Group company Delta Risk, where he focuses on legal and policy analysis pertaining to US and international cyber law.