The Communications and Technology Subcommittee, chaired by Rep. Greg Walden (R-OR), and the Commerce, Manufacturing, and Trade Subcommittee, chaired by Rep. Michael C. Burgess, M.D. (R-TX), on Wednesday held a hearing examining the recent series of distributed denial of service (DDoS) attacks launched from compromised Internet of Things (IoT) connected devices.
In October, hackers exploited insecure IoT devices to launch a DDoS attack against global Internet routing company Dyn that resulted in thousands of consumers being unable to connect with Netflix, Twitter, CNN, and other well-known websites.
“How do we create a national framework where the stakeholders are really driving this in real time…and where we don’t lock certain requirements into statute?” Chairman Walden asked the witnesses.
In his testimony, Dale Drew, Senior Vice President and Chief Security Officer at Level 3 Communications, pointed out some of the security failures of IoT devices:
“Some devices utilize default and easily-identifiable passwords that hackers can exploit. Others utilize hard-coded credentials that users are not able to change. Many devices also lack the capability of updating their firmware, forcing consumers to monitor for and install updates themselves. The global nature of the IoT device marketplace means many products are manufactured in and shipped to foreign countries that have yet to embrace sound cybersecurity practices. IoT devices also are particularly attractive targets because users often have little way to know when they have been compromised.”
According to Drew, “The primary motivation for these attacks appears to be financial. Hackers utilize DDoS to overwhelm a business, threatening to take their business offline unless they pay a ransom to the attacker.”
He urged a more proactive form of defense, saying “…we have decided to be proactive about protecting our backbone, our customers, and the global internet as a whole.”
In his testimony, the witness serving as Adjunct Lecturer, Kennedy School of Government, Harvard University, and Fellow, Berkman Klein Center, Harvard University, pointed out what he called a “market failure.”
“…neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don’t care. They wanted a webcam — or thermostat, or refrigerator — with nice features at a good price. Even after they were recruited into this botnet, they still work fine — you can’t even tell they were used in the attack. The sellers of those devices don’t care: They’ve already moved on to selling newer and better models. There is no market solution because the insecurity primarily affects other people. It’s a form of invisible pollution.”
Chairman Burgess noted the importance of leadership from industry, stating, “The balance between functionality and security is not going to be resolved in the near term. The culture surrounding personal cybersecurity must change to ensure the Internet of Things is not vulnerable to a single device. Government is never going to have the manpower or resources to address all of these challenges as they come up – which is why we need industry to take the lead.”
“How do we make ourselves more secure without sacrificing the benefits of innovation and technological advances? The knee-jerk reaction might be to regulate the IoT, and while I am not taking that off the table, the question is whether we need a more holistic approach,” concluded Chairman Walden.
“Any sustainable and effective solution will require input from all members of the ecosystem for the so-called ‘Internet of Things.’ We’ll need a concerted effort to not only improve device security, but also coordinate network security and improve the relationships between industry, government, and security researchers. We’re all in this together and will need to take responsibility for securing the Internet of Things,” he added.