Experts to Congress: IoT regulation may be inevitable
- By Matt Leonard
- Nov 17, 2016
In Nov. 16 testimony before a joint subcommittee meeting of the House of Representatives, cybersecurity experts debated whether the internet of things should be regulated by government.
Cybersecurity expert Bruce Schneier (above) testifying before Congress on the government’s role in regulating the internet of things.
The hearing -- a joint effort of the House Energy and Commerce Committee's Subcommittee on Communications and Technology and Subcommittee on Commerce, Manufacturing, and Trade -- was scheduled to discuss security challenges facing the IoT infrastructure after a distributed denial of service attack on Dyn’s web service infrastructure pushed websites like Amazon, Spotify and Netflix offline. The Oct. 21 attack used malware known as Mirai to enlist IoT devices as attack vectors.
“These attacks raise troubling questions,” Rep. Anna Eshoo (D-Calif) said in her opening statement at the hearing.
The witnesses included Dale Drew, the chief security officer at Level 3 Communications; Kevin Fu, the CEO of Virta Labs and associate professor at University of Michigan; and Bruce Schneier, the internationally renowned security technologist and an adjunct lecturer at the Kennedy School of Government at Harvard University.
The three experts agreed that the IoT space has some work to do regarding the security of devices. Some products don’t allow users to change default passwords, Drew pointed out in his prepared remarks. And changing passwords is not enough; Fu said two-factor authentication must be the new baseline for IoT devices.
Government can help by promoting security research and creating standards, the witnesses said. Fu told House members that agencies like the National Science Foundation and the National Institute of Standards and Technology could both play vital roles.
In fact, the Nov. 15 release of NIST’s SP 800-160 lays out some of the standards for IoT. NIST Fellow Ron Ross, who was honored by GCN as the 2015 Government Executive of the Year for his cybersecurity work, called it the most important document he’s worked on in this time there. “Ultimately, we need to bring to our systems a greater level of penetration resistance,” Ross said earlier this week. This is become more important as the nation’s critical infrastructure connects to the internet, he said.
Although the experts agreed on the importance standards, they differed on the need for government regulation. Both Fu and Schneier said the government will likely have to put regulations in place, though Fu was open to industry having a chance to self regulate. Drew also said industry should be trusted to police itself, but that government would have to step in if that doesn’t work.
The need to secure IoT could signal an end to the open internet that society has enjoyed since its very beginning a few decades ago, Schneier said. “It’s fun the way it is, but I’m not sure we can do that any more.”
The IoT is becoming the “internet of dangerous things” as cars and critical infrastructure become more connected. “I argue that the government has to get involved,” Schneier said. “This is not something the market can fix.”
The three experts also were in agreement on the importance of building security into connected products rather than bolting it on after purchase. (This security engineering approach has been a advocated by others and is the cornerstone of the new NIST guidelines.) And they advised that any law that the government did pass should be flexible enough to evolve with rapidly changing technology.
There are currently three different bills pending in Congress call for an IoT strategy. Identical language in the measures would press businesses to “implement reasonable privacy and cybersecurity practices and protect consumers’ personal information to increase confidence, trust, and acceptance of this emerging market.”
Fu laid out some possible areas where the government can help move IoT security forward. First, it can incentivize manufacturers to build security into products either through regulation or other means. But it can also leverage the cyber expertise at federal agencies, form partnerships with universities and continue studying the technology. It could be a good idea to create independent facilities to test embedded cybersecurity defenses needed by IoT devices, he suggested.
Multiple outside groups also submitted comments for the hearing. The Online Trust Alliance offered recommendations for consumers, manufacturers, internet service providers and the government. “Coordinated efforts will help to ensure industry can innovate and flourish while enhancing the safety, security, and privacy of consumers, enterprises and the nation’s critical infrastructure,” OTA’s statement said.
Craig Spiezle, the executive director or OTA, told GCN after the hearing that the organization would like to see the industry self-regulate, but after urging trade organizations to do something about security flaws for months, he said he hasn’t “seen much of a willingness to take that on.”
“I think in the absence of meaningful self-regulation, the government needs to step in,” Spiezle said.
Fu said he worries about the industry's inability to change, but said everyone must work to help institute new standards in manufacturing and selling of these IoT products.
“The time is right to do something now,” he said, “to do something wise.”
Matt Leonard is a former reporter for GCN.