On November 16, 2016, the House Committee on Energy and Commerce’s Subcommittee on Commerce, Manufacturing, and Trade and the Subcommittee on Communications and Technology held a hearing on “Understanding the Role of Connected Devices in Recent Cyber Attacks.” The hearing was in response to the unprecedented distributed denial of service (DDoS) attack on October 21, 2016, which saw consumer websites such as Netflix, Twitter and CNN, as well as others, go down following a botnet attack directed from malware in millions of American devices. The hacked devices, used maliciously (known as bots, or collectively as botnets), flooded these websites with junk traffic, overwhelming the sites and preventing them from being able to distinguish it from legitimate traffic. The hearing focused on what vulnerabilities are present, possible solutions, and the possible ramifications of attacks by a wide array of malicious actors on consumer devices, critical infrastructure and public safety mechanisms.
The witnesses were industry experts: Dale Drew of Level 3 Communications; Kevin Fu of Virta Labs and the University of Michigan; and Bruce Schneier of the Berkman Klein Center at Harvard University.
Chairman Greg Walden began the hearing by highlighting the increasing use of technology in Americans’ daily lives and their dependence on the internet of things: devices that allow them to control elements of their lives, such as applications and devices that remotely unlock doors, baby monitors, and smart appliances. Many members of the subcommittee remarked that the DDoS attack stressed the importance of securing these devices without losing their benefits, and of balancing functionality, innovation and security. Representative Marsha Blackburn made the important point that the internet of things is growing extremely quickly; the average American has more than three devices. This illustrates the widening gap of insecurity.
The expert witnesses were firm in their view that, while the DDoS attack in October 2016 was just on popular websites and not critical elements, attacks on critical apparatuses such as public safety mechanisms, hospital systems, and critical infrastructure points are highly likely. Internet of things devices have major security flaws and do not have built-in security updates or patch mechanisms, and consumers are largely unaware of the threat posed by their devices. Mr. Schneier pointed out that many of these devices are the same, having the same basic configuration, which limits consumer control. He also pointed out the various elements that need to be secure, from software to hardware to internet communications. All three panelists discussed the lack of incentives for manufacturers to secure the devices or integrate security mechanisms into production. The panelists urged action on oversight because of the growth of the issue and the inevitable growth in vulnerabilities.
Mr. Fu added that regulations, standards and liabilities for security need to be “built in, not bolted on.” All panelists stressed the importance of addressing the vulnerabilities posed by the internet of things and the unprecedented threat that the United States faces. As in almost every cybersecurity field, the government is clearly very far behind. As the experts point out, vulnerabilities in basic systems have grown and will only grow exponentially fast. The government is behind in addressing these issues and these vulnerabilities. Greater oversight is called for because of the critical consequences attacks can and will have on both the public and private sectors.