Lawmaker Strives For IoT Security Regulatory Remedy
DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices.
In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security. Several lawmakers said they were reluctant to get the government involved in regulating the problem, but that it may be inevitable. The complication, of course, is that many of the embedded devices that make up the IoT aren't manufactured in the United States, so domestic regulation alone would not reach the manufacturers responsible for their security.
"While I'm not taking a certain level of regulation off the board, the United States can't regulate the world," said Rep. Greg Walden (R-Ore.), chairman of the Subcommittee on Communications and Technology.
Security experts have been lamenting the horrific state of IoT device security for many years, and recent events have only served to reinforce those concerns. Many embedded devices are designed to be cheap and functional, with little to no thought given to security. Few have a mechanism to receive updates, so when security issues are discovered, consumers have no practical way to correct them. Kevin Fu, an associate professor at the University of Michigan and CEO of Virta Labs, said the root cause of the problem is that there are no consequences for vendors who sell insecure devices.
Another piece of the puzzle is the fact that there's no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle.
"I actually think we need a new agency. We can't have different rules if a computer makes calls, or a computer has wheels, or is in your body," said cryptographer Bruce Schneier, another witness during the hearing. "The government is getting involved here regardless, because the stakes are too high. The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement. I'm not a regulatory fan but this is a world of dangerous things."
Both Fu and Schneier said there need to be some standards for the secure development of IoT devices, but that it needs to be done carefully. Some lawmakers suggested an approach that would involve an independent testing organization.