Twitter, The New York Times, Spotify, Pinterest, and Etsy were the victims of a cyber-attack two weeks ago. In a distributed denial of service (DDoS) attack, the Mirai botnet hijacked thousands of DVRs, webcams, and baby monitors – everyday internet-of-things (IoT) devices commandeered by hackers – to take these websites down. A decade ago, this may have sounded like lines lifted straight out of a science fiction novel. Today, it’s the reality faced by American corporations and citizens.
In order to prevent everyday devices like baby monitors from being used as cyber weapons, we need to do two things. First, Internet Service Providers (ISPs) should adopt standards that automatically detect and filter malicious traffic flowing through their networks. Second, an industry-led ratings standard must be established to ensure that future IoT products are designed with a focus on security requirements.
The security problem that IoT devices present is not new and has been widely discussed. But the inescapable fact is that we are rapidly moving towards a world where everyday devices are connected to the web. In fact, Cisco estimates that by 2020, we will have over 50 billion Internet-of-things devices. From the refrigerator that tells you to throw out milk that’s about to go bad to the self-driving cars about to take over our roads, technological innovation is offering us comforts like never before. Unfortunately, this also increases the opportunities available to cyber attackers, who range from the average cybercriminal to nation-states looking to exploit the underlying vulnerabilities in our smart devices.
In the cyber-world, offense has long outpaced defense for the simple reason that an attacker needs to find only one vulnerability to exploit. Hackers constantly change their tactics, and the latest attack reflected a strategic shift in cyber-attacks. Instead of targeting individual websites, the attack was carried out on Dyn, a company that provides internet infrastructure services. The timing was remarkable, too, coming on the heels of widespread alarm about Russian interference on Election Day.
So, what do we do about poorly secured IoT devices?
In the past few years, the marketplace has been flooded with cheap, highly insecure “smart” things. Many of them come from abroad and have little or no password protection. This makes them an easy target for attackers looking to hijack and commandeer these devices.
Some have asked for an outright ban and recall of these insecure devices, while others have asked for regulating the IoT market. It’s important to note that many of these devices in the market today come with hardcoded passwords, and companies that produce them do not have the capacity to introduce software updates or patches. On the other hand, businesses continue to prioritize profiteering over essential security investments that are fundamental to safeguarding future IoT products. We must therefore tackle this problem keeping in mind two things: the number of poorly secured devices that are already in the market and the number of devices that are yet to be designed and produced in the near future.
A recall of a few thousand devices is unlikely to have any significant impact on the security question posed by the millions of devices that are already present in our workplaces and homes. Hackers use a technique called ‘spoofing’ in DDoS attacks, where packets are sent over the network with forged or invalid IP addresses. To counter this, ISPs have adopted the BCP38 standard, which allows filters to detect and block malicious traffic that follows certain known patterns. This mechanism would be effective against DDoS attacks and would have provided Dyn with the first line of defense while its servers were being flooded with spoofed packets. Though filters can be expensive, if ISPs adopted this mechanism it would significantly dent the threat posed by existing IoT devices that are weakly secured.
Second, to ensure that businesses have the economic incentive to produce secure products in the future, industry-based security standards and certain minimum cybersecurity requirements should be introduced. Industry-led standards that work as ratings or labels provide customers with information on the security of devices that they are about to buy. In a competitive market, the introduction of a comparative-ratings system means that brands will be forced to consider the security of products in their business models. Keeping in mind the pace of innovation, industry-led standards will be far more flexible to change when compared to government standards.
Many security experts have also recommended that manufacturers should adhere to certain minimum technical security standards set by the National Institute of Standards and Technology. These standards would then also apply to foreign companies that wish to sell their products in the U.S.
Of course, the clamor for regulations in the IoT market is bound to be received with heavy skepticism in Silicon Valley. The key, however, is to balance the need to set security standards with the facilitation of business models that place high value on security. Though this still leaves room for weakly secured IoT devices to be manufactured and sold in other countries, in an increasingly globalized world the measures adopted by the US will eventually diffuse to other markets. Overall, this approach is essential to creating a safe environment for smart devices.
The impact of cyberattacks has ranged from disruption of businesses to raising broader national security threats. The Mirai botnet attack highlights the ease with which cyberattacks can be carried out by hacktivists, cybercriminal gangs, and nation-state actors. Needless to say, securing our smart devices has now become the need of the hour. It’s important to remember that a world of smart devices can offer us benefits if, and only if, we take immediate measures to ensure its security.
Poonam Ravindranath is a Master of Public Policy student at Georgetown University. She formerly worked as a software development engineer for Cisco Systems.
The views expressed by authors are their own and not the views of The Hill.