WASHINGTON — The Obama administration urged tech companies to make millions of devices safe from hacking, underscoring the risks posed by an increasingly bewildering array of internet-connected products permeating daily life, covering everything from fitness trackers to computers in automobiles.
In a report obtained by The Associated Press, the Homeland Security Department described runaway security problems with devices that have been made internet-capable in recent years, a group that includes medical implants, surveillance cameras, home appliances, digital video recorders, thermostats and baby monitors.
It said they posed “substantial safety and economic risks,” recommending immediate action by software and hardware developers, service providers, manufacturers and commercial and government buyers. No specific penalties were proposed for manufacturers failing to comply. No blame was placed on consumers buying and operating such products.
“The growing dependency on network-connected technologies is outpacing the means to secure them,” Homeland Secretary Jeh Johnson said.
The department’s strategy represents an attempt to organize the so-far scattered cybersecurity efforts for the category of devices known as the “internet of things.” It comes less than a month after hackers harnessed an army of 100,000 internet-connected devices around the world, such as DVRs and security cameras, to attack Dyn Co., which helps route internet traffic to its destination. It caused temporary internet outages to sites that included Twitter, PayPal, Pinterest, Reddit and Spotify.
Such threats are likely to increase, U.S. officials warn.
“Securing the internet of things has become a matter of homeland security,” Johnson said. Tuesday’s guidance, he added, should help companies “make informed security decisions.”
The report culminates a six-month review by Robert Silvers, the assistant homeland security secretary for cyber policy, who coordinated with cybersecurity experts, industry associations and branches of the government such as the Justice and State departments. They spoke about possibly holding companies accountable through product liability principles and how to create a uniform rulebook for securing these devices.
“We need to have a very serious national conversation about what the approach is, and we need to do it urgently,” Silvers said.
The internet of things is decentralized and enormously complex, making it difficult to regulate. A camera with online capabilities may be designed in California, manufactured in China with parts from Taiwan and sold to someone who operates it on Germany’s network. Silvers said there is no benefit to “190 different national approaches.”
Some industrial sectors have moved forward with their own recommendations. In September, the National Highway Traffic Safety Administration published guidelines for self-driving cars. The Food and Drug Administration published its own guidance for medical devices in January.
For more than a decade, companies have added internet capabilities to devices as an additional feature, sometimes without security considerations. But adding security in wholesale fashion afterward is often more costly. It is also more complicated when change standard industry practices.
Some fixes are easier than others. The government urged companies to ensure security setting are turned on by default. Unique passwords for each device should be required so hackers can’t use a single stolen password to control thousands or more devices. Manufacturers ought to make products whose vulnerabilities can be fixed remotely.
“You can’t rely on a consumer to spend three hours to upgrade her toaster software. It’s not going to happen,” Silvers said.
The government also highlighted the need for an “end-of-life strategy” for devices that aren’t created to last indefinitely. As a result, they won’t be patched and updated forever, leading to new vulnerabilities for consumers using devices beyond certain expiration dates.
The recommendations were released before a congressional hearing Wednesday on the role of connected devices in cyberattacks. No government officials were expected to testify.
To prevent more attacks, the government must increase security regulations for “what are now critical and life-threatening technologies,” according to Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law School and a well-known cybersecurity expert.
“It’s no longer a question of if; it’s a question of when,” Schneier said in prepared remarks for the hearing.