Senator Pushes For IoT Device Security Standards In Wake Of Massive DDoS Attack
The co-founder of the Senate Cybersecurity Caucus is appealing to federal agencies to address the lack of security standards requirements for Internet of Things device manufacturers.
Days after a distributed denial of service attack was launched through IoT consumer devices, Sen. Mark Warner (D.-Va.) sent a letter to the Federal Communications Commission, Federal Trade Commission and Department of Homeland Security slamming manufacturers for "flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support."
"Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback or liability concerns, I am deeply concerned that we are witnessing a ’tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none," he wrote Tuesday.
[Related: 7 Internet Of Things Devices With Security Risks That Solution Providers Can't Ignore]
The DDoS attack, launched Friday through IoT consumer devices including webcams, routers and video recorders, overwhelmed servers at Dynamic Network Services (Dyn) and led to the blockage of more than 1,200 websites.
The attack on Dyn, which connects users to websites such as Twitter and Netflix, came from tens of millions of addresses on devices infected with malicious software codes, knocking out access by flooding websites with junk data.
Warner said that manufacturers whose devices were involved in this IoT attack face few incentives to tighten security around their devices and "… buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics."
Casey Newton, CEO of San Francisco-based IoT security solution provider OneID, said that many manufacturers don't want to pay the extra costs that will come along with stronger security measures for devices – and don't have any incentive to do so.
"There's a lack of basic security protection," said Newton. "The problem with IoT is that in the rush to deploy and ship devices, no one thought about security. It will stay that way in the consumer space until the FTC and others come out with a strong set of basic requirements for manufacturers. Until that type of mandate is there, manufacturers have no incentive."
On Monday, manufacturer Hangzhou Xiongmai said it will recall the web cameras that use its circuit board and other components – which were one of the many devices used in the attack.
Warner's letter questioned how government agencies could better keep track of connected devices before they are plugged into networks, and what types of network management practices are available for internet service providers to respond to DDoS threats.
Sen. Warner also questioned whether it is possible for internet service providers to designate certain network devices as insecure and deny them connections to their networks.
"DDoS attacks can be powerful tools for censorship, criminal extortion, or nation-state aggression," he said. "While the internet was not designed with security in mind, its resiliency … is now being undermined."
The Senate Cybersecurity Caucus, which is led by Warner and Sen. Cory Gardner (R.-Colo.), focuses on the issues surrounding digital security, as well as national security.