Last week’s massive distributed denial-of-service attack has prompted an urgent focus on the need for industry-led cybersecurity standards for internet of things devices.
U.S. Sen. Mark Warner (D-Va.) said Thursday that he favors an industry-based approach before seeking some form of government regulation of IoT security.
“Last week’s attack does reveal a new level of vulnerability, and I’m trying to make it clear ... that this is not a problem that the government ought to be the first actor in solving,” he said in a telephone interview.
“IoT ought to be an area where industry collaborates and if they can set standards first, that’s good,” Warner said.
Some sort of up-to-date industry “seal of approval” or comparative ratings system regarding the security-readiness of IoT devices may be effective, he said.
“If industry can come up with security standards as we move from 12 billion to 34 billion IoT devices in 2020, that’s terribly important,” Warner said.
Today, there’s not much economic incentive for IoT device makers to add security protections, he added. “Security adds cost, but if there’s no economic benefit, [manufacturers] figure, why do it?” he said.
Having some type of industry standard with a seal of approval or rating system would encourage companies and consumers to buy more secure devices, thereby creating that needed economic incentive, Warner reasoned.
Warner said his office staff has been talking to longtime security guru Peiter Zatko, also known as the hacker Mudge, about the potential for comparative ratings for IoT devices.
Zatko said on Friday through a Twitter message that he has been in touch with Warner’s office about the ratings concept and found Warner “very supportive.” Zatko’s nonprofit Cyber Independent Testing Lab offers Consumer Reports-style ratings on software, including for IoT.
“Warner particularly liked [our ratings] in place of simple ‘approval labels,’ which can incentivize vendors to do no more than the bare minimum and do not allow an evaluation of actual risk and safety for multiple products that may all have or lack such an opaque seal,” Zatko said.
Experts have suggested some basic security requirements that manufacturers should meet. They include a unique user name and password for each IoT device; currently, factory-default user names and passwords are easy for hackers to find and use to compromise a device. Another recommendation is to build IoT devices so they can automatically receive software updates, including security patches.
Last Friday’s attack used the widely available Mirai botnet malware to take control of an estimated 100,000 IoT devices, such as internet-connected cameras. Those devices were then used to flood the servers of DNS provider Dyn in a distributed denial-of-service (DDoS) attack, disrupting internet users trying to reach major sites.