Warner, a former Virginia governor who was involved in venture capital for the telecommunications industry in the 1980s, said the lack of attention to IoT security has been endemic for decades.
“We went into the internet with the idea of how we can get coverage and resilience, but what I don’t think we have thought about is security. Security has not been high on the design criteria,” Warner said.
“How do we make that IoT refrigerator secure so it can say to buy more milk if DDoS attacks by botnets are possible? We’ve got this huge potential challenge that builds on a whole series of other challenges like stolen intellectual property and national security concerns.”
Because of the nature of the attack, some experts have speculated that amateurs could have launched last Friday’s attack, which in some ways could be more troubling than if sophisticated criminals or hackers for a foreign government were involved.
“Whether it’s a state or a bunch of teenage hackers, it does reveal a new level of vulnerability,” Warner said.
Warner has been raising the issue of insecure IoT devices for a while, including in a letter to the Federal Trade Commission in June. On Tuesday, he sent letters on the attack to the FTC as well as the Department of Homeland Security and the Federal Communications Commission.
In the letter to the FCC, Warner asked nine questions, including whether the FCC has asked the National Institute of Standards and Technology about setting security standards. “Should manufacturers have to abide by minimum technical security standards?” the letter asks.
Another question from Warner to the FCC posed the idea that internet service providers might deny insecure IoT devices access to their networks. In the interview, Warner said, “I’m not suggesting that we violate the principles of net neutrality, [but]… we need to get ahead of this.”
Warner said that his questions to the FCC and others were intended only to learn the best approach to bolster IoT security. “I’m still trying to learn about this,” he said. “It’s too early to come to a conclusion.”
One approach he clearly favors is better citizen education about cybersecurity. “I do think having a clear set of appropriate cyber hygiene techniques drilled into every consumer is good. It would be great if industry could give those ideas of how consumers should act.”
It also makes sense, he said, for “America to take the lead on this, but to make sure we don’t create a problem of putting American products at a disadvantage.”
One problem with the government setting standards on IoT security is making the standard flexible enough to meet future demands. “If we were to set some government standard, how does that stay flexible so the standard can change next month because of the sophistication of hackers?” Warner asked.