Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the "Internet of Things" and increased regulation of what are now critical and life-threatening technologies. It's no longer a question of if, it's a question of when.
First, the facts. Those websites went down because their domain name provider — a company named Dyn — was forced offline. We don't know who perpetrated that attack, but it could have easily been a lone hacker. Whoever it was launched a distributed denial-of-service attack against Dyn by exploiting a vulnerability in large numbers — possibly millions — of Internet-of-Things devices like webcams and digital video recorders, then recruiting them all into a single botnet. The botnet bombarded Dyn with traffic, so much that it went down. And when it went down, so did dozens of websites.
Your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you've never heard of to consumers who don't care about your security.
The technical reason these devices are insecure is complicated, but there is a market failure at work. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. These devices will affect every aspect of our lives, because they're things like cars, home appliances, thermostats, lightbulbs, fitness trackers, medical devices, smart streetlights and sidewalk squares. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require. These devices don't get security updates like our more expensive computers, and many don't even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades.
Is government regulation the only way to get manufacturers of Internet of Things (IoT) devices to care about security?
(Score: 5, Interesting) by stormwyrm on Saturday November 12 2016, @05:58AM
As much as this place seems to be a den of libertarian diehards I think it has to be said that this is one of the situations where government regulation really is the only viable solution. Even some libertarian theorists recognise that market failure of this kind is one of the only places where government is useful. It's just like the reason why we have things like the FDA and the EPA, and it's arguable that these agencies have done way better than just leaving things up to the "invisible hand" which is just going to fist you up the ass in cases like this. A car analogy is useful here I think. Would the average motorist go out of their way to add, say, a catalytic converter to their car, or keep their vehicles well-tuned so that they don't emit black clouds of smoke? The car companies aren't going to care about these things because they cost money, and the selling point that "our cars have fewer air emissions" isn't going to make them sell more cars when adding anti-pollution devices adds a significant expense. The average motorist isn't going to care about this, because they're like snowflakes in an avalanche: no one of them feels responsible for the cloud of smog. In the same way, "our devices are more secure" isn't going to make an IoT gadget company sell more units, especially since it is a claim that is hard for an individual purchaser to verify, over a cheaper company that cuts corners on security. An average, individual owner of an insecure IoT device will likewise not care very much that their devices are being suborned to participate in a massive distributed denial of service attack on someone, as long as their devices seem to be otherwise working as advertised. The only way that worked to make car companies and motorists responsible for air pollution was to have the Environmental Protection Agency lay down regulations that dictated emissions standards.
I can't think of another way to make the manufacturers and owners of network-connected devices care about security than for a government agency to lay down regulations that dictate security standards.
Numquam ponenda est pluralitas sine necessitate.
(Score: 3, Interesting) by GungnirSniper on Saturday November 12 2016, @07:47AM
Keep your laws away from my code. But liability laws should still apply for insecure devices.
(Score: 4, Insightful) by termigator on Saturday November 12 2016, @02:33PM
Agreed. I think many here make the mistake that "regulation" would entail laws dictating coding practices and hardware design. That is not needed. Instead, the law could state that manufacturers can be held liable. Right now, the industry is allowed to claim no warranty of fitness and claim no liability. Other industries (e.g. auto) are not allowed to do that.
(Score: 4, Insightful) by stormwyrm on Sunday November 13 2016, @05:50AM
Exactly. To extend my car analogy, that would be the equivalent of the EPA telling car companies that they must design their engines and fuel systems in a certain way. The EPA is not now nor has it ever been in the business of automotive research and development. In the same way, a hypothetical Computer Security Protection Agency (this is what the NSA should be doing, by the way, not spying on the world!) would not go down to the level of dictating coding practice or hardware design either. Most likely they would start by doing the analogue of EPA emissions testing on devices that are permitted to be sold in the United States. Perhaps they might hire a bunch of tiger teams to check devices for at the very least the most glaring of security flaws. That way we wouldn't have any of these IoT devices which have default passwords that can't be changed and other obvious nonsense. If someone sold a device with an unpatchable flaw, they might force the manufacturer to issue a recall the way the NHTSA does today, or issue liability lawsuits themselves. They will not be perfect, of course, but nothing ever is; if they are created with a clear mandate and proper authority to execute it, there is potentially plenty of good that they could do that would be otherwise impossible.
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @12:03PM
Regulation is not the only way to fix this. There are certainly technical solutions that can mitigate DDoS attacks. Let's work on those instead of whining. If users and vendors don't care about security, they can learn a lesson from being hacked.
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @03:04PM
(Score: 0) by Anonymous Coward on Wednesday November 16 2016, @04:27PM