IoT Security: House Hearing Seeks Remedies
Despite the uncertainty around tech policy in a Trump Administration and a Republican-controlled Congress, the need for better Internet security might be one issue that both parties can agree on. In light of a cyberattack that took down Internet services such as Netflix and Twitter last month as well as security attacks on connected devices, the House Communications Subcmte and Commerce Subcmte held a joint hearing Wed to understand the role of IoT devices.
Regulatory intervention might be inevitable moving forward, said witness Bruce Schneier, adjunct lecturer at the Kennedy School of Government at Harvard University. “If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the Internet of Things and increased regulation of what are now critical and life-threatening technologies. It’s no longer a question of if, it’s a question of when,” he told the lawmakers. He proposed minimum security standards on IoT manufacturers, which would force them to make their devices secure. And “most importantly, the government needs to resist the urge to deliberately weaken the security of any computing devices at the request of the FBI.
“Devices like smart phones are becoming the de facto digital hub where we control many of our Internet of Things devices,” he said. Schneier, also a fellow at Berkman Klein Center at Harvard that focuses on cyberspace issues, warned that attempts to weaken encryption will make cyberattacks easier and more damaging. “Invest in FBI cybersecurity expertise, not back doors. Regardless of what you think about regulation vs. market solutions, I believe there is no choice. Governments will get involved in the IoT, because the risks are too great and the stakes are too high,” he said. Private companies are not always fans of government intervention, but Dale Drew, svp/chief security officer at Level 3, said there may be a role for the government to provide “appropriate guidance” and “it will be imperative for all relevant stakeholders to continue to work collaboratively to address and mitigate IoT security risks.”
Greg Walden (R-OR), head of the Communications Subcmte, asked how to create a national security framework for connected devices. The best place to start is standards, said Drew, pointing to the lack of any security standards for IoT devices. In particular, IoT makers and vendors should “embrace and abide by additional security practices to prevent harm to users and the Internet,” he said. Kevin Fu, CEO at Virta Labs and an associate professor at University of Michigan, advocated for built-in security for connected devices. “If cybersecurity is not part of the early design of an IoT device, it’s too late for effective risk control,” he said. And it will be difficult to ensure security features are built-in unless there are standards and principles set in place, he said. Cybersecurity measures should be included in national legislation, since the Internet is part of our national infrastructure, according to Anna Eshoo (D-CA). While Walden cautioned that government mandates could potentially stifle innovation, he said cybersecurity is a bipartisan matter that legislators from both sides of the aisle would want to address.