October 25, 2016
In the rush to produce cost-effective connected devices, not enough focus has been placed on security measures. The cost of such inattention became evident on October 21 when hackers exploited vulnerabilities in hundreds of thousands of everyday devices, including baby monitors and cameras, to cripple the Internet. This attack was merely a sign of things to come, said a cybersecurity expert at the Atlantic Council.

“This [cyberattack] is essentially in part fueled because the economics are such that we want these technologies, we want them fast to market, we want them inexpensive, so many of these devices have incredibly low margins, [and] have no security [measures],” said Joshua Corman, the director of the Atlantic Council’s Cyber Statecraft Initiative.

In light of the growing dependence on connected Internet of Things (IoT), from cars to medical devices, “these devices are essentially…a manifestation of our security debt that we’ve been allowed to accumulate, and the compound interest has essentially created a tidal wave. This is just the beginning,” he added.

On October 21, Internet-infrastructure management company Dyn suffered a widespread cyberattack that shut down websites such as Netflix, Amazon, Spotify, and Twitter. This distributed denial-of-service (DDoS) attack flooded Dyn with overwhelming traffic. Working through connected IoT devices such as cameras, home routers, and baby monitors, hackers were able to render all sites reliant on Dyn inoperable.

The Federal Bureau of Investigation and the Department of Homeland Security are investigating, but cannot yet say who was behind the cyberattack.

Corman joined Allan Friedman, director of Cybersecurity Initiatives, National Telecommunications and Information Administration at the US Department of Commerce, in a conference call on October 24 to discuss the implications of the cyberattack for current and future security procedures designed to regulate the production of IoT devices.

Corman said that “when we have uncomfortable truths…it necessitates that we explore and give serious consideration to uncomfortable solutions.” Beau Woods, deputy director of the Council’s Cyber Statecraft Initiative, moderated the call. 

Ultimately, Corman said, the hack on Dyn “is in some ways a gift that got our attention, but can maybe motivate and catalyze some corrective action.”

According to Woods, the DDoS attack on Dyn was based on a botnet called Mirai. Botnets are composed of poorly configured and insecure IoT devices that have been infected with malware. The Mirai botnet is open source; therefore, Friedman said, as long as an adversary has the technical sophistication, they could take up the code from Mirai and repeat the attack experienced by Dyn. “Now that the source code is available to anyone, attribution will be much harder,” he said.

This DDoS attack is not the first of its kind, according to Corman. These types of attacks are being carried out more frequently and effectively. He said that cyberattacks conducted by manipulating IoT devices target a “security blind spot.”

“You only appreciate an ecosystem when something gets much bigger than it used to be, or much smaller than it used to be. Then you appreciate how interconnected everything is,” Friedman said.

Corman described how the widespread dependence on connected technology is exceeding the ability to secure devices. “In our race to adopt technologies for their immediate and obvious benefits, we seldom do the cost-benefit equation to notice the deferred cost in security risks these [devices] incur,” he said. Once the devices are sent to market, security is no longer accounted for. Corman claimed that if the default posture of these devices is insecure, they will continue to pose a greater and eventually unmanageable threat.

Though there is an instinct to focus first on safety-critical industries, such as medical devices, “you can’t really neglect the lower-priority devices,” said Corman. “What we saw on Friday is that we should care.”

Emphasizing the need for companies to make regulatory adjustments to address further vulnerabilities before there is a more serious failure, Corman said that “in lieu of any sort of minimum hygiene standards for cyber security for these devices, you’re going to see a greater and greater portion of Internet-connected devices be insecure, low-hygiene, unmanageable, and potentially brought to bear to do larger attacks.”  

Corman said there is still space to handle these attacks, but the main focus should be to adopt countermeasures to handle the full scope of the threat. Friedman spoke to the idea of “bolting on” security measures for existing IoT infrastructure and building out with new security regulations. However, both questioned whether the rate of adopting countermeasures can match the velocity of growth seen in IoT.

Corman described how solutions must be cost-effective and economic while preserving basic freedoms. However, “while we have been loath to stifle innovation in Internet technology,” Corman said, “the very economic harm that we tried to avoid may be occurring because of lost revenue to these Internet services or devices that are rendered useless or permanently damaged.”

According to Friedman, “the challenge is how do we make sure that we don’t destroy this ecosystem through security risks while also not destroying this ecosystem through imposing solutions that will choke growth at an unreasonable level.” Friedman focused on the idea of government support for post-market security and guidance in creating new security regulations.

Ultimately, according to Friedman, the role of government is to catalyze the discussion and instigate the necessary collaboration between all stakeholders. He described the ongoing “multi-stakeholder process” that invites all parties involved to create a common vision of security support.

“We know that our stakeholders understand that there is a sense of urgency,” Friedman said, “and we believe that by having the first round of [reforms] be voluntary, we’re creating a necessary but sufficient component to this ecosystem to ramp up security.” Though this process relates to new regulations, not products currently at large, it marks the beginning of a sense of awareness.

According to Friedman, cybersecurity on an international scale is an issue of interdependence among nation states. The global supply chain has created a system of shared consequences, thereby making cybersecurity an area of common interest with the potential for common investment. “The hope I have is that we have some common ground there,” Friedman said. “Even our adversaries have cars and medical equipment and transportation that is mutually exposed.”

Rachel Ansley is an editorial assistant at the Atlantic Council.
