By Megan Bozman
Cybersecurity think tank ICIT, the Institute for Critical Infrastructure Technology, published a report last week entitled “Rise of the Machines: The Dyn Attack Was Just a Practice Run.” The report offers a comprehensive analysis of the Mirai IoT botnet and recommendations for improving IoT cybersecurity going forward, including legal regulation.
The Perfect Storm of IoT Cybersecurity Vulnerabilities
If you weren’t paying attention yet, the opening sentence should grip you like an excellent novel: “The perfect storm is brewing that will pummel our Nation’s public and private critical infrastructures with wave upon wave of devastating cyberattacks.” In particular, authors James Scott (Sr. Fellow, ICIT) and Drew Spaniel (Researcher, ICIT) write that the Mirai malware offers “a quantum leap in capability” that can be leveraged even by unsophisticated adversaries.
The Motivation Game
“The brunt of the vulnerabilities on the Internet and in Internet-of-Things devices rests with DNS, ISPs, and IoT device manufacturers who negligently avoid incorporating security-by-design into their systems because they have not yet been economically incentivized and they instead choose to pass the risk and the impact onto unsuspecting end-users.”
The harsh reality is that security doesn’t generate incremental revenue, and a lack of it hasn’t cost vendors sales either. Consumers don’t tend to weigh security when they buy, so the developers building and selling IoT products don’t bother to invest in it.
Participation Trophy Winners, Those Darn Kids!
The authors continue their dire predictions, writing that “America’s treasure troves of public and private data, IP, and critical infrastructure continues to be pilfered, annihilated, and disrupted.”
It makes me sad to say, but I am not the least bit surprised at either the lack of security-by-design or the accusation that this shortcoming stems from a lack of economic incentive. What does shock me is the attack on the culture of tech companies. The authors continue, “while an organizational culture of ‘Participation Trophy Winners’ managed by tech neophyte executives continue to lose one battle after the next.”
While I share their disdain for participation trophies, I’m perplexed at the relevance; the authors never clarify the connection.
Don’t Swallow a Spider
IoT cybersecurity is a marathon, not a sprint, and Mr. Scott and Mr. Spaniel caution against short-term solutions that may create even greater problems down the line. For example, one suggestion floated after the Mirai DDoS attacks by “panicked cybersecurity professionals and faux experts” was to release a controllable computer worm to patch, update, or actively protect vulnerable devices. That suggestion ignored “the inevitable eventuality that a malicious threat actor will seize control of the worm or that the intended operation of the worm will have very unintended consequences.”
I’m reminded of the children’s song about the old lady who swallowed a fly, then swallowed a spider to catch it. Beyond the risk of making things worse, a “benevolent” worm that breaks into devices through the same weaknesses Mirai exploits is still accessing systems its operator neither owns nor has permission to touch, which may be illegal under the Computer Fraud and Abuse Act (CFAA).
IoT Security Recommendations and Remediation
What the authors do recommend is preparedness and forethought: developing an incident response plan, hardening networks against attacks, and conducting regular validation testing.
Computer security researcher Bruce Schneier wrote of “an additional market failure: neither the seller nor the buyer of those devices cares about fixing the vulnerability… There is no market solution because the insecurity primarily affects other people. It’s a form of invisible pollution. And, like pollution, the only solution is to regulate.”
Mr. Scott and Mr. Spaniel assert that IoT cybersecurity must be regulated, “in a way that promotes security-by-design without stifling innovation, and remains actionable, implementable and binding. For the sake of lasting impact instead of a market shift that avoids the regulations, national regulation seems most appropriate.” The authors further recommend adding modern provisions to HIPAA and other sector relevant legislation.
I admit I was pleased the authors reiterated the strong case against ‘backdoors’: “Regardless of device, the possible harmful impact outweighs any advantage by orders of magnitude.”
Other mitigation avenues the report discusses include open source development and testing of IoT software, reputational harm through media exposure, and reduced dependence on foreign IoT devices. Finally, Kevin Fu (co-founder and CEO of Virta Laboratories, and associate professor of EECS at the University of Michigan) urged Congress to consider creating an independent, national embedded cybersecurity testing facility modeled on the automotive crash testing conducted by the National Transportation Safety Board (NTSB).