The market won’t fix the problem of botnets and IoT security and the government will need to get involved, according to a cybersecurity think tank.
The stability of the internet could be in serious danger. That’s the dire message from a new report by the Institute for Critical Infrastructure Technology (ICIT), a cybersecurity think tank.
The recent DDoS attack on DNS provider Dyn, which took out a sizable chunk of the internet, including major sites such as Amazon, PayPal and Twitter, has been a wake-up call, says the report, and is forcing the government to look for answers to the problem of the incredibly insecure IoT.
Mirai, the open-source malware that powered the IoT botnet behind the Dyn DDoS attack, was used again to knock nearly one million Deutsche Telekom customers offline. The hackers responsible said that wasn’t their intent and apologized. They were trying to install the malware by exploiting a router vulnerability. ICIT says both incidents are cause for concern, that manufacturers and lawmakers alike should pay attention, and that secure-by-design simply isn’t happening.
“The buyer and seller really don’t care. The buyer and seller want a device that works. This is a market failure and the government needs to get involved. This is not something the market can fix,” security expert Bruce Schneier recently told lawmakers of the House Committee on Energy and Commerce.
Schneier also said that while the Dyn attack was largely benign, if such an attack were launched against connected or autonomous cars, smart thermostats or medical devices, the results could be catastrophic and even deadly.
The ICIT report issued a strong condemnation of ISPs and IoT device manufacturers, accusing them of putting profit before security:
“The brunt of the vulnerabilities on the Internet and in Internet of Things devices rests with DNS, ISPs, and IoT device manufacturers who negligently avoid incorporating security-by-design into their systems because they have not yet been economically incentivized and they instead choose to pass the risk and the impact onto unsuspecting end-users,” the report said. “As a result, IoT botnets continue to grow and evolve. Deep Web DDoS-for-Hire services increase in their availability to rent or barter for, in their profitability, and in their accessibility, thereby compounding the pandemic of havoc that will continue to be unleashed on the global IoT macrocosm.”
The report recommends national regulation of IoT security, economic incentives that mandate security-by-design, holding manufacturers accountable for insecure products, and a reduction in the country’s dependence on Chinese-made IoT devices. The full report can be accessed here.