Hearing Highlights Cybersecurity Flaws in Internet of Things

    Dec 12, 2016

    What role does the proliferation of connected devices play in the execution of a DDoS attack, and what supply chain issues and challenges exist for hardware and software developers in the Internet of Things (IoT) ecosystem? These were among the questions being asked at a November 14 House Energy and Commerce Committee hearing on the role of connected devices in recent cyber attacks.

    “How do we make ourselves more secure without sacrificing the benefits of innovation and technological advances?” asked Rep. Greg Walden (R-OR) after observing that the recent denial of service attack that blocked popular sites like Netflix and Twitter was on a scale never before seen. “The knee-jerk reaction might be to regulate the Internet of Things, and while I am not taking that off the table, the question is whether we need a more holistic solution.”

    According to Dale Drew, the chief security officer for Level 3 Communications, vulnerabilities in IoT devices stem from several sources, including easily identifiable passwords that hackers can exploit, the inability of devices to update their firmware, and the global nature of the IoT device marketplace, in which products are manufactured in foreign countries that don’t follow sound cybersecurity practices.

    “With the exploding proliferation of IoT devices, so too will the threats they pose continue to expand and evolve,” Drew told the committee. “Bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices that can detect and remove the threats. Network operators, device manufacturers and users will need to remain vigilant to the security risks these devices present.”

    Some representatives used the hearing to call for legislation to provide expanded data enforcement authority for the Federal Trade Commission (FTC). “Given the nature of cyber attacks, we cannot count on IoT manufacturers to do the right thing on their own,” Rep. Jan Schakowsky (D-IL) stated. “Consumer watchdogs, like the FTC, must take a leading role in promoting cybersecurity and holding companies accountable when they fail to provide adequate protections.”

    In January 2015, the FTC released a staff report that recommended best practices that businesses can implement to reap the benefits from a growing world of Internet-connected devices while enhancing and protecting consumers’ privacy and security. While the report did not urge legislation to regulate the IoT specifically, it reaffirmed the commission's support for general data security breach legislation. It also renewed a call for Congress to pass a broad-based privacy bill that provides clear standards and appropriate incentives to ensure basic privacy protections across all industry sectors.

    However, industry groups cautioned the committee about government regulation as a solution to IoT cybersecurity flaws. “Regulations cannot always keep up with the pace of cybersecurity threats,” wrote Kyle Pitsor of the National Electrical Manufacturers Association, in a letter to the Committee. “Any new security policies or regulations must be flexible enough to allow manufacturers to continue to innovate and provide their customers with cyber-secure products.”

    The Washington Policy Brief is an online advisory that contains brief summaries of recent legislative and regulatory issues that may affect the records and information management profession. Further information about the issue is accessed by clicking on the link provided at the end of each summary.


    © 2017, ARMA International