Opinion: Bruce Schneier “Understanding the Role of Connected Devices in Recent Cyber Attacks”
Testimony Before US House of Representatives Joint Hearing “Understanding the Role of Connected Devices in Recent Cyber Attacks”
This post specifically discusses testimony provided by Bruce Schneier in advance of the Congressional Hearing on the security of the Internet of Things (“IoT”) scheduled for November 16, 2016.
Common Background: In October 2016 a large distributed denial-of-service attack (“DDoS”) disrupted access to multiple websites, including Pinterest, Reddit, PayPal, and Twitter. The attack did not hit those sites directly; it targeted Dyn, a managed DNS provider they relied upon, using a botnet built from the consumer devices commonly referred to as IoT devices, which had been compromised through well-known weaknesses (chiefly factory-default credentials) and a general lack of security hygiene. With Dyn’s name servers overwhelmed and intermittently unreachable, dozens of websites became unreachable as well, because clients could no longer resolve their domain names to IP addresses.
[Opinion based on the Testimony of Bruce Schneier]:
Schneier asserts that the attack recruited thousands, perhaps millions, of IoT devices to send traffic to Dyn, which caused the service to slow and eventually fail. According to Schneier, there are two ways to produce such an outcome: 1) use a small number of high-end, well-connected servers with enough bandwidth to overwhelm the target on their own (a large and expensive effort), or 2) use scale, directing a multitude of devices each of which contributes only a small amount of traffic but which in aggregate overwhelm the target and take it offline. The IoT DDoS is the latter model. Otherwise innocent devices are compromised and placed under the attacker’s control, and the resulting collection, directed by software toward a shared purpose, is what is referred to as a botnet.
Schneier highlights that this attack, while an inconvenience, was comparatively benign and caused no real harm in the physical world: the target was taken offline and websites were therefore inaccessible, but there were no direct physical consequences. He states that the distinction is important because the line between the virtual and physical worlds is increasingly blurred as we embed computers in medical devices, autonomous weapons systems, water and dam controls, and so on. The same kind of attack could therefore have targeted devices that, while technological in nature, directly control physical systems, with a far more visceral impact.
The inherent lack of security in IoT devices is, per Schneier, a fundamental market failure. The market places a premium on features, price, and interoperability and little value on security. Many of these devices lack any secure mechanism through which updates can be verified and applied, even though their service life is significantly longer than that of conventional computing equipment (a home thermostat has an extremely long expected life, whereas a computer or phone is replaced on a much shorter cycle). This is important in many respects, not least because the malware used in the IoT DDoS attack, and the weaknesses it targets, are now public and can be harnessed by script kiddies and other less technically capable malefactors; in the absence of a clear path for security upgrades, every vulnerable IoT device currently in the marketplace stays vulnerable and readily exploitable. Schneier posits that this is compounded by consumer indifference: buyers value price over security, and manufacturers have no incentive to build in additional security because it represents a cost to the bottom line that cannot be recovered through higher prices while the marketplace places a zero premium on security features.
Having framed the problem, Schneier states that the most viable solution is government regulation, on the model used for pollution controls (where the government must act to force implementation because the market will not). His assertion rests on the premise that in the absence of consumer demand there is no incentive for manufacturers to deliver more secure and updatable products, and thus the government must intervene. This could be done in one of two ways: by imposing liability on manufacturers for harm caused by their devices (for instance, when those devices are used in attacks), or by enforcing a floor of minimum security standards.
Schneier then goes on to say that the government must also resist the urge to weaken the security of any computing device at the request of law enforcement (e.g. the FBI), stating that weakening encryption would make attacks easier and more damaging and would cause greater harm to society than any benefit it might provide to the FBI. This reads as something of an aside; it is not supported by any particular evidence or argument beyond rhetoric.
Schneier also acknowledges that IoT is a global market, and consequently controls implemented in the US may not have far-reaching global effect. To counter this, he asserts that if the US and a number of other major markets implemented strong Internet-security regulations for IoT devices, manufacturers would be forced to upgrade their security in order to sell into those markets. That may reflect a US-centric view of the world, and of the marketplace in particular. If IoT devices are manufactured offshore in lower-cost markets and then enter the global marketplace, the relative power of the US economy is somewhat diminished in the global context. If the US imposes regulations and protocols on devices, the cost of those devices rises, and businesses are incentivized to pursue non-US markets in order to lower costs and increase profits. This is quite distinct from the pollution-control model, where pollution occurs at the local level; here manufacturing and markets are global, and if the cost of doing business in the US is substantially raised, markets will flourish elsewhere.
Overall, Schneier’s approach, while likely more technically feasible and practical in the short term, lacks the long-term thinking that will be necessary to secure both current devices and new ones. A strong argument can be made for encryption and for the ability of devices to communicate securely, if only so that security updates and patches can be delivered; beyond that, it may be time to consider a multi-network approach in which separate networks are provided according to device type and application. There are of course interoperability concerns, but if networks were segmented and secured within discrete frameworks, then gaining “control” of one class of devices (and in the IoT sphere the number of devices is approaching, or will soon approach, billions) would have less spillover into other network segments, such as the core network and routing functions on which DNS servers depend in the commercial or consumer context. Building separate network segments by device class adds administrative overhead and raises interoperability issues, but it would confine traffic and limit the kind of damage seen in last month’s IoT DDoS attack.
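To make the segmentation proposal above concrete, here is an added illustration (not from the post or from Schneier’s testimony) of what a device-class segment looks like on a small router or home gateway using nftables. The interface names (vlan10 for the trusted LAN, vlan20 for the IoT segment, wan0 for the Internet uplink) are assumptions for the example, and the policy is deliberately narrow: IoT devices get DHCP and rate-limited DNS from the router only, may originate HTTPS and NTP to the Internet, and can reach nothing else.

```nft
# Added example, not part of the original post. Assumed interfaces:
#   vlan10 = trusted LAN (laptops, phones), vlan20 = IoT segment, wan0 = uplink.
# The router is the only DHCP/DNS server the IoT devices can reach, so a compromised
# device cannot reach the trusted LAN, the router's management ports, or external
# resolvers, and anything it tries is logged for the operator to notice.
table inet iot_segment {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # The trusted LAN may manage the router (ssh, web UI); the IoT segment may not.
        iifname "vlan10" accept
        # IoT devices get DHCP and DNS from the router only; DNS is rate-limited so a
        # compromised device cannot turn the router's resolver into a flood source.
        iifname "vlan20" udp dport 67 accept
        iifname "vlan20" udp dport 53 limit rate 50/second accept
        # Everything else from the IoT segment to the router is logged and dropped.
        iifname "vlan20" log prefix "iot-input-drop " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # The trusted LAN may initiate connections to IoT devices (app -> camera) and to
        # the Internet; the reverse direction from the IoT segment is never accepted.
        iifname "vlan10" oifname "vlan20" accept
        iifname "vlan10" oifname "wan0" accept
        # IoT devices may only originate HTTPS and NTP to the Internet: enough for vendor
        # cloud services and update checks, with no telnet/SSH, no direct DNS, and no
        # path into the trusted LAN or other segments.
        iifname "vlan20" oifname "wan0" tcp dport 443 accept
        iifname "vlan20" oifname "wan0" udp dport 123 accept
        iifname "vlan20" log prefix "iot-fwd-drop " drop
    }
}
```

The ruleset is loaded with `nft -f`. The weak configuration it replaces is the usual flat home network, in which the camera, the laptop, and the router’s management interface share one broadcast domain, so that a single device with a factory-default password is a foothold on everything. Two caveats: segmentation limits what a compromised device can reach, but it does not stop that device from flooding an external target over port 443, so it complements rather than replaces devices that can actually be updated; and the `iot-fwd-drop` log lines are only useful if someone looks at them, which is itself a reason to keep the IoT policy this small and legible.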
That being said, basic cybersecurity controls must be implemented within IoT devices. Interoperability and ease of use remain the primary consumer motivators, however, so those will have to be addressed from a technical perspective in order to encourage and promote adoption of devices that are in fact “secure.” Ultimately the market will be the primary driver. With an increased focus on cybersecurity issues, and once people begin to understand the potential impacts on their daily lives, education and knowledge can be leveraged to “encourage” consumers to demand enhanced security from their vendors, creating a demand-driven market from which we all ultimately benefit without additional government regulation and overreach. Let’s encourage the market to do the right thing rather than trying to force it.
See also previous post: Input to the Commission on Enhancing National Cybersecurity.