Opinion: Bruce Schneier “Understanding the Role of Connected Devices in Recent Cyber Attacks”

Testimony Before US House of Representatives Joint Hearing “Understanding the Role of Connected Devices in Recent Cyber Attacks”

This post specifically discusses testimony provided by Bruce Schneier in advance of the Congressional Hearing on the security of the Internet of Things (“IoT”) scheduled for November 16, 2016.

 

hhrg-114-if17-wstate-schneierb-20161116Common Background: In October, there was a widespread distributed denial-of-service attack (“DDoS”) that impacted multiple websites such as Pinterest, Reddit, PayPal, and Twitter.  The attack leveraged a known exploit and general lack of cybersecurity hygiene in use within the devices commonly referred to as IoT devices.  To cause the domain name service provider Dyn to go offline which resulted in dozens of websites becoming unreachable as hosts were not able to properly resolve IP address to domain names.

[Opinion based on the Testimony of Bruce Schneier]:

Schneier asserts that the DDoS attack essentially recruited thousands or perhaps millions of IoT devices to send traffic to Dyn which caused the service to slow down and eventually crash.  According to Schneier, there are two approaches to effecting such an outcome: 1) use a high-end multi-node server with tremendous bandwidth to overwhelm the capabilities of the target of the attack (this is a very large effort), or 2) using a scale vector to leverage multitudes of devices, each of which has a smaller individual payload which in the aggregate overwhelms the capabilities of the target causing it to crash and go offline.  The IoT DDoS then is the latter model and in using otherwise innocent systems to work together in a common nefarious goal, the devices are controlled and therein referred to as botnets as active or passive software is used to direct their behavior to a shared purpose.

Schneier highlights the fact that this attack while an inconvenience was altogether benign and caused no real harm within the physical realm.  The target was taken offline and websites were therefore inaccessible; however, there were no direct physical impacts.  Schneier states that the distinction is important as the lines between the virtual and physical worlds are increasingly blurred as we have leveraged and implemented technology in several areas such as medical devices, autonomous weapons systems, water and dam controls, etc.  Therefore, there exists the possibility that an attack could have targeted devices that while technological in nature have a more visceral impact since they directly control physical implementations.

The inherent lack of security in IOT devices is essentially a fundamental market failure per Schneier.  Schneier asserts that the market has placed a lesser emphasis on security and a higher premium on features and interoperability.  Many of these devices lack a secure protocol or medium through which security updates can be verified and applied even when the longevity factor of many of these devices are significantly longer than standard technology (e.g., a home thermostat has an extremely long expected life; whereas a computer or phone has a much shorter usage cycle).  This is important in many respects, not the least of which is the fact that the exploit used for the IoT DDoS attack is now public and can be harnessed by script kiddies or less technically inclined malfeasor and as such in the absence of a clear path for security upgrades all the IoT devices currently in the marketplace are suddenly vulnerable and highly exploitable.  Schneier posits that this is further compounded by the fact that consumers are indifferent to this issue as they value price over security and the manufacturers have no incentive to bake-in additional security protocols as this would merely represent a cost and impact to the bottom-line which could not be offset by higher pricing models since the current marketplace is placing a zero premium on security features.

Having addressed the issue, Schneier states that the most viable solution is to impose government regulations similarly to the model used for pollution controls (namely Government must take action to force implementation) Schneier’s assertion rests on the premise that in the absence of consumer demand there is no incentive for manufacturers to deliver more secure and updatable products and thus the government must intervene.  This could be done in one of two ways; either by imposing liability on manufacturers for harm caused by their devices when used in attacks for instance, or by enforcing a floor that represents minimum security standards.

Schneier then goes on to say that the government must also resist the urge to weaken the security of any computing device based upon a request from law enforcement (e.g. FBI).  Stating further that weakening encryption for instance would make attacks easier and more damaging and will cause greater harm to society than any benefit that may be provided to the FBI.  This seems somewhat of an aside and is not strengthened by any particular assertion nor any argument beyond pure rhetoric.

Schneier also acknowledges that IoT is a global market and consequently controls implemented in the US may not have far reaching global impacts.  To counter this, Schneier asserts that were the US and a number of other major markets to implement strong Internet-security regulations on IoT devices, manufacturers would then be forced to upgrade their security in order to sell into those markets.  That may be more reflective of a US-centric view of the world and the marketplace specifically.  If IoT devices are being manufactured offshore in less-labor capital intensive markets and then enter the global marketplace the relative power of the US economy is somewhat displaced in the global context.  If the US imposes regulations and protocols on devices, then that drives up the cost of those devices which means businesses will be incentivized to enter new markets and non-US markets to decrease costs and drive additional profits.  This therefore is quite distinct from the pollution control model where pollution occurs at the local level; here manufacturing and markets have a global context and if the costs of doing business in the US are substantially raised then markets will flourish elsewhere.

Overall, Schneier’s approach while likely more technically feasible and practical in the short-term lacks the long-term thought process that is going to be necessary to secure both current incarnations of devices as well as new.  While a strong argument can be made for the need for encryption and the ability of devices to engage in secure communications even if only for the ability to effect security updates and patch rollouts, it may be time to consider a multi-network approach such that networks are available for use based on device type and application.  While there are of course interoperability concerns, if networks were segmented and secured within discrete frameworks then the ability to “control” one class of devices, especially in the case of IoT where the sheer number of devices may or soon will be approaching billions, then the impacts of malware in the IoT sphere may have less spillover effects into other network segments (e.g. core network and routing functions of DNS servers in the commercial or consumer context).  Building separate, network segments based on the class of devices would add administrative overhead and will raise issues related to interoperability but it would have the effect of segmenting traffic and preventing issues such as occurred last month during the IoT DDoS attack.

That being said, it is going to be important to implement basic cybersecurity protocols within IoT devices.  However, interoperability and ease-of-use are still primary consumer motivators so those will have to be tackled from a technical perspective in order to encourage and promote adoption of devices that are in fact “secure.”  Ultimately the market will be the primary driver for this and an increased focus on cybersecurity issues and once people begin to understand the potential impacts to their daily lives — education and knowledge can be leveraged to “encourage” consumers to demand enhanced security from their vendors.  Thereby creating a demand-driven market approach from which we all will ultimately benefit without requiring additional government regulation and over-reach.  Let’s encourage the market to do the right thing rather than trying to force it.

See also previous post: Input to the Commission on Enhancing National Cybersecurity.

Tags: ,

4 Responses to “Opinion: Bruce Schneier “Understanding the Role of Connected Devices in Recent Cyber Attacks””

  1. […] I testified about this at a joint hearing of the Subcommittee on Communications and Technology, and the Subcommittee on Commerce, […]

  2. […] I testified about this at a joint hearing of the Subcommittee on Communications and Technology, and the Subcommittee on Commerce, […]

  3. […] I testified about this at a joint hearing of the Subcommittee on Communications and Technology, and the Subcommittee on Commerce, […]

  4. […] I testified about this at a joint hearing of the Subcommittee on Communications and Technology, and the Subcommittee on Commerce, […]

Leave a Reply

You must be logged in to post a comment.

Authors

Untitled Document
Professor William Snyder

Professor William C. Snyderis a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan D. WhiteRyan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic. Full biography

Shelby E. Mann

Ryan D. WhiteShelby is a second year law student at the Syracuse University College of Law. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. She is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project. Full biography

Christopher w. FolkChristopher W. Folk

is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. In Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. In Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law. Full biography

Anna Maria Castillo

Anna Maria Castillois 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review. Full biography

Jennifer A. CamilloJennifer A. Camillo

is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. PistoreseTara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography

Categories