FCC Chairman Tom Wheeler published an interesting letter addressed to Senator Mark Warner, in response to his questions asking what the FCC is planning to do regarding the well-publicized IoT DDoS attack powered by Mirai & co botnets. Mr. Warner puts it well when he states that “Mirai’s efficacy depends, in large part, on the unacceptably low level of security inherent in a vast array of network devices”. And he is right to be concerned.
With the public release of the source code on 1 October, copy-cat botnets and new strains have multiplied and DDoS services are flourishing in darknet marketplaces. The criminal underground is quickly tweaking and improving the code to take advantage of the breadth of unsecured IoT devices available online, hoping to reach ever greater attack heights than the already astounding 1.2 Tbps allegedly recorded during the Dyn DDoS on 21 October. In less than 3 weeks since the release of the source code, attackers managed to double the bandwidth of the Mirai-fueled attack. The 620 Gbps DDoS on KrebsOnSecurity.com at the end of September was already a record-breaker. But the criminal market is just emerging for IoT botnets.
Just recently in November, a similar DDoS attack outed almost 1 million Deutsche Telekom routers in Germany, affecting about 5% of its customers in the country. The attack was an attempt to infect the devices in order to enslave them into a new botnet. While routers have been the primary targets, DVRs, IP-connected cameras, and even printers have been roped into the botnets. There is little doubt that as competition in underground markets intensifies, a growing number of new devices will be exploited.
Going back to Mr. Warner’s concerns about the default administrative passwords shared by many IoT devices and publicly accessible open management ports, his frustration at the inertia of ISPs and manufacturers in proactively tackling security is unsurprising, and shared by Mr. Wheeler in turn.
Both decry the failure to incorporate security at the design level, and Mr. Warner has the right of it when he states that “manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support”. He concludes that this inaction is mainly due to the absence of liability, standards or feedback. An additional, but equally important, point raised by Mr. Warner reflects the inability of consumers to properly evaluate the security of IoT devices at purchase, and when failure occurs post-acquisition, there is little recourse for them.
Mr. Wheeler’s answer to the concerns raised by Mr. Warner offer an interesting, and refreshing, perspective on the role the FCC could play in actually regulating the matter. He observes that “cyber-accountability […] requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively” and proceeds to outline a rather ambitious plan entitled 5G/IoT Cybersecurity Risk Reduction Program.
The plan consists of the usual voluntary engagement and best practices efforts involving public and private stakeholders that have formed the meat of most U.S. cybersecurity agendas, at least where the private sector is concerned. However, it departs starkly from the accepted American view that ‘regulation kills innovation’ by outlining a number of rulemaking activities, including a certification process to protect networks from IoT device security risks, a cybersecurity certification for IoT devices, and a consumer labeling requirement. Critics will likely argue that such certification would be largely beyond the FCC’s jurisdiction and many will voice those same recriminations against the undue burden and cost government will be placing on the private sector if such regulations were to be implemented. This was the very feeling that seeped out of the Congressional hearing on 16 November, when Bruce Schneier talked about the Dyn attack and the potential for a ‘fatal IoT disaster’ posed by unsecured IoT devices.
While Mr. Wheeler's proposal seems to be an aggressive one from a U.S. perspective, it has already been voiced in Europe. The EU deputy commissioner for digital economy and society, Thibault Kleiner, stated in October that the Commission was planning to propose legislation that would include a certification process for IoT devices. The Commission would look to encourage the private sector to develop a labelling system for secure devices, not unlike the one developed for energy consumption in the EU. ENISA is already on board, and recently released a joint statement with NXP on the Security of Smart Infrastructures, Products and Services, recommending the establishment of various certification and labelling measures for security and trust in IoT devices and networks.
It is likely that the European Union will be the first to effectively implement such regulation, before the U.S. However, it is unlikely that this will happen anytime soon. If the negotiation and debate process of the GDPR and NIS Directive are anything to go by, it could be years before anything comes into force. IoT botnet herders will have little difficulty in continuing to enslave new devices. To their delight in fact, regulatory efforts will be opposed and denounced by in the name of innovation and market pressure. Of course over-regulation can be just as much a burden as no-regulation would be a grievous mistake, but there is a balance to be had between market incentives and regulatory oversight, as Mr. Wheeler so aptly put it.
In the meantime unfortunately, two events are likely to bring about any form of action sooner: a class-action lawsuit or a high death toll. The chances of either happening are very real, especially when considering the implications of connected medical devices, cars, and industrial control systems in critical infrastructures. The time to regulate is now or the price to pay may be a heavy one to bear. As Mr. Schneier concluded in November at the Congressional hearing, “regardless of what you think about regulation vs. market solutions, I believe there is no choice. […] The security vulnerabilities in the Internet of Things are deep and pervasive, and they won’t get fixed if the market is left to sort it out for itself. We need to proactively discuss good regulatory solutions; otherwise, a disaster will impose bad ones on us”.
