U.S. Senator Hassan: IoT Security Needs Standards, Federal Regulation
Remember the monster distributed denial of service (DDoS) attack last year that hit internet DNS provider Dyn and took out popular websites including Twitter, PayPal, CNN, Reddit, Netflix, Github, Pinterest, Spotify, Wired and Yelp?
Well, so does U.S. Senator Maggie Hassan (D-NH), whose state is also home to Dyn’s headquarters in Manchester. Hassan is a proponent of strengthening U.S. cyber security defenses and has called for government regulations that set security standards for Internet-facing devices with which providers must comply. Last month she participated in a Senate Commerce, Science, and Transportation Committee hearing concerning the Internet of Things’ (IoT) cybersecurity vulnerabilities.
Her position on securing the IoT is that device makers are not doing enough to protect consumers. (Note: Hassan is a co-sponsor of Sen. Mark Warner’s (D-VA) bill, the Internet of Things Cybersecurity Improvement Act of 2017, proposed in August, which would require any internet-connected device purchased by the U.S. government to meet certain baseline security criteria.)
Here’s more (via a CNet interview):
On IoT security for IT consumers:
There are significant risks involved with having so many of these things connected to one another and the internet without a lot of consumer understanding and very little standardization to really help us navigate this.
On government’s role in regulating IoT security:
We know already that hackers have co-opted internet-connected devices that have had little or no security and then turned those devices into cyberweapons.
If you just leave it up to the market to eliminate unsecured devices or raise standards, that’s not going to be a short-term or long-term solution…I think it’s so important that we come together and set some standards here…[and] also raise consumer awareness about what they need to do to ensure that their IoT devices can’t be weaponized.
What’s really important to balance here is the need to spur innovation in this space with the need to make sure that there are standards in place to protect people.
On tech companies’ willingness to work with Congress on IoT security:
What the companies are beginning to understand is that our networks and our data are only as secure as the weakest link in the chain. And so, if you just leave it up to the market to eliminate unsecured devices or raise standards, that’s not going to be a short-term or long-term solution.
I am encouraged by the kind of constructive dialogue that we’ve been able to have with industry, and again, encouraged that there’s bipartisan attention to this, which should help us continue that kind of constructive dialogue with industry.
What you’re seeing now is a recognition by tech companies that some of their approach to innovation and development has had a series of unintended consequences…It’s our job to make them aware, as well as consumers, that we really do have threats we have to address.
On consumer awareness of IoT security:
It is really important that consumers are aware that the products they purchase actually have internet connectivity, and I think there are a fair number of consumers who may not understand that.
It’s the job of the producers to make clear to consumers that their devices are internet-connected, and include instructions about how to change these passwords and take other very simple security measures…The federal government has a role to play in strengthening awareness of internet connected devices, so that consumers can recognize the devices and what they need to do in order to maintain good cyber hygiene.
I think this is a great discussion. U.S. Senator Maggie Hassan is putting the focus on things that the government should be helping with. It is no different than building interstate highways and not having standards or funding to ensure the roads are designed correctly, built correctly, are safe to use, and include enforcement if you break the law.
If government agencies and schools had a set of cyber standards that they had to adhere to in order to get funding, we wouldn’t be having the current issues with cyber attacks in the SLED market.
I assume the private sector will be involved in establishing the standards and will be asked to build and provide all of the services to ensure they are maintained and protected. As long as we have a set of minimums and they are constantly reviewed to ensure they are adequate, this could be a welcome improvement.
Today the issue is simple. When budgets get tight, cyber purchases and upgrades get delayed. They have no standards that they must meet, so it is the easiest area to cut in a budget. The old answer is to beef up the cyber insurance a little to make sure we don’t get hit with a financial loss.
The cyber insurance companies are getting smarter and are looking at a client’s cyber footprint to better understand the risk. Organizations that don’t provide the minimums will most likely not be able to get cyber insurance in the future or will be looking at very high premiums and low coverage. The only way some will be able to get coverage is to improve their cyber protection. They could be looking at a large financial outlay to get to the point of getting coverage.
The number one reason vendors lose deals is that the customer doesn’t want to spend the money. If they are required to meet standards, that will change.
The public will benefit the most from this effort; it will allow vendors (“MSSP”) to increase volume and offer more competitive pricing for a set of minimum cyber offerings.