U.S. Senator Hassan: IoT Security Needs Standards, Federal Regulation

Remember the monster distributed denial of service (DDoS) attack last year that hit internet DNS provider Dyn and took out popular websites including Twitter, PayPal, CNN, Reddit, Netflix, Github, Pinterest, Spotify, Wired and Yelp?

Well, so does U.S. Senator Maggie Hassan (D-NH), whose state is also home to Dyn’s headquarters in Manchester. Hassan is a proponent of strengthening U.S. cyber security defenses and has called for government regulations to set security standards for Internet-facing devices to which providers must comply. Last month she participated in a Senate Commerce, Science, and Transportation Committee hearing concerning the Internet of Thing’s (IoT) cybersecurity vulnerabilities.

Her position on securing the IoT is that not enough is being done by device makers to protect consumers.(Note: Hassan is a co-sponsor of Sen. Mark Warner's (D-VA) bill, the Internet of Things Cybersecurity Improvement Act of 2017 proposed in August, that would require that anytime the U.S. government purchases an internet-connected device that device would have to adhere to certain baseline security criteria.)

Here’s more (via a CNet interview):

On IoT security for IT consumers:
There are significant risks involved with having so many of these things connected to one another and the internet without a lot of consumer understanding and very little standardization to really help us navigate this.

On government’s role in regulating IoT security:
We know already that hackers have co-opted internet-connected devices that have had little or no security and then turned those devices into cyberweapons.

If you just leave it up to the market to eliminate unsecured devices or raise standards, that's not going to be a short-term or long-term solution...I think it's so important that we come together and set some standards here… also raise consumer awareness about what they need to do to ensure that their IoT devices can't be weaponized.

What's really important to balance here is the need to spur innovation in this space with the need to make sure that there are standards in place to protect people.

On tech companies’ willingness to work with Congress on IoT security:

What the companies are beginning to understand is that our networks and our data are only as secure as the weakest link in the chain. And so, if you just leave it up to the market to eliminate unsecured devices or raise standards, that's not going to be a short-term or long-term solution.

I am encouraged by the kind of constructive dialogue that we've been able to have with industry, and again, encouraged that there's bipartisan attention to this, which should help us continue that kind of constructive dialogue with industry.

What you're seeing now is a recognition by tech companies that some of their approach to innovation and development has had a series of unintended consequences...It's our job to make them aware, as well as consumers, that we really do have threats we have to address.

On consumer awareness of IoT security:

It is really important that consumers are aware that the products they purchase actually have internet connectivity, and I think there are a fair number of consumers who may not understand that.

It's the job of the producers to make clear to consumers that their devices are internet-connected, and include instructions about how to change these passwords and take other very simple security measures...The federal government has a role to play in strengthening awareness of internet connected devices, so that consumers can recognize the devices and what they need to do in order to maintain good cyber hygiene.