In light of the recent distributed denial-of-service attack that prevented access to multiple U.S. websites, as well as the increasing cybersecurity threat posed by Internet of Things (IoT) devices, the Federal government “needs a new agency” to deal with cybersecurity, according to Bruce Schneier, adjunct lecturer for the Kennedy School of Government at Harvard University.
“This is what we do when innovation can cause catastrophic risk,” Schneier said of the need to regulate IoT security in his testimony before the House Committee on Energy and Commerce on Wednesday.
Though committee members expressed doubts that government leaders would be open to expanding government through a new agency, Schneier said that catastrophic security events, such as the 9/11 attacks, have moved the government to take swift action to create a new agency to address future events. According to Schneier, it is entirely possible that a future attack on IoT vulnerabilities could result in a similar loss of life.
Dale Drew, senior vice president and chief security officer at Level 3 Communications, also testified that IoT devices pose “potential for significantly greater havoc” than what has occurred thus far.
Witnesses at the hearing agreed that, regardless of the potential for a new cybersecurity agency, there had to be some sort of government intervention in this problem.
“The market really can’t fix this: the buyer and seller don’t care,” Schneier said. “So I argue that government has to get involved.”
“From the manufacturing standpoint, the question is ‘how much are you going to pay for it?’ ” said Kevin Fu, CEO of Virta Labs and associate professor in the Department of Electrical Engineering and Computer Science at the University of Michigan. He explained that manufacturers don’t have much motivation to add security measures to their devices without the guarantee that consumers will pay more.
Schneier explained that security of devices is often so opaque that consumers rarely know that the product they just bought is at risk and aren’t likely to be aware of hacks that do occur.
“It shouldn’t be [consumers’] problem,” he said.
“We cannot count on IoT manufacturers to do the right thing on their own,” said Rep. Jan Schakowsky, D-Ill., adding that the manufacturers simply have “no financial incentive.”
“I think the best place to start is with standards,” said Drew.
“I’m also a fan of standards,” agreed Schneier, adding that the most effective standards would address the end goal of security while allowing manufacturers to figure out the best way to get there. “I think the answer is to make them technologically invariant.”
Fu also suggested setting up an independent cybersecurity testing facility, similar to those for transportation and highway safety.
Though the witnesses expressed concern over devices that were manufactured in or sold to foreign countries, they added that the U.S. would likely exert enough market pressure that, if its standards changed, other countries would follow suit.
“In the long term I think we’re going to see this actually producing innovation,” said Fu.
“I don’t like this. I like the world where the Internet can do whatever it wants,” said Schneier. “But I’m not sure we can do that anymore.”