Industry experts told Congress on Oct. 3 that regulations are necessary to secure the Internet of Things (IoT).
“Is the industry doing enough to ensure the security of IoT devices?” Rep. Jamie Raskin, D-Md., asked at the IT Subcommittee hearing on the Cybersecurity of IoT.
“No,” said Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council.
Corman cited recent ransomware attacks on hospitals as examples of places where cybersecurity could improve.
“While some want to wait, time really is the enemy here,” Corman said. “It’s hard to argue that the private sector is doing a good job here, especially on the protection of data.”
Critics have argued that heavy regulation will hinder the growth of innovation in the technology sector. Tommy Ross, senior director of policy at the Software Alliance, said that one way to address this issue is to develop regulations that are risk-based.
Ray O’Farrell, chief technology officer at VMware, said that IoT should have vulnerability patching capabilities built in. This isn’t true of all devices because some don’t have software, which makes them harder to patch. For example, the IoT devices that were manipulated to carry out the Mirai attack on the Internet domain name management company Dyn in October 2016 were unpatchable.
“After Mirai, I said ‘Unpatchable IoT are the lawn darts of the Internet’–in that they are inherently unsafe,” Corman said.
Corman said that the Federal government's requirement that technology vendors obtain certifications before they can be procured is an effective way for the government to protect itself from future breaches.
“This is more leading by example than forcing something,” Corman said.
Corman said that software should come with ingredient labels like food so that consumers can identify whether software has a bad ingredient and choose whether to use it.
Rep. Darrell Issa, R-Calif., said that the problem is the lack of a way to verify the identities of all connected devices. Issa said that there needs to be a way to fully qualify the identities of devices and this problem isn’t unique to IoT.
“We have old problems that have never been resolved,” Issa said. “You’ve got to know who you’re talking to or inevitably, all the security in the world won’t help you when you send it to the wrong place.”