Members Examine Ways to Mitigate Future Risks
WASHINGTON, DC – The Communications and Technology Subcommittee, chaired by Rep. Greg Walden (R-OR), and the Commerce, Manufacturing, and Trade Subcommittee, chaired by Rep. Michael C. Burgess, M.D. (R-TX), today held a hearing examining the recent series of Internet of Things (IoT) connected device-based distributed denial of service (DDoS) attacks.
Last month hackers leveraged a DDoS attack against global Internet routing company Dyn that resulted in thousands of consumers being unable to connect with Netflix, Twitter, CNN, and other well-known websites. It’s estimated that 50 billion devices will be connected to the Internet by 2020 and as this number grows, so too do the risks.
While technology presents a host of benefits for both consumers and businesses across a variety of sectors such as health care, energy, education, transportation, and agriculture, unsecured devices on the network present a number of entry points for hackers and malicious actors to disrupt vital communications. Members continued the committee’s long track record of examining emerging cybersecurity threats and their impact on consumers and the economy while looking at what can be done to mitigate future attacks and risks.
In his testimony, Dale Drew, Senior Vice President and Chief Security Officer at Level 3 Communications, discussed the importance of a collaborative approach to address IoT security risks, stating, “Bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices to remove threats. … Network operators, device manufacturers and users will need to remain vigilant to the security risk these devices present. … It will be imperative for all relevant stakeholders to continue to work collaboratively to address and mitigate IoT security risks so that we can reap the benefits of this exciting and transformative technology.”
In his questioning, Chairman Walden asked the witnesses for their opinion when it comes to drafting potential cybersecurity standards while not stifling innovation, asking, “How do we create a national framework where the stakeholders are really driving this in real time…and where we don’t lock certain requirements into statute?” Dr. Kevin Fu, CEO of Virta Labs and Associate Professor in the Department of Electrical Engineering and Computer Science at the University of Michigan, responded, “There are ways you can do this effectively without stifling innovation. In fact, I believe a well-designed cyber security framework will actually promote innovation… There is no perfect standard but it will be very difficult to build in security if we don’t have these principles set in place. It needs to have buy-in from industry. It needs to have government leadership as well but it’s all about setting those principles.”
Chairman Burgess noted the importance of leadership from industry, stating, “The balance between functionality and security is not going to be resolved in the near term. The culture surrounding personal cybersecurity must change to ensure the Internet of Things is not vulnerable to a single device. Government is never going to have the man power or resources to address all of these challenges as they come up – which is why we need industry to take the lead.”
“How do we make ourselves more secure without sacrificing the benefits of innovation and technological advances? The knee-jerk reaction might be to regulate the IoT, and while I am not taking that off the table, the question is whether we need a more holistic approach,” concluded Chairman Walden. “Any sustainable and effective solution will require input from all members of the ecosystem for the so-called “Internet of Things.” We’ll need a concerted effort to improve not only device security, but also coordinate network security and improve the relationships between industry, government, and security researchers. We’re all in this together and will need to take responsibility for securing the Internet of Things.”
For more information on today’s hearing, including a background memo, and archived webcast, click HERE.