Not a Matter of ‘If’ on IoT Cybersecurity Rules, Experts Say

Computer security experts on Wednesday pressed for comprehensive federal regulations mandating strong security protocols for the Internet of Things, saying it's not a matter of if but when rules are issued for connected devices.

"The Internet of Things affects the world in a directly physical manner—cars, appliances, thermostat, airplanes," said Bruce Schneier, a computer security expert at Harvard University, during testimony at a hearing held by two House Energy and Commerce subcommittees. "There's real risk to life and property. There's real, catastrophic risks."

With the increasing ubiquity and fundamental vulnerability of IoT technology, Schneier said it's a moot point to argue over whether the federal government will eventually regulate the industry. He pointed to the rapid response after 9/11, which included the creation of the Department of Homeland Security.

Barring a major change in the IoT cybersecurity ecosystem, he predicted that a similarly catastrophic event is inevitable. Standards and best practices—such as those issued Tuesday by the White House—are helpful, but probably not enough, he said.

"I'm not a regulatory fan," Schneier said. "But this is the world of dangerous things. We regulate dangerous things."

The hearing was held to address last month's wide-scale cyberattack against the internet infrastructure in the United States. That attack was directed through hijacked consumer IoT devices, many of which have outdated security safeguards like hardcoded passwords.

Kevin Fu, chief executive of the healthcare cybersecurity firm Virta Labs, told lawmakers that website outages are relatively harmless compared to the damage IoT-driven attacks could do as more connected devices are integrated into the global economy.

"I fear for the day when every hospital system is down, for instance, because an IoT attack takes down the entire health care system," he said, adding that federal security regulations for IoT technology will likely be required.

Rep. Anna Eshoo (D-Calif.) cautioned against expecting any firm regulatory mandate from the incoming GOP-led Congress, saying they "don't like that stuff."

Rep. Greg Walden (R-Ore.), acting as chairman of the committee, chided Eshoo for that characterization. "We're all engaged in this, both sides," he said. "We are all committed to trying to figure out how to find a solution."
