Lawmakers grapple with security of internet devices

Lawmakers on Wednesday grappled with improving the security of internet-connected devices amid growing concerns over their vulnerability to hackers.

Republicans acknowledged the threat but urged caution on passing new cybersecurity rules.

{mosads}“The knee-jerk reaction might be to regulate the Internet of Things, and while I am not taking that off the table, the question is whether we need a more holistic solution,” said Rep. Greg Walden (R-Ore.), who chaired the hearing before his Energy and Commerce subcommittee on communications and technology.

“The United States can’t regulate the world,” he warned.

At issue, is the security of devices comprising the “Internet of Things,” the multitude of consumer products from entertainment devices and appliances to personal fitness monitors that connect to the web.

They played a part in major cybersecurity attack last week, where hackers used a network of unsecured devices to overload the internet’s infrastructure and take down a number of prominent websites, including Twitter, Spotify and The New York Times.  

Democrats on the committee agreed that it could be difficult to craft regulations to deal with the wide array of internet devices.

But Democratic Rep. Jan Schakowsky (Ill.) also said that Congress couldn’t leave security up to product manufacturers alone, and urged regulators to take the lead.

“Given the nature of cyberattacks, we cannot count on IoT [Internet of Things] manufacturers to do the right thing on their own,” she said.

“Consumer watchdogs like the FTC [Federal Trade Commission] must take a leading role in promoting cybersecurity and holding companies accountable when they fail to provide adequate protections.”

Schakowsky also fired a shot at Republicans, who have pushed legislation they say would reform the FTC. Democrats though warn the bills could gut the agency’s regulatory power.

“Unfortunately … the Republican majority is pushing legislation to reduce the FTC’s authority and cripple its enforcement capabilities,” she said.

One witness, cybersecurity expert Bruce Schneier, told lawmakers that regulators needed to provide security guidelines.

“Regulation of devices connected to the internet will constrain innovation, but you can’t just build a plane and fly it. It can fall on someone’s house,” he said.

Schneier said consumers wouldn’t always choose devices with the best security, because many hacks wouldn’t affect their day to day use. And he said that companies would find it hard to implement security features on their own because of cost concerns.

“This is not something that the market can fix. The buyer and seller don’t care,” he explained.

But lawmakers from both parties and the witnesses acknowledged that last month’s attack was only a nuisance compared to the real damage possible.

“I fear for the day where every hospital system is down because an IoT attack brings it down,” Schneier said.