The evolution of cyber attacks powered by the internet of things

From a handheld device, I have the ability to monitor my home and even change my laundry. These are but a few of the latest conveniences made possible by the Internet of Things – a concept that describes the networked interconnectivity of everyday devices. But as the recent internet outage due to a distributed denial of service attack on an internet infrastructure company demonstrated, the Internet of Things comes at a cost. 

If we are to continue enjoying the convenience of IoT without being an accessory to cyber-attacks, new policies must be implemented which ban Botnet-for-hire organizations and mandate enhanced product security standards. To this end, the Department of Homeland Security should designate core internet backbone as critical infrastructure, require Internet Service Providers (ISPs) to detect and report Botnet for hires, and mandate stronger firmware access standards.

{mosads}Current procedures employed by manufacturers of Internet-capable devices are exposing the public to generally unknown and unwarranted vulnerabilities. Such devices, from baby monitors, appliances, to wireless routers, have little to no firmware security. Firmware is a manufactural installed software security program which reinforces protections provided by typical password usage. This weak security is baked into each device and renders them susceptible to seizure and use for corruption. One device possesses no threat, but one million devices sending data simultaneously can render the server and its hosted services inaccessible.

A journey of a thousand miles begins with but one step. Hackers employ this concept daily, probing networks, finding unsecured devices, and commandeering them into their gang. Once initiated, the devices continue functioning in their usual manner, but they also begin recruiting more members. A day, month, or perhaps a year later, the gang’s membership is at an all-time high. With over a million devices at his command, the leader of the hack game commands them to join hands and channel their energy towards the target.

The effects can be widespread and affect menial and critical tasks alike. It can prevent you from uploading pictures of your child’s new Halloween costume because the site is unavailable, or something much more troublesome like preventing you from withdrawing money from the ATM. Your feeling of inconvenience has grown to a state of fear and vulnerability, which you unknowingly assisted in creating by not changing the default password on your wireless router or because of a security vulnerability in your DVR.

We can’t afford to stand by idly until a botnet grows large enough to take down a critical data infrastructure. Policies must be implemented at the federal level providing liability incentives to Internet Service Providers (ISPs) and manufacturers for enhancing network security. Doing so will encourage ISPs to detect and disable malware. Incentives will similarly encourage product manufacturers to develop and push firmware updates to proprietary devices. The Cybersecurity Act of 2015, establishes provisions which permit the executive branch to provide such incentives to ISPs. 

Through the channels which allow access to devices and home monitoring from afar, lurks an adversary.  Over home surveillance systems, criminals are capable of watching you prepare for work or even worst viewing your young child as she sleeps peacefully in her crib. Even if you are savvy about cybersecurity, some of your devices have default firmware passwords that are much harder to change. As a result, beneath your nose, your new Internet-capable appliances have been recruited into a bot army planning to carry out cyber-attacks against a range of targets. Consumers must be equipped and educated.

Opposition against federal programs aimed at regulating Internet connectivity will be based upon perceived violations of constitutionally granted freedoms and civil liberties. The fear of the federal government exercising too much control has been a concern since the establishment of our nation. As a result of such concerns, catastrophic events are often required for changes to occur.  Such an event is brewing in cyberspace, powered by the internet of things, a massive botnet capable of causing severe damage to a critical infrastructure is under construction.

Conservatives will argue that the government has no place in dictating product design or mandating passwords. I firmly believe, policies regulating such practices should be implemented from the top down as result of the dangers in which DDOS via botnets poses to the nation as a whole.

We’ve evolved into the microwave generation and arrived at a fragile state in which convenience has superseded security. Glued to our handheld devices, we desire to control the world around us with but a touch of a button. Advances in technology such as the introduction of internet-connected devices have afforded us such luxuries. Such comforts come at a cost nonetheless, which extends beyond the product purchase price and infringes upon our individual freedoms and privacy. 

The genie is out of the bottle, and there is no putting it back in this instance as internet connected devices have become a way of life. We are stuck with these devices and the inherited dangers which accompany them. Just as we have addressed threats of this nature in the past, we will do the same in this manner. However, a sense of urgency must be applied as we can’t afford to wait for a major incident to occur before implementing remediation policies.

Phillips is a Master of Public Policy student at Georgetown University. He is also an active duty U.S. Army Officer with 18 years of experience in Information Technology Management.