In our rush to build Internet of Things we have left ourselves vulnerable to attacks
It may be anathema to Silicon Valley but government regulation is vital for safe innovation
Early investigations suggest the Mirai malware code primarily used CCTV cameras and digital video recorders made by a Chinese company, Xiongmai, which has flooded the market with cheap, easily hacked IoT devices. Photograph: iStockphoto
“In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.”
That was the pithy tweet by Jeff Jarmoc, head of security for Salesforce, summarising just how vulnerable the internet has become as millions of new devices become connected to the internet after last week’s massive cyberattack.
The Mirai botnet attack took down Twitter, Amazon, Spotify, Netflix and others by targeting a Distributed Denial of Service or DDOS attack on Dyn, an internet infrastructure company – and the scale of the attack was achieved by using poorly secured Internet of Things (IoT) devices.
That sentence may sound like bad science fiction, with a touch of Skynet and a dash of The Matrix, but the reality is certainly cause for concern, if not yet the stuff of dystopian nightmare. And it’s not specifically network-connected toasters that are to blame here – early investigations suggest the Mirai malware code primarily used CCTV cameras and digital video recorders made by a Chinese company, Xiongmai, which has flooded the market with cheap, easily hacked IoT devices.
“Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users,” wrote cybersecurity writer Brian Krebs, himself the subject of a massive Mirai attack in September, one of the largest cyberattacks ever recorded. In the case of the latest attack, one estimate suggested it was using just 10 per cent of the nodes in the Mirai botnet, which suggests things are going to get a lot worse before they get better.
Related to all this is a separate, concerted threat to the security of the internet. As another leading internet security expert, Bruce Schneier, wrote last month, “Over the past year or two, someone has been probing the defences of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state.”
The most significant issue in terms of tackling this security flaw is that these devices won’t get patched – Xiongmai has neither the expertise nor the incentive to issue security updates, and many of these electronics can’t be patched in any case. While our computers benefit from having Microsoft, Google or Apple alert us to important security updates on a regular basis, cheap IoT gizmos will continue to pose a threat until the moment they are unplugged from the network. But why would consumers voluntarily do that to gadgets that still work?
“There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution,” wrote Schneier.
And just as in the case of environmental pollution, the only solution is government regulation. We live in a society with shared responsibilities, and we co-ordinate those responsibilities through our systems of governance. The threat posed by IoT devices highlights the unpredictable ways in which those responsibilities get distributed.
Such far-reaching government regulation of a burgeoning technology sector runs counter to the technology industry’s devotion to, at the very least, light-touch regulation. Indeed, there is a common strain of libertarianism in the technology community that deplores government action beyond national security.
The paragon of technological libertarianism is Paypal cofounder and Facebook board member Peter Thiel. For Thiel, governments are a form of tyranny whose yoke we should shake off – though his anti-government worldview somehow hasn’t prevented him from being an enthusiastic backer of Donald Trump’s presidential bid.
Thiel is an outlier in many ways, but even in its less extreme forms, Silicon Valley libertarianism cultivates a deep-seated scepticism of the value of government. The heavy hand of government is anathema to the conditions needed for innovation to thrive, goes the thinking – only the invisible hand of the free market can generate the sort of environment in which the future can be invented.
There’s an element of truth to that, of course, but it glosses over the importance of government in contributing to the environment in which innovation flourishes. The most obvious is patent protection, which is a form of monopoly granted by legislation and enforced by the legal system. There is also the education system, which teaches all these inventors and innovators in the first place.
And of course there is the internet itself, a global network that grew out of Arpanet, a US department of defence network, designed to be robust and secure if nodes in the network were subject to a physical attack.
Now, however, the threat isn’t nuclear; if we are to protect the network from connected toasters and their ilk, we will need to acknowledge the importance of government in allowing innovation to flourish safely.