By Scott Weiser
The world has become economically dependent on the Internet. The ability to connect and share information is essential to the functioning not just of economic markets but also of government itself. As computer technology advances we as a society become ever more dependent on an Internet of things that extend far beyond our home computers and laptops. Everything from automobiles to zoos are web-connected today and those connections multiply exponentially as new connected devices are invented and marketed.
The Internet of things (IoT) is certainly a convenience to us all, but it’s also a pathway to chaos for cyber criminals and enemies of the United States. Eric Lieberman, technology and law reporter for The Daily Caller tells of an unnamed university that was hacked through its light bulbs and vending machines.
By exploiting insecure IoT web-connected devices hackers tried to lock out university administrators from their network by attacking some 5000 IoT devices whose security programming doesn’t begin to be adequate. This is just one of thousands of examples of the vulnerability of our computer systems that can cost hundreds of thousands of dollars to repair.
This is not an abstract threat, it’s a concrete one that grows with every day that passes. One of the latest tactics is cyber-ransom, where a hacker infiltrates a system and encrypts all of the data and then demands a ransom to provide the decryption password. Many, if not most of these kinds of attacks are the result of poor device security procedures that are aided and abetted by manufacturers who either don’t care if their customers get hacked or who, in some cases, actually want our nation to have an insecure network.
Many of these devices are made in China, where manufacturers have no incentive at all to provide for U.S. computer security. Indeed it can be argued that the failure to adequately secure such devices is not accidental or negligent but intentional, facilitated by our weak cyber security laws and our own individual laziness.
Nobody likes complex, hard to remember passwords but it can no longer be an option for consumers to ignore the potential that their devices may be used to harm others. We must all be required to do what is necessary to keep the Internet secure whether we like it or not. Our convenience is no longer a paramount concern, national security is.
We know that China and other enemies of the United States have been attempting to infiltrate, suborn and attack our computer systems quite literally since the moment computers and networks were invented. Intelligence agencies know this and expect it, which is why it’s against federal law for government employees and agencies with access to classified materials to use any computer system other than the carefully designed and rigorously-secured government computers and networks, something that former Secretary of State Hillary Clinton was evidently to bone-headedly dense to understand.
We saw the wages of her disdain for computer security and her utter disregard for national security in the persona of her bathroom email server.
A solution is needed to combat the potential for devastating national security harm caused by widespread cyber attacks using the IoT. One way of improving IoT security is to pass laws that prohibit manufacturers from selling insecure devices and holding them liable if they do.
The exploit most often used with non-computer devices like vending machines, washing machines and other non-traditional computers is default passwords. For reasons of national security it is no longer sufficient to simply provide the capability for a user to change the default password when it’s put into use, manufacturers must be legally required to make it impossible for any such device to access the internet unless and until the default password has been changed by the user.
Further, the programming used to change the password must be required to allow only secure passwords not simple ones like “password,” which was the ridiculously inadequate one that brought low Clinton’s campaign chairman Jon Podesta.
Internal hard-coded password generation algorithms that meet strict standards set by the U.S. Government for self-generated randomness and encrypted impenetrability from the Internet should be mandatory for all Internet-accessible devices. No longer can users be allowed to negligently create insecure passwords that can be easily guessed or discovered by brute-force password cracking. Limits on the number of incorrect password attempts before the device’s Internet access is physically shut down and must be manually reset by the user must also be required.
The nature of the attacks in The Caller’s article were denial of service attacks (DOS), which attempt to overwhelm system servers with many irrelevant requests sent by thousands of devices. To help prevent such attacks, all IoT devices must also be required to have hard-coded safeguards against being used to generate many requests in a short period of time. Most IoT devices have no legitimate need to generate dozens of requests per second as a part of their normal functioning, and government regulations as to how often an IoT device is permitted to send such data packets, and for how long it may repeat those requests without connecting to an authorized server must be promulgated and enforced. If a device is compromised and the internal hard-coded safeguards are triggered the device must automatically shut down its Internet connectivity until it is manually reset (and the password changed) by the user.
The final component of IoT cyber security regulations is making the manufacturers of such devices liable for all damages caused by their failure to properly secure their devices. Allowing both the government and users who suffer damages caused by weak built-in cyber security to sue manufacturers for both actual and punitive damages will go a long way towards the goal of preventing a catastrophic cyber attack on this nation that could easily cripple our essential computer infrastructure and cause untold economic harm.
Originally published in the Daily Caller