Regulate cybersecurity or expect a disaster, experts warn Congress
NEW YORK, N.Y. — The U.S. government must demand that all internet-connected devices have built-in security, according to experts who warned Congress that the country could soon face a disastrous, lethal cyberattack.
The hearing, held Wednesday by members of the House Energy and Commerce Committee, examined how millions of infected internet-connected devices took down parts of the internet on October 21.
This kind of internet superweapon — essentially an army of 1.5 million infected gadgets — could be aimed at hospitals or critical government agencies. And it’s possible because manufacturers are making devices that are easy to hack and control remotely.
Experts blame poor practices by low-end manufacturers making devices like internet-accessible baby monitors, cameras and thermostats.
“I fear for the day every hospital system is down,” Kevin Fu, who teaches computer security at the University of Michigan, told the hearing. “This will require some kind of governmental mandate.”
Asking for regulation is a rare move for cybersecurity experts. They usually want fewer government rules, which tend to stifle innovation. But the panel of experts on Wednesday said this time it’s different.
“We’re not going to be laughing when the lights go out,” Fu said.
An estimated 6 billion devices are currently connected to the internet. That number is expected to reach 20 billion by 2020.
But low-end manufacturers currently have little incentive to spend the extra money to make products secure, experts say. Instead, they’re focused on churning out computer code and assembling parts on the cheap. As a result, they’re plagued with problems like default passwords that give hackers remote access.
“The market can’t fix this. The buyer and seller don’t care. Government has to get involved… What we need are some good regulations,” said Bruce Schneier, one of the world’s leading computer security experts.
Fu suggested a national cybersecurity testing facility, akin to an automotive crash safety testing lab. Schneier suggested a new federal agency that demands secure internet-connected gadgets.
They acknowledged that U.S. regulations won’t force a Chinese device maker to improve its standards. But they pointed out that companies don’t write two versions of computer code, so they’re more likely to do it right the first time around in order to access the American market.
Congresswoman Anna Georges Eshoo, a Democrat from California, said it was unlikely a Trump administration would be willing to act on these ideas.
“New agencies? New regulations? They’re dead in the water,” she said.
Schneier pointed out that the Bush administration created the Department of Homeland Security in the wake of the September 11 attacks. He said the same has to happen for cybersecurity before a crisis occurs and the public wonders why “1,000 people just died.”
“I’m not a regulatory fan. But this is the world of dangerous things,” Schneier said. “The choice is not between government involvement and no government involvement. It’s between smart government involvement versus stupid government involvement.”