This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission. Please click "Reprint" to order presentation-ready copies to distribute to clients or use in commercial marketing materials or for permission to post on a website.

Administrative/Regulatory

Jun. 13, 2018

More IoT devices means increased risk of cyberattacks

Estimates suggest that by 2020, there could be around 50 billion devices of one type or another connected worldwide.

Daniel B. Garrie

Neutral, JAMS

Cyber Security

Orange County

Cell: (212) 826-5351

Email: daniel@lawandforensics.com

Sean McKee

Senior Manager, Cyber Threat Management

CD, CISSP

An employee in one of the common areas of Dyn, an internet company, in Manchester, N.H., Feb. 17, 2017. On Oct. 21, 2016, Dyn was the victim of a DDoS attack that rendered major internet platforms and services unavailable to millions of users in Europe and North America. (New York Times News Service)

The "Internet of Things," or IoT, refers to the interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data. Examples include internet-connected automobiles, medical devices, children's technology and toys, home security systems with Wi-Fi cameras, even the fitness tracker on your wrist. While these devices present tremendous opportunities for improved convenience and quality of life, they also pose serious cybersecurity challenges for private- and public-sector institutions.

Consider this: There are approximately 20 billion computing devices of one type or another connected worldwide, and projections estimate that by 2020 this number will reach 50 billion, much of the growth driven by IoT devices. The resulting attack surface is enormous, creating a virtually endless opportunity for exploitation by malicious actors.

Today, IoT device security is next to non-existent; manufacturers of these devices are not bound by regulations stipulating adherence to strict cybersecurity requirements in the way they are bound by consumer safety regulations. As a result, attackers have an all but unlimited supply of unprotected and unsuspecting target devices to harness in cyberattacks against governments and public- and private-sector organizations across the global economy. IoT devices form a ready and unwitting pool of resources for attackers to execute distributed denial of service, or "DDoS," attacks, in which a target's systems are flooded with illegitimate requests, often from networks of infected computers and devices known as "botnets," that saturate the target's bandwidth or exhaust its resources and prevent legitimate requests from reaching the service.
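To make the mechanism concrete, here is an added example, not code from the column or from any vendor mentioned in it, that runs a minimal per-second flood detector over a constructed web-server access log. The log lines, the addresses (documentation ranges), the thresholds and the traffic shapes are all assumptions made for the illustration. It shows why the per-source rate limit most operators reach for first cannot see a botnet flood that arrives as a trickle from many devices, and why an aggregate-rate check that also looks at the source distribution is needed alongside it.

```python
"""Added example, not from the column: a minimal per-second flood detector
run over a constructed web-server access log. All addresses, thresholds
and traffic shapes are assumptions made for the illustration."""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed capacity figures for the example service (requests per second).
PER_SOURCE_LIMIT = 50    # what a per-IP rate limiter allows from one client
AGGREGATE_LIMIT = 150    # what the service can absorb in total


def make_sample_log():
    """Constructed log, one line per request: ISO timestamp, client IP,
    method, path. Five seconds of traffic from 20 legitimate clients in
    192.0.2.0/24, plus a single-source flood in second 3 and a distributed
    flood from 200 sources in 203.0.113.0/24 (2 requests each) in second 4."""
    lines = []
    for sec in range(5):
        ts = f"2016-10-21T11:10:0{sec}Z"
        for c in range(20):
            lines.append(f"{ts} 192.0.2.{c + 1} GET /index.html")
        if sec == 3:
            lines += [f"{ts} 198.51.100.7 GET /" for _ in range(200)]
        if sec == 4:
            for bot in range(200):
                lines += [f"{ts} 203.0.113.{bot + 1} GET /"] * 2
    return lines


def parse_line(line):
    """Split one log line into (epoch second, client IP)."""
    ts, ip, _method, _path = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(when.timestamp()), ip


def bucket_by_second(lines):
    """Map each one-second window to a per-IP request count."""
    windows = defaultdict(lambda: defaultdict(int))
    for line in lines:
        sec, ip = parse_line(line)
        windows[sec][ip] += 1
    return windows


def residual_after_per_source_limit(per_ip):
    """Requests that still reach the service if every client is capped at
    PER_SOURCE_LIMIT: the only control a per-IP rate limiter provides."""
    return sum(min(n, PER_SOURCE_LIMIT) for n in per_ip.values())


def classify_window(per_ip):
    """Label a window using the aggregate rate and the source distribution."""
    total = sum(per_ip.values())
    if total <= AGGREGATE_LIMIT:
        return "normal"
    if any(n > PER_SOURCE_LIMIT for n in per_ip.values()):
        return "single-source flood"     # a per-IP limiter would contain this
    return "distributed flood"           # every source looks benign on its own


def analyze(lines):
    """Return {window index: label} for the log, windows numbered from 0."""
    windows = bucket_by_second(lines)
    first = min(windows)
    return {sec - first: classify_window(per_ip)
            for sec, per_ip in sorted(windows.items())}


if __name__ == "__main__":
    log = make_sample_log()
    for sec, per_ip in sorted(bucket_by_second(log).items()):
        print(sec, len(per_ip), "sources,", sum(per_ip.values()), "requests,",
              residual_after_per_source_limit(per_ip), "after per-IP limiting:",
              classify_window(per_ip))
```

In the single-source window, capping each client at 50 requests brings the load back to 70 requests, under the assumed capacity. The distributed window passes through that same cap untouched at 420 requests, because no single device ever exceeds it; only the aggregate rate and the jump from 20 to 220 distinct sources reveal the attack. That is the property of IoT botnets that pushes mitigation upstream, toward the carrier-level traffic filtering the column discusses later.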

Neither DDoS attacks nor the use of network-connected devices to perpetrate them is a novel concept. For decades, cyber criminals have infected computers around the world and recruited them into armies of cyber zombies. With the advent of unsecured IoT devices, however, attackers' return on investment in DDoS attacks has increased dramatically: they no longer need to invest the time and resources required to penetrate multiple company and personal systems, because devices that still carry a factory default password can be recruited wholesale.

According to Cisco, the number of DDoS attacks globally jumped by 172 percent in 2016, and Nexusguard, a vendor specializing in DDoS prevention services, observed a 380 percent increase in the number of DDoS attacks in the first quarter of 2017 compared with a year earlier. Cisco estimates the total will grow to 3.1 million attacks by 2021, a sobering figure.

To put this threat in context, on Oct. 21, 2016, domain name system provider Dyn was the victim of a DDoS attack that rendered major internet platforms and services unavailable to millions of users in Europe and North America. The attack used approximately 100,000 infected IoT devices from across the globe to overload Dyn's systems with traffic reported at up to 1 terabit per second (roughly equivalent to concurrently sending and receiving 40,000 emails, streaming 8,500 hours of music, 2,000 hours of web surfing, and 350 hours of high-definition video, all in one second). With the power of an IoT botnet, even the largest telecommunication companies on whom we rely for our own internet connectivity are not immune.

There is no magic solution to prevent malicious actors from exploiting IoT devices. The speed with which these devices are propagating globally calls for serious consideration of mandating built-in IoT device security, especially when some estimates indicate 70 percent of IoT devices have unpatched vulnerabilities. Ideally, manufacturers would take proactive measures to bring to market IoT devices with standard security controls that close known gaps. Simply ensuring that default passwords can be, and are, changed would be a modest improvement.
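What that modest improvement looks like in firmware, as an added example that is not code from the column or from any manufacturer: the device ships with a factory credential, accepts the first login with it, but keeps its network-facing services off until that credential is replaced with one that is neither short nor on a list of well-known defaults. The factory credential, the deny-list, the length limit and the hashing cost are all assumptions for the illustration.

```python
"""Added example, not code from the column or from any device vendor: a
changeable default password implemented as a first-boot gate. The factory
credential, the deny-list and the policy limits are assumptions."""
import hashlib
import hmac
import secrets

FACTORY_DEFAULT = ("admin", "admin")                     # assumed shipping credential
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"),   # constructed deny-list; real
                  ("admin", "1234"), ("user", "user")}    # firmware would carry a full one
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000                                   # tune to the device CPU


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    """Credential store for one device. `on_default` is meant to live in
    flash so the gate survives reboots and a factory reset re-arms it."""

    def __init__(self, default=FACTORY_DEFAULT):
        self.username, default_password = default
        self.salt = secrets.token_bytes(16)
        self.digest = _digest(default_password, self.salt)
        self.on_default = True

    def verify(self, username, password):
        """Constant-time comparison against the stored hash; no plaintext kept."""
        return username == self.username and hmac.compare_digest(
            _digest(password, self.salt), self.digest)

    def reject_reasons(self, candidate):
        """Why a proposed password is unacceptable; an empty list means OK."""
        reasons = []
        if len(candidate) < MIN_PASSWORD_LENGTH:
            reasons.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
        if ((self.username, candidate) in KNOWN_DEFAULTS
                or candidate in {pw for _, pw in KNOWN_DEFAULTS}):
            reasons.append("is a well-known default")
        if self.verify(self.username, candidate):
            reasons.append("same as the current password")
        return reasons

    def set_password(self, current, new):
        """Replace the credential; only this clears the first-boot gate."""
        if not self.verify(self.username, current):
            raise PermissionError("current credential did not verify")
        reasons = self.reject_reasons(new)
        if reasons:
            raise ValueError("rejected: " + "; ".join(reasons))
        self.salt = secrets.token_bytes(16)          # fresh salt on every change
        self.digest = _digest(new, self.salt)
        self.on_default = False

    def network_services_allowed(self):
        """Gate for the telnet/SSH/web listeners: while the factory credential
        is in place nothing binds a network socket; setup is console/LAN only."""
        return not self.on_default


def attempt_password_change(dev, current, new):
    """Run one change attempt; return None on success or the error text."""
    try:
        dev.set_password(current, new)
        return None
    except (PermissionError, ValueError) as exc:
        return str(exc)


if __name__ == "__main__":
    dev = DeviceAuth()
    print("services up before change:", dev.network_services_allowed())
    print("try '1234':", attempt_password_change(dev, "admin", "1234"))
    print("try strong:", attempt_password_change(dev, "admin", "correct-horse-battery-staple"))
    print("services up after change:", dev.network_services_allowed())
```

The point of the gate is that the device is never reachable over the network with the credential an attacker can look up in a manual, and that the check is enforced in code rather than left to a line in the quick-start guide. A deny-list check, a length floor and a salted slow hash are all decades-old practice on servers; nothing about them is specific to IoT or expensive to ship.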

Unfortunately, all indications point to IoT devices remaining unsecured, for several reasons: the economics of building in security features and of developing and distributing patches are seen as cost prohibitive; there is concern that regulating such devices will stifle innovation; and neither manufacturers nor customers care enough to force the change. Manufacturers are often more concerned with profitability and time-to-market, while customers focus on price point and functionality.

In the absence of any mandated requirement for built-in IoT device security measures on the part of the manufacturer, end-user organizations are realizing that they must allocate resources to understand the IoT threat posed to their businesses and incorporate new controls in their cybersecurity strategies to mitigate this risk. In an article authored by Sean Joyce, a principal in PricewaterhouseCoopers' Advisory Practice and former deputy director of the FBI, he cites a PwC report that indicates, "35% of survey respondents said they have an IoT security strategy in place, and another 28% said they are implementing one. Additionally, 46% of respondents said they will invest in IoT security over the next year." While this survey indicates a move in the right direction, the fact remains that end-users must bear the cost of implementing effective controls against the IoT threat.

Government can and must play a leading role in shaping the future of cybersecurity posed by IoT devices and other relevant threats. One such opportunity is for nation states to mandate a national capacity to filter malicious traffic at the source; telecommunication companies should be empowered to proactively "clean their pipes" of malicious content before it reaches individual company networks, including the ability to hold their customers accountable and effectively disconnect "bad" actors without fear of liability.

Specific to the IoT threat, Congress has recognized the severity of the situation to some degree and is taking action to address the issue. In August 2017, a bipartisan Senate initiative led by Cory Gardner, R-Colo., Steve Daines, R-Mont., Mark Warner, D-Va., and Ron Wyden, D-Ore., sponsored legislation known as the Internet of Things Cybersecurity Improvement Act of 2017. Recognizing that IoT devices are marketed without appropriate safeguards and protections in place, Sen. Warner stated, "This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices." The act would require federal government vendors to provide internet-connected devices that are patchable, free of known security vulnerabilities, allow default passwords to be changed, and generally conform to industry cybersecurity standards. The act wields a stick to incentivize compliance: manufacturers that ignore these requirements are barred from selling such devices to the United States government.

With this act, the federal government has raised the bar, taking a step in the right direction. However, the act's obvious shortcoming is that it applies only to U.S. federal government procurement. Furthermore, the United States, while a significant market, represents only a fraction of the global market for IoT-connected devices, which is not sufficient impetus for manufacturers to implement the security capabilities needed to effectively curtail IoT exploits.

Manufacturers who distinguish themselves from those selling unsecured devices, and who lead in establishing IoT security standards, will ultimately gain an economic advantage over their competitors. That would mark a shift to a market-based strategy that motivates manufacturers to build real security into their IoT devices.

Manufacturers of IoT devices should also consider the liability associated with products brought to market with inadequate security controls, and the resulting financial and reputational risks. Lawsuits brought against manufacturers in other consumer market sectors have established a precedent that manufacturers cannot absolve themselves of responsibility for the safety of the products they offer. These lawsuits allege, among other claims, negligence, fraud, breach of contract, breach of the warranty of merchantability, violations of state consumer protection laws, and privacy violations. The plaintiffs in many of these cases argue that device vulnerabilities have allowed hackers to gain unauthorized access to the devices, which may ultimately lead to harm, but have thus far been unsuccessful. Courts are unlikely to side with plaintiffs so long as the allegations rest on possible future damages from a breach rather than concrete proof of harm. However, it is only a matter of time before a victim is able to prove that a cybersecurity event, such as the breach of an unsecured IoT device, was the proximate cause of an actual, immediate, and foreseeable injury.

As IoT continues to evolve with incredible speed and becomes deeply entrenched in corporate and consumer markets, the security of these devices needs to be taken seriously. There is no need to start from scratch on basic security features for IoT devices, for success leaves clues: over the last 15 years, much of the technical work and security strategy has already been worked out, and it continues to evolve as cyber threats morph. Protections already baked into smartphones and laptops can be adapted to IoT devices. Small to medium-sized organizations should apply simple cybersecurity best practices such as endpoint monitoring, device management, regular patching, and periodic forced password changes.

In the absence of government or manufacturer movement on IoT security, the position of any public or private sector organization regarding IoT devices in its network environment should default to a security-first posture. Understanding the inherent risks of introducing IoT devices into its environment, so as to make informed and rational decisions about technology security and process controls, remains the only option. Whatever the future holds, we must recognize that, in today's globally interconnected world, the riskiest path is inaction at all levels.
