The security risk our connected devices pose urgently needs a policy response

Those looking to spend the evening of October 21 checking out the new season of Black Mirror, a semi-dystopian TV series which features vignettes illustrating the potential perils of new technologies, ironically had their plans foiled by a cyber-attack which resulted in Netflix (along with Twitter, Reddit, Spotify, Paypal and several other major sites) becoming inaccessible for several hours.

The outage has since been traced to a large-scale distributed denial of service (DDoS) attack targeting Dyn, a large domain name system (DNS) host. Many may have been bewildered by the news that it was seemingly executed by a large network of hacked “Internet of Things” (IoT) devices — CCTV cameras, DVRs and various other gadgets, a large number of them apparently made by a single firm in China. 

While even the screenwriters of Black Mirror would likely scoff at the notion of our mundane digital devices and appliances — be they cameras, TVs, fridges or kettles — rising up against us, the IoT actually poses a very significant problem that is rarely discussed outside of cybersecurity and technologist circles.  

While the true origin of the term “Internet of Things” is a matter of some dispute, the idea of having everyday devices linked to the internet (originally with RFID chips) gained traction in the late ’90s. Researchers at projects like the Auto-ID Center at the Massachusetts Institute of Technology, founded in 1999, aimed to revolutionize retail by using these chips as a smart, networked system to replace barcodes. But since then, the term has become more associated with the home automation movement, and with ‘smart’ devices like the Nest thermostat.

These new technologies, and the data they would produce, were widely heralded as having massive potential for increasing overall productivity and efficiency. What was not to love? A garbage can that alerted city workers when it’s full, reducing energy costs by 50 percent to 60 percent? How about an energy efficient lighting system that knows exactly when to turn itself off? The possibilities seemed endless. Some even went as far as to argue that the IoT could singlehandedly save the American economy.

But today, the landscape looks a tad bleaker. Gartner, a market research firm based in Connecticut, has estimated that the IoT currently consists of more than six billion connected devices, and that it could reach as many as 20 billion in the next five years. Most of these are used in commercial and industrial settings, but consumer electronics and home devices are part of the problem as well. The sheer volume of connected gadgets has created a security crisis which seems increasingly insurmountable, as illustrated by the longstanding concerns of leading experts such as Bruce Schneier and Brian Krebs.

Designed as a distributed network of networks, the Internet is inherently resilient. But the fact that it has so many overlapping nodes and layers also means that targets are plentiful. As well, now that certain large companies have become singlehandedly responsible for large elements of key internet infrastructure, and because these firms tend to cluster together — for example, it has been estimated that Amazon Web Services alone could be responsible for hosting more than 30 percent or more of the World Wide Web — an attack on a major company, like the one that targeted Dyn on Friday, can take down many of its high-profile clients. 

Many of the IoT devices being enslaved for these attacks are so riddled with security vulnerabilities that it is effectively impossible to secure them. They’re also increasingly being used for DDoS attacks, and pulled into botnets that are larger, more sophisticated, and more plentiful than ever before. If the trend continues, we’ll be in serious trouble. 

Indeed, as Schneier eloquently argued a few weeks ago, “We need to save the Internet from the Internet of Things.” Of course, this poses a unique challenge for legislators and policymakers. 

Can we even formulate a legal response to this increasingly international problem? How do we prevent negligent businesses from churning out products which can effectively become weaponized? Who should step up and take responsibility for the unowned Internet? How do we prevent these ‘smart’ devices from becoming increasingly volatile and disruptive? 

The attacks demonstrate that it’s time to start seriously talking about the potential solutions — be they technological approaches, such as implementing blockchain-based security, or regulatory responses, such as more robust telecommunications laws. 

Given the extraordinary size and importance of today’s Internet, we no longer have the luxury of simply sitting back and hoping that the problem will fix itself or simply go away. We need to deal with the Internet of Things, and soon.