The House of Representatives took a serious, and mostly bipartisan, look Wednesday at the cybersecurity threat posed by the Internet of Things.
A joint hearing—Understanding the Role of Connected Devices in Recent Cyber Attacks—was held in the Communications Subcommittee, chaired by Rep. Greg Walden (R-Ore.), and the Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael C. Burgess (R-Texas).
The hearing was held in the wake of the distributed denial-of-service (DDoS) attack last month that restricted access to some major websites.
Apparently, that attack only employed 150,000 of about a million and a half IoT devices still infected with the botnet that allows them to be commandeered to deliver similar or larger attacks in the future.
The seriousness of the issue was highlighted by the fact that the witnesses agreed that that DDoS attack—affecting Netflix, Twitter and others—was relatively benign compared to an attack on critical systems that could cost lives.
Rep. Pete Olson (R-Texas), a former Navy aviator, said that the biggest threat to security is not bombs and missiles but ones and zeros and that, in the current environment, the government has to be proactive.
In fact, Republicans and Democrats were both using the R-word (regulation) to talk about addressing the threat, as were all of the witnesses to some degree, though Dale Drew, senior VP and chief security officer at Level 3 Communications, focused on standards and existing regs rather than new ones.
Rep. Anna Eshoo (D-Calif.), ranking member of the Communications Subcommittee, did suggest when one witnesses said there might need to be a new government agency to deal with the cybersecurity of IoT that was not going to happen in the new administration. Walden joked that for every new agency created, they could eliminate two, a reference to President-elect Donald Trump's proposed requirement that two regulations be scrapped for every one added.
But Walden got serious, saying that the IoT cybersecurity issue was bipartisan and the Republican leadership would continue to address it.
Walden told the witnesses he was concerned about the government stepping into the marketplace but primarily because he had heard from cybersecurity witnesses before warn government to "first do not harm" and to be careful not to lock things into statute.
Rep. Frank Pallone (D-N.J.), ranking member of the Communications Subcommittee, pointed out that some folks have argued that regulating devices will constrain innovation. Witness Bruce Schneier, adjunct lecturer, Kennedy School of Government, Harvard University, conceded the point but said the government was definitely going to need to step in because the risk was too great. He said there was a fundamental difference between your spreadsheet crashing and losing your data and a connected car crashing and losing your life.
He emphasized that it was a catastrophic risk, crashing all connected cars, for example.
"It is an arms race and the current edge is to the attacker," said Schneier. He said given the scale of the web and the ability to affect physical objects via IoT, "it might be that the internet of fun and games is over."
