Stopping small devices from causing massive Internet disruptions
A machine鈥檚 size doesn鈥檛 necessarily match its digital impact.
In October, sent an enormous surge of junk information to the backbone of the Internet, an effort that overwhelmed , and , among others, sending their services offline.
The malware reportedly used in the attack, known as Mirai and , took advantage of the of , among other connected-but-insecure products.
鈥淚n this world of [the Internet of Things, or IoT] and interconnectedness, we need to understand that the lines between what is critical infrastructure and what is modern technology are very blurry,鈥 said Kiersten E. Todt, the executive director of the, which 聽released 聽cybersecurity recommendations for the next administration on December 1st.
鈥淪omething that is a technology that is meant to be a modern [convenience can] become critical infrastructure through varied ways of interdependencies and interconnectedness.鈥
Ultimately, it鈥檚 the small things that matter the most to the digital protections we all rely on. Collectively, it鈥檚 these tiny details that can add up to expose larger systems.
Todt was speaking on a panel at The Chertoff Group Security Series event in Washington DC.
The day鈥檚 events 鈥斅爓hich spanned several panels, and keynotes 鈥斅爐ackled the difficult question of 鈥渉ow do we create growth and 聽jobs securely, while at the same time protecting public safety and individual privacy?鈥 said Jim Pflaging, a principal at Chertoff.
Indeed, the proved that this entire class of seemingly insignificant things could be compromised to far greater ends than just endangering a user鈥檚 DVR-ed episodes of Everybody Loves Raymond.
Fixing that problem requires tighter coordination between the public and private sector, a variety of experts agreed.
Perhaps the government and the private sector could be more proactive in the future, taking down botnets instead of watching them roam, said Frank Cilluffo, the Director of the Center for Cyber and Homeland Security at George Washington University.
鈥淲hen we are really talking public-private partnership, if you ask me, that鈥檚 where we have had real effect: industry has taken a lead role and coordinated with government to ,鈥 he said on the panel, adding that there are already a series of successes that prove government and industry can collaborate in that way.
Todt further advocated for baseline standards for measuring security that these IoT devices need to contain in order to ward off serious attacks. 聽
While Todt was speaking generally, the and the both recently issued complementary sets of security guidelines for connected device makers.
One of the DHS recommendations specifically called out passwords, asking that manufacturers consider enabling 鈥渦nique, hard to crack default usernames and passwords.鈥 聽
鈥淚 think is losing whatever appeal it ever had as a principal way of verifying identity,鈥 said former Homeland Security Secretary Michael Chertoff, co-founder of his namesake Chertoff Group, in reference to unique passwords and not the recently released guidance. 鈥淲e are going to start seeing more sophisticated technological developments moving forward such as biometrics and multi-factor authentication. These are the kinds of things that we can build in that will reduce the risk (of using) these new smart devices.鈥
