This Is The Way The Government Will Save IoT Security

Patrick Burns
Published in Extra Newsfeed
9 min read, Feb 23, 2017

Political expediency will drive security policy

Imagine this scenario: It’s 2017 and your company’s WiFi cameras were just hijacked and they are now part of a two-million-strong botnet army engaging in a denial of service attack against internet infrastructure around the world including DNS servers, data centers, and popular websites. Facing a global “cyber Pearl Harbor”, world leaders convene an emergency summit in Washington, D.C. where they try to develop emergency remedies.

Now imagine the kinds of remedies these folks might actually dream up. And remember: this is 2017.

The IoT’s “We Got This” Fallacy

I am going to generalize and say that most of us in the tech world prefer the government to stay away from most aspects of our businesses. Antitrust laws, patent rights, FCC regulation — all (mostly) helpful. But government meddling in how we design and support our products … that’s different.

Because right now, the IoT is like the mid-19th century American wild west. But instead of cheap land and do-it-yourself law enforcement, we have cheap ARM-based CPUs and a thin veneer of something that passes for security. The IoT is moving fast and participants compete on a global — not national — basis. And plenty of tech folks, never mind government folks, are just getting their feet wet with the IoT. So in the interests of competing globally and moving quickly, IoT businesses wave a privacy policy, some bullet points on encryption, and a press release announcing participation in a standards body. And this passes for good corporate stewardship on IoT security today.

For now, all this hustle keeps regulators at bay since constituents aren’t furious at their lack of prescience or preparation.

Yet.

Then … Mirai Went “Boom!”

But the “we’ve got this” hallucination should have become instantly unfashionable with last October’s Mirai attack, as anyone with a clue in IoT security should agree. One guy I enjoy reading — Bruce Schneier — has a clue and wrote this provocative piece on IoT security. He starts with the plain-old scariness of Mirai:

At a recent hacker conference, a security researcher analyzed 30 home routers and was able to break into half of them, including some of the most popular and common brands. The denial-of-service attacks that forced popular websites like Reddit and Twitter off the internet last October were enabled by vulnerabilities in devices like webcams and digital video recorders. In August, two security researchers demonstrated a ransomware attack on a smart thermostat.

But Mirai was just the enemy doing a systems test — the fallout from the attack could not have been that bad if you and I are sitting here reading blog posts on Medium, right? Like the German army tentatively crossing into the Rhineland to see if the French would respond to a flagrant violation of the Versailles Treaty, Mirai was a system-wide test of IoT security.

If we’re all sober and not hallucinating, the Mirai test was a precursor to something bigger.

“We Are From The Government And We Are Here To Help.”

The assumption that now, post-Mirai, governments will just stand to the side while industry does its magic, is no longer viable:

The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

First, it’s too bad Milton Friedman — who was famous for his thoughts on the economic externalities of pollution — is not around to weigh in on the economic externalities of IoT security “pollution.”

Second, any reasonable participant in the IoT industry would agree what we are doing now is not working very well. The IoT is like a “world-sized robot”, as Schneier calls it, with billions of endpoints around the world talking to each other, sharing data, now or soon to be making AI-based decisions, and largely unregulated:

Until now we’ve largely left computer security to the market. Because the computer and network products we buy and use are so lousy, an enormous after-market industry in computer security has emerged. Governments, companies, and people buy the security they think they need to secure themselves. We’ve muddled through well enough, but the market failures inherent in trying to secure this world-size robot will soon become too big to ignore.

I am a civil libertarian and my general credo is that there is no problem that the government cannot make worse when it steps in to “help”. If history is our guide, then government regulation of IoT security will be crude, costly, and insufficient.

Regardless, my view on IoT security is now that governments have no choice but to intervene.

The Inevitability of IoT Security Regulation


A repeat of Mirai seems inevitable due to the sheer volume of vulnerable endpoints, the sophistication of the hackers, and the political and/or economic opportunity it presents. And with a repeat of Mirai — especially one on a greater scale than the last — end users will demand a solution. And in the absence of a meaningful solution from the private sector, there is only one path remaining:

Here’s the thing: Governments will get involved, regardless. The risks are too great, and the stakes are too high. Government already regulates dangerous physical systems like cars and medical devices. And nothing motivates the U.S. government like fear. Remember 2001? A nominally small-government Republican president created the Office of Homeland Security 11 days after the terrorist attacks: a rushed and ill-thought-out decision that we’ve been trying to fix for over a decade. A fatal disaster will similarly spur our government into action, and it’s unlikely to be well-considered and thoughtful action. Our choice isn’t between government involvement and no government involvement. Our choice is between smarter government involvement and stupider government involvement. We have to start thinking about this now. Regulations are necessary, important, and complex; and they’re coming. We can’t afford to ignore these issues until it’s too late.

Anticipating The IoT Regulators

It is theoretically possible that regulators are already secretly and urgently preparing for a future Mirai — call it a “Mirai II” — event, but you and I both know this is unlikely. Instead, a catastrophic cyber event like September 11th is the more likely event that will jar regulators into meaningful action.

So let’s imagine how “meaningful action” plays out by looking at past behavior. September 11th, 2001 was an unanticipated, catastrophic event yet the bulk of the response was fairly conventional:

  • They spent tons of money (e.g. funded what is now a $64 billion a year Department of Homeland Security),
  • They responded militarily (e.g. two wars in Afghanistan and Iraq); and
  • They imposed regulations (e.g. travel and import restrictions, Amber Alerts, etc.).

In other words, a very 20th-century response. Yet as we imagine how regulators will respond to a bigger Mirai event, another response to the September 11th attacks is worth noting: the immediate grounding of all airplanes in the U.S. immediately following the attacks. All planes in U.S. airspace, wherever they were, were told to immediately find an airport and land. Fighter jets were scrambled to deal with potential non-compliers. In effect, the government pressed a “kill switch” on air travel in order to minimize further loss of life and property. It was indiscriminate, a huge inconvenience to millions, and also very smart.

A larger-scale Mirai attack, I believe, will result in a similar rush to implement a “kill switch” for the IoT.

A Kill Switch Might Be The Easiest Political Option

The kill switch is a compelling political possibility when compared to all the other options. Here is Schneier, who advocates aggressive government intervention, with just a partial laundry list:

We need government to ensure companies follow good security practices: testing, patching, secure defaults - and we need to be able to hold companies liable when they fail to do these things. We need government to mandate strong personal data protections, and limitations on data collection and use. We need to ensure that responsible security research is legal and well-funded. We need to enforce transparency in design, some sort of code escrow in case a company goes out of business, and interoperability between devices of different manufacturers, to counterbalance the monopolistic effects of interconnected technologies. Individuals need the right to take their data with them. And internet-enabled devices should retain some minimal functionality if disconnected from the internet.

At best, such a laundry list will take years to fully implement and hundreds of billions of dollars.

But another of Schneier’s recommendations is closer to mine:

We also need to start disconnecting systems. If we cannot secure complex systems to the level required by their real-world capabilities, then we must not build a world where everything is computerized and interconnected.

It is going to be very hard to convince people to build non-connected devices. Too many horses have already left the barn: ARM-based silicon, MEMS sensors, easy access to low-cost manufacturing, expanding wireless connectivity options, tons of cloud-based software, etc. However, a cousin of non-connected devices is the device that can be disconnected, even in a Mirai situation. In other words, a “disconnectable” device. Or said more plainly, an IoT device with a kill switch.

Two Kill Switch Options

We can disconnect an IoT device from the internet in at least two ways:

  1. Disconnect the device’s internet connection. Disconnecting a hijacked device’s internet connection via the internet service provider (ISP) is at first glance an attractive solution: the sources of the DDoS attacks are identified, the associated internet service provider is notified, and the internet connections for the offending devices are canceled. In practice, however, it’s not so easy and among other things risks disconnecting “innocent” endpoints and nudges ISPs closer to the role of “internet policeman” which they want like syphilis. Still, I believe some flavor of government-mandated ISP kill switch will be part of a post-Mirai II response, as indiscriminate and crude as it will be. But it won’t be sufficient.
  2. Disconnect the endpoint. Technically, this could be a gateway or access point, too. When your IoT device is hijacked, you could be notified by your ISP or you may figure it out on your own when you no longer have access to your WiFi camera or your cow tracking tag. Having a wireless side channel (see below) that allows for a factory reset of firmware by someone located nearby or just a shutdown of the hijacked device entirely is all that is required. This approach is explained in more detail here:

For politicians and regulators, the downside of endpoint kill switches is that they aren’t in use in the IoT today. Still, the endpoint kill switch is an attractive political option as it conforms (and I’m being unintentionally cynical here) to the crude and indiscriminate past behavior of government in action and we should expect this to be part of a security policy prescription post-Mirai II.

But as the world works to implement 500 different ideas or laws designed to make the IoT more secure, Johnny Politician — and perhaps his constituents, too — will ultimately feel more assured when he knows that there is a reliable kill switch out there waiting to be pressed as a last resort.

Final Thoughts

  • Kill switches are not silver bullets. Kill switches are not a panacea to the bigger problem. Kill switches are not a substitute for good software or security policy design.
  • An endpoint or gateway kill switch can double as a means of two-factor authentication, which all IoT endpoints will have in the future and that will also make remote hijacks like Mirai much more difficult to execute.
  • Mirai-type botnets can be transnational in nature so an attack from thousands of hijacked devices spread across 40 countries is difficult to address without political cooperation on IoT security across those countries. This is probably the most vexing aspect of solving for DDoS-based IoT threats and there are no multilateral institutions equipped to address this today.

You can reach me via @patdash7 or via email at pat @ haystacktechnologies dot com.

CEO @ Haystack, Internet of Things tech pioneer and now blockchains, dad, martial artist, sometimes mountaineer & jazz pianist. http://bit.ly/2waHJHj