Stronger security urged for internet-enabled devices
Washington — The Obama administration urged the technology industry to secure millions of internet-connected devices from hacking, including fitness trackers, medical implants, surveillance cameras, home appliances, digital video recorders, thermostats, baby monitors and computers in automobiles. It proposed no specific penalties for manufacturers that do not comply.
In a report obtained by The Associated Press, the Homeland Security Department portrayed runaway security problems with a range of devices that have been made internet-capable in recent years. It said they posed “substantial safety and economic risks” and recommended urgent action by software and hardware developers, service providers, manufacturers and commercial and government buyers. No blame was placed on consumers who buy and operate such products.
“The growing dependency on network-connected technologies is outpacing the means to secure them,” Homeland Secretary Jeh Johnson said.
The department’s strategy represents an early step to organize scattered efforts to focus on cybersecurity for the category of devices known as the “internet of things.” It comes less than one month after hackers harnessed an army of 100,000 internet-connected devices around the world, such as DVRs and security cameras, to attack Dyn Co., which helps route internet traffic to its destination. The attack caused temporary internet outages at sites that included Twitter, PayPal, Pinterest, Reddit and Spotify.
U.S. officials say such an attack is a harbinger of security threats to come in the rapidly developing next frontier for cybersecurity.
“Securing the internet of things has become a matter of homeland security,” Johnson said. He said Tuesday’s guidance should help companies “make informed security decisions.”
Robert Silvers, the assistant homeland security secretary for cyber policy, led a six-month review, coordinating with cybersecurity experts, industry associations and other branches of the government, such as the Justice and State departments. Those talks encompassed questions of product liability and making diplomatic efforts to create a uniform rulebook for securing these devices.
“We need to have a very serious national conversation about what the approach is, and we need to do it urgently,” Silvers said.
The internet of things is decentralized and enormously complex, making it difficult to regulate. A camera with online capabilities may be designed in California, manufactured in China with parts from Taiwan and sold to someone who operates it on Germany’s network. Silvers said there is no benefit to “190 different national approaches.”
Some industrial sectors have moved forward with their own recommendations. In September, the National Highway Traffic Safety Administration published guidelines for self-driving cars. The Food and Drug Administration published its own guidance for medical devices in January.
For more than a decade, companies have added internet capabilities to devices as an additional feature, sometimes without security considerations. But adding security in wholesale fashion afterward is often more costly.
The government urged companies to ensure security settings are turned on by default. It recommended requiring unique passwords for each device so hackers can’t use a single stolen password to control thousands or more devices. It encouraged manufacturers to make products whose vulnerabilities can be fixed remotely.
“You can’t rely on a consumer to spend three hours to upgrade her toaster software. It’s not going to happen,” Silvers said.
The recommendations were released before a congressional hearing Wednesday on the role of connected devices in cyberattacks. No government officials were expected to testify.
To prevent more attacks, the government must increase security regulations for “what are now critical and life-threatening technologies,” according to Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law School and a well-known cybersecurity expert.
“It’s no longer a question of if, it’s a question of when,” Schneier said in prepared remarks for the hearing.