October 24, 2016

Internet of Things or Internet of Insecurity?

Last week, a massive distributed denial of service (DDoS) attack hit a major Internet domain name server, knocking out access to a number of popular websites, including Twitter and The New York Times. The Mirai tool—malware code that has been released as open source—that was used in the attack was also recently used in an attack against Brian Krebs’ popular online security blog. That attack was one of the largest ever recorded, clocking in at 620 Gbps at its peak.

There’s a lot to unpack in the discussion surrounding this issue, but let’s start with the fundamentals.

A DDoS attack is essentially a flood of web traffic to a website, with the intent of driving so much traffic that the server buckles under the pressure. Think of it in terms of attempting to board a subway train. You wait for the train to arrive, along with a few other people on the platform. Once the train arrives, however, hundreds of people scamper from out of nowhere, with no particular interest in actually riding the train to a particular destination. Rather, they crowd onto the train in an effort to prevent would-be passengers with an actual interest in riding the train. As a result, you are unable to board. That’s akin to what happens in a DDoS attack.

Although there have been a lot of major cybersecurity breaches, this latest attack is the largest to implicate the Internet of Things (IoT). The IoT refers to the burgeoning ecosystem of physical devices that are connected to the Internet and generate, consume, and exchange data via embedded sensors. For all the many potential benefits of this developing industry, security is an area that still needs some work. One of the major concerns brought to light by this recent incident is the potential for an insecure IoT to drive even more botnet attacks, where individual computers and devices are temporarily “enslaved” to a nefarious actor. It seems pretty clear that a network of CCTV cameras, digital video recorders, and other networked devices were captured by a botnet, driving the DDoS attack. The more insecure, interconnected devices that find their way to the market, the greater the chance that these situations become commonplace.

Yet all’s not lost. There are a number of solutions to beefing up online security available to consumers. One such solution is the use of content delivery networks (CDN). CDNs are digital service providers. Neither ISPs or web hosting companies, CDNs offer a range of cloud-level web optimization and cybersecurity services that help reduce bandwidth usage and create a more streamlined, user-friendly online experience. (For more on the technical operation of CDNs, see these recent Niskanen Center comments, as well as this more in-depth white paper from Akamai Technologies.) These services can help mitigate all but the most significant cybersecurity attacks. Of course, they come at a cost.

For instance, Krebs himself indicated that he employed Akamai’s Prolexic service, a free CDN service that was unable to handle the full brunt of the DDoS assault. Had he opted to pay for the full-fledge premium CDN offered by Akamai, Krebs would have been on the line for between $150,000 and $200,000 per year. That’s the cost for protecting against this size of an attack. There’s no getting around that.

So what can be done to avoid, or at least mitigate, future attacks like this one? Krebs suggests voluntary measures as one avenue:

there are efforts afoot to gather information about which networks and ISPs have neglected to filter out spoofed traffic leaving their networks. The idea is that by “naming and shaming” the providers who aren’t doing said filtering, the Internet community might pressure some of these actors into doing the right thing (or perhaps even offer preferential treatment to those providers who do conduct this basic network hygiene).

Naming and shaming can certainly help contribute to social norms that place a greater emphasis on appropriate online security practices. However, Krebs goes further, suggesting other methods for addressing the insecurities in physical hardware:

To address the threat from the mass-proliferation of hardware devices such as Internet routers, DVRs and IP cameras that ship with default-insecure settings, we probably need an industry security association, with published standards that all members adhere to and are audited against periodically.

The wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval. Consumers also would need to be educated to look for that seal of approval.

This would probably be a more ideal alternative: addressing the situation at the hardware level.  I echoed these sentiments in comments submitted to the National Telecommunications and Information Administration on the issue of the IoT:

Self-regulating mechanisms, such as industry-based standards, can serve producers and consumers well in this space, and better than standards that might be issued by government. … industry-led standards should be permitted to set the agenda in cybersecurity regulation. When market failures can be demonstrated, and demonstrated to require government intervention, then and only then should the government address the issue through legislation or regulation.

The key to ensuring continued cybersecurity innovation in the IoT sector lies on mechanisms such as these. Imposing a set of government-approved regulations on baseline cybersecurity standards is likely to have numerous unintended consequences, including incentivizing a “race to the bottom,” where companies are disincentivized from continually investing more resources in security products and research. That race will be propelled by a recognition that government-approved standards set the industry default standard—one that companies can fall back on as a defense mechanism when inadequate security imperils consumers.

There are other means for achieving more optimal levels of online security as well. Market forces, for instance, can have a profound corrective effect on cybersecurity failures. Cyber insurance is one such route. The increasing valuation of the cybersecurity market over the past quarter century is a clear indication that firms are placing more and more emphasis on defensive technologies and the risks associated with breaches. As I noted in a 2015 Niskanen Center paper: “As of 2015, the total size of the global cybersecurity market had exploded to over $100 billion, with an estimated growth to $170 billion by 2020.” The current cybersecurity insurance market hovers around $20 billion, and is likely to continue growing. Unfortunately, there is still a great deal of uncertainty surrounding how to properly evaluate the value of using certain tools, such as encryption, over others, like network security and firewalls. Those are issues that will likely need to be worked out by insurance underwriters and actuaries. Trial and error will have to drive those efforts.

All this having been said, it’s also important to understand that DDoS attacks like the one we just saw are not the real threat to online users. Yes, these attacks have been increasing in severity and scope over the past few years. As noted by Niskanen’s adjunct fellows Brandon Valeriano and Allison Pytlak, the real threat online is when attacks “target the context, integrity, and generation of information.” Specific, targeted attacks against individual users, firms, and agencies are far more pressing issues than wide-scale network assaults. Debates over whether law enforcement should have greater access to encrypted communications or if CDNs should be liable for copyright infringement online will have an outsized impact on the future of cybersecurity—for better or worse.

For now, there are a number of paths forward in addressing online cybersecurity concerns that can help ameliorate concerns:

  • Regulators and Policymakers: Congress and regulatory agencies should ensure ongoing innovation in the cybersecurity ecosystem by refraining from placing undue regulatory restrictions on CDNs. This includes denying them intermediary liability protections when it comes to copyright infringement claims.
  • The IoT Industry: Firms operating in the manufacture of IoT devices need to take a more proactive approach in addressing potential security concerns in both hardware and software. Industry-led standards should be a top priority for industry, utilizing comprehensive third-party validators like the Online Trust Alliance. If they do not, trust in this emerging market will falter, and regulators and/or Congress will undoubtedly be forced to action.
  • In General: We need to focus on cybersecurity as a “service,” not a mandatory obligation. There are no silver bullets to the problem of cybersecurity, but there are learning experiences, and we should treat each breach, attack, and intrusion as an opportunity to learn from mistakes, not create new ones with knee-jerk regulations.

In addition, the U.S. government should continue to support—and perhaps consider expanding—research and development grants for cybersecurity researchers. A regulatory response at this stage, however, should be viewed with skepticism, especially given the lackluster security standards embraced by our own government. (Anyone remember the OPM hack?)

Mandating auto-security updates for IoT devices may seem like a reasonable response to an incident like this. But it’s important to understand that it’s neither the only, nor necessarily the best, approach to addressing difficult cybersecurity questions. After all, DDoS attacks of the scale and size we saw last week are a relatively recent phenomenon. Encryption has only been enabled for many websites and email services in the last few years. The cybersecurity insurance market is still emerging, and working through effective actuarial evaluations. In short, the Internet is still an emergent economic market and social ecosystem, and we still have many lessons to learn, equities to balance, and best practices to develop.

As the Internet continues to mature, these issues will undoubtedly be addressed. For now, the most prudent course of action remains keeping lines of dialogue between industry and government open. If we regulate too early, or too onerously, the ramifications could very easily be a less secure, and less open, Internet.