Slashdot Mirror


Schneier: We Need a New Agency For IoT Security (onthewire.io)

Reader Trailrunner7 writes: The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices. In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren't manufactured in the United States, so regulation would have no effect on their security. Another piece of the puzzle is the fact that there's no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle. "I actually think we need a new agency. We can't have different rules if a computer makes calls, or a computer has wheels, or is in your body," said cryptographer Bruce Schneier, another witness during the hearing. "The government is getting involved here regardless, because the stakes are too high. The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement. I'm not a regulatory fan but this is a world of dangerous things."


  1. Re:Or, you know, we can just not by tlhIngan · Score: 1, Flamebait

    use this technology.

    Let's be honest. Right now, this stuff doesn't give us anything of real benefit. We don't need an internet connected thermostat. Or lights. Or fridges. Or toaster oven. Or whatever next comes up. Our skateboards reporting how many meters they've covered to some site or another. Useless! The utility of such things is near zero.

    Nifty? Yes. Neat? Yes. Useful? Not in the least. And certainly not outside the developed world.

    It's a distraction. A bad one. And if the recent mega-botnet attacks are any indication it's not good for the health of the internet either. So let's get rid of them before someone in a position of abusable power decides that they're evil and gets rid of them for us. With us doing it, it at least leaves the door open for getting it right next time. Not so certain that others would give the tinkerers a second chance on something like this. I've already had to deal with parents panicking over their children's laptop cameras.

    That wasn't a fun conversation in the least.

    Just because YOU don't see a need doesn't mean it isn't useful. In fact, you omitted the most useful IoT devices out there, interestingly enough.

    IP cameras and DVRs. These have real uses and real benefits to users - checking up on the house or business. Oftentimes we'd get an alert from the alarm company and instead of having to drive down to the office to check it out, we can look at the surveillance video OVER THE INTERNET, and see it was just an employee working late who used the wrong door. Heck, most good sysadmins have remote access to their environmental monitors in the data center and can remotely check stuff out for the same reason.

    Oh, and you know what devices were most vulnerable in the DYN attack? IP cameras and DVRs.

    Internet controlled thermostats are nifty, and it's nice to be able to go on vacation, turn the A/C to just keep it from broiling, and then on the return, turn on the A/C to bring it back from desert day to human comfort. (Same goes with heat, too). Sure it's not a necessity, but it's a nicety.

    Then there's the door minders that let you know when someone is at the door when you're at the office, and you can let them put your packages in the garage rather than sitting on the front stoop inviting theft.