Slashdot Mirror

← Back to Stories (view on slashdot.org)

Schneier: We Need a New Agency For IoT Security (onthewire.io)

Posted by msmash on from the need-of-the-hour dept.

Reader Trailrunner7 writes: The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices. In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren't manufactured in the United States, so regulation would have no effect on their security. Another piece of the puzzle is the fact that there's no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle. "I actually think we need a new agency. We can't have different rules if a computer makes calls, or a computer has wheels, or is in your body," said cryptographer Bruce Schneier, another witness during the hearing. "The government is getting involved here regardless, because the stakes are too high. The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement. I'm not a regulatory fan but this is a world of dangerous things."

6 of 165 comments (clear)

  1. Or, you know, we can just not by H3lldr0p · · Score: 5, Insightful

    use this technology.

    Let's be honest. Right now, this stuff doesn't give us anything of real benefit. We don't need an internet connected thermostat. Or lights. Or fridges. Or toaster oven. Or whatever next comes up. Our skateboards reporting how many meters they've covered to some site or another. Useless! The utility of such things are near zero.

    Nifty? Yes. Neat? Yes. Useful? Not in the least. And certainly not outside the developed world.

    It's a distraction. A bad one. And if the recent mega-botnet attacks are any indication it's not good for the health of the internet either. So let's get rid of them before someone in a position of abusable power decides that they're evil and gets rid of them for us. With us doing it, it at least leaves the door open for getting it right next time. Not so certain that others would give the tinkerers a second chance on something like this. I've already had to deal with parents panicking over their children's laptop cameras.

    That wasn't a fun conversation in the least.

  2. Re:The course is clear by lgw · · Score: 5, Insightful

    The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement.

    The people have spoken. The desire for stupid government is strong. Stupid government involvement is the only allowable course.

    The right answer here is a non-governmental agency like UL. That can have greater reach (and, frankly, more credibility) than anything US government-specific. This would have to be coupled with a firm stance from the sever side of IOT (like AWS) requiring the certification.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  3. Wrong by Hognoxious · · Score: 4, Insightful

    We totally don't. Just fuck off already.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  4. Another way by MobyDisk · · Score: 5, Insightful

    Most electronics in the United States are (Underwriters Laboratory) UL approved. That is because there are various non-governmental rules that strongly influence people into buying UL approved products. One is that vendors often refuse to stock products that are not approved by some standards body, because otherwise they may face liability for the product. Another is that homeowners insurance will not cover you if a non-UL approved device started the fire. Hospitals and laboratories will not buy medical devices that are not UL approved.

    We need something like UL for security.

    It would be great to have a system like that in place, rather than to have the government directly involved. The toughest part is that so much electronics is purchased online, from overseas manufacturers, that this free-market solution may not work. Really, the free market is optimizing around it. It would be awesome to see Amazon and Newegg refuse to sell products unless they had some kind of security approval.

  5. Re:The course is clear by edittard · · Score: 4, Insightful

    When Private entity fails, it goes away

    Not if it's a bank.

    --
    At the bottom of the /. main page it says 'Yesterday's News'. Well they got that right.
  6. Re:The course is clear by Obfuscant · · Score: 2, Insightful
    And in the perfect libertarian world there wouldn't have been the Community Reinvestment Act and similar follow-on legislation that forced banks to make unsecurable loans to people they knew couldn't pay them back, creating a market for bad paper, culminating in a large number of defaults when people who couldn't pay back their loans were faced with balloon payments that they knew from the start they wouldn't be able to meet but they signed up for anyway. So yeah, in this ideal world, I'd go along with the libertarian "lock them up if they commit fraud" idea.

    The CEOs you want to lock up for "practicing fraud", however, were acting in response to community groups using the justice department as a bludgeon to either force the loans or be sued for discrimination. If they didn't have similar percentages of approved loans over their entire service area it was defacto proof of discrimination. The fact that some neighborhoods tend to be working class with people who couldn't afford home loans wasn't relevant, so the rules had to change to allow those loans to be approved anyway. Once those loans were approved, where does the bank get money to make more loans? By selling the ones it has. "Community Reinvestment" stops when the bank has loaned out all it can, unless it sells loans to get more to loan.

    The problem of measuring compliance with anti-discrimination laws using simple statistics is ongoing. For example, it is defacto proof of Title IX violation if the percentage of girls at a school participating in sports is not the same as the percentage of boys. If you run a school where 20% of the boys are on sports teams but only 10% of the girls, then you either need to coerce a lot of girls into joining a sports team or cut your boy's teams in half.

    And similarly, if your bank is approving 50% of the loans from a neighborhood that is predominantly rich people but only 10% of loans from a poorer neighborhood, you either have to lose 2/3 of your loan business by refusing 80% of the "rich people" loans (losing out on the interest payments from well-secured, low-risk loans), or relax the rules so you can approve 40% more of the apps from poor people (increasing your risk by a large amount). And the answer is almost always based on the demands of the local community activists who want more loans to poor people.