MY VIEWS
Bringing IoT Device Manufacturers to Account for Sub-standard Cyber Security Given the relentless rise of the Internet of Things (IoT), and the fact that the very devices that are being hacked to orchestrate these types of incidents are the same ones finding their way into our lives at an ever-expanding rate, the cascading effects of this latest attack have implications at every level of digital transformation.
HARSHUL JOSHI
SENIOR VICE PRESIDENT OF CYBER GOVERNANCE, RISK AND COMPLIANCE AT DARKMATTER
L
ate last year reports surfaced that the entire internet infrastructure of the African nation of Liberia had been knocked off-line after it was targeted by hackers using the same weapon that caused the largest cyber attack in history only a month earlier. The attack on Dynamic Network Services Inc., (Dyn), a New Hampshire-based Domain Name Server (DNS) on October 21 was a massive distributed denial of service (DDoS) incident. This type of attack is not new, and is based on standard techniques where a network of infected computers – a botnet – are directed to bombard its target with traffic, overloading its servers. The weapon used in the October attack, the Mirai botnet, was particularly effective because it harnessed infected, internet-connected devices, or so-called ‘Internet of Things’ devices, which, ominously from an expanding cyber threat landscape standpoint, are finding their way into more households around the world. The same weapon was reportedly used for several days in continued attacks on the West African nation of Liberia, where two companies
that co-own the only fibre going into the country are being targeted. During the attacks, websites inside the country are rendered unavailable. The incident in Liberia raises alarm even further given: 1. The national level impact of the attack on Liberia, which could affect the functioning of critical national infrastructure, which could in turn have devastating real-life consequences, even resulting in the loss of life. 2. The particular Mirai botnet that attacked Liberia, officially named Botnet 14, had a Twitter account and is open source, meaning it can and is being shared, and anyone with the requisite technical skill can use it. 3. DDoS are successfully targeting connected devices with lower cyber security postures to gain access to high-value networks and targets, with severe consequences. It has been suggested the rise of IoT is likely to prompt similar attacks in the future as inadequately secured IoT devices will continue to be an engine to facilitate breaches. Protecting digital environments in the age of the IoT and ultimately IoE (Internet of Every-
thing) requires a new type of standardisation and regulation approach to be adopted, which ultimately penalises the vendors flooding the market with insecure devices. At present there is no regulation or standardisation requiring a base-line security standard for IoT, meaning there is little incentive to make device manufacturers meet any minimum criteria of security, as there are few, if any commercial repercussions for not having done so outside of successful third-party litigation. For as long as device manufacturers are removed from the negative financial and logistical impacts triggered by the compromise of poorly secured devices, we will continue to count the escalating costs of botnet attacks through IoT devices. Minimum cyber security levels should not be an optional feature for IoT device manufacturers, but rather there should be mandatory standards and controls introduced, and high commercial sanction to the vendors that fall short of them, given that such oversights jeopardise the security of the digital eco-system for all connected stakeholders. ë
JA N U A R Y 2017
MEA
31