The House took a serious, and mostly bipartisan, look Wednesday (Nov. 16) at the cybersecurity threat posed by the Internet of Things.
A joint hearing, "Understanding the Role of Connected Devices in Recent Cyber Attacks," was held in the Communications Subcommittee, chaired by Rep. Greg Walden (R-Ore.), and the Subcommittee on Commerce, Manufacturing and Trade, chaired by Rep. Michael C. Burgess (R-Texas).
The hearing was held in the wake of the distributed denial of service attack on Oct. 21 that restricted access to some major websites.
Apparently, the attack only employed 150,000 of about 1.5 million IoT devices still infected with the botnet that allows them to be commandeered to deliver similar or larger attacks in the future.
The seriousness of the issue was highlighted by the fact that the witnesses agreed that that the DDOS attack, which affected Netflix, Twitter and others -- was relatively benign compared to, say, an attack on critical systems that could cost lives.
Rep. Pete Olson (R-Tex.), a former Navy aviator, said the biggest threat to security is not bombs and missiles but ones and zeros and that, in the current environment, the government has to be proactive.
In fact, Republicans and Democrats were both using the R word (regulation) to talk about addressing the threat, as were all of the witnesses to some degree, though Dale Drew, SVP and chief security officer at Level 3 Communications, focused on standards and existing regs rather than new ones.
Rep. Anna Eshoo (D-Calif.), ranking member of the Communications Subcommittee, also suggested that approach. When one witness said a new government agency might be needed to deal with IoT cybersecutiry, she said that would not happen in the new administration. Walden joked that for every new agency created, they could eliminate two, a reference to President-elect Donald Trump's proposed requirement that two regulations be scrapped for every one added.
But Walden got serious, saying that the IoT cybersecurity issue was bipartisan and the Republican leadership would continue to address it.
Walden told the witnesses he was concerned about the government stepping into the marketplace, but primarily because he had heard cybersecurity witnesses before warn government to "first do not harm" and to be careful not to lock things into statute.
Rep. Frank Pallone (D-N.J.), ranking member of the Communications Subcommittee, pointed out that some have argued that regulating devices will constrain innovation.
Witness Bruce Schneier, adjunct Lecturer, Kennedy School of Government, Harvard University, conceded the point, but said the government would definitely need to step in because the risk was too great. He said there's "a fundamental difference between your spreadsheet crashing and losing your data, and a connected car crashing and losing your life."
He emphasized that it was a catastrophic risk, crashing all connected cars, for example.
"It is an arms race, and the current edge is to the attacker," Schneier said, adding that given the scale of the Web and the ability to affect physical objects via IoT, "it might be that the Internet of fun and games is over."