The Need for Regulation of IoT Devices to Increase Secure Software and Reduce DDoS Attacks
In October 2016, a distributed denial-of-service (DDoS) attack carried out by a new cyber weapon, the Mirai botnet, caused both European and U.S. citizens using a certain internet server to lose internet access and downed the sites of large companies like Twitter, Netflix, and the Guardian. Large-scale DDoS attacks, however, are not new; they have instead increased in both volatility and number since the infamous 2007 DDoS attack that took down Estonia’s internet and critical infrastructures.
In response to the Mirai botnet attack, David Fidler, cybersecurity fellow for the Council on Foreign Relations, said, “we have a serious problem with the cyber insecurity of Internet of Things (IoT) devices and no real strategy to combat it.” Fortunately, DDoS attacks that exploit poorly secured IoT devices have begun to gain attention in the national consciousness, and it is probable that a norm regarding IoT device insecurity will emerge in 2017. A plausible 2017 cyber norm between the U.S. and Estonia, for instance, can require the production of more secure IoT devices, which can help prevent DDoS attacks but does not actually call on adversaries to stop attempting them.
A cyber norm calling for stricter regulations on the security of IoT devices first presents itself as a cost-effective way to prevent DDoS attacks and improve cybersecurity. It is increasingly evident that as the cyber domain rapidly expands, the U.S.’s cybersecurity and critical infrastructures are becoming increasingly exposed and unprotected. However, because of the rapid and unpredictable expansion of the cyber domain, creating defense systems to monitor and reverse-hack an IoT device breach is expensive and requires significant time and resources. Thus, instead of spending money on defensive measures for insecure devices, a more effective and economic solution would be to create a cyber norm that targets the source of the DDoS attack issue: the production of insecure IoT devices. By preventing DDoS attacks, critical infrastructure systems reliant on the Internet (banks, transportation, government, etc.) and large companies like Netflix and CNN can improve the security of their information and better protect their customers, respectively.
Furthermore, a cyber norm that regulates and standardizes the production of IoT devices offers a few-state solution to a worldwide problem. Cyber norms are deeply rooted in and influenced by international politics, and thus the creation of norms is typically slow and often frozen in diplomatic disagreements. Even if a norm is collectively agreed upon between foreign governments, there is no international police to ensure that countries continue to fulfill their obligations and act with accountability. However, if the U.S. and Estonia — two major consumers and producers in the technology market — collectively agree to implement stricter security regulations through a cyber norm, then international manufacturers will have to comply and upgrade their IoT devices if they wish to continue making profits in U.S. and Estonian markets. Thus, without delving into the complicated politics of persuading China or Russia, for example, to stop DDoS attacks on the U.S., the U.S. can mandate that it will only produce and purchase IoT devices of a certain caliber. The upgrades that other countries then “make in their software will be available in products wherever they are sold, simply because it makes no [economic] sense to maintain two different versions of the software.” In other words, a cyber norm between just the U.S. and Estonia can influence standards of IoT device security on a worldwide platform.
However, a cyber norm for increases in IoT device security is not void of limitations, particularly because it does not call on foreign governments to stop attempting DDoS attacks. Foreign governments may need to comply with a U.S.-Estonia cyber norm about IoT software upgrades and standardization to remain competitive in their markets, but this norm is not a collective agreement that can compel them not to carry out DDoS attacks. In other words, this norm does not clarify liabilities or consequences if a foreign government tries to launch a DDoS attack. Instead, it simply tries to reduce the risks associated with insecure IoT devices. However, there is reasoning for not creating a norm that calls on foreign governments to stop using DDoS attacks. As pointed out by the Global Commission on the Stability of Cyberspace, cyber norms that have too much “depth” and develop deeper expectations tend to have greater political disagreements. Foreign governments are less likely to respect or sign a cyber norm that takes away their capabilities. In fact, by keeping the cyber norm to just improving insecure IoT devices, other countries may ask to join. Overall, a cyber norm regarding IoT devices is limited in that it specifically does not call on governments to refrain from attempting a DDoS attack, but is more effective in the end by not directly banning cyber-attack methods.
Another limitation of this cyber norm is that old devices with insecure software still exist in the cyber domain and will continue to for a while. Because the norm does not specifically address potential limitations on carrying out a DDoS attack, foreign governments could still attempt to compromise technology with older security software to use in the attack. As a result, the cyber norm may need to further evolve to include more specificity on perhaps “expirations” of technology and set deadlines for when citizens must purchase new, updated devices. Adding more specifics to the norm, however, will potentially make it more difficult to create a collective agreement between foreign governments. Overall, if this norm were to emerge in 2017, countries of interest would need to address topics of old, outdated technology still in the market and households.
Likewise, the success of this norm is not just dependent on agreements between two or more foreign governments, but is also contingent on compliance and efforts from many other stakeholders. Changing IoT security standards would require device manufacturers like Microsoft and Apple, Internet service providers like Comcast and Time Warner Cable, and internet governance organizations like the UN or ICANN, among other stakeholders, to put out coordinated efforts in reducing IoT insecurity. Because so many stakeholders will be involved outside of government, the norm may be harder to implement than anticipated. Different stakeholders have different values, as “the culture of Silicon Valley tech firms differs markedly from that at Cyber Command or the NSA.” However, it is noteworthy that norm disagreements are inevitably present because, fundamentally, norms and stakeholder values change with time and the problems that arise. Briefly, differing values and interpretations of an IoT security norm may limit efficiency in implementation and slow cybersecurity efforts.
DDoS attacks that exploit insecure IoT devices are on the rise, increasingly complex, and have more potential to seriously compromise critical infrastructures with time. Estonia 2007 demonstrated the dependency of modern nations on the Internet and to what extent a DDoS attack can undermine a government. October 2016’s Mirai attack was a reminder of large-scale DDoS attacks and, thus, hopefully a catalyst for new cyber norms in 2017. Although norms are inherently political in nature and difficult for countries to agree upon, a norm regulating IoT devices to promote greater software security against DDoS attacks offers foreseeable potential. Such a norm can be cost-effectively implemented by only a few states to have a worldwide impact. In the end, limitations exist with every norm, but the U.S. should not remain complacent in these limitations and instead keep pushing innovative and necessary cyber norms to improve cybersecurity.
Finnemore, Martha. “Breakthrough Group Working Papers.” Global Cyberspace Cooperation Summit VII (n.d.): n. pag. Cyber Summit. Global Commission on the Stability of Cyberspace, 17 Feb. 2017. Web. 16 Apr. 2017. <http://cs.brown.edu/courses/csci1800/static/files/documents/2017_EWI_ShortPrimerOnNorms.pdf>.
Schneier, Bruce. “Regulation of the Internet of Things.” Schneier on Security. IBM Resilient, 10 Nov. 2016. Web. 16 Apr. 2017. <https://www.schneier.com/blog/archives/2016/11/regulation_of_t.html>.
Woolf, Nicky. “DDoS Attack That Disrupted Internet Was Largest of Its Kind in History, Experts Say.” The Guardian. Guardian News and Media, 26 Oct. 2016. Web. 16 Apr. 2017. <https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet>.