Stopping small devices from causing massive Internet disruptions

A machine’s size doesn’t necessarily match its digital impact.

In October, millions of tiny, digitally-enslaved gizmos sent an enormous surge of junk information to the backbone of the Internet, an effort that overwhelmed Twitter, Netflix and Airbnb, among others, sending their services offline.

The malware reportedly used in the attack, known as Mirai and which is now freely available online, took advantage of the weak, default passwords of DVR machines and Internet-connected cameras, among other connected-but-insecure products.

“In this world of [the Internet of Things, or IoT] and interconnectedness, we need to understand that the lines between what is critical infrastructure and what is modern technology are very blurry,” said Kiersten E. Todt, the executive director of the Presidential Commission on Enhancing National Cybersecurity, which  released  cybersecurity recommendations for the next administration on December 1st.

“Something that is a technology that is meant to be a modern [convenience can] become critical infrastructure through varied ways of interdependencies and interconnectedness.”

Ultimately, it’s the small things that matter the most to the digital protections we all rely on. Collectively, it’s these tiny details that can add up to expose larger systems.

Todt was speaking on a panel at The Chertoff Group Security Series event in Washington DC.

The day’s events — which spanned several panels, and keynotes — tackled the difficult question of “how do we create growth and  jobs securely, while at the same time protecting public safety and individual privacy?” said Jim Pflaging, a principal at Chertoff.

Indeed, the Mirai attack proved that this entire class of seemingly insignificant things could be compromised to far greater ends than just endangering a user’s DVR-ed episodes of Everybody Loves Raymond.

Fixing that problem requires tighter coordination between the public and private sector, a variety of experts agreed.

Perhaps the government and the private sector could be more proactive in the future, taking down botnets instead of watching them roam, said Frank Cilluffo, the Director of the Center for Cyber and Homeland Security at George Washington University.

“When we are really talking public-private partnership, if you ask me, that’s where we have had real effect: industry has taken a lead role and coordinated with government to take down botnets proactively,” he said on the panel, adding that there are already a series of successes that prove government and industry can collaborate in that way.

Todt further advocated for baseline standards for measuring security that these IoT devices need to contain in order to ward off serious attacks.  

While Todt was speaking generally, the National Institute of Standards and Technology and the Department of Homeland Security both recently issued complementary sets of security guidelines for connected device makers.

One of the DHS recommendations specifically called out passwords, asking that manufacturers consider enabling “unique, hard to crack default usernames and passwords.”  

“I think the password is losing whatever appeal it ever had as a principal way of verifying identity,” said former Homeland Security Secretary Michael Chertoff, co-founder of his namesake Chertoff Group, in reference to unique passwords and not the recently released guidance. “We are going to start seeing more sophisticated technological developments moving forward such as biometrics and multi-factor authentication. These are the kinds of things that we can build in that will reduce the risk (of using) these new smart devices.”