Hackers launched a massive cyber attack that brought down some of the internet’s most popular websites in October: Spotify, Reddit, Netflix, and Twitter among them. But this attack — known as a distributed denial of service (DDoS) — was far more powerful than previous DDoS attacks, which merely used computers. This one used the Internet of Things.
Connected toasters, pet cams, printers, and more are all connected to the internet and can be used to engage in DDoS attacks, where a coordinated network of devices all spam an online target with information. In the October attack, some 1.2 trillion bits of “junk data” every second were hitting the servers of a company called Dyn, a domain name services company. The server infrastructure that housed those websites crashed under the weight, and the sites were down for hours.
A group called the New World Hackers claimed responsibility for the attack and announced it was just a dry run for a bigger target. The attack was big enough to catch the eye of the U.S. Government — or part of it at least.
California Congressman Jerry McNerney is leading the charge to take on large-scale abuses of the fragile Internet of Things. McNerney spent over two decades working in industry, and has a Ph.D. in mathematics, so he’s a good candidate for tech legislation. He’s also served in the House for ten years; his fifth term just ended, and, on Wednesday, California’s 9th District elected him once again.
The day of the Dyn attack in October, McNerney released a statement calling for congressional action; the following week, he and other Energy and Commerce Committee Democratic leaders sent this letter to call for a hearing.
As things stand, there’s no incentive for device-makers to fortify IoT security. People will pay for a gadget that lets them turn on their lights from their iPhone, but won’t pay another ten bucks to ensure it won’t be drafted into a DDoS attack. With advances in artificial intelligence, there’s no telling what’s next — and President-elect Donald Trump hasn’t exactly demonstrated ample knowledge on “the cyber.”
With the prospect of deregulation under Trump, it seems unlikely that consumer protections will be established. In short, the New World Hackers weren’t wrong: It’s just a matter of time before another DDoS takedown, perpetrated by internet-connected appliances. (So update your passwords on your IoT devices and change your router passwords from the factory default.)
McNerney and co. might be the last line of defense. If they can spur Congress into action, at least enough to fully understand what happened to Dyn systems, there might be a chance at improving the country’s digital security. “There’s been a lot of anxiety about the security of the internet in Congress, for the past year or more,” McNerney told Inverse in a recent interview about the IoT. The conversation continues below.
What’s the prevailing attitude in Congress about the internet and Internet of Things?
There’s an unease, now, in Congress, and I’m sure that [the Dyn cyberattack] just amplified that.
Do you share the same unease?
Certainly. We’re putting more and more information on the internet. With the Internet of Things, there are so many devices out there that will give nefarious actors access to personally identifiable information, to health information, to financial information, to national security information. There’s a tremendous opportunity for bad actors.
Can Congress move quickly enough to respond to these threats?
I think so. But, again, it is going to take a concerted effort. What I’m calling for, and what the Ranking Members of the Committee are calling for, is to hold hearings on this specific sort of attack. But I think that will open up a wider conversation on how we secure the internet.
What are you hoping to learn from an investigation?
What I want to learn is what is being done for DDoS and other attacks. The private sector’s out there; they must be taking steps, and I want to understand what they’re thinking. I also want to understand what federal agencies are doing. We would ideally have at least one hearing. One panel would be the private sector, and another panel federal agencies.
Also, we’d like to get an idea from them about what legislation would be helpful. We don’t want to do something that’s going to make it worse, or not have any effect. Is it a matter of providing incentives? Is it a matter of asking industry to establish standards? We want to understand what it is that we can do as a federal agency, because, if we don’t, then all these private entities, and all the different federal agencies, are going to do their own thing. I think that will potentially cause even more problems. It’d be good to have a standard for people to look up to.
Experts believe that the solution might come from the private sector, it might come from public-private cooperation, or it might come from the top down. Do you have any idea what the correct response would be?
It’s not going to come from the top down, and I don’t think the private sector can do it. It’s going to have to be some sort of a cooperation. That might end up looking like legislation, especially if we get a little consensus, and a buy-in from certain actors. Then, I think, we can move forward.
There’s little incentive for companies to include security in their products. Presumably legislation would require that these companies include security.
I think that would certainly have to be part of it. If you see all these devices out there, without any security, or with hardware passwords, and so on, that’s not going to be acceptable in the future. We really have to have enough control to be able to ramp up security in these places.
Then it would be regulation with the manufacturers, and not the consumers?
It’ll have to be with the manufacturers. There might be opportunities to educate the public on data hygiene, but the manufacturers are going to have to provide reasonable access to security for their customers.
Do you expect your fellow Congressmen and -women to cooperate?
I don’t think this is really a partisan issue. I think people are interested in making sure the internet is safe. Because, if it’s not safe, then what? It’s going to hurt our economy, and it’s going to hurt people’s private information — maybe their accounts will be vulnerable. And also national security: A DDoS attack may not compromise your personal information, but it could compromise the ability of the nation to respond to certain sorts of attacks.
If there were such a bill in the future, you would expect it to get through?
Yeah. I would. You know, one thing I’ve learned is that, if you want to get things done, you have to cooperate with people you may not agree with, and compromise with people you may not agree with. And I think a lot of people in Washington understand that, now. So I think there’s an opportunity for us to get something done. Although, I have to say: The timescale is pretty short. Two months is a short time frame in Washington. If there’s an urgency — if people understand the urgency — I think we can do it.
This interview has been edited for brevity and clarity.