Policymakers are starting to ask questions.
It’s still unclear who is responsible for Friday’s massive internet outages, according to President Obama.
The attack was comprised of hundreds of thousands, possibly millions, of internet-connected devices that sent junk traffic to Dyn, a major domain name service provider.
The attack took down major sections of the internet across the United States for hours.
Basic security flaws found in webcams and other internet-connected recording devices were compromised in the attack, according to Chinese device manufacturer Hangzhou Xiongmai Technology, which admitted its products were partially to blame. A recall of Hangzhou Xiongmai products has been initiated. But other IoT device makers were targeted, too.
Still, no one seems to know who perpetrated it. And it may take weeks to find out.
“We don’t have any idea who did that,” said President Obama last night on “Jimmy Kimmel Live!” in reference to the internet outage.
No matter who is responsible, security researchers say the attacks, dubbed Mirai, foreshadow a future where internet threats stemming from our increasingly networked lives — with household IoT devices and connected cars — could become commonplace.
Yet the global economy depends on a reliable internet, and measures to prevent attacks that are as crippling as last Friday’s, where websites like Twitter, Netflix and the New York Times are shut down, need to be taken.
Lawmakers in D.C. are starting to chime in. Homeland Security Secretary Jeh Johnson said Monday that the Mirai malware attack had largely been “mitigated” and that Homeland Security has “been working to develop a set of strategic principles for securing the Internet of Things, which we plan to release in the coming weeks.”
Also Monday, Senators Angus King, I-Maine, and Martin Heinrich, D-NM, urged the Obama Administration to establish government policies to secure U.S. networks by sharing known vulnerabilities with industry.
Another Senator, Mark Warner, D-Va., sent letters asking the Department of Homeland Security, the Federal Trade Commission and the Federal Communications Commission if the agencies are prepared to grapple with the looming threat of millions of infected electronic devices.
Federal regulation, however, takes years. And poorly written legislation has the potential to codify into federal law practices that may rapidly become outdated. Various industry groups are moving to create guidelines for certifying the security of IoT products, like the IoT Security Foundation and the Open Connectivity Foundation. But these processes have yet to yield industry-wide standards.
Part of the problem is that no single agency or entity regulates the security of the internet. Individual websites are supposed to invest in their own security.
But the coming of 5G in 2020 is supposed to usher in a new wave of connected devices. Cisco predicts that by 2020 there will be 50 billion internet-connected devices worldwide, up from 15 billion online today, and that means securing the internet is going to become even more critical and a whole lot more complicated.