Understanding the Role of Connected Devices in Recent Cyberattacks - Cyber

We live in a world that is increasingly connected. Our smartphones are now capable of locking and unlocking our front doors at home, turning on lights, checking the camera for packages left on the doorstep. We are able to measure our steps, check our baby monitors, record our favorite programs from wherever we have connectivity. We will soon be able to communicate-or, excuse me, we can communicate with our offices, too-but commute to our offices in driverless cars, trains, buses, have our child's blood sugar checked remotely, and divert important energy resources from town to town efficiently. These are incredible potentially life-saving benefits that our society is learning to embrace, but we are also learning that these innovations do not come without a cost. In fact, recently we encountered a denial of service attack on a scale never before seen. This attack effectively blocked access to popular sites like Netflix and Twitter by weaponizing unsecured network connected devices like cameras and DVRs. Once these devices came under the command and control of bad actors, they were used to send a flood of DNS requests that ultimately rendered the DNS servers ineffective. As I understand it, at the beginning of this attack it was virtually impossible to distinguish malicious traffic from other normal traffic, making it particularly difficult to mitigate against attack. So how do we make ourselves more secure without sacrificing the benefits of innovation and technological advances? A knee-jerk reaction might be to regulate the Internet of Things. And while I am not taking a certain level of regulation off the table, the question is whether we need a more holistic approach. The United States cannot regulate the world. Standards applied to American-designed, American-manufactured, American-sold devices won't necessarily capture the millions of devices purchased by the billions of people around the world, so the vulnerabilities might remain. Any sustainable and effective solution will require input from all members of the ecosystem of the so-called Internet of Things. We will need a concerted effort to improve not only device security, but also coordinate network security and improve the relationships between industry and security researchers. We are all in this thing together and industry, Government, researchers, and consumers will need to take responsibility for securing this Internet of Things. So today we will hear from a very distinguished panel of witnesses on some of the approaches that can be brought to bear on this challenge. My hope is that this hearing will help to sustain and accelerate conversations on our collective security and foster the innovation that makes the Internet the greatest engine of communications and commerce the world has ever seen.