Stopping small devices from causing massive Internet disruptions

Internet of Things devices — from Web routers to smart refrigerators — can be overcome by malware and used to affect an Internet we all rely on if simple changes aren’t made

Joyce Boghosian, The Chertoff Group
Pictured, from left to right at this November 18 event in Washington, DC: Frank Cilluffo, Associate Vice President & Director, Center for Cyber and Homeland Security, George Washington University; David Perera, Vice President for Government and Public Policy, Internet Security Alliance; Kiersten Todt, Executive Director, Presidential Commission on Enhancing National Cybersecurity; Jason Kaufman, President, The Chertoff Group (moderator)

A machine’s size doesn’t necessarily match its digital impact.

In October, millions of tiny, digitally-enslaved gizmos sent an enormous surge of junk information to the backbone of the Internet, an effort that overwhelmed Twitter, Netflix and Airbnb, among others, sending their services offline.

The malware reportedly used in the attack, known as Mirai and which is now freely available online, took advantage of the weak, default passwords of DVR machines and Internet-connected cameras, among other connected-but-insecure products.

“In this world of [the Internet of Things, or IoT] and interconnectedness, we need to understand that the lines between what is critical infrastructure and what is modern technology are very blurry,” said Kiersten E. Todt, the executive director of the Presidential Commission on Enhancing National Cybersecurity, which released cybersecurity recommendations for the next administration on December 1st.

“Something that is a technology that is meant to be a modern [convenience can] become critical infrastructure through varied ways of interdependencies and interconnectedness.”

Ultimately, it’s the small things that matter the most to the digital protections we all rely on. Collectively, it’s these tiny details that can add up to expose larger systems.

Todt was speaking on a panel at The Chertoff Group Security Series event in Washington DC.

The day’s events — which spanned several panels and keynotes — tackled the difficult question of “how do we create growth and jobs securely, while at the same time protecting public safety and individual privacy?” said Jim Pflaging, a principal at Chertoff.

Indeed, the Mirai attack proved that this entire class of seemingly insignificant things could be compromised to far greater ends than just endangering a user’s DVR-ed episodes of Everybody Loves Raymond.

Fixing that problem requires tighter coordination between the public and private sector, a variety of experts agreed.

Perhaps the government and the private sector could be more proactive in the future, taking down botnets instead of watching them roam, said Frank Cilluffo, the Director of the Center for Cyber and Homeland Security at George Washington University.

“When we are really talking public-private partnership, if you ask me, that’s where we have had real effect: industry has taken a lead role and coordinated with government to take down botnets proactively,” he said on the panel, adding that there are already a series of successes that prove government and industry can collaborate in that way.

Todt further advocated for baseline security standards that IoT devices would need to meet in order to ward off serious attacks.

While Todt was speaking generally, the National Institute of Standards and Technology and the Department of Homeland Security both recently issued complementary sets of security guidelines for connected device makers.

One of the DHS recommendations specifically called out passwords, asking that manufacturers consider enabling “unique, hard to crack default usernames and passwords.”

“I think the password is losing whatever appeal it ever had as a principal way of verifying identity,” said former Homeland Security Secretary Michael Chertoff, co-founder of his namesake Chertoff Group, in reference to unique passwords and not the recently released guidance. “We are going to start seeing more sophisticated technological developments moving forward such as biometrics and multi-factor authentication. These are the kinds of things that we can build in that will reduce the risk (of using) these new smart devices.”
