Modern field guide to security and privacy

Opinion: How to fix an internet of broken things

The recent cyberattack that crippled much of the web last week took advantage of vulnerabilities in home products connected to the internet. Fixing those flaws is possible but it requires public action and industry cooperation. 


Jim Cole/AP
Malicious hackers directed a cyberattack last week at Dyn, a New Hampshire internet service company. The company was hit with a flood of internet traffic that originated from insecure connected devices.

The massive distributed denial of service, or DDoS, attack that paralyzed much of the web last week focused a bright spotlight on insecurities in the so-called Internet of Things.

That attack took advantage of rampant insecurities in gadgets such as web cams, which were corralled into a vast botnet that unleashed the DDoS on the tech company Dyn, which provides a core piece of internet infrastructure. (Click here to find out everything you need to know about the botnet.) 

While the rise of smart products holds the promise to revolutionize business and society, the burning question now is whether security can scale alongside the fast pace of innovation. The market for internet-connected devices is growing so quickly that Samsung recently announced that all of its products would be connected to the Internet by 2020. 

There's a way of developing connected gadgets that aren't easily susceptible to outside attack, that have more security protections, and are designed with security in mind. But it'll take more pressure on industry to make sure that happens. 

First, we need more cooperation amongst stakeholders including information sharing within defined boundaries, along with graduated sanctions being in place for rule breakers. The auto industry Information Sharing and Analysis Center (ISAC) is one example of this approach that should be replicated in other IoT sectors. 

Second, we should set standards for IoT devices. One model is the National Institute for Standards and Technology's (NIST) Cybersecurity Framework, along with its work on Cyber-Physical Systems. Over time, these standards could help establish a standard of IoT cybersecurity care, including new approaches to proactive cybersecurity measures.

Third, for the time being policymakers should push flexible, guidance-driven frameworks, not prescriptive regulation. Still, a range of policy options are available to incentivize cybersecurity investments, from tax breaks to public bug bounty programs.

In particular, more attention should be paid to the intersection of IoT and the need to secure supply chains. Since IT systems control everything from phones to factories, ensuring these systems are secure is of vital importance to the global economy. Yet this is a daunting proposition given varying sources of insecurity, from malicious – a 2012 Microsoft report found malware being installed in PCs at factories in China – to conflicting commercial incentives, such as Lenovo’s installation of advertising software that weaken security in 2015.  

Fourth, IoT providers should be encouraged to undertake good governance best practices, which can be accomplished by effective monitoring of IoT peers and an active role for civil society in shaming outliers. The power of supply chains could be brought to bear to help encourage the dissemination of best practices, such as firms requiring NIST Cybersecurity Framework compliance from their suppliers, along with mandating the ability to do software updates for IoT devices. Similarly, an active dialogue between public and private sector supply chain governance is needed.

Fifth, government should be willing to allow industry to react to data breaches without overly broad, harsh or punitive fines, except in egregious circumstances as has begun to be defined in the US context through recent Federal Trade Commission litigation.

More broadly, policymakers can consider a range of policy options to enhance cybersecurity ranging from the manageable (offering grants to establish a nationwide network of cybersecurity clinics geared toward serving under-resourced stakeholders such as local governments and school corporations) to potentially helpful but politically challenging (national data breach notification that includes "reasonable" cybersecurity practices along with product recalls for insecure devices). And other questions loom, such as whether or not the FBI or another agency should be allowed to hack a botnet to stop these sorts of IoT-enabled cyber operations.

Already, the European Union is taking some steps in this direction with the Network Information Security (NIS) Directive, which, among other things, calls for a standard of cybersecurity for all businesses based upon risk management, information sharing and breach reporting between EU Member States, and multistakeholder participation in coordinated responses to cyberthreats.

We’ve come a long way since Kevin Ashton first used the expression "Internet of Things" as the title of a presentation he gave for Proctor & Gamble in 1999. The promise of networked smart devices is finally being realized, but in order to avoid the same litany of cyberattacks and data breaches we've seen in other contexts it's vital to adopt proactive policies that help drive the evolution of effective and secure IoT governance before cyber insecurity becomes replete in the Internet of Everything.

Scott Shackelford is an associate professor at the Indiana University Kelley School of Business where he teaches cybersecurity law and policy. He is the director of the Ostrom Workshop’s Program on Cybersecurity and Internet Governance, a Research Fellow at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, and a senior fellow at the Center for Applied Cybersecurity Research. This article was adapted from When Toasters Attack: 5 Steps to Improve the Security of Things, which was published by Cyber Magazine.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Opinion: How to fix an internet of broken things
Read this article in
QR Code to Subscription page
Start your subscription today