Regulations May Decrease IoT Botnets, but Won’t Stop Them

The Internet of Things brings a host of advantages to consumers and businesses, but it also presents a slew of cyber security concerns. The most prominent concern is that hackers continue to “recruit” IoT devices to create zombie botnets that launch distributed denial of service (DDoS) attacks. This MIT Technology Review article states:

Security experts have warned Congress that this is a very real problem, which is likely to be solved only via regulations on Internet of Things devices. The Trump administration has vowed to crack down on botnets, but its proffered solutions are at best a long shot. That means botnets remain a potent security threat that is incredibly difficult to defend against. And while ransomware may be making the headlines right now, it would pay to remember the bots are still out there.

Some believe that government (s) should impose stricter regulations around the manufacturing of IoT devices, to have the manufacturers bake in better security architecture to their products.

The mandates would undoubtedly mean more regulations, not intended to burden manufacturers but rather to protect everyone who uses the Internet. It’s a step in the right direction; good cyber hygiene should start with the security architecture of devices. However, the regulatory approach is not a panacea:

  1. Even if an IoT device is built with good security, it must be properly maintained once installed; it is up to humans to change the default password on such devices and install security patches or updates. Unfortunately, we all know how fallible humans tend to be when it comes to cyber maintenance.
  2. U.S. regulations can’t offer blanket protection; some manufacturers in the U.S. will likely fail to abide by the regulations, either willfully or unintentionally.
  3. IoT devices are a global problem; the U.S. government can’t mandate the manufacturing of other nations.
  4. There are still millions of IoT devices that cannot be upgraded, or may fall out of compliance with any new security regulations.

Ultimately, no matter how heavily IoT devices are regulated, many (millions) of devices will be unsecured, worldwide It’s a good idea to have more secure IoT devices; that would make life a bit more challenging for DDoS hackers. But you can’t count on that to solve the problem of IoT botnet-driven DDoS attacks.

Others share this belief. A June 29, 2017 Federal Computer Week (FCW) article, “Why the cyber EO won’t solve botnets,” discussed U.S. President Trump’s Executive Order on Cyber Security, which was signed last month. FCW interviewed AT&T’s Chris Boyer, chair of the National Institute of Standards and Technology Information Security and Privacy Advisory Board (NIST ISPAB), and wrote:

“Boyer and other board members stressed the need to focus on resiliency and not simply prevention or elimination of botnets. The latter would be unrealistic, they said because botnets will continue to exist and attacks will happen.”

You can’t completely prevent hackers from remotely controlling IoT devices to create zombie botnets as part of DDoS attacks. But you can control your network security, and you can implement a sound DDoS protection solution, whether you bring it in-house or purchase protection via your Internet Service Provider or Hosting Provider.

For more information, contact us.

Leave a Reply