On the morning of Oct. 21, Netflix and Twitter were kicked offline by hackers – annoying binge-watchers and prolific tweeters for several hours.
But the hacking of popular websites is a harbinger of what’s to come for consumers using devices connected to the internet, and Congress faces a tough question of how to protect consumers and businesses without over-regulating the tech industry.
“Many consumers do not recognize they need strong protection on everyday devices,” said Texas Republican Rep. Michael Burgess of Lewisville. Burgess spoke Wednesday at a House hearing to understand how connected devices factored into the Oct. 21 hack and other recent incidents. “The balance between functionality and security is not going to be solved in the near term. In fact, the most common password is the word ‘password.’”
Over the past decade, an increasing number of devices have been connected to the internet, including smartphones, cars and talking refrigerators. That gives hackers and criminals more entry points to disrupt lives in malicious ways.
“Everything is a computer. Your phone is a computer that makes calls, your refrigerator is a computer that keeps things cold,” testified Bruce Schneier, a special adviser to IBM security and a lecturer at Harvard University. “Attack is easier than defense, complexity is the worst enemy of security, and the internet is the most complex thing ever built.”
Schneier argued that the federal government must regulate and set standards for devices connected to the internet like it does for the safety of cars. He wants to create a new government agency and argued that Republicans swiftly created the Department of Homeland Security after 9/11 in response to safety threats.
But House Republicans like Burgess, chairman of the House Subcommittee on Commerce, Manufacturing and Trade, are unlikely to support a new regulatory agency that would likely cost billions of dollars.
“Regulation needs to be a cop on the beat. People do need to know that they are protected, but there does need to be a light touch,” Burgess said. “We ought to be enforcing current law before we write new ones.”
Despite the disagreement over creating new regulations, there was agreement by both Democrats and Republicans that cybersecurity hygiene must be improved, at the consumer and corporate level.
While consumers enter weak passwords into their electronic devices, hospitals and public utilities frequently rely on outdated security systems to protect valuable medical records and internal infrastructure, such as the systems that keep the power on.
“Windows XP is being used at a water treatment plant in Michigan,” said Kevin Fu, an associate professor of computer science and electrical engineering at the University of Michigan, who also testified at the hearing. “Most hospitals have capital equipment costs. This is why you see Windows 95 and Windows 98 machines in hospitals.”
Fu said a “kid in a basement” is capable of hacking such dated systems and causing potential damage to life and property.
In addition, a panel of experts told the committee that traditional passwords are largely obsolete, as human-created security systems are susceptible to hacking. Instead, devices should employ technology like fingerprint recognition and two-step authentication to thwart criminals.
“There’s always been a role for passwords, but in general passwords have outlived their usefulness,” Schneier said. “There are many other systems that give us more robust authentication.”
But specifically mandating what types of technology should be regulated to keep people secure could have negative effects because technology changes so fast. The experts testifying to the committee on Wednesday urged Congress to consider regulation that is “technologically invariant,” meaning that a new feature on the next iPhone should not cause the rules to be obsolete.
“The committee and agency need to be careful to be technology-neutral because things change so fast,” Burgess said.
The October attacks on consumer-facing websites were relatively benign, but increasingly sophisticated criminals trying to hack simple security systems could have far-reaching impacts on daily life for millions.
“I like the world where the internet can do whatever it wants whenever it wants,” Schneier said. “It’s fun, but we don’t live in that world anymore.”