The poor security of Internet of Things (IoT) devices from web-connected lightbulbs to refrigerators may be partly the result of penny pinching by consumer and business shoppers, the U.S. Chamber of Commerce told a Senate panel focusing on cybersecurity Tuesday.
“Most people’s intuition is to buy the least expensive device even if the device’s security is not strong—and possibly contrary to their own best interests,” Chamber Cybersecurity Policy Vice President Matthew Eggers contended.
He buttressed his claim by asserting it is unclear whether buyers—including individuals, households, businesses, and public institutions—will pay for the cost of additional security features or be able to identify a strong device without a new way to help them make educated choices.
The chairman of the Senate panel, Alaska Republican Dan Sullivan, warned that the unprecedented security challenges of Internet-connected devices are likely to grow as their numbers potentially balloon to over 50 billion next year.
He called China the biggest foreign bad actor threatening the cyber safety of IoT devices in American homes, offices and medical facilities.
“Last year alone, U.S. authorities issued 19 Chinese indictments related to cyber espionage, the most in any recent year,” Senator Sullivan said.
Cyberspace hazards are nothing new, the lead Democrat on the Senate unit, Massachusetts’ Edward Markey, pointed out.
Markey noted that over a quarter of a century ago, as chairman of the House Subcommittee on Telecommunications and Finance, he held hearings which revealed that a cellphone could be reprogrammed to become a scanner capable of eavesdropping on other people’s phone calls.
“That was back in 1993. Before Facebook and WikiLeaks. When only birds tweeted and a ‘hack’ was what I called a New York Yankees or Knicks player,” Markey recalled.
As a more recent example of the harm hackers can cause, he noted that in 2016 hackers commandeered hundreds of thousands of IoT devices, including cameras, baby monitors and home routers.
“Ultimately, several major websites were disrupted, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, and The New York Times,” said Markey.
He said consumers would be helped in making wise security choices on IoT devices if there were a simple, voluntary cyber rating system tagged on the equipment, much as Energy Star is for energy efficiency.
“5, 4, 3, 2, 1, we want that for consumers,” said the senator, who has embedded the tactic in his proposed Cyber Shield Act.
But the Chamber’s Eggers cautioned that the voluntary rating system may not be able to keep up with IoT security best practices.
Robert Mayer, cybersecurity chief for the telecommunications trade group USTelecom, said it is important not to give consumers a false sense of security.
A major problem in the Internet of Things arena is that many organizations aren’t aware of the large number of IoT devices they have and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices do, National Institute of Standards and Technology (NIST) Information Technology Laboratory Director Charles Romine said.
After the session, the executive of the government research center agreed that IoT devices could be seen as easy ways to break into a personal computer, much like an open basement window is an easy way for a thief to break into a home with multiple deadbolts on its doors.
“Adversaries, like everyone else, want to do the least work possible,” Romine said.