Michael Greenberger and Diana Burley on the Dyn DDoS attack
The cyberattacks on October 21 that denied web users access to popular websites such as Twitter, PayPal, Netflix and others was a stark reminder of weak security in an increasingly internet-driven world. The attacks on internet DNS (domain name services) provider Dynamic Network Services, or Dyn, of Manchester, NH, underline the urgent need for consumer education, legislative mandates to force device makers to install adequate security features, and for internet-driven companies to elevate security issues to top management.
The attacks worked by marshalling networks of ordinary household devices such as child monitors or webcams to hurl an estimated 1.2 trillion bits of data every second at Dyn’s servers, causing them to crash. Dyn helps connect the browsers of internet users to the websites they choose, by matching the site address with the IP addresses that identify their computers. Dyn contained the problem later in the day, but was shaken by its unprecedented nature.
“This was a sophisticated, highly distributed attack involving tens of millions of IP addresses,” noted Kyle York, chief strategy officer at Dyn about the so-called distributed denial of service (DDoS) operation. In a DDoS attack, large numbers of internet-enabled devices send massive amounts of requests to DNS providers, overwhelming them and rendering them incapable of fulfilling those requests.
A group called New World Hackers that claimed responsibility for the Dyn attacks in a tweet the following day said, “We just broke a couple of records and did a few things that can be broken again.” However, the group also indicated that it may not attack again: “We are done hacking and we have considered retirement.”
Some experts branded New World Hackers as imposters. But their message was clear. The hackers “demonstrated how bad the situation could be,” says Michael Greenberger, founder and director of the University of Maryland Center for Health and Homeland Security, who is also a professor at the university’s law school. “This is to show people how vulnerable we all are,” he notes, and warns of future attacks that could extend to life-saving systems at hospitals or electrical grids. “This is not the end of the problem. It is the beginning of it.”
Users of devices connected to the internet must be more vigilant themselves and pressure device makers to install the requisite features, says Diana Burley, executive director and chair, Institute for Information Infrastructure Protection at George Washington University, where she is also professor of human and organizational learning.
“This is not the end of the problem. It is the beginning of it.” –Michael Greenberger
“Right now, consumers focus on convenience and on being able to do everything that they think that they should be able to do as quickly and as efficiently as they possibly can,” says Burley. She explains that consumers seem to want only speed and convenience with their devices and don’t think about the underlying vulnerabilities they are exposing themselves to when they use those devices, she adds. “If consumers demand that these devices be secure and they are able to use them safely, that will begin to push these requirements into the product development cycle.”
Greenberger and Burley discussed ways to meet the challenges exposed by the Dyn attacks on the Knowledge@Wharton show on Wharton Business Radio on SiriusXM channel 111. (Listen to the podcast at the top of this page.)
What Users Must Do
“Computer hygiene is important,” says Greenberger. Household devices such as child monitoring systems, webcams and digital recorders that are connected to the internet often come with default passwords that hackers can easily obtain, he notes.
When users don’t replace those default passwords with their own passwords, hackers can easily take over those devices and get them to send IP signals in an attack, he notes. “They begin to take these things over and they become weapons.” Burley adds: “We may not think about our DVRs or our automobiles or our cameras as computers but they are in fact computers, and so we can’t simply use them as we would an old-fashioned device that is not connected to the internet.”
On their part, manufacturers of devices must make it clear to users that they have to replace the default passwords with their own, says Greenberger. Device makers must also pay attention to how they bring products to market, says Burley. “The focus with IoT (Internet of Things) devices is on speed-to-market and not sufficiently on securing those devices,” she adds.
Greenberger says the onus of ensuring adequate security is more on device makers than on consumers. “The product itself has to be developed in a way that doesn’t make it vulnerable.” He notes that a “theory of negligence, or what we call tort law” is beginning to develop, where if device makers don’t make it clear to consumers that they need to change passwords, they could be held “negligently liable for any damage that is caused.” The possibility of that liability is causing corporations to become more conscious of their obligations in ensuring adequate security in their products, he adds.
In earlier times, company managements often relegated internet security to their IT departments. However, more and more C-suite executives are now beginning to deal with the issue corporation-wide so that it receives the requisite attention, notes Greenberger. The scale of that challenge is huge. Greenberger says statistics show that only about 25% of companies have in-house computer expertise to deal with these problems.
According to Burley, identifying where the liability ultimately lies is important. She notes that the software development process is complex, where device makers may pool different types of software code from multiple vendors.
Burley also points out that although the latest attack was focused mostly on the U.S. East Coast, the problem of internet security extends beyond. “This is a global problem; the Internet has no boundaries.”
“When we start to think [about] the impact of denial of service on medical devices or things that can produce loss of life, we will start to see even more people paying attention.” –Diana Burley
Agenda for Action
Greenberger says more attention should be paid to mandate security controls. He notes that the federal government and many state governments have been “pleading” with private manufacturers of devices to embed best practices in their products, adding that 85% of the internet infrastructure is privately owned. “We’re begging people to do the right thing, and a lot more attention must be paid to mandating [best practices],” he adds. “For example, when you put a new drug on the market, you don’t plead with drug manufacturer to do it safely. We are in the same situation here.”
Greenberger also says he doubts the benefit to consumers from household devices that are internet-connected. “The cost-benefit analysis of connecting household devices to the internet works out badly for the consumer…. [It] is just not worth it to be connected to the internet with these things.”
The responsibility to make internet-connected devices safer has to be shared by consumers, governments and product makers, says Burley. “It is not an either/or situation – it is all of the above.”
However, Burley feels only a dramatic event may propel the changes that are required. “When we start to think [about] the impact on denial of service on medical devices or things that can produce loss of life, we will start to see even more people paying attention,” she says. “You don’t want a catastrophic event, but the way you get attention is through catastrophic events.”
Greenberger agrees. “Eventually, we’re going to have something happen that will be equivalent of the 9/11 attacks, and the mandates are going to start coming.”
Article by Knowledge@Wharton