House lawmakers on Tuesday voiced fears about cyber threats to mobile and internet-connected devices, soliciting feedback from authorities in the private sector about how to ensure their security.
At a hearing Tuesday morning, members of a House Energy and Commerce subcommittee heard from a panel of cybersecurity experts about the compounding threats to smartphones as well as the expanding attack surface resulting from the rapid growth of what's commonly referred to as the "Internet of Things" (IoT), the ecosystem of everyday appliances and devices that are connected to the internet.
“It’s a powerful, connected, handheld computer,” Bill Wright, government affairs and senior policy counsel at Symantec, said of smartphones. “We need to start viewing these as computers and we need to protect them as computers.”
“Mobile devices are an attack vector that cannot be ignored, and they are increasingly targeted for access to sensitive information or financial gain,” said Kiersten Todt, who served as executive director of an Obama-era cybersecurity commission. “But, mobility should not be at odds with security.”
Rep. Debbie Dingell (D-Mich.) specifically raised concerns about the threat of ransomware to smartphones, given that the devices have become a home for personal and financial information.
“It’s happening now and in the near future. People are going to be locked out of their phones,” Dingell said. “We’re going to see this high level and we’ve got to pay attention to it.”
The hearing explored cyber risks to wireless networks and covered a number of topics — including the state of the cyber workforce and risks to the U.S. power grid — but homed in on threats to smartphones and what the proliferation of internet-connected devices means for the security of the cyber ecosystem.
There has been heightened concern about the vulnerability of IoT devices to hacking in the wake of the distributed denial-of-service attack against web service provider Dyn last October that leveraged thousands of infected internet-connected devices.
The attack surface will continue to grow, experts said Tuesday, as billions more internet-connected devices are brought into the market.
“It is essential that this vulnerability be addressed,” said Rep. Leonard Lance (R-N.J.), vice chairman of the subcommittee.
Charles Clancy, a professor of national security and technology at Virginia Tech, explained that the challenges of securing IoT are manifold because of the range of technologies and the risk of less expensive technologies — particularly those from overseas — being produced without security protections built in.
“The threats to an internet-connected home appliance are very different than the threats to an internet-connected nuclear reactor and the technologies are very different,” Clancy said.
Those testifying signaled that the federal government and private sector should work together on developing recommendations for IoT security and said that the optional cybersecurity framework developed by the National Institute of Standards and Technology (NIST) would present a good starting point for the conversation.
“I think the NIST cybersecurity framework is probably the best place to begin the dialogue around Internet-of-things security,” said Amit Yoran, chairman and CEO of Tenable Network Security. “At the end of the day, we have to take a holistic approach.”