[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
UNDERSTANDING THE ROLE OF CONNECTED DEVICES IN RECENT CYBERATTACKS
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY
AND THE
SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
NOVEMBER 16, 2016
__________
Serial No. 114-175
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
23-438 PDF WASHINGTON : 2017
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
FRED UPTON, Michigan, Chairman

Majority:
JOE BARTON, Texas, Chairman Emeritus
JOHN SHIMKUS, Illinois
JOSEPH R. PITTS, Pennsylvania
GREG WALDEN, Oregon
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee, Vice Chairman
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota

Minority:
FRANK PALLONE, Jr., New Jersey, Ranking Member
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
PETER WELCH, Vermont
BEN RAY LUJAN, New Mexico
PAUL TONKO, New York
JOHN A. YARMUTH, Kentucky
YVETTE D. CLARKE, New York
DAVID LOEBSACK, Iowa
KURT SCHRADER, Oregon
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California
Subcommittee on Communications and Technology
GREG WALDEN, Oregon, Chairman

Majority:
ROBERT E. LATTA, Ohio, Vice Chairman
JOHN SHIMKUS, Illinois
MARSHA BLACKBURN, Tennessee
STEVE SCALISE, Louisiana
LEONARD LANCE, New Jersey
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Missouri
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)

Minority:
ANNA G. ESHOO, California, Ranking Member
MICHAEL F. DOYLE, Pennsylvania
PETER WELCH, Vermont
JOHN A. YARMUTH, Kentucky
YVETTE D. CLARKE, New York
DAVID LOEBSACK, Iowa
BOBBY L. RUSH, Illinois
DIANA DeGETTE, Colorado
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
JERRY McNERNEY, California
BEN RAY LUJAN, New Mexico
FRANK PALLONE, Jr., New Jersey (ex officio)
------
Subcommittee on Commerce, Manufacturing, and Trade
MICHAEL C. BURGESS, Texas, Chairman

Majority:
LEONARD LANCE, New Jersey, Vice Chairman
MARSHA BLACKBURN, Tennessee
GREGG HARPER, Mississippi
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
GUS M. BILIRAKIS, Florida
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
FRED UPTON, Michigan (ex officio)

Minority:
JANICE D. SCHAKOWSKY, Illinois, Ranking Member
YVETTE D. CLARKE, New York
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California
BOBBY L. RUSH, Illinois
G.K. BUTTERFIELD, North Carolina
PETER WELCH, Vermont
FRANK PALLONE, Jr., New Jersey (ex officio)
C O N T E N T S
----------
Hon. Greg Walden, a Representative in Congress from the State of Oregon, opening statement
    Prepared statement
Hon. Marsha Blackburn, a Representative in Congress from the State of Tennessee, opening statement
Hon. Anna G. Eshoo, a Representative in Congress from the State of California, opening statement
Hon. Michael C. Burgess, a Representative in Congress from the State of Texas, opening statement
    Prepared statement
Hon. Janice D. Schakowsky, a Representative in Congress from the State of Illinois, opening statement
Hon. Fred Upton, a Representative in Congress from the State of Michigan, prepared statement
Hon. Frank Pallone, Jr., a Representative in Congress from the State of New Jersey, prepared statement

Witnesses
Dale Drew, Senior Vice President and Chief Security Officer, Level 3 Communications
    Prepared statement
Bruce Schneier, Fellow, Berkman-Klein Center at Harvard University, and Lecturer and Fellow, Harvard Kennedy School of Government
    Prepared statement
Kevin Fu, Ph.D., Chief Executive Officer, Virta Laboratories, Inc., and Associate Professor, Department of Electrical Engineering and Computer Science, University of Michigan
    Prepared statement

Submitted Material
Statement of Craig Spiezle, Executive Director and President, Online Trust Alliance, November 16, 2016, submitted by Mr. Burgess
Letter of November 15, 2016, from Kyle Pitsor, Vice President, Government Relations, National Electrical Manufacturers Association, to Mr. Walden, et al., submitted by Mr. Burgess
Statement of the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security, November 16, 2016, submitted by Mr. Burgess
Statement of the Advanced Medical Technology Association, November 16, 2016, submitted by Mr. Burgess
Statement of Gary Shapiro, President and Chief Executive Officer, Consumer Technology Association, November 16, 2016, submitted by Mr. Burgess
UNDERSTANDING THE ROLE OF CONNECTED DEVICES IN RECENT CYBERATTACKS
----------
WEDNESDAY, NOVEMBER 16, 2016
House of Representatives,
Subcommittee on Communications and Technology
joint with the
Subcommittee on Commerce, Manufacturing, and Trade,
Committee on Energy and Commerce,
Washington, DC.
The subcommittees met, pursuant to notice, at 10:05 a.m.,
in Room 2175, Rayburn House Office Building, Hon. Greg Walden
(chairman of the Subcommittee on Communications and Technology)
presiding.
Members present: Representatives Walden, Burgess, Lance,
Latta, Barton, Shimkus, Blackburn, Guthrie, Olson, Kinzinger,
Bilirakis, Johnson, Long, Ellmers, Brooks, Mullin, Collins,
Pallone (ex officio), Schakowsky, Eshoo, Rush, DeGette, Matsui,
McNerney, Welch, Lujan, Loebsack, and Kennedy.
Staff present: Grace Appelbe, Staff Assistant; James
Decker, Policy Coordinator, Commerce, Manufacturing and Trade;
Paige Decker, Executive Assistant; Graham Dufault, Counsel,
Commerce, Manufacturing, and Trade; Blair Ellis, Digital
Coordinator/Press Secretary; Melissa Froelich, Counsel,
Commerce, Manufacturing, and Trade; Gene Fullano, Detailee,
Communications and Technology; Giulia Giannangeli, Legislative
Clerk, Commerce, Manufacturing, and Trade, and Environment and
the Economy; A.T. Johnston, Senior Policy Advisor; Grace Koh,
Counsel, Communications and Technology; Paul Nagle, Chief
Counsel, Commerce, Manufacturing, and Trade; Dan Schneider,
Press Secretary; Olivia Trusty, Professional Staff Member,
Commerce, Manufacturing, and Trade; Gregory Watson, Legislative
Clerk, Communications and Technology; Jessica Wilkerson,
Professional Staff Member, Oversight and Investigations;
Michelle Ash, Democratic Chief Counsel, Commerce,
Manufacturing, and Trade; Jeff Carroll, Democratic Staff
Director; David Goldman, Democratic Chief Counsel,
Communications and Technology; Lisa Goldman, Democratic
Counsel; Elizabeth Letter, Democratic Professional Staff
Member; Jerry Leverich, Democratic Counsel; Lori Maarbjerg,
Democratic FCC Detailee; Dan Miller, Democratic Staff
Assistant; Caroline Paris-Behr, Democratic Policy Analyst; Matt
Schumacher, Democratic Press Assistant; and Ryan Skukowski,
Democratic Senior Policy Analyst.
OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OREGON
Mr. Walden. I will call to order the Subcommittee on
Communications and Technology in our joint committee hearing
with the Subcommittee on Commerce, Manufacturing, and Trade.
Good morning, everyone. I will start with opening
statements for our side and for our subcommittee, and then I
think we go back and forth. So we will work this out.
I want to thank the two subcommittees for coming together
on this very important topic that I think we all share a deep
concern about.
We live in a world that is increasingly connected. Our
smartphones are now capable of locking and unlocking our front
doors at home, turning on lights, checking the camera for
packages left on the doorstep. We are able to measure our
steps, check our baby monitors, record our favorite programs
from wherever we have connectivity. We will soon be able to
communicate--or, excuse me, we can communicate with our
offices, too--but commute to our offices in driverless cars,
trains, buses, have our child's blood sugar checked remotely,
and divert important energy resources from town to town
efficiently.
These are incredible potentially life-saving benefits that
our society is learning to embrace, but we are also learning
that these innovations do not come without a cost. In fact,
recently we encountered a denial of service attack on a scale
never before seen. This attack effectively blocked access to
popular sites like Netflix and Twitter by weaponizing unsecured
network connected devices like cameras and DVRs. Once these
devices came under the command and control of bad actors, they
were used to send a flood of DNS requests that ultimately
rendered the DNS servers ineffective. As I understand it, at
the beginning of this attack it was virtually impossible to
distinguish malicious traffic from other normal traffic, making
it particularly difficult to mitigate against attack.
So how do we make ourselves more secure without sacrificing
the benefits of innovation and technological advances? A knee-
jerk reaction might be to regulate the Internet of Things. And
while I am not taking a certain level of regulation off the
table, the question is whether we need a more holistic
approach. The United States cannot regulate the world.
Standards applied to American-designed, American-manufactured,
American-sold devices won't necessarily capture the millions of
devices purchased by the billions of people around the world,
so the vulnerabilities might remain.
Any sustainable and effective solution will require input
from all members of the ecosystem of the so-called Internet of
Things. We will need a concerted effort to improve not only
device security, but also coordinate network security and
improve the relationships between industry and security
researchers. We are all in this thing together and industry,
Government, researchers, and consumers will need to take
responsibility for securing this Internet of Things.
So today we will hear from a very distinguished panel of
witnesses on some of the approaches that can be brought to bear
on this challenge. My hope is that this hearing will help to
sustain and accelerate conversations on our collective security
and foster the innovation that makes the Internet the greatest
engine of communications and commerce the world has ever seen.
So I thank our witnesses for being here. We appreciate your
willingness to come and share your expertise. It is very
helpful in our endeavors, and I look forward to your testimony.
[The prepared statement of Mr. Walden follows:]
Prepared statement of Hon. Greg Walden
Good morning. We live in a world that is increasingly
connected. Our smart phones are now capable of locking and
unlocking our front doors at home; turning on lights; and
checking the camera for packages left on the doorstep. We are
able to measure our steps; check our baby monitors; and record
our favorite programs from wherever we have connectivity. We'll
soon be able to commute to our offices in driverless cars,
trains, and buses; have our child's blood sugar checked
remotely; and divert important energy resources from town to town
efficiently.
These are incredible, potentially life-saving benefits that
our society is learning to embrace, but we are also learning
that these innovations do not come without cost. This past
month, we encountered a Denial of Service attack on a scale
never before seen. This attack effectively blocked access to
popular sites like Netflix and Twitter by weaponizing unsecured
network-connected devices like cameras and DVRs. Once these
devices came under the command and control of bad actors, they
were used to send a flood of DNS requests that ultimately
rendered the DNS servers ineffective. As I understand it, at
the beginning of this attack it was virtually impossible to
distinguish malicious traffic from other normal traffic, making
it particularly difficult to mitigate against the attack.
How do we make ourselves more secure without sacrificing
the benefits of innovation and technological advances? The
knee-jerk reaction might be to regulate the Internet of Things,
and while I am not taking that off the table, the question is
whether we need a more holistic solution. The United States
can't regulate the world. Standards applied to American-
designed, American-manufactured, or American-sold devices won't
capture the millions of devices purchased by the billions of
people around the world.
Any sustainable and effective solution will require input
from all members of the ecosystem for the so-called ``Internet
of Things.'' We'll need a concerted effort to improve not only
device security, but also coordinate network security and
improve the relationship between industry and security
researchers. We're all in this together and industry,
Government, researchers, and consumers will need to take
responsibility for securing the Internet of Things.
Today we'll hear from a panel of distinguished witnesses on
some of the approaches that can be brought to bear on this
challenge. My hope is that this hearing will help to sustain
and accelerate conversations on our collective security and
fostering the innovation that makes the Internet the greatest
engine of communications and commerce the world has known. I
thank the witnesses for their willingness to come and share
their expertise. I'm looking forward to your testimony.
Mr. Walden. At this time, I would yield to Mrs. Blackburn
for an opening statement.
OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TENNESSEE
Mrs. Blackburn. Thank you, Mr. Chairman.
And I also want to welcome our witnesses, and we appreciate
your time. You know, we did an Internet of Things hearing in
March 2015, and at that point I talked a lot about the
convenience that this brings to us in our daily lives and about
the opportunities that it will open for us. I think now as we
look at it, as the chairman said, you look at the cost, you
look at the maximized use that exists. I think that by 2020,
the expectation is 3.4 billion devices that would be in this
universe of connected. That means we have vulnerabilities that
exist, entry points, and we will want to discuss some of those
vulnerabilities with you today, get your insight, and see how
we as policymakers work with this wonderfully exciting,
innovative area in order to make certain that Americans have
access, but they also know that there is, as the chairman said,
security as we approach this.
And with that, Mr. Chairman, I yield back.
Mr. Walden. The gentlelady yields back the balance of her
time. I will yield back the balance of my time as well.
We will now turn to my friend from California, the
gentlelady Ms. Eshoo, for opening comments.
OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Ms. Eshoo. Thank you, Mr. Chairman.
First of all, I want to express our collective thanks from
this side of the aisle to you for responding to our request to
have this hearing. Mr. Pallone, Mr. McNerney, Ms. Schakowsky,
Ms. DeGette, and myself all made the request, and we are
grateful to you for holding the hearing, because we think that
this is, obviously, a very large issue and something that
concerns the American people.
In fact, Americans are connecting more devices to the
Internet than ever before. Most of us carry at least one in our
pocket, but as technology evolves, we are seeing a
proliferation of everyday items and appliances that connect
online. This is good. Today, everything from washing machines
to light bulbs are now capable of connecting to the Internet.
The business world also relies more and more on the Internet,
in fact, Internet-enabled objects, to drive their efficiencies
to produce lower cost.
There are as many as 6.4 billion--billion with a B--
Internet of Things products in use worldwide just this year.
The growth in this market is expected to be significant,
including estimates of over 20 billion Internet-enabled
products connected worldwide by 2020. So this is not a small
market. It makes it a very large issue. It is an economic one,
and we don't want to damage that, but it is something that
needs our attention.
There is great potential for innovation as more devices
become connected, but there is also the potential for serious
risk if they are not properly secured. That is really what we
are pursuing here. We need to look no further than the major
attack on October 21st that crippled some of the most popular
Web sites and services in our country. The distributed denial
of service attack against Dynamic Network Services, known as
Dyn, was made possible by unsecure Internet of Things devices
that attackers were able to infect with malware. This army of
devices was then harnessed by the attackers to bring down Dyn's
servers. Similar attacks in October targeted a journalist and a
French cloud services provider.
These attacks raise troubling questions about the security
of Internet-enabled devices and their potential to be used as
weapons by cyberattackers. For example, it has been reported
that some devices used in these attacks may have lacked the
functionality to allow users to change the default username and
password. We already know that an important way to prevent
cyberattacks is to practice good cyberhygiene, which includes
changing default usernames and passwords. When products lacking
the commonsense functionality are manufactured, shipped, and
eventually connected, they put users and the Internet as a
whole at risk. So it seems to me that this is an area that we
need to explore with our witnesses.
There is also the issue of how long these unsecured devices
can remain in use. The Dyn attack reportedly used infected
devices that were first manufactured as early as 2004.
Manufacturers may no longer update products that have been in
use for so long, further exposing users and the Internet to
security risks.
Finally, we have to recognize that this is a global issue.
Level 3 Communications estimates that a little more than a
quarter of these devices infected with the malware that was
used in the Dyn attacks are located in the United States. One
of the major manufacturers of products that appear to be
particularly vulnerable is based in China. This is important to
keep in mind as we explore how to address this problem going
forward.
So this hearing, I think, is a very important step in
helping us, first of all, to all understand what lessons we
should take away from these recent attacks. The Internet of
Things offers exciting possibilities for innovation, but we
can't afford to ignore the risks that come when devices are
designed without security.
Whatever the ultimate solution is, I think industry must
play a central role in the effort to address these issues, and
I look forward to hearing from our witnesses today. You play a
very important role in this.
So, with that, thank you again, Mr. Chairman, for allowing
this hearing to take place, and I yield back the balance of my
time.
Mr. Walden. The gentlelady yields back the balance of her
time.
The Chair now recognizes the gentleman from Texas, Dr.
Chairman Burgess.
OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF TEXAS
Mr. Burgess. Thank you, Mr. Chairman. And good morning to
our witness panel today. Thank you, Mr. Chairman, for holding
the hearing and allowing us to have this discussion about the
recent cyberattacks.
Several popular Web sites were knocked offline for several
hours on October 21 of this year. Hackers used malware to
create a botnet, sort of a gargantuan, amorphous mass of
connected devices, to flood a domain server with terabytes of
traffic, overwhelming the system and preventing legitimate
traffic from accessing those devices.
In this case, the result was brief, but the outages were on
consumer-facing Web sites. The incident is unique in that it
wasn't someone's desktop or laptop, but it was the armies of
compromised devices that launched these attacks without the
knowledge of the device owners. Many of the devices are regular
household items, such as baby monitors, DVRs, Web cams. And
many consumers do not realize they do need strong
cyberprotections on even these everyday devices.
But that is exactly why this attack and others like it has
been so successful. The malware that created this botnet spread
to vulnerable devices by continuously scanning the Internet for
Internet of Things systems protected only by the factory
default manually generated usernames and passwords.
The balance between functionality and security is not going
to be resolved in the near term. Consumers want the newest and
fastest device, they want it as soon as possible, and they have
not employed adequate security protections. In fact, the most
common password is the word ``password.'' The culture
surrounding personal cybersecurity must change to ensure that
the Internet of Things is not vulnerable to a single insecure
device.
The Subcommittee on Commerce, Manufacturing, and Trade has
explored cybersecurity through a number of hearings, including
our Disrupter Series. Cybersecurity, the issue of cybersecurity
has been raised and discussed at each of these hearings. The
Government is never going to be big enough to have the manpower
and the resources to address all of these challenges as they
come up, which is why it is so important and why I am grateful
that we have industry here today to discuss this with us,
because they must take the lead.
Recent attacks present a unique opportunity to examine the
scope of the threats and the vulnerabilities presented by
connected devices and to learn how stakeholders are considering
these risks throughout the supply chain, as well as how
consumers are responding in the market. We have learned about a
number of best practices and the standard-setting projects that
are ongoing with various groups.
It is an exciting time. And the growth of interconnected
device, the growth of the Internet of Things, it is really
going to be life-changing in so many industries, but we also
need to see meaningful leadership from industry about how to
address these real challenges.
Again, I want to welcome our witnesses, and then I am
pleased to yield the balance of my time to the gentleman from
Ohio, Mr. Latta.
[The prepared statement of Mr. Burgess follows:]
Prepared statement of Hon. Michael C. Burgess
Good morning and welcome to our joint hearing examining
recent cyber-attacks. Several popular Web sites were knocked
offline for a couple of hours on October 21, 2016. Hackers used
malware to create a botnet, or massive group of compromised
connected devices, to flood a domain server system with
terabytes of traffic, overwhelming the system and preventing
the server from responding to legitimate traffic.
In this case, the result was brief outages on consumer
facing Web sites. However, the incident is unique in that it
utilized armies of compromised devices, rather than computers
and laptops, to launch attacks without the knowledge of device
owners. Many of these devices are everyday household items--
such as baby monitors, DVRs, and webcams--that many consumers
do not realize need strong cyberprotections.
But that is exactly why this attack, and others like it,
has been successful. The malware that created this botnet
spread to vulnerable devices by continuously scanning the
Internet for Internet of Things systems protected only by
factory default or manually generated usernames and passwords.
The balance between functionality and security is not going
to be resolved in the near term. Consumers want the newest and
fastest device as soon as possible, but they have not employed
adequate security protections. In fact, the most common
password is the word password. The culture surrounding personal
cybersecurity must change to ensure the Internet of Things is
not vulnerable to a single insecure device.
The Subcommittee on Commerce, Manufacturing, and Trade has
explored cybersecurity throughout a number of hearings,
including our Disrupter Series.
Cybersecurity has been raised and discussed at each of
these hearings. Government is never going to have the manpower
or resources to address all of these challenges as they come
up--which is why we need industry to take the lead.
Recent attacks present a unique opportunity to examine the
scope of the threats and vulnerabilities presented by connected
devices and learn how stakeholders are considering these risks
throughout the supply chain, as well as how consumers are
responding in the market.
We have learned about a number of best practices, and
standards-setting projects are on-going with various groups.
We are facing exciting growth in the connected device
industry, but we also need to see meaningful leadership from
industry about how to address these challenges.
Mr. Latta. Thank you very much, and I appreciate the
gentleman for yielding. And I also appreciate both chairmen of
both subcommittees for holding this very important subcommittee
hearing today on the cybersecurity risks associated with
connected devices.
As has been mentioned, that last month we witnessed one of
the largest distributed denial of service attacks caused by
devices connected to the Internet or the Internet of Things.
The attack against Dyn revealed the impact that a lack of
adequate security measures in these devices can have on the
broader Internet community. By simply exploiting weak security
features, such as default usernames and passwords, hackers
could easily leverage hundreds of thousands of networked
devices and compromise several major Web sites.
That is why it is essential, under the Internet of Things,
device manufacturers build in security by design and have the
ability to deploy patches or upgrades. Additionally, consumers
must be vigilant in securing devices through good cyberhygiene
practices in order to guard data and fully experience the
benefit of the Internet of Things.
As the co-chair of the committee on the Internet of Things
Working Group, I am all too familiar with this issue.
Cybersecurity is among one of the most common things that is
mentioned in all of our working group briefings. No matter what
type of IoT, from health to energy applications, securing
devices and protecting consumer data is a top priority.
Today, we are reminded again that there is a need for IoT
security guidelines that keep pace with rapidly evolving
technologies. However, there is a delicate balance between
oversight and regulatory flexibility, and we must encourage the
industry to establish best practices that will not hinder
innovation and protect consumer privacy and security.
And, with that, I appreciate the gentleman for yielding,
and I yield back.
Mr. Walden. The gentlemen yield back their time.
We will now turn to the gentlelady from Illinois, Ms.
Schakowsky, for opening comments.
OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A
REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS
Ms. Schakowsky. Thank you, Mr. Chairman.
With each report of a new cyberattack, Americans
increasingly realize how vulnerable their devices are. On
October 21, Americans lost access to sites such as Twitter,
Amazon, and Spotify because of a massive distribution denial of
service, or DDoS, attack against Dyn, a domain naming system
company.
In the wake of that cyberattack, I joined with
Representatives Pallone, Eshoo, DeGette, and McNerney in
requesting a hearing like this--and I appreciate it very much
that we are having it--on this important issue. We need to
better understand our vulnerabilities and update Federal policy
to stop such attacks in the future.
The motivations of hackers vary from identity theft to
actually undermining public trust. They go after consumers,
businesses, and even Presidential elections.
The U.S. intelligence community found that hackers
supported by the Russian Government put their thumb on the
scale in 2016. I strongly believe that use of cyberattacks by a
foreign actor to manipulate our democracy should be troubling
to everyone. This problem does not go away now that the 2016
election is over.
The day after the election, a Wired article reported,
quote, ``That Russia perceives those operations as successful,
experts say, will only encourage similar hacks aimed at
shifting elections and sowing distrust of the political
processes in Western democracies,'' unquote. Everyone, whether
your candidate won or lost last week, must grapple with this
threat, and I hope that we will work on a bipartisan basis to
protect our democracy from foreign interference.
Russian hackers exploited holes in security on computers
and servers. The hackers that carried out the October 21 DDoS
attack directed their attack through the Internet of Things.
The Internet of Things is uniquely vulnerable to
cyberattacks. IoT devices often have less protection from
malware and manufacturers are often slower to install security
patches. Manufacturers put consumers at further risk by using
default passwords or hard-coded credentials. Once hackers find
out what those passwords are, they can hack hundreds,
thousands, or even millions of devices. That is what happened
in the Dyn attack.
Hackers accessed an army of IoT devices by exploiting
default passwords. They then used that army to attack Dyn.
Traffic from the IoT devices overwhelmed the service and shut
it down, which, in turn, cut off Americans' access to many
popular Web sites. You don't have to be a tech expert to see
the terrifying potential for future cyberattacks. So it is time
now for action.
Two weeks ago, Ranking Member Pallone and I called on the
Federal Trade Commission to work with IoT manufacturers to
patch vulnerabilities on their devices and require the changing
of default passwords. We also called on the FTC to alert
consumers about potential security risks. We need stronger
cybersecurity standards for all devices that could be attacked
or used to launch a cyberattack.
Given the nature of cyberattacks, we cannot count on IoT
manufacturers to do the right thing on their own. They have
little financial incentive to improve security, and their
customers may not even realize when their devices are being
used to harm others. Consumer watchdogs, like the FTC, must
take a leading role in promoting cybersecurity and holding
companies accountable when they fail to provide adequate
protections.
Unfortunately, at the same time that the threat to
consumers from cyberattacks is rising, the Republican majority
is pushing legislation to reduce the FTC's authority and
cripple its enforcement capabilities. Stopping irresponsible
behavior by companies requires strong consent orders and the
ability to pursue privacy cases. The so-called, quote,
``process reform,'' unquote, bill that Republicans reported out
of committee would threaten the FTC's ability in those areas.
Instead of rolling back consumer protections, we need to face
today's cyberthreats head on. Consumers can't afford to be left
vulnerable. And in the long run, manufacturers can't survive a
pattern of high-profile cyberattacks that undermine consumer
trust in their products.
In Mr. Schneier's written testimony, he called the Dyn
attack, quote, ``as much a failure of market policy as it was
of technology,'' unquote. We should not be content with failure
any longer.
I want to thank the chairman for listening to our request
for a hearing, and we have to continue our work on this issue
in the months and years to come.
Mr. Walden. The gentlelady yields back her time. We thank
you very much for your request. We share in this concern,
obviously. It is a bipartisan issue.
We look forward now to the testimony from our expert
witnesses. We are glad you are all here, and we will start with
Mr. Dale Drew, who is the senior vice president/chief security
officer for Level 3 Communications.
Mr. Drew, welcome. Thank you very much. Turn on your
microphone and have at it.
STATEMENTS OF DALE DREW, SENIOR VICE PRESIDENT, CHIEF SECURITY
OFFICER, LEVEL 3 COMMUNICATIONS; BRUCE SCHNEIER, FELLOW,
BERKMAN-KLEIN CENTER AT HARVARD UNIVERSITY, AND LECTURER AND
FELLOW, HARVARD KENNEDY SCHOOL OF GOVERNMENT; AND KEVIN FU,
PH.D., CEO, VIRTA LABORATORIES, INC., AND ASSOCIATE PROFESSOR,
DEPARTMENT OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE,
UNIVERSITY OF MICHIGAN
STATEMENT OF DALE DREW
Mr. Drew. Chairmen Walden and Burgess and Ranking Members
Eshoo and Schakowsky, thank you for the opportunity to testify
on behalf of Level 3 Communications regarding the recent
cyberattacks on our Nation's communications landscape and the
risks posed by vulnerabilities found in IoT devices.
Level 3 is a global communications company serving
customers in more than 500 markets in over 60 countries. Given
our significant network footprint and the amount of traffic we
handle on a daily basis, Level 3 has a unique perspective on
threats facing our communications landscape. Several years ago,
Level 3 established the Threat Research Labs to actively
monitor communications for malicious activity, helping to
detect and mitigate threats on our networks, our customers, and
the broader Internet. Every day our security team monitors more
than 48 billion security events, detecting over 1 billion
unusual or suspicious pieces of traffic.
The proliferation of IoT devices represents tremendous
opportunities and benefits for consumers by connecting devices
such as cameras, light bulbs, appliances, and other everyday
items to the Internet. However, the lack of adequate security
measures in these devices also poses significant risks to users
in the broader Internet community.
Vulnerabilities in IoT devices stem from several sources.
Some devices utilize default and easily identifiable passwords
that hackers can exploit. Others utilize hard-coded credentials
that users are not able to change. Many devices also lack the
capability of updating their firmware, forcing consumers to
monitor for and install the updates themselves.
The global nature of the IoT device marketplace means many
products are manufactured in and shipped to foreign countries
that have yet to embrace sound and mature cybersecurity
practices. IoT devices are also particularly attractive targets
because users often have very little way to know when they have
been compromised. Unlike your personal computer or phone, which
have endpoint protection capabilities and the user is more
likely to notice when they perform improperly, compromised IoT
devices may go unnoticed for longer periods of time.
In September of 2016, Level 3's Threat Research Labs began
tracking a family of malware targeting IoT devices. The bad
actors were leveraging the infected devices to create DDoS
botnets, impacting not just those devices but potentially
anyone on the Internet. The new malware, known as Mirai, and its
predecessor, BASHLITE, have affected nearly 2 million devices on
the Internet. Mirai resulted in multiple major Web sites going
offline, and the new attacks are alarming for their scope,
impact, and the ease in which the attackers have employed them.
Also worrisome is that these attackers relied on just a
fraction of the total available compromised IoT nodes in order
to attack their victims, demonstrating the potential for
significantly greater havoc for these new threats. Level 3
detected, for example, approximately 150,000 IoT devices were
used to generate more than 500 gigabits per second of traffic,
a significant amount of bandwidth that threatens the fabric of
the global Internet.
The primary motivation for these attacks appears to be
financial. Hackers utilize DDoS to overwhelm businesses,
threatening to take their business offline unless they pay a
ransom to the attacker. In other cases, attackers are simply
out to create mischief.
Although Level 3 has not been a direct victim of these
attacks, we are proactively taking steps to address these. We
have contacted manufacturers of compromised devices to inform
them of the problem and for them to take appropriate action,
such as firmware updates or recalls. We have engaged in a
public awareness campaign to educate consumers and businesses
about the risk of IoT botnets and steps they can take to
protect themselves. We are also working collaboratively with
our industry partners to monitor this evolving threat and
implement mitigation techniques.
With the exploding proliferation of IoT devices, so too
will the threats they pose continue to expand and evolve. It
will be imperative for all relevant stakeholders to continue to
work collaboratively and address and mitigate IoT security
risks so that we can reap the benefits of this exciting and
transformative technology.
Thank you again very much for the opportunity to testify,
and I look forward to taking your questions.
[The prepared statement of Mr. Drew follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walden. Mr. Drew, thank you for taking time out of your
schedule to be here as well. We greatly appreciate it.
I now turn to Mr. Bruce Schneier, a fellow at the Berkman
Klein Center at Harvard University; lecturer and fellow,
Harvard Kennedy School of Government; and special adviser to
IBM Security.
Mr. Schneier, thank you for being here. We look forward to
your testimony, sir.
STATEMENT OF BRUCE SCHNEIER
Mr. Schneier. Thank you, Chairman Walden, Chairman Burgess,
Ranking Members Eshoo and Schakowsky. Committee members, thank
you for having me and thank you for having this, I think, very
important hearing.
I am Bruce Schneier. I am a security technologist. And
while I have an affiliation with both Harvard and IBM, I am not
speaking for any of them and I am not sure they know I am here.
Mr. Walden. It is a secret. Nobody on the Internet knows
either.
Mr. Schneier. As the chairman pointed out, there are now
computers in everything, but I want to suggest another way of
thinking about it, in that everything is now a computer. This
is not a phone, this is a computer that makes phone calls; or a
refrigerator is a computer that keeps things cold; an ATM
machine is a computer with money inside. Your car is not a
mechanical device with computers, but a computer with four
wheels and an engine, actually, a hundred-computer distributed
system with four wheels and an engine. And this is the Internet
of Things, and this is what caused the DDoS attack we are
talking about.
I come from the world of computer security, and that is now
everything security. So I want to give you four truths from my
world that now apply to everything.
First, attack is easier than defense for a whole bunch of
reasons. The one that matters here is that complexity is the
worst enemy of security. Complex systems are hard to secure for
an hour's worth of reasons, and this is especially true for
computers and the Internet. The Internet is the most complex
machine mankind has ever built by a lot and it is hard to
secure. Attackers have the advantage.
Two, there are new vulnerabilities in the interconnections.
The more we connect things to each other, the more
vulnerabilities in one thing affect other things. We are
talking about vulnerabilities in digital video recorders and
Web cams that allowed hackers to take down Web sites. There are
stories of vulnerabilities in a particular account.
One story. A vulnerability in an Amazon account allowed
hackers to get to an Apple account, which allowed them to get
to a Gmail account, which allowed them to get to a Twitter
account. Target Corporation, you remember that attack. That was
a vulnerability in their HVAC contractor that allowed attackers
to get into Target. And vulnerabilities like these are hard to
fix because no one system might be at fault. Two secure things
might come together and create insecurity.
Truism three: The Internet empowers attackers; attacks
scale. The Internet is a massive tool for making things more
efficient, and that is also true for attacking. The Internet
allows attacks to scale to a degree impossible otherwise. We
are talking about millions of devices harnessed to attack Dyn,
and that code, which somebody smart wrote, has been made
public. Now anybody can use it. It is in a couple of dozen
botnets right now. Any of you can rent time on one on the dark
Web to attack somebody else. I don't recommend it, but it can
be done. And this is more dangerous as our systems get more
critical.
The Dyn attack was benign, a couple of Web sites went down.
The Internet of Things affects the world in a direct and
physical manner: Cars, appliances, thermostats, airplanes.
There are real risks to life and property and there are real
catastrophic risks.
The fourth truism: The economics don't trickle down. Our
computers are secure for a bunch of reasons. The engineers at
Google, at Apple, at Microsoft spent a lot of time at this, but
that doesn't happen for these cheaper devices. Ms. Eshoo has
talked about this. These devices are lower profit margin, they
are offshore, there are no teams, and a lot of them cannot be
patched. Those DVRs, they are going to be vulnerable until
someone throws them away, and that takes a while. We get
security, because I get a new one of these every 18 months.
Your DVR lasts for 5 years, your car for 10, your refrigerator
25. I am going to replace my thermostat approximately never.
So the market really can't fix this. The buyer and seller
don't care. And Mr. Burgess pointed this out. The buyer and
seller want a device that works. This is an economic
externality. They don't know about it and it is not part of the
decision. So I argue that Government has to get involved, that
this is a market failure, and what I need are some good
regulations. And there is a list of them, and Dr. Fu is going
to talk about some of them, but this is not something the
market can fix.
And to speak to Mr. Walden's point, I mean, yes, I am
saying that a U.S.-only regulatory system will affect the
products in the world, because this is software. Companies will
make one software and sell it everywhere, just like, you know,
automobile emissions control laws in California affect the rest
of the country. It makes no sense for anybody to come up with
two versions. And I think this is going to be important,
because for the first time, the Internet affects the world in a
direct and physical manner.
And the second point I want to make very quickly is we need
to resist the FBI's calls to weaken these devices in their
attempt to solve crimes. We have to prioritize security over
surveillance. It was OK when it was fun and games, but now, you
know, already this stuff on this device that monitors my
medical condition, controls my thermostat, talks to my car, I
mean, I have just crossed four regulatory agencies and it is
not even 11 o'clock.
This is going to be something that we are going to need to
do something new about. And like many new technologies in the
20th century, new agencies were created: Trains, cars,
airplanes, radio, nuclear power. My guess is this is going to
be one of them, and that is because this is different. This is
all coming. Whether we like it or not, the technology is
coming. It is coming faster than we think. I think Government
involvement is coming, and I would like to get ahead of it. I
would like to start thinking about what this would look like.
And we are now at the point, I think, where we need to start
making moral and ethical and political decisions about how
these things work.
When it didn't matter, when it was Facebook, when it was
Twitter, when it was email, it was OK to let programmers, to
give them the special right to code the world as they saw fit.
We were able to do that. But now that it is the world of
dangerous things, that is, cars and planes and medical devices
and everything else, that maybe we can't do that anymore. And I
don't like this. I like the world where the Internet can do
whatever it wants whenever it wants at all times. It is fun.
This is a fun device. But I am not sure we can do that anymore.
So thank you very much, and I look forward to questions.
[The prepared statement of Mr. Schneier follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walden. Mr. Schneier, thank you very much. I appreciate
your comments.
We will now go to Dr. Kevin Fu, CEO of Virta Labs and
associate professor, Department of Electrical Engineering and
Computer Science, at the University of Michigan.
Dr. Fu, thank you for joining us. Please go ahead.
STATEMENT OF KEVIN FU
Dr. Fu. Good morning, Chairmen Walden and Burgess, Ranking
Members Eshoo and Schakowsky, and distinguished members of the
joint committee.
My name is Kevin Fu. I represent the academic cybersecurity
research community. I am at the University of Michigan, where I
conduct research on embedded security. My laboratory discovers
how to protect computers built into everyday objects, ranging
from mobile phones and smart thermostats to pacemakers and
automotive airbags. I am also CEO and cofounder of the
healthcare cybersecurity startup Virta Labs.
I am testifying before you today on the insecurity of the
Internet of Things as related to the recent attacks on Dyn. I
will provide a perspective on the evolving cybersecurity risks
framed in the broader societal context. In short, IoT security
remains woefully inadequate. None of these attacks are new.
None of these attacks are fundamentally new, but the
sophistication, the scale of disruption, and the impact on
infrastructure are unprecedented.
Let me make some observations. We are in this sorry and
deteriorating state because there is almost no cost to a
manufacturer for deploying products with poor cybersecurity to
consumers. Has a consensus body or Federal agency issued a
meaningful IoT security standard? Not yet. Is there a national
testing lab to verify and assess the premarket security of IoT
devices? No. Is there tangible cost to any company that puts an
insecure IoT device into the market? I don't think so.
So I would like to highlight eight observations about this
IoT insecurity.
Number one, security needs to be built into IoT devices,
not bolted on. If cybersecurity is not part of the early design
of an IoT device, it is too late for effective risk control.
Two, good security and bad security look the same at the
surface.
Three, the healthcare community does not issue different
advice for flu transmitted by cough versus flu transmitted by
sneeze. Similarly, both connected and disconnected IoT devices
carry significant cybersecurity risks, so it is important to
consider both conditions.
Four, the millions of insecure IoT devices are just a small
fraction of what the IoT market will resemble in 2020, and it
will get much worse if these security problems remain
unchecked.
Five, unlike inconvenient security problems for your
tablets or notebook computers, IoT's insecurity puts human
safety at risk, and innovative systems will not remain safe if
they are not secure.
Six, I consider security a solution, not a problem. Better
cybersecurity will enable new markets, promote innovation, and
give consumers the confidence to use new technologies that
improve the quality of life.
Seven, it may be surprising, but there are over 209,000
unfilled cybersecurity jobs in the USA, and that is just this
country.
And eight, the Nation lacks an independent testing facility
at the scale of a federally funded research and development
center as a proving ground for testing premarket IoT
cybersecurity crashworthiness and for testing embedded
cybersecurity defenses.
Let me conclude with five recommendations to protect our
national infrastructure.
Number one, incentivize built-in basic cybersecurity
hygiene by establishing meaningful milestones encouraging use
of strong cryptography in these products.
Two, support agencies such as the National Science
Foundation, the National Institute of Standards and Technology,
to advance our understanding of IoT security and to train the
hundreds of thousands of students necessary for a robust
cybersecurity workforce.
Three, study the feasibility of standing up an independent
national embedded cybersecurity testing facility modeled after,
for instance, post-incident initiatives, such as the National
Transportation Safety Board; incident prevention initiatives,
such as the National Highway Traffic Safety Administration,
NHTSA; and then more unusual places like the survivability and
destruction testing at the Nevada National Security Site.
Number four, I recommend leveraging the existing
cybersecurity expertise with an agency such as NIST, NSF, DHS,
and DARPA.
And finally, five, I believe that universities, industry,
and the Government must find the strength and the resolve for
protecting our national infrastructure through partnerships,
and that investments in embedded cybersecurity will pay great
dividends to our society and our economy.
I would like to close, just thank you for the invitation to
testify on what I think is a very important subject for our
country. The committee can also find photos of illustrative IoT
problems in water treatment facilities, hospitals and more in
the appendix of my written testimony. And I would be happy to
take your questions. Thank you.
[The prepared statement of Dr. Fu follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walden. Dr. Fu, thank you.
And thank you to all of our witnesses. This has been very
enlightening. We greatly appreciate your testimony and your
recommendations for our consideration.
I guess I will start with a couple of questions as we try
and wrestle this issue. Over the last 6 years, we have done
multiple hearings on cybersecurity threats to the United
States. We have had multiple panels come before us and testify.
And I think almost entirely they said, first, do no harm. Be
careful when you lock things into statute because you can
misallocate our resources and our opponents will know what we
have to go do and we can't get out of it and they will just go
do a workaround.
So how do we establish a framework that would both be
appropriate here but have an effect internationally, because we
don't make all the devices and we may have market power, but we
are not the biggest market anymore? But how do we create a
national framework where the stakeholders really are driving
this in realtime and we don't do something stupid like lock
certain requirements into statute?
Mr. Drew, can I start with you, and we will just work down
the panel?
Mr. Drew. I think the best place to start is with
standards. I think the best place to start is for us to define
how we intend on solving this problem on the devices
themselves. Industries have a number of standards with regards
to how they operate these platforms once they purchase them,
but they don't have standards on how they are supposed to be
manufactured to be secure premarket.
So I believe if we were to start with standards and then
apply pressure--so as an industry, I am under pressure to
implement standards in order to be able to serve businesses and
serve the consumers. I think if we start with that standard,
then we are able to apply that pressure. And to the extent that
pressure can be applied globally, I think that we can get some
traction and some momentum before we have to start regulating.
Mr. Walden. All right.
Mr. Schneier?
Mr. Schneier. I am also a fan of standards. And I think
your question is a really important one, how do you do it
properly as to not stifle innovation?
Mr. Walden. Right.
Mr. Schneier. And I think the answer is to make them
technologically invariant. And I tend to look at the pollution
model as something--what works and what doesn't. And what works
is, you know, here is the result we want. Figure out how to do
it in the most cost-effective way possible, rather than
legislate here's the process, here's the technology. The
standard has to be technologically invariant.
And I heard, you know, you had a driverless car hearing
yesterday, and I think it is somewhat similar. We are going to
make standards on the driverless car manufacturers to do things
properly, but we are going to assume an environment where there
exists, you know, malicious cars out to get you. So we will
have to deal with the rogue devices. We can't assume that
everything on the Internet, or everything on the roads, is
going to be benign and secure. But standards will raise the
tide, but yes, we have to do them properly, because you do them
wrong and it will stifle innovation. Do them right, I think it
will help innovation.
Mr. Walden. All right.
Dr. Fu?
Dr. Fu. Yes. I think there are ways you can do this
effectively without stifling innovation. In fact, I believe
that a well-designed cybersecurity framework will actually
promote innovation. I will try to avoid the technical side, but
I will just say, you know, of course, encoding mechanism would
be unwise. For instance, if you decide to encode that all forms
must be signed in blue ink, that didn't, you know, assume the
existence of e-signatures in the future. So you should be very
careful of encoding mechanism.
However, principles I think you can encode. I would
actually say that NIST has done a relatively good job at
encoding principles. There is no perfect standard. But it will
be very difficult to build in security if we don't have these
principles set in place. And it needs to have buy-in from
industry. It needs to have Government leadership as well. But
it is all about setting those principles, many of which
have been known for over 30 years in the cybersecurity
community.
Mr. Walden. All right. Most helpful. The extent to which
you all can think about this some more and give us kind of your
ideas on how to actually get it to the right place. Because
this is my concern, that if we are not careful, we lock
something in, it is so hard to change statute.
And we don't want this to be an innovation killer in
America. We actually want to lead on this and get it right.
But, you know, I don't think I want my refrigerator talking to,
you know, some food police somewhere, you know. It just is what
it is. So we need to get this thing right. So thank you for
being here.
At this point, I will return the balance of my time and
turn to my friend and colleague who has been very involved in
this, Ms. Eshoo, from California.
Ms. Eshoo. Thank you, Mr. Chairman.
And thank you to each one of you, the witnesses. I think
you were absolutely terrific.
I have legislation that I introduced that speaks to this
issue. It hasn't really gained much traction. But what you said
today I think puts some wheels on it, because it is about
security without damaging innovation.
We talk a lot about the attacks that take place, but we
don't really focus on prevention. Throughout the Valley,
Silicon Valley, no matter who I have met with, I have asked
them the same question: What would you do about this? And to a
person, they have spoken about hygiene, the lack of hygiene in
systems, number one; and number two, the lack of good solid
security management.
I don't think--let me put it in a positive. I think we need
a Good Housekeeping Seal of Approval on this, and I think
that--and my bill called for NIST to set the standards, not the
Congress, because we really don't know anything about that. And
if we miss the mark, we will miss it by a wide mile. Exactly.
So I also think in listening to you, especially Mr.
Schneier, that this is an issue that should be included in
national infrastructure legislation, because this is part of
our national infrastructure. And it deserves the kind of
protection that you spoke to, because, as you said, everything
is a computer, everything. It is not just the computers over at
the DOD. We are carrying them around in our pockets, we are
driving them, et cetera, et cetera.
So given that, what is the framework for it? How would
both--Mr. Schneier and Dr. Fu and Mr. Drew, what would it look
like? What would it look like? I am giving you a blank slate.
What would you write on that slate to be placed in a national
infrastructure bill? So whomever wants to start.
Mr. Schneier.
Mr. Schneier. I actually think we need a new agency. The
problem we are going to have is that we can't have different
rules if the computer has wheels or propellers or makes phone
calls or is in your body. That is just not going to work, that
these are all computers and we are going to have to figure out
rules that are central.
Ms. Eshoo. We have a continuing new new majority. So I
don't think they want to create an agency, honestly, but this
thing needs to get done.
Mr. Walden. For every one we create, we delete two.
Ms. Eshoo. They don't like that stuff.
Mr. Schneier. I think you are right.
Ms. Eshoo. You know, new agencies, new regulations, we are
dead in the water. But we can't leave this issue to be dead in
the water. Our country deserves much better. And so I am really
not joking. I mean, it is a little bit of fun, but, you know.
Mr. Schneier. I understand. But I actually think it is not
going to go that way. I mean----
Ms. Eshoo. Oh, good.
Mr. Schneier [continuing]. Because I think the Government
is getting involved here regardless. The risks are too great
and the stakes are too high. And, you know, nothing motivates a
Government into action like security and fear.
In 2001, we had another small-Government, no-regulation
administration produce a new Federal agency 44 days after the
terrorist attacks. Something similar happens in the Internet of
Things, and there is no cybersecurity expert that will say,
well, sure, that could happen. I think you are going to have a
similar response.
So I see the choice is not between Government involvement
and no Government involvement, but between smart Government
involvement and stupid Government involvement. I would rather
think about it now, even if you say you don't want this,
because when something happens and the public says something
must be done, what do you mean, a thousand people just died,
that we have something more than a, ``I don't know, let's
figure it out fast.'' So I agree with you. I am not a
regulatory fan, but this is the world of dangerous things. We
regulate dangerous things. So----
Ms. Eshoo. Dr. Fu, can you do something, in 5 seconds?
Thank you.
Dr. Fu. I would say just we are going to have some serious
trouble if we don't answer these questions. I fear for the day
where every hospital system is down, for instance, because an
IoT attack brings down the entire healthcare system.
I do think you need to spend more time on the premarket. I
know from my working with manufacturers that the engineers
there are brilliant, but they often are not given the time of
day from their executives. They are often not given the
resources to do their jobs. What you need to do is give those
people who can do a good job at those companies the ability to
do so and incentivize their executives.
Ms. Eshoo. Thank you very much. Most helpful.
Thank you, Mr. Chairman.
Mr. Walden. Thank you. I would just point out we are all
engaged in this on both sides. My friend and I have some back-
and-forths from time to time. She likes to characterize what we
are for or against, which we may or may not be, but we are all
committed to trying to figure out how to find a solution, and
this is bipartisan.
So we appreciate your testimony. We scheduled this hearing
back in October right after the attack, and as soon as we were
back in town we are having it, and we will continue to march
forward.
With that, I would turn to the gentleman from Texas, Mr.
Burgess.
Mr. Burgess. Thank you, Chairman Walden.
And it has been a fascinating discussion back and forth.
Many years ago before I knew about the Internet of Things, I
was invited up to Microsoft in Washington and they showed me
the house they had. In fact, the house was named Grace. And,
you know, you walk up to the door and Grace knew you were
coming to the door. Grace turned the lights on, set the
thermostat for the temperature that you wanted. As you came
into the kitchen, Grace might suggest a meal for you. Like Mr.
Walden, I worried that Grace's refrigerator would communicate
with the bathroom scale and lock down the Blue Bell ice cream
on me. So it is an interesting world in which we have arrived.
Mr. Drew, I am really fascinated by your comment in your
written testimony about the incentive for someone to do this in
the first place. And we have all heard, since 9/11, that
sometimes you have got to think like a criminal or think like a
terrorist in order to outsmart them. And you referenced the
monetization. I don't even see--I mean, I get on ransomware
when you lock down a hospital and you have got to come up with
so many thousands of dollars in bitcoins to some dark Web site,
but how do you monetize that your doorbell is conversing with
Twitter? I mean, I don't know how that works.
Mr. Drew. What we are seeing in these botnets is the botnet
operators are operating, you know, hundreds of thousands of
nodes and then renting out a small portion of those nodes to
people to be able to attack Web sites and hold those Web sites
for ransom. So if you don't pay me $20,000, your Web site will
be offline for the next 3 days. So a very successful
enterprise. It is 40 to 45 attacks a day at 16 grand an attack.
So----
Mr. Burgess. That is happening right now?
Mr. Drew. It is happening right now.
Mr. Burgess. I know you are not in law enforcement. What is
the response of our law enforcement agencies that are supposed
to be enforcing the laws?
Mr. Drew. They are working very diligently to identify the
operators of the botnet as well as the renters of the botnet,
as well as making some arrests in those cases to be able to
curtail this. But what we have seen is the Internet of Things has
changed the nature of the game of this to where it is much
easier to break into those devices and they go unnoticed for
longer periods of time.
Mr. Burgess. This is one of the things that bothers me
about this, because until we had this headline-grabbing attack
because it was just so massive, you don't hear about someone
being busted for holding someone hostage for $17,000 so you
unlock their hospital records or whatever was going on.
I mean, one of the things that is talked about is making
the public aware. You got to change, you got to practice good
hygiene, you can't have your password as password or 1234. But
you also--there needs to be a societal understanding of
reporting the crimes when they occur and, to some degree, these
need to be publicized much more than they are.
I mean, I have heard from folks in the FBI that, yes, there
is a risk that a hospital that gets stuck with one of these
things, they are just simply embarrassed and they don't want to
go public with the fact that they were hacked. Pay the $17,000.
You are given instructions on how to get the bitcoins and where
to deliver them. So that is actually easier than going to law
enforcement and dealing with all of the things that would
happen with law enforcement. But that is absolutely critical.
And then never in any of the discussion of this, that I
have seen so far, has there been really the discussion of what
happens to people who are caught who perpetrate this, and it
should be swift and severe and public. I suggested at another
hearing, shot at sunrise. And I am not trying to be overly
dramatic, but if you lock down an ICU's medical records and an
ICU's worth of patients die as a consequence, I mean, that is a
capital crime.
So anyway, I know we are not going to solve all of the
problems today, but I just wanted to put those concepts out
there. This is relatively new for most of us.
I think one of the things that I like about--you know, Mr.
Chairman, one of the things I like about what the Commerce,
Manufacturing, and Trade Subcommittee did on data breach
notification was, we will set the standard, but we don't
prescribe the technology, because the technology changes much
faster than the Congress.
Yes, I am nervous too about creating new Federal agencies.
The concept that we could delete two Federal agencies for every
one we create, I have got two to recommend to leave very
quickly. They deal with health care. But I know the standards
need to be there.
And the other thing is we have got a massive job as far as
informing the public, and that is part of this hearing today
and I hope we all carry that forward quite seriously.
Thank you, Mr. Chairman. I will yield back.
Mr. Walden. The gentleman yields back.
The Chair recognizes the gentlelady from Illinois, Ms.
Schakowsky.
Ms. Schakowsky. So let me ask actually all of you, but let
me start with Mr. Schneier. You talked about how markets have
failed us and that Government has to play a role. But I am
wondering, from you and from anyone, given that computers are
ubiquitous--and your example that got into Target through the
HVAC system is just shocking to me. But is there a role for
consumers, for consumer education, for consumer action, or is
this beyond us now for individuals to actually play a role in
security?
Mr. Schneier. Yes. I think there is a role for some, but,
really, we are asking consumers to shore up lousy products. It
shouldn't be that there are default passwords. It shouldn't be
that you have to worry about what links you click on. Links are
for clicking on. I mean, these devices are low profit margin.
They are made offshore. The teams that--after they make them
disband. And the buyer and seller don't care. I mean, so this--
I might own this DVR, you might own it. You don't know if it
was used. You don't know if it is secure or not. You can't test
it. And you fundamentally don't care. You bought it because of
the features and the price. It was sold to you because of the
features and the price.
And this is an externality. The fact that it was used by
this third party, not him but, you know, by the third party to
attack this other site, and it is something that the market
can't solve because the market isn't involved in that. So I
don't think I can educate the consumer. It is putting a sticker
on that says, you know, this device costs $20 more and is 30
percent less likely to annoy people you don't know. I am not
sure I am going to get a lot of sales.
Ms. Schakowsky. So in 2015, the Federal Trade Commission
suggested best practices for device manufacturers to address
security vulnerabilities. For example, device manufacturers
should test security measures before releasing their products,
minimizing the data they collect and retain.
And, frankly, it seems surprising to me that manufacturers
are not already taking these steps. But you are saying that
right now there are no real incentives. So is that what we need
to focus on?
Mr. Schneier. I think we should. I think if we get the
incentives right, the technologists will figure this out. I
mean, this isn't--some of it is rocket science, most of it
isn't. But these are solvable problems. The incentives just
aren't there to build the security in. We incentivize price. We
incentivize time to market. We incentivize features. I mean,
that is what we buy, that is what we want, because that is what
we can see.
I don't think I can get consumers to pry open the hood and
look at the details. It is beyond the consumers I know and it
shouldn't be their problem. It shouldn't be something they have
to worry about.
Ms. Schakowsky. So let me ask Mr. Drew and Dr. Fu if you
want to comment on that.
Mr. Drew. I would largely agree with my colleague here. I
would say that, from a business perspective, there is a lot of
incentive for me to make sure that the products that I buy, the
software that I buy follow specific standards, have been
manufactured correctly before I put them in the network.
I would like to see more in that area. I would like to see
more responsibility put on the manufacturer than there is
today, but I do provide that incentive to those manufacturers.
Consumers, on the other hand, don't have that incentive.
What they do have is the incentive of public events, right, and
the Internet has been very adaptable and very flexible to that,
that when there is a large sort of trip over--or a mistake over
security that they become more aware, and then they push those
requirements and those demands back to the manufacturers by
purchasing products they feel more comfortable with.
So I am going back to standards. I am going back to
certifications and standards. You see that seal of approval on
the device and you know that is a device that is going to be
more protected than another device, because you don't want your
refrigerator talking to your scale or you don't want your
thermostat talking to your doorbell. And so I think----
Ms. Schakowsky. Let me just interrupt you because my time
is running out, but I would like Dr. Fu to be able to join in.
Dr. Fu. Sure. I would just paint a darker picture. Even if
a consumer wants to have--so not many consumers are aware they
need security, but when they even want security, it is hard to
get. Let me take the example of the hospitals, asking questions
about why ransomware gets into hospitals. It is not because
they are not clueful about it. They can't get the manufacturers
to provide them with these IoT medical devices that can
withstand the threats of malware.
And it comes down to plain old economics. The question is,
well, how much will you pay for it? Well, we think it should be
built in. We think it is a public good. Well, how much are you
going to pay for it? So everything is going to be driven by the
economic factors. And I think the problem is, you know, the
consumer group thinks that, you know, it ought to be a public
good. And then from the manufacturing standpoint the question
is, well, how much are you going to pay for it? And that is a
question that needs to be resolved.
Ms. Schakowsky. Thank you.
Thank you. I yield back.
Mr. Latta [presiding]. The gentlelady yields back.
And the Chair now recognizes the gentlelady from Tennessee
for 5 minutes.
Mrs. Blackburn. Thank you so much, Mr. Chairman.
I want to go back. I mentioned the Cisco stats, and I think
they rolled out of my mouth the wrong way. I want to clarify
that for the record.
We are currently at 3.4 IoT devices per person, and by
2020, we are going to be at 50 billion IoT devices. And that is
the magnitude of this vulnerability that we have, because we
are seeing it across our entire economy as we move from a
physical application in so many arenas to the virtual space.
And, Professor Fu, I want to come to you. And Ms.
Schakowsky just mentioned hospitals. Let's stay with that
medical device component, because of the area that I represent,
Nashville area, there is a lot of healthcare informatics and
work that is done utilizing IoT devices in the medical field.
And as you look at the security, of course, that is a concern.
You look at information share, you know, you get
vulnerabilities.
But you mentioned in your testimony, going back on pages 5
and 6, IoT devices tend to have safety consequences or involve
physical manipulation of the world that could easily lead to
harm. And then you go on to say a number of hospitals expressed
concern about the IoT devices.
So talk to me about mitigation strategies and what you see
with these devices, and then what special considerations must
be given to healthcare technology and to the medical devices,
and how should we go about addressing that?
Dr. Fu. Thanks for the question. Unfortunately, I don't
think I will be able to give a satisfying answer, because at
the moment, if you were to be a fly on the wall in the
boardroom when the hospitals are discussing the topic of how
does IoT security affect their assurance of the clinical
operations being continuous, at the moment, it is--they don't
have a plan. It is more, well, we need to get a plan, what can
we do. And it is usually some of the security officers saying,
well, the problem is we don't really know what devices we have
in our hospital, we don't have a very good inventory, we get a
lot of contraband coming in. This contraband is known as shadow
IT. It has got a great acronym. But the shadow IT that comes
in, typically it is a clinician who accidentally connects a
device to a very important network, but maybe it is a music
player that is simply providing comfort to the patients during
surgery, and they don't realize it is introducing new safety
and security risks, because they don't have the security baked
into these devices.
So the IoT risk is more about having unvetted assets coming
in to a very safety critical arena. They don't have a good
answer right now and that is because it is not built in.
Mrs. Blackburn. OK. Well, then let me go to Mr. Drew. And
the article in the New York Times yesterday that I am sure you
all saw and are aware of, ``Secret Backdoor in Some U.S. Phones
Sent Data to China.''
Mr. Schneier. Yes.
Mrs. Blackburn. And, Mr. Schneier, I assume you read that.
Looks like you did. But this is the kind of thing where
consumers are unaware. And if you take a device like that and
then you have the concerns if it does get into an environment
such as a hospital or a medical facility with patient
information, things of that nature.
So these malicious actors are out there, and with the
vulnerability of these IoT devices, you have some of these
concerns that are going to manifest themselves. So how do we
make sure that the consumers and the users are alerted to the
vulnerabilities in the software and in these devices when they
purchase them so that if they get something like this, they
know to get rid of it? So, Mr. Drew?
Mr. Drew. I would say that the biggest sort of benefit of
IoT devices--the reason IoT devices can get compromised so
quickly is because they all look the same. So at a device
manufacturer, all the devices look the same, the users are not
really configuring the operating system at all, that is why
devices can get compromised very, very quickly, very wide
scale.
Giving those devices the ability to auto patch so when a new
exposure comes out, that that device can call home, get a new
software update and automatically update, that--that is getting
the thing that keeps that infrastructure healthy.
Mrs. Blackburn. Thank you. I yield back.
Mr. Latta. The gentlelady, the vice chair of the full
committee, yields back.
The Chair now recognizes the gentleman from New Jersey, the
ranking member, for 5 minutes.
Mr. Pallone. Thank you, Mr. Chairman.
I wanted to ask Mr. Schneier a couple of questions. Looking
at the attack on Dyn 3 weeks ago, I am concerned some people
may dismiss it as only a few Web sites going down for a few
hours. But in your view, what does the attack on Dyn expose
about cybersecurity generally and why are these attacks moving
from benign to dangerous?
Mr. Schneier. It is really what I talked about the world
moving. The Internet is becoming something that affects the
world in a direct physical manner. And the computers are the
same. When we are talking about these computers in our phones,
in our computers, it is the same computers that are in these
cheaper and smaller devices. But while the software is the
same, the engineering is the same, there is a fundamental
difference between your spreadsheet crashes and you lose your
data and your car crashes and you lose your life. The computer
is the same, the software is the same, but the effects are
night and day different.
And as these computers start--I live in Minnesota. I have a
thermostat I can control from my phone and, you know, if
someone hacks it, they can--well, not this weekend, but in the
middle of winter, they can burst my pipes when I am here, and
that is real property damage. And that is different than a few
Web sites going down. Which I agree, I mean, Dyn was benign. It
annoyed some people for a while. It didn't hurt anybody. We are
talking about hospitals, we have seen DDoS attacks against 911
services. We are looking at our critical infrastructure, our
power grid, our telecommunications network. These are systems
that are being controlled by computers.
We had hackers break into a dam a couple of years ago. They
didn't do anything, but, you know, next time you might not get
lucky. We had Russia attack Ukraine's power grid. These are now
tools of war and of national aggression. I mean, even the
attacks against our election system, which in the scheme of
things are pretty benign, might not be next time. I had a piece
in the New York Times a couple days ago that talked about, we
need to think about this now, because election machines are
computers you vote on.
Mr. Pallone. Sure. Well, let me get to--that kind of leads
me to the next question, because you and others have said that
the insecurity of devices connected to the Internet stems from
market failure, and you even compare the problem to invisible
pollution. Being an environmentalist, I would like to better
understand what you mean. Can you expand on the market failure
at play here, and how are these insecure devices like
traditional environmental pollution?
Mr. Schneier. It is because the insecure effects are often
not borne by the buyer and the seller. The person who bought
that DVR who is still using it, will use it for the next 5, 10
years, will not bear any of the costs of the insecurity. So the
manufacturer and the buyer too reap the benefit. The device was
cheaper. It was easier to make because it is insecure. And
there is a societal cost that it can be used to attack others,
to cause other vulnerabilities, to be used in conjunction to
cause other insecurities.
So like pollution, it is something in the environment that
neither the buyer nor the seller, when they enter their market
agreement to purchase the product, will fix. So I think the
solutions are along those lines. We have to think about what is
the risk to us as a group; you know, what is the national
security risk of this, for example. I mean, there is one, but
it is not going to be borne by, you know, the person who bought
that. It will be borne by all of us.
So it is incumbent on all of us to secure our critical
infrastructure against this risk, and that is--so I think the
solutions are very similar in conception. The tech is very
different.
Mr. Pallone. All right. Let me ask you one last question.
You seem to believe that regulation of some kind might be part
of the solution, but I have heard some at the FCC argue that
regulation of devices connected to the Internet will constrain
innovation. Would you agree with that?
Mr. Schneier. Yes, it will. I mean, I don't like that, but
in the world of dangerous things, we constrain innovation. You
cannot just build a plane and fly it, you can't, because it
could fall on somebody's house. And you might not care, I mean,
it might be a drone, but we societally care. True for medical
devices, true for dangerous things. And it might be that the
Internet era of fun and games is over, because the Internet is
now dangerous.
I mean, we haven't even started talking about actual
robots, but, you know, a robot is just a computer with arms and
legs that can do stuff. And I personally don't like killer
robots. I think they are a mistake and we should regulate them.
So, yes, this is going to constrain innovation. It is not
going to be good, I am not going to like it, but this is what
we do when innovation can cause catastrophic risk. And it is
catastrophic risk here. It is crashing all the cars, it is
shutting down all the power plants. I mean, the Internet makes
this possible because of the way it scales, and these are real
risks.
Mr. Pallone. Thank you.
Thank you, Mr. Chairman.
Mr. Latta. Thank you. The gentleman yields back.
The Chair now recognizes the gentleman from New Jersey for
5 minutes.
Mr. Lance. Thank you. Good morning to the distinguished
panel. And I certainly agree with Congresswoman Eshoo that this
is one of the more interesting panels that we have had on this
extremely important topic.
Professor Fu, of your observations and recommendations, the
eight of them you have given to us, I would like to concentrate
on three of them.
Number one, you state that security needs to be built into
Internet of Things devices, not bolted on. Could you
expand on that as to how you think that might occur, that the
security occurs before the device has been manufactured?
Dr. Fu. Right. Thank you. So often when we talk about
security problems in the media or the news, you think, oh, this
was a poorly implemented product, where, in fact, it was a
poorly designed product, and there is a subtle difference. If
you don't get security built in to the early design of these
IoT devices, it doesn't matter how smart the engineers are,
they will never be able to succeed at creating a secure device,
and so that is why you really need to build it in.
If you have this residual risk that you then hand off to
the consumer, there are some sweet spots where you can try to
mitigate the risk after the fact, but it is extremely rare,
extremely hard, and extremely----
Mr. Lance. So how do we do that? How do we build it in
initially?
Dr. Fu. Right. There is actually quite a bit of--this is
going to get deep into engineering, but let me just say it in
one sentence. It is about hazard analysis. It is all about
understanding and enumerating those risks and having the
manufacturer choose which risks to accept, which risks to
mitigate, which risks to pass on to the consumer.
Mr. Lance. And can that be done through the consumer market
or would it require some sort of governmental control? We have
mandated, of course, airbags in automobiles, seatbelts in
automobiles to be built into the automobile initially and not
to be added to the automobile. Is it your recommendation that
this will require some sort of governmental mandate or not?
Dr. Fu. I do believe in the long-term, this will likely
require some kind of governmental mandate only because, in my
experience working with the industry, even though they mean
well, even the people who can do it don't have the authority to
do the right thing, because they don't have the economic
drivers. You often have different constituencies within each
company.
And let me just cite an example from the medical world. We
didn't think about the safety of over-the-counter drugs until
1982 with the cyanide poisonings in Chicago. Until that day,
consumers had quite a bit of faith in those pharmaceuticals. We
haven't seen that moment for IoT, but we know that that is
there and we know that it can cause harm.
Mr. Lance. Thank you. Moving on, number 4 of your
observations for devices already deployed, we should take some
comfort that millions of insecure devices are just a small
fraction of what the market will resemble in 2020. I suppose
you mean by that that this is just at the beginning and there
will be many, many more by 2020.
Dr. Fu. That is correct. I would say, on a positive side,
it means if we take an action now, we could actually win this,
we could actually have a very secure ecosystem. So even though
there are terrible, terrible problems today, we can fix it, so
we shouldn't give up hope.
Mr. Lance. And can you give us a rough estimate, if we have
X number of devices now, how many devices will we have in 2020?
Dr. Fu. Well, I have heard the number double in the last 62
minutes from 20 billion to 50 billion, so somewhere between 20
and 50 billion, I think, is a reasonable estimate.
Mr. Lance. I see. And then number 7 of your observations,
there are tens of thousands of unfilled cybersecurity jobs in
this country. Existing approaches are insufficient to train a
large number in the workforce for what we need in this area.
Based upon your experience first at MIT and more recently
in Ann Arbor, what do the great universities need to do in this
regard and what do we need to do at the level of community
colleges, for example?
Dr. Fu. That is a very good question. I think community
colleges play a very important role as we develop the different
kinds of skill sets. So actually, in fact, there are 209,000
unfilled cybersecurity positions as of a year ago in the U.S.,
over a million unfilled positions globally.
The problem is, I think, universities need to shift and
adapt to the changing marketplace. Right now we are overrun
with students. We cannot teach the number of students who want
to take our security courses, and yet we are still not meeting
the needs. In Michigan, for instance, we have the automotive
companies talking about they have 30 unfilled FTE positions for
cybersecurity and they are wondering why no one applies.
Mr. Lance. Well, thank you. My time has expired. I hope to
continue the discussion with all on the distinguished panel and
particularly with you, Dr. Fu. Thank you very much.
Mr. Latta. Thank you. The gentleman's time has expired. The
Chair now recognizes the gentleman from California for 5
minutes.
Mr. McNerney. Well, I thank the Chair and I thank the
panel. This is why I love this subcommittee and this committee.
Great stuff happening. I am going to start with Mr. Drew.
In your testimony, you noted that about 2 million of these
IoT devices have been affected by this bot, botnet, and only
150,000 were used in the attack. That means there are, what,
1.85 million left. Are they still capable of carrying out new
attacks, or have they been neutralized in any way?
Mr. Drew. We have taken--the Internet as a whole has taken
steps to try to neuter portions of it, but it is still a 1.5-
or 1.6-million-strong-node botnet.
Mr. McNerney. And they can attack not just Dyn servers, but
they can attack real physical devices. Is that right?
Mr. Drew. Yes, correct. I mean, the one fear about a botnet
like this or a botnet of this size is that they are capable of
doing something called a shaped attack, meaning that the
operators of that botnet are able to generate any protocol, any
application they want from those machines to be able to direct
attacks of very specific nature to their targets.
Mr. McNerney. So we have sort of a Damocles sword hanging
over us right now?
Mr. Drew. Yes. I think the saving grace we have had so far
is that no one has been able to afford to rent all 1.7 million
nodes. They have been renting them at 80 to 150,000 nodes at a
time. Our biggest fear is that another adversary sees the power
of this total force and begins to adopt attacks that follow a
similar nature.
Mr. McNerney. Mr. Fu, in your testimony, you recommended we
should incentivize built-in security. I am kind of following up
on Mr. Lance's question. What type of incentives do you believe
would be effective to prevent the risks that you have outlined?
Dr. Fu. I think that it all comes down to accountability,
whether that be economic accountability or liability. Right
now, there just isn't any kind of tangible cost to a
manufacturer who deploys something with poor security. Also,
there is no benefit if they deploy something with good
security.
Mr. McNerney. Well, thank you. This is a question to all
witnesses. I want you to answer it with a yes or no.
IoT devices span a wide range of products. Would it be
feasible to create one set of security standards for all IoT
devices? Starting with Mr. Drew.
Mr. Drew. Yes.
Mr. McNerney. Good.
Mr. Schneier. No.
Mr. McNerney. No?
Dr. Fu. No.
Mr. McNerney. No. Oh. OK.
In the alternative, the Federal Government could establish
minimum security standards for IoT devices and then direct the
relevant Federal agencies to provide additional sector-specific
requirements. Would that be feasible, yes or no, please?
Mr. Drew. I am sorry. I missed the question.
Mr. McNerney. Well, since there is a wide range of
products, it might be feasible to ask the Federal Government to
have the different agencies apply specific standards to those
devices. Would that be feasible?
Mr. Drew. Oh, absolutely, because that allows people to
apply specific requirements and regulations to the area in
which those devices operate.
Mr. Schneier. I think no, because devices do multiple
things.
Dr. Fu. I think it depends.
Mr. McNerney. OK. Good. Or not.
Mr. Fu, several things. So many questions, so little time.
You said that there is no cost to produce devices with poor
security, that is pretty clear, but that IoT security is a
solution--I mean, it should be a solution, not a problem. Could
you expand on that a little bit----
Dr. Fu. Right. So my fear is that consumers will not
embrace technologies that will improve their quality of life in
the future because they don't trust that it will be safe. It
won't take too many more horror stories before people start to
go back to their analog ways.
So I view security as a solution enabling innovation. In
the short term, yes, I would agree with the other witnesses
that you may see a short-term problem, because you are going to
be interrupting the product development and lifecycle. But in
the long-term, we are going to see, I think, this actually
producing new innovation, just like what we saw with the car
safety regulation many decades ago.
Mr. McNerney. Very good. Now, you also mentioned that
devices should incorporate strong crypto security,
cryptography. Isn't that asking a lot for these cheap devices
to incorporate strong cryptography?
Dr. Fu. Cryp---stop leading me, Bruce.
Crypto--you can implement crypto on these devices. However,
there are certain special cases, like medical devices, where it
is more challenging. For instance, cryptography does draw more
electrical power and it can actually reduce the battery, and so
it does cause this sort of risk question. But in the general
case, I think it is almost always the right answer to deploy
the cryptography.
Mr. McNerney. Well, I have one more important question, but
my time has run out, so I yield back.
Mr. Latta. Thank you. The gentleman's time has expired, and
the Chair now recognizes the gentleman from Kentucky for 5
minutes.
Mr. Guthrie. Thanks. I appreciate you all being here. And
thanks, Mr. Chairman.
And this has been really informative to me. Usually when I
get memorandums getting ready for a meeting and it uses words
like bots and terabytes, it kind of--my eyes glaze over. But
this is important and it is interesting and I have appreciated
what you are moving forward.
One thing that--actually, Mr. Lance asked one of the
questions I was going to ask. I was going to let Dr. Fu finish
a thought, but one thing that you said earlier, that when we
write the regulation or the law, that we are going to have to
address this if and when we do, that we can't be too
prescriptive, because the sign in blue ink, example you used,
and I certainly understand that. And I think a lot of things
that we have done in legislating has deferred a lot of that to
the agencies and we say, well, everything is going to go in
good faith, but we also have to be careful to make sure, as we
have seen in a lot of other areas, not necessarily this area,
that when an agency gets a little leeway, sometimes they go
farther than Congress wants them to go, so that forces us to be
more specific as we move forward. So we just have to find the
right balance in that.
You were talking about--I am interested in auto industry, I
am interested in computer science technology, and jobs
available. And you were talking about the auto industry and 30
full-time equivalents, and then all of a sudden time ran out
and you didn't finish your thought. Do you remember that
thought, and can you finish, if you can.
Dr. Fu. Sure, sure. So, I mean, Michigan is known as a
State with quite a bit of manufacturing, and many of these
industries are trying desperately to hire cybersecurity
experts. I found one. Many of them have come to me from the
automotive industry. They also tend to quit fairly often to go
get other jobs. You have got to understand, at the career fair,
you will see a line out the door for the Silicon Valley
companies, the Googles, the Facebooks of the world. And for
these other industries, it is very difficult for them to
compete for this talent, not only because of the insufficient
number of qualified skilled workers who are trained in
appropriate security, but because just the competition is so
great.
Mr. Guthrie. So hence, one of the major companies,
industrial companies, General Electric's ads about--so when the
kid--the young man going or woman going to work for General
Electric say, I am going to go work for a high tech company,
they go, well, you are going to work for General Electric. So
maybe that is why they are pursuing that----
Dr. Fu. It is a good marketing strategy.
Mr. Guthrie [continuing]. Marketing strategy to try to get
people to come work for them, yes, absolutely, because they
are--exactly proves the point we are saying here. As a matter
of fact, they make refrigerators right outside of my district
in Louisville, just so that--and they are very high tech. They
are very high tech. As a matter of fact, they were showing me
one, I couldn't figure out how to operate the refrigerator. It
was automatic coffee, pods, and everything in it.
Dr. Fu. My refrigerator tweets.
Mr. Guthrie. Yep. That is what they do there.
So let me ask you, in your testimony, you start with the
basic premise that cybersecurity threats--this is Dr. Fu--are
constantly evolving. This is a truism that we have heard
reinforced many times. One of the issues is the identification
of vulnerabilities. Can you tell us about how vulnerabilities
are shared nowadays and if you have any recommendations moving
forward on information sharing?
Dr. Fu. Sure. So there are many different ways to share
vulnerabilities. In the consumer world, for instance, there is
the US-CERT, which is a coordinating agency, works in concert
with DHS, works in concert with Idaho National Labs and other
places to collect information from security researchers and
then provide it to manufacturers. That is just one pathway.
Other pathways are things like bug bounty rewards
directly between the researchers and the companies. And then
the third way that is becoming a little more disturbingly
popular is just to sort of drop it in the public before there
is a chance to deploy any kind of mitigating control or
evaluate whether or not the report is true.
Mr. Guthrie. OK. And you sort of talked about this earlier
about that the hackers are going to look at the least secure
device and then get into the system through that way, so--but I
was going to ask you this again, what is the general level of
security included in consumer grade Internet of Things devices,
and have the recent attacks prompted any conversations that you
are aware of about the security included in those devices with
manufacturers?
Dr. Fu. I have seen no good news about any security in any
IoT device. Even in my own home, I have seen devices where I
could trivially--anyone on the Internet could just break in and
take complete control. This was a device I just picked up in
one of those big box stores. I have no good news on the
security built in to IoT devices today.
Mr. Guthrie. Well, thank you.
Mr. Chairman, that concludes my questions. I yield back.
Mr. Latta. The gentleman yields back, and the Chair now
recognizes the gentleman from New Mexico for 5 minutes.
Mr. Lujan. Thank you very much, Mr. Chairman. And thank you
for holding this important hearing, to you and to our ranking
member.
As we all know, this is an important discussion since the
proliferation of cyberattacks represents a serious challenge to
both our digital and to our physical space. We saw the
proliferation of cyberattacks this year all across the country,
including with foreign actors as well being called out by our
national security teams.
Pertaining to the development of Internet of Things, which
will provide a robust and important infrastructure for America,
we also know that there are going to be more conflicts and
dynamic networks that will result from that.
Dr. Fu, you talked about shadow devices. Currently, Los
Alamos National Laboratory is looking at ways to use the data
they collect from all devices connected to a network to monitor
and protect against malicious attacks. The LANL work addresses
the issue of dynamic and ill-defined networks with devices
joining and leaving. It constantly monitors these ever-changing
networks to detect and respond autonomously to malicious
behavior.
Can you talk about the importance of us moving in that
direction as well in developing this, maybe looking to national
assets like our national laboratories and what we can learn
there for tech transfer opportunities, whether it is in a
secure space or an open space, to help us with these endeavors?
Dr. Fu. Well, I think what I can do is I can say there is--
NIST has a document that talks about how to do this kind of
security well, and I hope LANL is implementing these. And one
is you have to know your assets at risk, so you enumerate that,
and it sounds like that is what you are referring to. The
second is to deploy compensating controls that match those
specific risks. And then the third one that we often forget as
consumers and industry is to continuously monitor the
effectiveness of those controls, and that is where it gets to
the shifting threat landscape. You deploy a security product
today, might be effective tomorrow, might not work at all.
Now, here is where I am a little skeptical of LANL and
other agencies that claim they know all of their networks. I
know as a fact that most hospitals refuse to look at the
security of their most sensitive networks because they are
afraid of tipping over things like linear accelerators,
radiation therapy devices, very sensitive machines. They have
actually rebooted from very simple security products. So if you
are in a facility that has nuclear materials, fissile material,
I would be very skeptical of a claim where they have thoroughly
vetted the embedded systems to see how well they have survived,
unless they have actually tipped something over.
Mr. Lujan. Is there a benefit, though, with working with
these national assets to assist us in the private sector?
Dr. Fu. I think there can be a benefit for safety-critical
issues for places like LANL. I think there is quite a bit of
expertise in what is called embedded security at many of the
national labs. However, this is a very interdisciplinary
problem, and I have seen this come up already in my
vulnerability reports to different agencies. They will often
tell me, I am sorry, we don't have an in-house expert on that
particular subject of this healthcare situation, let me try to
help you, and they usually have a difficult time finding a
partner.
Mr. Lujan. Mr. Schneier, as more and more of our critical
health, energy, and finance infrastructure is brought online,
the things connected to the networks will need to be secured
from inception to delivery. Are you able to speak specifically
to what we can do with securing the technology foundations and
supply chains through the Internet of Things, whether it be
through semiconductor chips, secure IoT device operating
systems, secure communication protocols, or secure device
access management?
Mr. Schneier. So this is actually, I think, you know, part
of the big problem. Security has to go all the way down. So
someone there, I think, who left talked about that phone that
surreptitiously, unbeknownst to the consumer, would send copies
of your text messages to China. Now, on the plus side, it was
cheaper, but you are not going to know, and that could be the
software. We are worried about switching equipment that we use
in our country that comes from China, because we worry about
the hardware, that there might be some hardware switch that
will eavesdrop or turn off in the face of hostilities. And
these are very complicated questions. And any place in the
stack, we can cause an insecurity that affects the others. Lots
of people are working on this, there is a lot of tech here, but
this is, I think, an extremely worrisome issue when we deal with
global manufacturing.
So this is an American device made, I believe, in China.
And many of our devices are made in countries that might not be
as friendly to us at all times as we would like. And while we
have tech that will hopefully detect these things, it is an
arms race, and right now there is an edge on the attacker. It
is easier to hide a vulnerability in something like this than
it is to detect it.
Now, we also use that, right? I mean, the NSA uses that to
spy on our enemies, so there is some good here too, but I think
by and large it is dangerous for us.
Mr. Lujan. And, Mr. Chairman, as my time runs out, I think,
Dr. Schneier, I will maybe submit a question to you pertaining
to maybe expanded use of trusted foundries pertaining to
hardware, and then we can have an expanded conversation in that
space.
Mr. Schneier. I would be happy to.
Mr. Lujan. Thank you, Mr. Chairman.
Mr. Latta. Well, thank you. The gentleman's time has
expired, and the Chair now recognizes the gentleman from Texas
for 5 minutes.
Mr. Olson. I thank the Chair.
And welcome, Mr. Drew, Mr. Schneier, and Dr. Fu. I have to
admit, last night I lost a little sleep preparing for this
hearing all because we focused on September 21st of this year
when a Mirai botnet launched a DDoS strike on the
KrebsOnSecurity. Over 600 gigabits per second swarmed them. And
then a month later, October 21st, the same bad actor went after
Dyn.
I lost sleep because after 9 years in our Navy as a naval
aviator, 8 years working with the Senate side as a senior
staffer for two Texas senators, and four terms in the House, I
know the biggest threat to our security and our prosperity is
not bombs, it is not missiles; it is cyberattacks and
cybersecurity, ones and zeros.
What bothers me most about what happened earlier this year
is that the attacks--the execution was exactly what Coach
McHugh told me when I was 9 years old on the football field. He
got his little--drew a play in the sand: Here are the
defenders, there are two over there. We will swarm them with
four offensive people, score a touchdown. That is exactly what
these guys did, nothing hard, nothing new, and yet they had the
success of having 600 gigabits per second swarm
KrebsOnSecurity.
And so in this environment, we can't be reactive. We have
to be proactive. Our Government has to be proactive. Now, I
said the word ``Government'' and said ``proactive.'' Looking
around the room here, some people shook their heads and smiled.
They know those words don't go together, but somehow we have to
come together to address this problem.
And, Dr. Fu, I love your term about we have to have it
built in, not bolted on. I know Mr. Lance asked questions about
that, but I want to further elaborate on it. Say you went
crazy, you ran for Congress, you won, you are a member of this
committee. How would you ask--what do you think we should do to
help out our American economy to make sure we control these
attacks and be proactive instead of reactive? What is our role
here in DC?
Dr. Fu. All right. Thank you. Let me first correct the
build it in, not bolted on is actually a phrase my community
has been using for many years, including Mr. Schneier is behind
that quite a bit.
But I would say to really get out in front of this problem
and be proactive, we haven't even done what I would consider--
if I were talking with my students, I would say, you have to do
your prelab first before you do the real work. And the prelab
is actually going out and actually getting firsthand
information from some of these constituents. I am doing that
and that is where I am getting my firsthand information, from
the executives themselves, from the engineers, and I am just
picking up horror story after horror story. I can't relay that
to you in this manner, because you haven't seen the people I
have talked to. I think that needs to happen. I think there
needs to be some congressional visits to these sites. I think
they need to go to the universities, I think they need to see
where the struggles are happening, what are the barriers.
I believe that likely after you see the same problems that
I am seeing, you are probably going to start thinking about, we
need to have incentive systems built in economically. I don't
know what these are going to resemble. Could they be
regulations? Maybe. Could they be more financial incentives or
financial penalties? Maybe. Is it more about corporate
liability? Perhaps. I don't know the answer on the mechanism,
but I know that we need to get more people doing congressional
visits to these sites to understand where the problems are
borne.
Mr. Olson. Thank you.
Congressman-elect Drew, your concerns about that how as we
get involved in DC, how laws--if you could write laws, how
would you write the laws to help your organization overcome
this incredible challenge we have with these cyberattacks?
Mr. Drew. I agree entirely with regards to us having the
right incentives to make sure that, whether I am a business
buying technology or whether I am a consumer buying technology,
that we have the right incentives, whether they are economic,
liability, or regulation. I completely agree with that mindset.
And I do think that there are a significant number of
existing frameworks with regards to each of those ideals around
health, safety, convenience, and use with regards to these
threats, as well as with regards to these technologies.
Mr. Olson. And very quickly, Congressman-elect Schneier,
your comments about how would you approach this from a Federal
Government role.
Mr. Schneier. So I think you have a serious problem here,
and I think we have in a lot of areas, that we are now at the
point where the speed of technology exceeds the speed of law.
And that has probably changed in the past decade or so. It used
to be laws could lead technology and now it has reversed. And
so we need to figure out a regulatory structure, an incentive
structure, liability structure that is technologically
invariant; that we can't focus on technology and rely on them,
but focus on people and incentives, because that is what is
invariant. Technology will change.
And you are right, these DDoS attacks are kindergarten
stuff. It is basic, it is not sophisticated, and yet highly
effective. The sophisticated stuff is worse.
Mr. Olson. Thank you. I yield back the balance of my time.
Mr. Latta. Thank you very much. The gentleman yields back,
and the Chair now recognizes for 5 minutes the gentleman from
Ohio.
Mr. Johnson. Thank you, Mr. Chairman. And thank you,
gentlemen, for joining us today.
Having spent nearly 30 years of my professional career in
information technology, I want to get a little bit more into
the technical aspects of some of the things we are talking
about this morning, particularly traditional DDoS attacks
versus these connected device DDoS attacks.
Mr. Drew, as I understand it, these DDoS attacks have been
around almost as long as the Internet itself has. They have
certainly gotten worse over the last few years, but at least
for traditional DDoS attacks, we know that--we know how to
defend them against--using techniques like IP address
blacklisting or whitelisting and IP packet inspection, among
other techniques. Can you tell us a bit more about those
defensive techniques, why they have been successful in
defending against traditional DDoS attacks?
Mr. Drew. I would say about every 3 years or so we
encounter an evolution of capability with regards to DoS
attacks. Every 3 years or so, we have somewhat of a backbone
impairment event on the global Internet that is resulting of
adversaries developing new capability based on either new
weaknesses or new technology and then directing that capability
to the backbone. And so I would say that the community at large
has been fairly proactive as well as reactive in investigating
what those bad guys are doing, the techniques that they are
evolving and shaping, and making sure that our capability to
respond is built into the platform, or in some cases, bolted
onto the platform by redirecting traffic and scrubbing it.
So what I would say is what scares us about IoT attacks is
just the enormous potential scale, whereas, you know, the
typical botnet that is involved in these attacks over the past
handful of years to up to a decade has been in the tens of
thousands. We now have the potential of devices in the
millions. And network capability for filtering and scrubbing
has not scaled at that sort of a factor. So it is something
that we are taking with great notice and great pause to make
sure that we can invest in our capability and technology to
prepare for that.
Mr. Johnson. Is it safe to say that the majority of these
defensive techniques have worked because they target the way
that traditional DDoS attacks use spoofing and amplification?
Mr. Drew. I would say that with regards to what the traffic
looks like itself, meaning how that traffic is executed upon
the victim, there have been slight evolutions in the way that
that traffic looks, but for the most part, that the definition
that has an upper and lower control in it, that is fairly well
understood. And so the technology is geared to be able to
operate within that sort of control parameter. It is really--
the big issue is the scale in which that the devices are coming
at that victim and being able to launch those sorts of attacks.
Mr. Johnson. OK. So to get kind of to the heart of the
matter of why we are here today, because from what we have been
told, this Mirai botnet doesn't use spoofing or amplification.
Is that accurate?
Mr. Drew. That is correct. It uses what is called a shaped
attack where it can send any protocol or any packet that it
wants to.
Mr. Johnson. OK. Instead, the botnet is built out of these
individual connected devices, and you would say now there are
potentially millions of them out there that are so numerous
that spoofing and amplification aren't even necessary. It is
the total--it is just a deluge of traffic from those connected
devices, correct?
Mr. Drew. That is correct. If you wanted to send a large
amount of traffic in the past, you would use an amplification
attack.
Mr. Johnson. OK.
Mr. Drew. Now with devices like this, you don't need that.
Mr. Johnson. Well, you know, I think we need to dig into
this a little more then, because when we were talking about
defensive techniques before, most of those defensive techniques
seem to rely on DDoS attacks that use spoofing and
amplification. If a DDoS attack doesn't use spoofing or
amplification, and you began to allude to it a little bit, how
do techniques like IP address blacklisting or whitelisting or
IP packet inspection work and how effective are they?
Mr. Drew. I would say, in fact, they are probably more
effective on nonspoofed traffic. And so the overall capability
to inspect and mitigate is more capable when the traffic is not
spoofed. Again, I am going to go back to the scale issue, is
that a lot of that technology is built for the, you know,
hundreds of thousands of inspections at the same time as
opposed to the millions of inspections at the same time.
Mr. Johnson. My time has expired, but I guess it is safe to
say we have got a lot of work to do and we have got to stay on
this because we have got to develop new techniques to handle
this new threat. Correct?
Mr. Drew. Absolutely.
Mr. Johnson. OK. Thank you, gentlemen.
Mr. Chairman, I yield back.
Mr. Burgess. The Chair thanks the gentleman. The gentleman
yields back.
The Chair recognizes the gentleman from Missouri, Mr. Long.
Five minutes for questions, please.
Mr. Long. Thank you, Mr. Chairman.
And, Mr. Drew, I understand that newer brand name devices
are generally safer and less vulnerable to cyberattacks, but
how much blame would you put on low end manufacturers cutting
corners on security with the type of attack that happened in
October?
Mr. Drew. Well, with specific regards to the type of attack
that happened in October, a vast majority of the devices were
those low end manufacturers from other countries. We spoke to a
vast majority of those vendors. Those vendors had not really
contemplated the idea that their devices could be used in that
sort of fashion. Some were mortified and were trying to wrap
their head around how they could deploy cybersecurity. And,
frankly, other manufacturers had no interest in deploying
because they had every belief that their consumers would
continue to purchase their product.
Mr. Long. OK. This is directed to all of you. I guess we
will start with Dr. Drew since he is T'd up there, but what are
some ways hardware and software manufacturers can band together
to prevent a cyberattack like the recent one?
Dr. Fu. So I would say----
Mr. Long. Maybe we won't start with Dr. Drew.
Dr. Fu. Oh.
Mr. Long. No. That is fine. I was just----
Dr. Fu. OK. Were you referring to me? I am sorry.
Mr. Drew. He is Dr. Fu, I am Mr. Drew.
Mr. Long. Oh, OK. I am sorry.
Dr. Fu. But together we are interdisciplinary, and I would
say the key point here is interdisciplinarianism for the
hardware and the software.
There is a good--function follows form. And if you look at
the educational system, you will see that the people trained on
hardware and the people trained on software don't actually have
sort of the closest cultures in terms of education. I think it
is going to be very important to educate people in a way that
brings hardware and software together, because otherwise you
are not going to have the workforce that is going to be skilled
and trained to be able to solve these problems. So that is
certainly something I am trying to do personally, is when I
train students, I train them in both hardware and software,
because you just can't abstract it away anymore.
Mr. Long. So, Dr. Schneier.
Mr. Schneier. So I think this is a particular challenge----
Mr. Long. Mister. I am sorry. I have got too many--I can't
see this angle with my glasses. I need new glasses or a
different angle, I guess. There you go.
Mr. Schneier. I think it is a particular challenge, because
engineering operates in silos. The companies that made those
DVRs got a chip with software on it. They didn't inspect it,
because it is a blob, and they put it in their device. They
sold that device to some other company that put their name on
it, and sold it to the consumer. And you have this chain which
is very opaque, and companies will hand off to each other. So
banding together, I think, is going to be very difficult. And
the way we can do that is to incent it. If I have liabilities
that go up the chain, if I have regulations that will affect
each other, then I am giving the companies reason to not just
say, yep, this works, I am going to put it in my device and I
am going to sell it cheaply. This is hard, and I don't have a
good, crisp answer. Hopefully Mr. Drew does.
Mr. Long. That is why we put him last.
Mr. Drew. Yes. I would say that I agree with regards to
cheap IoT. I think with regards to cheap IoT, the focus
primarily is on the specific set of application that they are
looking to develop. They get hardware from another
manufacturer, they get the baseline operating system from
somebody else, and they just develop their application and
don't really know how it all interconnects together as a global
ecosystem.
I would say on more emerging IoT that is a bit more
integrated and a bit more capable of being interconnected to
other IoT devices, we are seeing a lot more sort of discipline
and knowledge with regards to marrying both hardware and
software disciplines together, as well as being able to achieve
higher security standards as they interact with each other from
device ecosystems. So a long way to go, but a lot of growth in
that particular area.
Mr. Long. Let me ask you something else. Could the recent
cyberattacks have been avoided if the targeted sites registered
with more than one company that provided the same services that
Dyn provides?
Mr. Drew. Presumably, yes. What we did see, though, on the
Dyn attack is that a number of the domains that were targeted,
they fell back to another authoritative server, and the bad guy
detected that and then launched an attack against that other
authoritative server. So, you know, in this case, the bad guy
was following specific victims and reacting to them as they
mitigated and moved.
Mr. Long. OK. Yes. I heard you say that earlier in the
opening. I think--Dr. Fu, how's that? Is that OK? Dr. Fu, to
what extent did default passwords play a role in these recent
cyberattacks we have been discussing today?
Dr. Fu. So default passwords played a key role because it
was the entry point to take over this army of unwitting agents
to attack Dyn.
Default passwords are everywhere. In my testimony, I
provided a graphic of default passwords for medical devices.
There is nothing stopping the same attack from happening to
another industry, other IoT products. Default passwords are a
big problem. The fact that we are even relying on passwords at
all is a big problem.
Mr. Long. OK. Thank you all.
My time has expired, and I yield back.
Mr. Burgess. The gentleman yields back. The Chair thanks
the gentleman.
The Chair recognizes the gentleman from Florida, Mr.
Bilirakis. Five minutes for questions, please.
Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it
very much.
On October 21st, the attack is unprecedented in size, and
thought unforeseeable. In January 2015, the FCC staff reported
the outlined security risks--thank you--Internet of Things
devices present, including potential attacks on other systems.
Dr. Fu, it appears that one of the recurring problems
identified in your testimony is the use of insecure operating
systems, which are actually easier to infect a target for
distributed denial of service attacks. Have you seen industry
react to these issues and move forward more stable operating
systems, and are there impediments to making such a switch?
Dr. Fu. I have seen industry move to better operating
systems, but like most communities, there is a wide
distribution. There is a leader, there is maybe not the leader.
I still see Windows XP, which is a decades-old operating
system, in critical systems. There is a photograph of one
Windows XP system in a water treatment facility in Michigan in
my testimony controlling water pumps for the city.
Windows XP is susceptible to the last decade of already
released malware. It doesn't take anyone, more than a kid in
their basement, to be able to cause a problem. It hasn't
happened, because no one's wanted it to happen.
It is all about the economics. Certainly on the high-end
devices, like linear accelerators, for example, or radiation
therapy devices, you are talking multimillion-dollar machines.
Certainly when a hospital buys a new device, they are more
likely to get a new operating system because it just comes with
the new system. However, most hospitals have capital equipment
costs. And they don't want to have to buy a new MRI or whatnot
every 10 years. You know, it should last 20 or 30. This is why
you will still see Windows 95 machines, you will see Windows 98
machines--the year is important--in hospitals, because when
they go to the manufacturers saying, hey, we really want to
have an operating system that we can keep secure, they will
say, oh, sure, just why don't you buy a whole new machine.
And so there was this unwritten assumption that the
software would be maintained. It may not have been written into
the agreement, but the healthcare community felt that it should
have been kept secure, kept maintained, but from the
manufacturing standpoint, it was, we have provided you this
device.
Mr. Bilirakis. Thank you. Reports show that many devices
used in the October attack were situated overseas. While some
seek to regulate devices in our own country, how do we protect
ourselves from devices that are outside the U.S.?
Dr. Fu, and then if someone wants to chime in, that is OK
too.
Dr. Fu. Sure. Let me just comment briefly, and I will let
my fellow witnesses opine.
I think the important thing about computer security is not
to be able to put yourselves in a secure environment, but you
need to be able to tolerate an insecure environment. We are
never going to be able to make networks, you know, blissful
places full of rainbows. The networks are always going to be
hostile. So we need to make sure that whatever we put on there
is going to be able to tolerate malicious traffic. DDoS
attacks, however, are extremely hard to defend against because
they cut at the core of where we are least prepared, and that
is high availability.
Mr. Bilirakis. Anyone else want to comment on that?
Mr. Schneier. So it is two things. I think that U.S.
regulation, especially if it is U.S. and Europe and some more
major markets, can cause a new environment, which raises the
tide for everybody, because companies are not going to make two
devices. They are just going to make one device and sell it. So
we can make a difference with us and like-minded countries,
like we can in so many other industries.
But Dr. Fu is correct that we can't assume ever a benign
environment; that it is going to be a combination of making the
devices that we can touch more secure, which means the
integrated devices are more a minority, and then building
infrastructure controls to secure against this malicious
minority. And it will always be that.
Mr. Bilirakis. Thank you.
Mr. Drew, do you want to comment quickly, because I have
one more question?
Mr. Drew. I was just going to say that we have a
fundamental belief of ensuring that we can try to route packets
on the backbone that are based on reputation. So the more that
businesses and backbones can collaborate together on data and
route traffic based on reputation, I think the better prepared
we are going to be.
Mr. Bilirakis. Thank you.
One of the biggest concerns--for Dr. Fu. One of the biggest
concerns of the future distributed denial of service attacks is
the potential impact on hospitals and their patients. We
already know that hospitals are targets in other areas, such as
ransomware hacks. Question for Dr. Fu: How can hospitals best
protect themselves from these threats and their current
technology, and should industry prioritize the healthcare
sector in preventing current cyberthreats?
Dr. Fu. Right. Well, in the short term, hospitals are in a
sticky place. There is not a whole lot of mitigating solutions.
So the best medicine I can recommend for hospitals right now is
to really know their inventory of medical devices. I saw some
discussion yesterday in a DHS report about a bill of materials
of software. Hospitals don't even know what software is running
on the inside of their facility because the manufacturers don't
know themselves what are on those medical devices. If we only
knew what was on the medical devices, we could better
understand what risks we are taking.
Mr. Bilirakis. Thank you very much.
I yield back, Mr. Chairman. I appreciate it.
Mr. Burgess. The Chair thanks the gentleman. The gentleman
yields back.
The Chair recognizes the gentlelady from Indiana, Mrs.
Brooks. Five minutes for your questions.
Mrs. Brooks. Thank you. I am going to follow up, Dr. Fu,
and if you would explain a bit more about what--your concern is
that the devices that are being used actually in the
hospitals, the hospitals are not aware of what is on those
devices. And so what kind of mechanisms should we have so that
hospital systems are fully aware of what is in their hospital?
Dr. Fu. Right. So let me just frame the context. So
hospitals want to make sure that they have continuity of
operations of their clinical work flow so they don't have to
shut down, like the MedStar system shut down in this area for
several days. And so the problem is when you don't know what
your assets are, how are you going to protect that, if you
don't know what ports are open? The manufacturers, they are
not, I would say, willfully causing harm, as far as I know, but
they are simply not providing enough information so that the
hospital staff can do their jobs to assure the continuity of
their clinical facilities.
So providing a bill of materials of what software comes on
a device when it enters the hospital, it won't completely solve
the problem, but it is going to really help, because you can't
do step two until you do step one. You have to know your
assets, you have to know your inventory before you can
effectively control security mitigation controls.
Mrs. Brooks. And so while that has obviously lifesaving or
life-ending implications, what other sectors are you most
concerned about--and this is for the panel--that--you know,
that the sector integration, so to speak, of devices within
maybe the system is not known?
Dr. Fu. I will just say public utilities, water, gas,
electric. It surprises me how people just sort of laugh about,
oh, we don't have security, hahaha. And, you know, we are not
going to be laughing when the lights go out.
Mr. Schneier. So I think looking at it in sectors is almost
self-defeating. So what we are worried about is interactions.
And, you know, if you asked somebody a month and a half ago
whether a vulnerability in a Web camera can affect Twitter, you
know, people would say no. And in a lot of ways, we barely know
how the Internet works. I mean, Mr. Drew's answer of whether
this particular defense would have mitigated this particular
attack, and the answer was we are not really sure. And it is
the emergent properties of interconnecting everything that
causes the vulnerabilities.
We focus on a sector, we risk missing the big picture. And
they are all computers, whether they have wheels or propellers
or in your body, and they affect each other, they are on the
same Internet. So I urge you to think holistically and not--I
mean, there are sectors that are more vulnerable, more
critical, that is obvious, but the cause of the vulnerability
could come from nowhere.
Mrs. Brooks. Mr. Drew, a question whether or not--what your
thoughts are as to whether or not hacking back or some other
form of active defense should be permissible. Thoughts on that?
Mr. Drew. I know that this has been a fairly large debate
within my industry. It has been a fairly large debate within
the U.S. We have these conversations on a regular basis about
green viruses where if we know a particular exposure exists and
we know that we can write software to go out and patch this
system on the user's behalf to get the malware off the system,
then we would be better protecting both the consumer as well as
the Internet as a whole. And I think that that is a fairly dark
road to go down. I think that it is an excuse for us not fixing
the ecosystem and providing the right incentives in the right
locations, and potentially has impacts that, you know, the
author writing that software isn't necessarily aware of, as he
is touching a pretty broad set of devices out on the ecosystem.
So I would say I fear more of the consequences of that than I
do pushing the right incentives in the right layers.
Mrs. Brooks. And going back to the question about whether
or not we have the appropriate safeguards in place, we have
209,000 job openings right now, according to Dr. Fu, and what
are the programs, degree programs or other types of
certification programs, that should be offered that we are not
offering enough in our higher ed institutions or training
programs? And, you know, are degrees necessary or do we need to
have different types of certifications short of degrees?
Dr. Fu. I think we need all of the above, especially it is
a little-known discipline called embedded cybersecurity, but
this is very related to IoT, bridging the hardware and the
software. I think we need both at the community college level,
I think we need both at the 4-year college, both in the
graduate studies, also especially in advanced master's programs
for already skilled workers who are perhaps experts at building
cars or designing cars but need to know how do you build
security into that thinking. There aren't enough opportunities
for those workers to come back to get that training.
And a final comment is the pipeline. I think in the
engineering, in some of the sciences, we have difficulty, I
think, attracting, tapping new resources, different
demographics. I think we need to be much more--doing much more
outreach to high schools and some of the kids who are coming up
to encourage them to go into these fields, and especially women
and minorities.
Mrs. Brooks. Thank you all for your work. I yield back.
Mr. Burgess [presiding]. The Chair thanks the gentlelady.
The gentlelady yields back.
And the Chair recognizes the gentleman from Illinois, Mr.
Kinzinger. Five minutes for questions.
Mr. Kinzinger. Thank you, Mr. Chairman.
Thank you all for being here, taking the time and
elaborating on these issues.
Mr. Drew, for you, is it accurate to categorize the recent
DDoS attacks as an international issue?
Mr. Drew. It absolutely is an international issue. The
device manufacturers were foreign. The majority of the
locations where the devices were located was foreign. You know,
most of what we are talking about here today, from a regulation
perspective, wouldn't have a direct significant impact on at
least the adversaries that were involved in the October 21
attacks.
Mr. Kinzinger. Do you know, are there any other countries,
international groups, et cetera, focused on these security
issues right now?
Mr. Drew. I mean, yes. I mean, there are a number of
countries that are focused on very progressive cybersecurity
controls. In Great Britain, as an example, there is a
significant amount of cybersecurity work with regards to
integrating that into the telecommunications sector, so--
meaning that if you are going to be offering telecommunication
services or if the Government is going to be purchasing
services, you have to be certified at a certain cybersecurity
level.
Mr. Kinzinger. So are you seeing, through these groups and
countries, any kind of a consensus on how to move forward? And,
I guess, what recommendations would you give to Congress to, in
essence, marry up to that or work together on those issues, to
help the conversation?
Mr. Drew. You know, I am going to go back to one of my
original points, which is I do believe that we are missing, you
know, defined standards in this space, that we can get some
adoption around, that we can get some pressure focused on, and
we can change buying and investment patterns.
I think that by setting those standards and by setting them
by both domestic and international groups, whether it is NIST
or ISO, you know, setting these standards so that you can force
buying behaviors in both consumers as well as businesses I
think is going to be a major step forward.
Mr. Kinzinger. A lot of reports are indicating, as we have
discussed, a staggering increase in the number of connected
devices over the next few years. It is a number we heard today
anywhere between 20 and 50 billion devices, which is unreal.
What do you think policymakers and stakeholders should think
about, in general, regarding cybersecurity and interconnection
moving forward? What would be kind of the takeaway you would
want us to leave with?
Mr. Drew. I think innovation is progressing faster than
discipline. And, you know, what tends to happen is we go on a
biorhythm of a lack of discipline causing significant
unintended and unforeseen consequences. Our ability to adapt
and respond to those is the thing that is going to keep that
infrastructure protected and as well as continue to evolve it.
So I think that, you know, the average CSO has to manage 75
separate security vendors, and that is to bolt on security
controls for products and services that they are purchasing.
And when we get one of those dials wrong, there are some
significant consequences as a result. And so focusing on making
sure that premarket controls are placed in that infrastructure
is going to be a significant adaptable win for us.
Mr. Kinzinger. Dr. Fu, Congressman Long brought up the
issue of default passwords, and you stated that we should get
away from passwords all together. Can you elaborate on that?
Dr. Fu. I mean, so passwords are just intrinsically
insecure. You know, we are human. We write them down. We choose
poorly. So pretty much any password system is going to
encourage unwise security behavior. There are some technologies
out there. There is one company in Ann Arbor, for instance,
Duo, that does something called two-factor authentication where
you have, for instance, a mobile phone in addition to a
password.
But at the heart of it, we need to figure out other ways.
And I am going to defer to the other witnesses for suggestions
on that. But I just feel we really need to retire passwords. We
need to kill those off, because these are going to be bringing
down our most sensitive systems.
Mr. Kinzinger. Do any of you want to elaborate on that at
all?
Mr. Schneier. So I largely agree. I mean, there will always
be a role for passwords. There will be low-security devices,
applications, low amounts of latent time, times when you
generally need security for a short amount of time. But, in
general, passwords have outlived their usefulness, and there
are other technologies. You can secure your Gmail account now
with a code that comes to your phone as a second factor. I can
secure this with my fingerprint.
There are many other systems that give us more robust
authentication, and I think that would go a long way in a lot
of our systems to help secure them. Because we are talking
about two different ways to break into things. We are talking
about vulnerabilities, which are exploited; we are talking
about bad user practice, which is also exploited. And if I can
get rid of one of them or at least reduce it, I am going to go
a long way to making things better.
Mr. Kinzinger. OK. Great. Well, I am out of time, and thank
you all for your time.
And I will yield back.
Mr. Burgess. The Chair thanks the gentleman. The gentleman
yields back.
The Chair would recognize Mr. McNerney for the purposes of
followup questions.
Mr. McNerney. I want to thank the Chair for an opportunity
to ask another question. This one is a little philosophical, so
I hope you don't mind.
Mr. Schneier, you mentioned that the attacks are easier
than defense on this complex system and making more complexity
opens up new vulnerabilities. But biological systems work in
the other way. They build complexity in order to defend
themselves. Is there some kind of parallel we can learn from on
this?
Mr. Schneier. So in the past decade or so, there has been a
lot of research on sort of moving the biological metaphors of
security into IT, and there are some lessons and there are some
things that don't work. Biological systems tend to sacrifice
the individual to save the species, which is kind of not
something we want to think about in IT or even, you know, in
our society.
But, yes, there are ways of thinking about a security-
immune system, but the complexity of a biological system is
complexity that is constrained. So, for example, you know, we
all have a different genome, and that gives us a resistance,
our species, against a disease. And you might be able to do
that with an operating system, but it is not going to be two or
three, it is going to be billions of different operating
systems, which is suddenly much more expensive by, you know,
orders and orders of magnitude.
So a lot of the lessons don't apply. Some do, and the
researchers are trying to learn from them. And that is kind of
the new cool way of thinking, and I think there is a lot of
value there. But still, complexity, unintended consequences,
interconnections, the attack surface, the enormous attack
surface we are talking about, makes it so that in at least the
foreseeable future, attack will have the advantage. My guess is
there will be some fundamental advances in security which will
give us, maybe not in our lifetimes but eventually, a defensive
advantage, but no time soon.
Mr. McNerney. All right. Thank you.
Mr. Chairman, I yield back.
Mr. Burgess. Thank you.
Mr. Schneier--just recognize myself for a followup
question. You had mentioned along this line and then you had
mentioned in, I think, response to an earlier question about
the autonomous vehicles. And, yes, yesterday in our Commerce,
Manufacturing, and Trade Subcommittee, we did have a hearing on
autonomous vehicles. So particular vulnerabilities or places
where the focus should be as autonomous vehicles, self-driving
vehicles develop as a separate entity?
Mr. Schneier. So I think it is a really interesting test
bed for what we are thinking about. And I don't know how much
detail you went into on the vulnerabilities. What we learn is
the vulnerabilities are surprising. There is one attack that
used the DVD player as a way to inject malware into the car
that controlled the engine. Now, that shouldn't be possible,
but surprise. And similarly, I am worried about the USB port on
the airplane seat potentially controlling the avionics. The
airline companies will say that is impossible, but those in
computer security don't believe it.
So, again, the more holistic we can be, the better. There
are always going to be surprises. So to get back to the immune
system model, how do we build resilience into the system? How
do we ensure that it fails safely and fails securely? How do we
ensure or at least make it more likely that a vulnerability
here doesn't migrate to another vulnerability there causing
something more catastrophic? So the more we can look at the big
picture, the less we focus on this or that, because it is the
connections. And so if you think about it, it is exponential.
I mean, I have five things, that is 25 connections. I have
100 things, that is 10,000 connections. It goes up by a factor of
square. I just did some math--so sorry--here, but--now, that is
the vulnerability, and that is why this is so--that is why
complexity is such a problem.
Mr. Burgess. Well, I mean, I had posed the question
earlier, and, really, this is for any of the three of you who
wish to answer, you know, the question of thinking like a
criminal. But, you know, really, we are still playing checkers
and they are playing three-dimensional chess or perhaps a
multifactorial level of three-dimensional chess. So, I mean,
what are the things that keep you all up at night? What are the
things that you have wondered about?
Mr. Drew. I would say the best advancement in the security
space for us, as an example, is behavior analytics. It is being
able to monitor the network, monitor the enterprise, monitor
our infrastructure, and look for behavior that we have never
seen before to determine whether or not that is unauthorized
traffic or not.
But no matter what, that technology is based on a
compromise already having occurred, a bad guy already being in
the network. And so our ability to be more proactive, our
ability to get ahead of that attack and predict those attacks
before they occur and change the technology before they can be
exploited, that is where we need to migrate.
Mr. Burgess. Mr. Schneier.
Mr. Schneier. I worry about catastrophic risk. You know,
the Dyn attack is interesting. It was one person who had the
expertise to figure out how to do it. He encapsulated his
expertise in software, and now anybody can do it. So it is
unlike my home, where I only have to worry about the burglars
for whom driving to my home is worth the bother. And there is some
bell curve of burglar quality, and the average burglar is what
I care about. On the Internet, it is the most sophisticated
attacker I care about, anywhere in the world, because of the
way computers encapsulate expertise into software.
Mr. Burgess. Dr. Fu.
Dr. Fu. I worry about something a little more human, and
that is sort of bureaucracies. I worry about the inability to
change. I worry about being stuck saying, well, we have never
done it that way before. I worry about saying things like, you
know, well, that is unprecedented. Well, the Internet of Things
is unprecedented and so there are going to have to be some
changes. So I do worry that we won't have the strength and
resolve to do it. It will take some guts, I think, but this is
foresight.
In the safety world, we saw this with handwashing. In the
1840s, handwashing was not even a thought that crossed your
mind until after Ignaz Semmelweis. It took 165 years to get to
the point where handwashing is common. It is going to take some
time for security, but the time is ripe to do something now and
to do something wise.
Mr. Burgess. And I would just note for the record, I think
Dr. Semmelweis did end up dying of a strep infection from not
handwashing. So it----
Dr. Fu. He also messed up his experiments. He didn't write
them up well.
Mr. Burgess. Well, wonderful. This has been a very
informative hearing.
Seeing no further members wishing to ask questions, I do
want to thank our witnesses for being here today.
Before we conclude, I would like to include the following
documents to be submitted for the record by unanimous consent:
A letter from the Online Trust Alliance; a letter from the
National Electrical Manufacturers Association; a letter from
the College of Healthcare Information Management Executives; a
letter from AdvaMed, the Advanced Medical Technology
Association; and a letter from CTA.
[The information appears at the conclusion of the hearing.]
Mr. Burgess. Pursuant to committee rules, I remind Members
they have 10 business days to submit additional questions for
the record. I ask the witnesses to submit their response within
10 business days upon receipt of the questions.
I didn't say it, but, without objection, so ordered that
all those things are inserted into the record.
And, without objection, the subcommittee is adjourned.
[Whereupon, at 12:19 p.m., the subcommittees were
adjourned.]
[Material submitted for inclusion in the record follows:]
Prepared statement of Hon. Fred Upton
The explosive growth of connected devices--or the Internet
of Things--has the potential to make a major impact on how
consumers, industry, and even State governments measure and
manage information from their homes and communities.
Companies back in my home State of Michigan are on the
leading edge of this industry. From established businesses to
startups, businesses are looking to the future and that,
undoubtedly, includes IoT. For example, Herman Miller, the
furniture manufacturer based in Zeeland, Michigan; the Detroit
business accelerator, TechTown; and startup Tome, in Royal Oak,
Michigan, are all focused on the future of connectivity,
automation, and security with IoT devices.
As we learn more about how these devices can help consumers
in their daily lives and how industry is moving to meet
consumer demand, it is critically important for all
stakeholders to keep security top of mind.
The recent cybersecurity attacks against Dyn illustrated
just how pervasive Internet of Things connected devices are in
our daily lives while also demonstrating the balance between
functionality and security. Consumers should not be expected to
have a degree in computer science to operate the devices they
purchase to make their lives a little easier.
While perfect security is an aspirational goal, the
increased level of attention these issues have received over
the last decade has caught the attention and focus of
executives across the country. Basic cyberhygiene, like
password vigilance, running routine security scans, and
maintaining your online health, is another component that has
gained mainstream attention, and I am interested to hear how
industry is moving forward to address these issues.
Today's hearing is a good opportunity to learn about what
happened in the recent attacks and what issues we should be
focused on moving forward. While some may point to Government
regulation as the answer--I would strongly encourage caution
here. This technology moves as fast as the hackers who are
constantly trying to work around industry designs. Regulations
have never proven capable of keeping up with that rate of
change.
I thank both Chairman Burgess and Chairman Walden for
holding today's joint hearing and the witnesses for taking the
time to come and testify this morning.
Prepared statement of Hon. Frank Pallone, Jr.
There is truth to the saying--you don't know what you have
until it's gone. Three weeks ago, a cyberattack on a single
company--Dyn--left millions of Americans without access to some
of the most popular Web sites on the Internet.
This was a disruptive attack coming at a critical time.
Citizens couldn't get access to major news and weather sites.
Commerce slowed. Online payment services went down.
And even though no one knew exactly what was happening,
many guessed that the Internet itself was under attack. We
didn't know how much bigger the outage could get or who was
attacking us.
Fortunately, we now know that this particular attack was
not as bad as it could have been. Looking ahead, we still don't
know if the last attack was a dry run or a road map for a
larger, more crippling attack. But we do know now just how
vulnerable our systems can be. As some of the witnesses
testifying before us today have noted, future attacks could
target our health care systems or critical infrastructure.
Everything from the stock market to the energy grid is
connected in some way.
That's why I, along with ranking members Eshoo, DeGette,
and Schakowsky, as well as Congressman McNerney, asked for this
hearing. I was gratified that our Republican colleagues agreed
that our committee needs to better understand these
vulnerabilities.
So, what exactly happened? It appears a few hackers
attacked a particularly crucial part of the Internet's
infrastructure--the domain name service provider, Dyn. This one
company helped keep a number of major Web sites online. So by
attacking just one company, these cybercriminals were able to
knock out a number of others.
But the way that these attackers went after Dyn is just as
important as the effect of the attack. The hackers were able to
turn our devices against us. They hijacked hundreds of
thousands of seemingly innocent devices that so many consumers
have in their homes--simple gadgets like digital video recorders
and webcams.
The attackers were able to take over these connected
devices because they could easily find the default passwords
used by the device manufacturers. Some of these passwords were
hardwired into the devices so that consumers couldn't change
these weak passwords even if they wanted to.
That's why manufacturers of these devices need to take
steps to address this problem. Better security is obvious.
Hardwired default passwords are not acceptable.
And consumers may also have a role to play when it comes to
device security. Using strong, unique passwords is critical.
But the recent attack on Dyn makes it clear that consumers
can't, and shouldn't be expected to, fix this problem.
In fact, most people probably don't even know that their
devices were used, and those devices' owners were not the ones
affected by the attack. Instead, it was millions of Internet
users across the country who couldn't access many popular Web
sites who were affected. Because of this dynamic, I am
concerned that although device owners and manufacturers may be
in the best place to fix the problems, they have the least
incentive to do so. That's why, if we are going to really fix
this, the Government may need to take additional steps to keep
us safe.
But before we reach that conclusion, we need to answer some
tough questions. For instance, will regulations be effective,
and what tradeoffs are we making if we regulate? What industry,
if any, should be regulated? And what agency should be charged
with this responsibility? I am hopeful that today's hearing
will bring us closer to these important answers--and it's not a
moment too soon, because the next attack can come at any time.
With that, I'd like to thank all of our witnesses for being
here today, and I'd like to yield the remaining balance of my
time to Congressman McNerney.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]