Government regulation is a sticky issue in any industry, perhaps even more in cyber security. Every time the government creates a rule or an obligation, goes the argument, it merely opens a hole to be exploited. Exhibit number one is the call for makers of any product with encryption to create a secure back door police and intelligence agencies can use to de-crypt possibly criminal communications.
Of course there’s no such thing as an absolutely secure back door, so it will end up being used by criminals or nation states.
I raise this because last week security expert Bruce Schneier again raised the issue of whether governments should step in to help give more protection against distributed denial of service DDoS attacks.
It’s easy for attackers to build powerful DDoS botnets that leverage insecure Internet connected devices like consumer webcams, he argues, the most recent of which was the attack last month on U.S. domain name service provider Dyn Inc., which temporarily impaired the ability of a number of online businesses including Twitter.
It doesn’t matter, Schneier argues, if DDoS attacks are state-based or not. The fact the software is so easily available to their build a botnot or buy it as a service that can pour 1 TB and more of data at a target is the threat.
“The market can’t fix this because neither the buyer nor the seller cares,” he has written. One logical place to block DDoS attacks is on the Internet backbone, he says, but providers have no incentive to do it because “they don’t feel the pain when the attacks occur and they have no way of billing for the service when they provide it.”
So when the market can’t provide discipline, Schneier says, government should. He offers two suggestions:
–impose security regulations on manufacturers, forcing them to make their devices secure;
–impose liabilities on manufacturers of insecure Internet connected devices, allowing victims to sue them.
Either one of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure, he argues.
I’m not sure. For one thing litigation is a long and expensive process. How do I sue a company headquartered in another country (say, China) that sells devices used by a person in a third country (say, Brazil) which is part of a botnet assembled by a person in another country (say, the U.S.) used to attack me in Canada?
There’s also the problem of defining secure. What can a manufacturer do if it forces creation a long password for a device, but users insist on insecure passwords (like “password123456879.”)
Still, we need to discuss short-term solutions because, as Schneier points out, with the huge number of insecure Internet connected devices out there the DDoS problem is only going to get worse.
Let us know what you think in the comments section below.
