Government regulation is a sticky issue in any industry, perhaps even more so in cyber security. Every time the government creates a rule or an obligation, goes the argument, it merely opens a hole to be exploited. Exhibit number one is the call for makers of any product with encryption to create a secure back door that police and intelligence agencies can use to decrypt possibly criminal communications.
Of course there's no such thing as an absolutely secure back door, so it will end up being used by criminals or nation states.
I raise this because last week security expert Bruce Schneier wrote about the distributed denial of service (DDoS) attack on domain name service provider Dyn Inc., which temporarily impaired the ability of a number of online businesses, including Twitter, to serve their users.
It doesn't matter, Schneier argues, whether DDoS attacks are state-based or not. The threat is that the software needed to build a botnet is so easily available, or can be bought as a service, that anyone can pour 1 TB and more of data at a target.
"The market can't fix this because neither the buyer nor the seller cares," he has written. One logical place to block DDoS attacks is on the Internet backbone, he says, but providers have no incentive to do it because "they don't feel the pain when the attacks occur and they have no way of billing for the service when they provide it."
So when the market can't provide discipline, Schneier says, government should. He offers two suggestions:
- impose security regulations on manufacturers, forcing them to make their devices secure;
- impose liabilities on manufacturers of insecure Internet-connected devices, allowing victims to sue them.
Either one of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure, he argues.
I'm not sure. For one thing, litigation is a long and expensive process. How do I sue a company headquartered in another country (say, China) that sells devices used by a person in a third country (say, Brazil), where the device is part of a botnet assembled by a person in yet another country (say, the U.S.) and used to attack me in Canada?
There's also the problem of defining "secure." What can a manufacturer do if it forces the creation of a long password for a device, but users insist on insecure passwords (like "password123456879")?
Still, we need to discuss short-term solutions because, as Schneier points out, with the huge number of insecure Internet-connected devices out there, the DDoS problem is only going to get worse.
Let us know what you think in the comments section below.