The massive October 21 denial-of-service cyberattack that shut down major websites across the Internet has raised concerns in Congress about the vulnerability of Internet of Things (“IoT”) consumer devices. The cyberattack, in which domain name service (“DNS”) provider Dyn was flooded with traffic from tens of millions of Internet protocol addresses that were tied to IoT devices infected by Mirai malware, has led ranking members of the House Committee on Energy and Commerce and Subcommittee on Commerce, Manufacturing and Trade to propose that the Federal Trade Commission (“FTC”) require IoT device manufacturers to implement stringent security measures before marketing their devices in the U.S.
The lawmakers, Reps. Frank Pallone Jr. (D-N.J.) and Jan Schakowsky (D-Ill.), sent a letter to FTC Chairwoman Edith Ramirez, calling on her to “use all the tools at [the FTC’s] disposal” to ensure that IoT devices with deficient security mechanisms – including easily deciphered default passwords – not be marketed to consumers.
These lawmakers want the FTC to, among other things, require device manufacturers to shore up security deficiencies in their products and require consumers to timely reset default passwords. They also strongly encouraged the FTC to notify consumers about the security risks of continuing to use the “stock” passwords that are included with new IoT devices.
Mandating security measures for IoT devices would be an abrupt about-face for the FTC, which previously advocated a hands-off, market-based approach to the issue. When asked about IoT consumer privacy and security earlier this year, FTC Commissioner Terrell McSweeny said that prescribed regulations would not likely come from the FTC. McSweeny said that the biggest issue facing IoT is “getting the balance right between protecting consumers and optimizing innovation,” which did not include imposing security regulations on IoT device manufacturers.
That may soon change. The cyberattack also prompted Senator Mark Warner (D-Va.) to write to the FTC and other federal regulatory agencies, stating that unsecured devices such as refrigerators, smart thermostats and internet-enabled cameras are attractive targets for future cyberattacks, and urging the regulators to beef up cybersecurity standards for these connected consumer products.
If you would like additional information concerning Congressional action on IoT devices or about current IoT equipment marketing rules, please contact IoT attorney Ronald E. Quirk, Jr. at (703) 714-1305 or req@commlawgroup.com. Further information about The CommLaw Group’s Internet of Things practice is available here.