In the wake of last week’s widespread and well-publicized cyberattack, which targeted web-connected home devices in a successful effort to force Netflix, Twitter, PayPal and other websites offline, Senator Mark Warner (D-VA) wrote to FCC Chairman Tom Wheeler on Tuesday to ask for the FCC’s help in clarifying the role of Internet service providers (ISPs) in combating cyberattacks and promoting the security of networks and devices connected to the Internet of Things (IoT). Last week’s incident consisted of a distributed denial-of-service (DDOS) attack launched via the “Mirai” botnet, which targets and infects IoT devices such as smart thermostats, connected refrigerators and baby monitors.
Warner’s letter stressed that “the weak security of many IoT devices provides an attractive target for DDOS attackers, leveraging the bandwidth and processing resources of millions of connected devices.” Warner also advised Wheeler that manufacturers are compounding the problem by “flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind.” Citing analyst projections that the number of IoT devices will jump from 13.4 billion to 38.5 billion by 2020, Warner warned: “there is no requirement that devices incorporate even minimal levels of security.” Acknowledging that FCC rules bar ISPs from blocking the attachment of “non-harmful” devices to their networks, Warner told Wheeler: “it seems entirely reasonable to conclude under the present circumstances . . . that devices with certain insecure attributes could be deemed harmful to the network.”
As he encouraged the FCC “to provide greater clarity to [ISPs] in this area,” Warner asked Wheeler to respond to a series of questions which concern the security and protection of ISP networks as IoT devices continue to proliferate. Among other things, these questions cover (1) what types of network management practices are available to ISPs in addressing DDOS and similar threats, (2) how or whether the FCC has engaged with IoT device retailers with respect to the security risks connected with such devices, and (3) what strategies the FCC could take in removing from the stream of commerce IoT devices that are deemed harmful to ISP networks. Warner further questioned whether it would be a “reasonable network management practice for ISPs to designate insecure network devices as ‘insecure’ and thereby deny them connections to their networks?” FCC officials offered no comment.