Top official: Feds can’t stop all internet attacks

A top federal cyber official is warning that we may never be totally safe from massive cyberattacks such as one Friday that took down a number of major websites.

“We will always have legacy issues,” Allan Friedman, the director of cybersecurity initiatives for the Department of Commerce’s National Telecommunications and Information Administration (NTIA), told reporters on a conference call Monday.

{mosads}Friedman said there may be no way to protect all of the low-cost, low-security internet of things devices that have already been purchased by consumers and are connected. 

On Friday, attackers took over a broad number of these devices to interrupt internet service. Friday’s attack was brief but affected a number of prominent websites, including The New York Times and Twitter. The attack flooded servers run by the company Dyn that act like an internet switchboard. The servers were hit by too much traffic to function correctly, in what are commonly known as distributed denial of service (DDoS) attacks.

To generate massive amounts of traffic, DDoS attackers synchronize gigantic networks of hijacked computers. Friday’s attack provided well over a terabit per second of bandwidth, more than enough bandwidth to send the English text of Wikipedia twice each second. The attack is the largest DDoS attack in history. 

Researchers at the company Flashpoint identified the tool used to organize the attack as Mirai, a free-to-download DDoS tool. Mirai was used in an attack on cybersecurity journalist Brian Krebs beginning in late September. That held the record for largest attack until Friday. 

Mirai is one of a new breed of DDoS tools that use the wide range of new devices that connect to the internet to form its hijacked network rather than traditional computers. That allows it to take advantage of extremely lax security on low-cost devices.

Even before the attack, NTIA has been trying to address the issue by encouraging stakeholders to create better industry standards and their own solutions. Meetings on the issue began this month in Austin, Texas, and participants are already brainstorming how to improve future devices.

“An idea that was floated was to create an open framework for upgradability that small business could use so they didn’t have to invent this practice from the start and that we could also use for orphan devices,” said Friedman. 

But even if all companies comply with new industry standards there are still concerns. First, security can affect costs. Second, many devices already purchased and installed by consumers will still be a threat.

On Monday, a company Hangzhou Xiongmai Technologies, which makes internet-connected cameras, announced it would recall devices heavily used by Mirai in the attack.

Hangzhou Xiongmai also threatened legal action against any Western media outlets that defamed its brand, reports Krebs.

Friedman spoke on a call organized by the Atlantic Council’s Cyber-Statecraft Initiative along with the head of the initiative, a long time internet of things security advocate, Josh Corman.

Corman said he expected it may take a few more disasters like Friday’s for the government to take decisive action. 

“We often refer to the Cuyahoga River in Cleveland that caught on fire over 20 times before we actually did something to introduce the Clean Water Act,” said Corman. 

“I don’t know if you can count this as an internet on fire — I know a lot of the people who were affected called it an internet on fire — but it may take several of these before we are sufficiently motivated,” he continued.

This story was updated on Oct. 25 at 2 p.m.

An earlier version of this story misattributed comments made by Josh Corman to Allan Friedman.