Friday, November 18, 2016

Do Export Controls on Computer Security Make Us Less Secure?

This post's title is posed as a question, not as a declaration, as is the post itself.  But I think that recent events highlight a conundrum in embedded system security that has been brewing for quite some time: our embedded devices can be used to attack our own computer systems.
The recent DDOS attacks against DNS provider Dyn were conducted by an army of zombie IoT devices.  IoT devices, simple as they are, have enough capability to play roles in these sorts of attacks. And given that we have many more IoT devices than desktop or laptop computers, they are obvious fodder for attackers.
It is certainly true that many IoT devices are shoddily designed and constructed, making it easy for attackers to commandeer them. Some simple steps on the part of manufacturers could make these devices more secure. But it is also true that U. S. export control laws make it difficult to export security-related hardware and software that would allow an extra level of protection for these devices. And the vast majority of these inexpensive IoT devices are manufactured overseas.
If we allowed more computer security equipment to be exported, would it be used against us? Probably. Would the net threat be larger than the one we now face?  I really don't know but I think we should have this discussion.  I think that Congress and technical experts should work together to identify ways to make the United States and the world safer and more secure from IoT-based threats. Everyone should consider guidelines or regulations on how devices are certified at a given level of safety. As part of that process, we will probably end up considering what types of security devices, both hardware and software, we want to see more broadly used and what techniques we want to keep in reserve.  An ounce of prevention is worth a pound of cure.

No comments:

Post a Comment