House Energy and Commerce Committee ranking member Frank Pallone (D-N.J.) and Commerce, Manufacturing, and Trade Subcommittee ranking member Jan Schakowsky (D-Ill.) want the Federal Trade Commission to take action to protect consumers from cyberattacks on their Internet of Things (IoT) devices.
In a letter to FTC chairwoman Edith Ramirez, they pointed to the Oct. 21 distributed denial-of-service attacks that affected East Coast access to some major websites, Twitter and PayPal among others. In those attacks, a botnet was used to scan for poorly secured IoT devices (in some cases still using default passwords), then connect to some 400,000 of them to launch the attack.
The commerce committee oversees most communications issues, while the trade subcommittee has oversight over the FTC.
They commended the FTC for advising manufacturers in a 2015 report that they should require consumers to change default passwords during set-up. But they also said that, while commendable, such warnings are insufficient given the "current environment." They suggest the FTC should weigh in after the Oct. 21 attack.
The legislators want the FTC to require IoT device manufacturers to implement security measures, including patching vulnerabilities and requiring users to change default password settings. They also want the FTC to alert consumers to the risks of using default passwords.
They pointed out that IoT devices are the "fastest growing" category of connected devices, projected to reach 12.5 billion by 2020, about the same time that the Obama Administration wants there to be ubiquitous mobile broadband access.
They said the FTC should "immediately use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures to best protect consumers from cyberattacks. Future devices should not be sold in the U.S. streams of commerce with deficient security mechanisms." The Obama Administration has already held the first of several planned meetings among IoT stakeholders to come up with voluntary guidelines for IoT security upgrades and patches.
In March 2015, the National Telecommunications & Information Administration sought comment on identifying cybersecurity issues related to IoT and the rise of an interconnected economy.