DDoS Attacks: Time to Regulate Internet Connectivity, IoT Cybersecurity?

As the FBI and government agencies continue to investigate last week's massive DDoS attacks, it's time for U.S. industry and citizens to face a challenging question: For the sake of cybersecurity, should Internet connectivity be regulated?

Think of it this way: When you attempt to purchase a car, there's a basic understanding that the process involves:

  • A buyer who is licensed to drive, and insured to use the car.
  • A car that includes basic safety features -- brakes, headlights, turning signals, airbags, etc.

Those "regulated" requirements protect the overall ecosystem of drivers, roadways, etc. Perhaps it's time for a similar "regulation" approach to Internet access. Imagine a world where PCs, mobile devices and IoT (Internet of Things) connections actually require basic security in place before signing onto the Internet.

Stopping Botnets, DDoS Attacks Before They Start

Here's the situation: Just last week a botnet spanning millions of IP addresses attacked Dyn. The attack essentially blocked access to popular Internet services like Twitter, Spotify and Netflix.

As InfoWorld put it:

"It's apparently possible that a DDoS attack can be big enough to break the internet -- or, as shown in the attack against ISP Dyn, at least break large parts of it.

The DDoS attack against Dyn that began Friday went far past taking down Dyn's servers. Beyond the big-name outages, organizations could not access important corporate applications or perform critical business operations."

Here's a suggestion worth pondering. What if all devices "called home" to check their security settings before they were permitted to link to the public Internet or some key Internet services? In other words, an IoT device (say, a webcam) would call home to its maker or software supplier. The connection would ensure the latest security patches and perhaps other safeguards were in place before fully activating the device's Internet connection.

Fearing Big Brother

Of course, a "phone home" approach requires careful privacy considerations -- especially when users want less (not more) tracking of their connections and online habits. I'm not even sure a phone home approach is practical or workable.

But, it's clear that the current approach -- trusting users and businesses to implement basic security patches -- isn't working. Similar to how we immunize kids before they go to school here in the U.S., maybe it's time to make sure all of our IT devices are immunized each and every time they attempt to link to the web...

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.