Computer security needs more federal regulation, says US senator

Sen. Maggie Hassan, a rising Democrat from New Hampshire, is vocal about the risks the US faces from bad security practices.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Maggie Hassan, Democratic senator from New Hampshire, has spoken on issues including data breaches, national defense and the security of smart gadgets.

Justin Sullivan/Getty Images

Sen. Maggie Hassan has seen firsthand how much damage a cyberattack can do to a community.

While the Democrat from New Hampshire was running for US Senate last year and still serving as governor, hackers nailed Dyn, one of the largest internet management companies in the US, and shut down major websites for hours. The attack hit home for Hassan: Dyn is based in Manchester, New Hampshire.

She saw the hack as a warning sign for what could happen in the future. As we come to rely more and more on web services, and as the net-connected gadgets of the "internet of things" gain in popularity, the risk of attacks will continue to rise.

IoT security has been notoriously ineffective over the last few years, with hackers taking advantage of vulnerabilities to launch assaults. Hassan has called out IoT makers for their lack of security. She's co-sponsored an IoT bill for the federal government, which she says will bring connected devices up to speed on security without restricting innovation.

She's also questioned companies like Equifax and introduced a bill for government bug bounty programs.

CNET spoke with Hassan last week about the rapid expansion of the internet of things and why she thinks the government needs to step in. Here's an edited transcript.

Q: Where do you see the state of security when it comes to consumer technology?
Hassan: There are 5.2 billion IoT devices this year alone, and there will be more than 50 billion by 2020. While these interconnected and internet-accessible devices have played a critical role in improving the efficiency of our daily routines, there are also significant risks involved with having so many of these things connected to one another and the internet without a lot of consumer understanding and very little standardization to really help us navigate this.

Q: Why is it important for Congress to play a role in regulating IoT security?
Hassan: We know already that hackers have co-opted internet-connected devices that have had little or no security and then turned those devices into cyberweapons.

In my home state of New Hampshire in 2016, these devices flooded the servers of Dyn, a sophisticated web-hosting company. And that overwhelmed and incapacitated not only Dyn, but dozens of companies that use Dyn services.

So the attack on Dyn led to dozens of major retailers and media going offline for several hours, causing an unknown amount of loss of revenue for these companies.

You can see an attack like the one they did on Dyn also being deployed in terms of public safety or other critical infrastructure. So that's why I think it's so important that we come together and set some standards here.

But not only set standards, as we've been trying to do, for instance with Sen. [Mark] Warner's bill, but also raise consumer awareness about what they need to do to ensure that their IoT devices can't be weaponized.

Q: Do you think we would be where we are today in security if government had played a bigger role during the rise of the personal computer?
Hassan: I certainly think that our understanding of the vulnerability of our internet and cyber world has evolved. What's very important now is that there is bipartisan attention to this issue and bipartisan support for addressing it.

There are differences, obviously, on how exactly to go about it, but what I focused on is working with [Democratic] Sen. Warner and Sen. Ron Wyden, a Democrat from Oregon, and Sen. Cory Gardner, a Republican from Colorado, for instance, on Sen. Warner's bill, making sure that we move forward and setting standards that allow consumers, for example, to judge what kind of IoT devices they're going to get, based on their understanding of what standards the companies follow.

Q: Cars have been heavily regulated for safety before they can be sold. Do you see that sort of thing happening with consumer technology?
Hassan: What's really important to balance here is the need to spur innovation in this space with the need to make sure that there are standards in place to protect people. So one of the reasons that I am a co-sponsor of Sen. Warner's bill is that the bill would require that anytime the US government purchases an internet-connected device, that device would have to adhere to certain baseline cyberstandards.

Because the federal government is such a massive consumer of these types of devices, that would incentivize private companies to improve their cyberstandards, but also allow them to innovate in terms of their own cybersecurity standards as they do that.

Q: Have you seen cybersecurity being treated as a bipartisan issue, or have you seen political lines drawn?
Hassan: It is a bipartisan issue on the Homeland Security Committee on which I sit. I am co-sponsoring a bill with Sen. Rob Portman, a Republican from Ohio, that would try to help us strengthen Homeland Security cybersystems. There's a lot of bipartisan support, because we do understand how important this issue is.

It's important, obviously, in terms of the way the internet of things can be weaponized. It's important for our Homeland Security systems. It's important for our election systems, and we all understand that.

Q: Are tech companies willing to work with Congress on fixing their products and their platforms?
Hassan: What the companies are beginning to understand is that our networks and our data are only as secure as the weakest link in the chain. And so, if you just leave it up to the market to eliminate unsecured devices or raise standards, that's not going to be a short-term or long-term solution. Companies are beginning to understand that.

We always have to work with the private sector to balance their needs to be able to innovate and be nimble in their competitive market with the government's needs to make sure that we have some standards in place that would protect the consumers, and protect all of us in this increasingly interconnected world.

But I am encouraged by the kind of constructive dialogue that we've been able to have with industry, and again, encouraged that there's bipartisan attention to this, which should help us continue that kind of constructive dialogue with industry.

Q: Silicon Valley's way of working is usually to push forward first and deal with the issues after. Why doesn't that fit in with how Capitol Hill operates?
Hassan: What you're seeing now is a recognition by tech companies that some of their approach to innovation and development has had a series of unintended consequences. Understanding history now, we want to turn our attention to ways in this tech space that we can be intelligent about the kinds of standards we set.

We need to listen to tech companies to be sure about how we go about doing this so that they can continue to innovate, but it's our job to make them aware, as well as consumers, that we really do have threats we have to address.

That's something the public sector should be doing in partnership with the private sector, listening to the public's concerns.

Q: Do you think Americans are getting a bad deal with security when it comes to the technology they buy?
Hassan: It is really important that consumers are aware that the products they purchase actually have internet connectivity, and I think there are a fair number of consumers who may not understand that.

So one of the things we need to be doing is encouraging consumers to read instructions that come with their devices. So that, for instance, they can change their default passwords for some of these internet-connected devices. They can make sure that the software of the device is up-to-date, they can make sure they have the latest security patches.

But it's the job of the producers to make clear to consumers that their devices are internet-connected, and include instructions about how to change these passwords and take other very simple security measures.

The federal government has a role to play in strengthening awareness of internet-connected devices, so that consumers can recognize the devices and what they need to do in order to maintain good cyberhygiene.
