Cybercrime and the War on Digital Free Speech




The internet is increasingly a target for those who want to silence speech. An Oct. 21 cyberattack rendered social media sites like Twitter and Reddit and news sites like Fox News and CNN inaccessible to millions of users. Another attack took down the website of independent cybersecurity researcher Brian Krebs.

This is a problem for civil society. As citizens spend more and more of their time on the internet, it is increasingly where they seek to express themselves. According to the Pew Research Center, 87 percent of American adults use the internet and spend an average of 6.2 hours online every day. Roughly 76 percent of Americans report having a social media account, and most consume news through social media outlets. Cyberattacks that target both social media and traditional media sites threaten Americans’ digital free speech.

But as a locus of economic and social activity, the internet also attracts criminal activity. The Oct. 21 distributed denial of service (DDoS) attacks on social and traditional media used botnets — networks of unprotected, interconnected devices, such as DVRs, security cameras, and routers. A botnet sends a barrage of requests to a target — in this case the domain name service provider Dyn. DDoS attacks are a type of asymmetric warfare, the popular refuge of terrorists and cybercriminals.

Shortly before the attacks on Krebs and Dyn, Krebs and Dyn’s Doug Madory published research suggesting their findings of collusion between DDoS mitigation services and cyber-criminals who perpetrate DDoS attacks. The attack on Dyn happened just hours after Madory finished a public presentation on their joint research. It’s too early to reach any definitive conclusions, but it certainly seems someone wanted to silence them.

The attacks on Krebs and Dyn were built on the Mirai source code, the same malware now estimated to have infected nearly half a million internet-connected devices. As more unprotected devices connect to networks through what has come to be known as the “internet of things,” DDoS attacks will intensify. A research firm found the average North American home now contains 13 internet-connected devices. Business Insider forecasts there will be 34 billion devices connected to the internet by 2020.

Director of National Intelligence James Clapper believes the attacks likely came from nongovernmental actors. An anonymous hacker affirmed that conclusion, telling the Associated Press the recent attack was a test to measure the tool’s capabilities and suggested the next target would be the Russian government. Because they came from a dispersed network of compromised devices, it’s hard to identify the source, much less infer intention.

But they certainly are drawing the interest of policymakers. In a letter to the Federal Communications Commission, Federal Trade Commission, and the Department of Homeland Security’s cybersecurity center, Sen. Mark Warner, D-Va., solicited expert advice on device-patching practices and how to secure the “internet of things.” He also asked the agencies to explore whether it would be legal or and viable for internet service providers to block insecure devices from using their networks and how vendors should warn their customers of security risks.

Before we resort to new laws or regulations, it’s worth exploring how to better align market incentives to encourage companies to consider cybersecurity concerns in their products, from conception through rollout and beyond. More than 500,000 devices used in the Mirai botnet had weak default passwords and could not be patched or upgraded after the fact. This problem could be mitigated, if companies focused on building and adopting open-source industry standards and protocols specifically designed for the internet of things.

Other practices that would help secure devices include authentication processes — such as digitally signed drivers — for updates; performing static and dynamic pre-market device testing; avoiding generic default passwords; minimizing or eliminating backdoors; and notifying users of meaningful changes in a device’s behavior. Private firms and government employers also should encourage vendors to invest in cyber insurance to help companies internalize the risk of device insecurity.

To be sure, there is a role for government to encourage industry to develop and adopt these practices. The National Telecommunications and Information Administration already fills that role by consulting stakeholders.

But there also is a clear market opportunity for third-party accreditors and consumer ratings organizations to provide information about the security of internet-of-things devices. Some of this is already under way. Underwriters Laboratories announced a new cybersecurity testing and certification program in April, which offers incentives for firms to consider how to work security into product designs and how to make those features transparent to consumers.

If the internet isn’t secure, our platforms for free speech won’t be either.