BERLIN (Reuters) - Talks on forming a new German government offer a chance to revive plans that would put the onus on network operators and device makers to make the so-called Internet of Things safe from hacker attacks, a senior lawmaker told Reuters.
Many connected devices, like web cameras or ‘smart’ fridges, have software vulnerabilities that can be exploited to recruit thousands of them into ‘botnets’ and launch cyber attacks.
These can be hard to fix because owners are not aware of the problem or manufacturers fail to provide adequate after-sales support - issues that tougher regulation could address.
“We need a stronger responsibility regime for the whole Internet of Things (IoT),” Thomas Jarzombek, digital affairs spokesman for Chancellor Angela Merkel’s Christian Democratic Union, said in an interview.
Merkel’s last government tried to pass legislation to strengthen the anti-botnet regime but the initiative failed due to internal disagreements over whether equipment makers should be held liable for damages from such attacks.
She won re-election last month with a reduced vote and has begun informal talks with the smaller Free Democrat and Green parties on forming a new coalition.
Jarzombek, speaking before a working group on digital policy convenes on Thursday, said the other parties were more “pragmatic” on the cyber security issue than erstwhile coalition allies the Social Democrats.
“There are some sharp people in the other parties - I think we can work with them on this,” he said.
In one high-profile botnet attack a year ago, hackers used a piece of software known as Mirai to cripple an internet infrastructure provider, blocking access to PayPal, Spotify, Twitter and dozens of other websites for hours.
Now, experts are warning about the emergence of what appears to be a more powerful strain of attack malware — variously named “Reaper” and “IoTroop” — that spreads via security holes in IoT software and hardware.
There are indications that over a million organizations may be affected already, Internet security expert Brian Krebs wrote in a recent blog post.
Jarzombek proposes empowering Germany’s Federal Network Regulator to warn network operators if a device is found to be part of a botnet and, if necessary, act to shut it down.
Manufacturers would be required to provide software updates until a specified date to guard against attack, and consumers should have the right to exchange a product that can’t be made safe, he said.
Reporting by Douglas Busvine and Emma Thomasson; Editing by Andrea Shalal and Mark Potter