On Oct. 21, 2016, a massive distributed denial of service (DDoS) attack occurred against the domain name system (DNS) provider Dyn, causing widespread disruption of internet activity against the United States. A DNS is the part of the internet infrastructure that is responsible for translating domain names into numeric IP addresses, which ensures that information requests are routed to the proper server. The DDoS attack was accomplished when the attackers hacked a large number of unsecured internet-connected digital devices, such as CCTV videocameras and digital video recorders (i.e., the “Internet of Things” (IoT)), and directed the devices to transmit huge amounts of traffic to Dyn’s servers. The hack of the IoT devices was made possible because the owners of these devices continued to use default user names and passwords and the utilization of the Mirai bot, which scans the internet for IoT devices that use those usernames and passwords.
The DDoS raised public awareness and concern about the lack of adequate security in IoT devices. Approximately three weeks later, two federal agencies—the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST), an agency in the Department of Commerce—released their guidance concerning security for IoT devices.