The Rise of IoT Botnets and Global Cybersecurity Measures
🛡️Dear #Network, I would like to share a few thoughts on the impact of cyberattacks on law.
✏️Big cyberattacks, like the SolarWinds supply-chain compromise disclosed in December 2020 (also called Solorigate) and the Colonial Pipeline ransomware attack in May 2021, pushed companies and regulators toward stronger controls such as Zero Trust architectures, multifactor authentication (MFA), and encryption of data at rest and in transit.
✏️Another attack, the Mirai botnet, took control of hundreds of thousands of devices that still used weak or factory-default passwords. In 2016, attackers used the Mirai malware to take over Internet of Things (IoT) devices such as IP cameras, digital video recorders (DVRs), and home routers. Mirai scanned the internet for devices exposing Telnet and tried a built-in list of a few dozen default username and password pairs. Once a login succeeded, it installed itself, took control of the device, and added it to a botnet that was then used to attack the Domain Name System (DNS) provider Dyn. The attack on October 21, 2016, came in three waves, disrupting Dyn's DNS service and knocking major websites offline across North America and Europe.
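The propagation step described above (a scanner cycling through a fixed list of factory-default Telnet credentials until one succeeds) leaves a very recognizable trace in device or honeypot logs. The following is an added example, not code from the original post: it parses a constructed, simplified Telnet login log (timestamp, source, username, password, result; the format is an assumption) and flags both a source that cycles through several known Mirai default pairs and any successful login with one of them. The credential list is a subset of the pairs in the publicly leaked Mirai source and is illustrative, not exhaustive.

```python
"""Detect Mirai-style default-credential activity in Telnet login logs.

Added example for this post, not the author's code. Log format and the
sample lines below are constructed; the credential list is a subset of the
pairs from the leaked Mirai source (illustrative, not exhaustive).
"""
import re
from collections import defaultdict

# Subset of the factory-default (user, password) pairs Mirai's scanner tried.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("user", "user"),
    ("admin", "1234"), ("root", "12345"), ("ubnt", "ubnt"),
    ("guest", "guest"), ("service", "service"),
}

# Assumed log format: one login attempt per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)

# Constructed sample: one scanner cycling Mirai defaults (RFC 5737 test
# address) and one ordinary user logging in.
SAMPLE_LOG = """\
2016-10-21T11:10:01Z src=203.0.113.7 user=root pass=xc3511 result=fail
2016-10-21T11:10:02Z src=203.0.113.7 user=root pass=vizxv result=fail
2016-10-21T11:10:03Z src=203.0.113.7 user=admin pass=admin result=fail
2016-10-21T11:10:04Z src=203.0.113.7 user=root pass=888888 result=fail
2016-10-21T11:10:05Z src=203.0.113.7 user=root pass=xmhdipc result=fail
2016-10-21T11:10:06Z src=203.0.113.7 user=root pass=default result=success
2016-10-21T11:12:40Z src=198.51.100.20 user=alice pass=S3cure!pw result=fail
2016-10-21T11:12:55Z src=198.51.100.20 user=alice pass=S3cure!pw2 result=success
"""


def parse_line(line):
    """Return the fields of a well-formed attempt line, or None for junk."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, scan_threshold=3):
    """Return a list of alerts.

    - 'default_credential_login': a login succeeded with a Mirai default pair
      (the device is effectively owned; treat as critical).
    - 'mirai_scan': one source tried at least scan_threshold distinct Mirai
      default pairs, the signature of the scanner loop.
    """
    tried = defaultdict(set)  # src -> set of Mirai default pairs attempted
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        cred = (rec["user"], rec["pw"])
        if cred not in MIRAI_DEFAULTS:
            continue  # ordinary traffic, not part of the dictionary walk
        tried[rec["src"]].add(cred)
        if rec["result"] == "success":
            alerts.append({"kind": "default_credential_login", "severity": "critical",
                           "src": rec["src"], "ts": rec["ts"], "cred": cred})
    for src, creds in tried.items():
        if len(creds) >= scan_threshold:
            alerts.append({"kind": "mirai_scan", "severity": "high",
                           "src": src, "attempts": len(creds)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields two alerts for 203.0.113.7 (a critical default-credential success and a six-pair scan) and nothing for the legitimate user. The detection is only a stopgap: the fix the later paragraphs describe in regulatory terms is to ship devices without a shared default password and with Telnet disabled, so the dictionary walk has nothing to hit.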
✏️In November 2024, researchers described a threat actor called Matrix that had turned smart devices into a global botnet and was using it for DDoS attacks that flooded websites with traffic. Matrix installed Mirai-based malware on IoT devices with weak credentials to take control of them. As the botnet grew, the actor began advertising DDoS-for-hire services, letting customers rent access to the compromised devices to launch their own DDoS attacks.
✏️In response, the UK became the first country to enforce cybersecurity requirements for consumer IoT devices through legislation. The Product Security and Telecommunications Infrastructure (PSTI) Act 2022, whose product security regime came into force on April 29, 2024, requires manufacturers of smart devices sold in the UK to eliminate universal default passwords (the NCSC helped shape the underlying standard; enforcement sits with the Office for Product Safety and Standards). Since January 1, 2020, California's IoT security law (SB-327) has required connected devices to have reasonable security features, which rules out shared default passwords.
✏️The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is the first EU regulation to set horizontal minimum cybersecurity requirements for all products with digital elements placed on the EU market, and as a regulation it applies directly in every Member State. It entered into force on December 10, 2024, and is being phased in: manufacturers' vulnerability and incident reporting obligations apply from September 11, 2026, and products placed on the market must comply fully from December 11, 2027.
✏️Storing data in other countries carries risks such as data leaks, unauthorized access, and foreign government surveillance. Privacy laws differ from country to country, and the rules of the host country can conflict with the regulations the data owner is subject to at home.
✏️Operating in both the EU and the USA means navigating two distinct legal systems. The EU also currently has fewer data centers than the US and China, which limits its capacity to store and process large volumes of data within its own borders.
✏️Personal data may only be transferred outside the EEA if the transfer meets the conditions in Chapter V of the EU GDPR (an adequacy decision, appropriate safeguards such as standard contractual clauses, or one of the narrow derogations). These conditions apply in addition to the rest of the GDPR, not instead of it.
✏️The USA's International Traffic in Arms Regulations (ITAR) control the export of defense articles and related technical data to foreign persons, whether they are abroad or inside the US (a so-called deemed export). Sharing defense-related technical data internationally, including giving a foreign national access to a server that holds it, may therefore require prior authorization from the US State Department's Directorate of Defense Trade Controls (DDTC).
✏️The US CLOUD Act of 2018 lets US law enforcement compel US-based providers to hand over data in their possession, custody, or control, no matter where it is stored, even outside the US. Currently, US-based servers are the standard choice for handling ITAR-controlled technical data.
✏️In the EU, work on the bloc's own cloud legislation, the Cloud and AI Development Act, is underway. The public can provide feedback between April 9, 2025, and July 3, 2025.