“We often refer to the Cuyahoga River in Cleveland that caught on fire over 20 times before we actually did something to introduce the Clean Water Act,” says Allan Friedman, the director of cybersecurity initiatives for the Department of Commerce’s National Telecommunications and Information Administration (NTIA), in conference call on Monday. “I don’t know if you can count this [Friday’s masive DDoS attack] as an internet on fire—I know a lot of the people who were affected called it an internet on fire—but it may take several of these before we are sufficiently motivated. ... Given the very uncomfortable nature of some of the policy responses and the very long lead time to implement them and bring new problems to market, I think now is the time to start.” Government should start working to prevent future attacks immediately, Friedman warned.

— “Baby Steps” / Tim Starks reporting in Politico, quoting Homeland Security Secretary Jeh Johnson: “The recovery from last week’s attack that downed major websites like Twitter and Netflix appears to be complete. But preparing for the next huge distributed denial-of-service attack like the one that hit domain name system provider Dyn is still making baby steps. ... the department is working with law enforcement and the private sector to defend against Mirai and similar threats. And he pledged that DHS [Department of Homeland Security] would produce a strategic plan “in the coming weeks” to protect internet of things devices.”

— “Internet Under Siege: The Cost of Connectivity,” Rachel Ansley reporting from the Atlantic Council: “In the rush to produce cost-effective connected devices, not enough focus has been placed on security measures. ... [Joshua] Corman [the director of the Atlantic Council’s Cyber Statecraft Initiative] described how the widespread dependence on connected technology is exceeding the ability to secure devices. ‘In our race to adopt technologies for their immediate and obvious benefits, we seldom do the cost-benefit equation to notice the deferred cost in security risks these [devices] incur,’ he said. Once the devices are sent to market, security is no longer accounted for. Corman claimed that if the default posture of these devices is insecure, they will continue to pose a greater and eventually unmanageable threat.”