Oct 12 2016

NSA, DHS and DOJ Highlight Security Threats Posed by IoT

Federal agencies are sounding the alarm over the need to secure thousands — soon to be millions — of connected devices inside the government.

The Internet of Things (IoT) is expected to continue to grow in the years ahead, with research firm Gartner predicting that the number of connected devices worldwide will skyrocket form 6.4 billion in 2016 to 20.8 billion in 2020. For the federal government, all of those Internet connections present both an opportunity and a potential threat.

Agencies are using the IoT in a variety of ways, including via drones and connected sensors that measure data for research and track cargo and fleets of vehicles. But in the last few weeks, officials from three federal agencies have raised concerns about the potential cybersecurity threats from connected devices.

The Department of Homeland Security and the National Cyber Security Alliance (NCSA), a public–private partnership, have for the past 13 years recognized October as National Cyber Security Awareness Month. The cybersecurity threat from the IoT is something the DHS is likely to highlight this month and for months to come.

Officials from the DHS, the National Security Agency and the Justice Department have raised concerns about how IoT devices could be exploited by malicious actors. A top DHS cybersecurity official has proposed a new set of “unifying principles” to secure the IoT, but some commentators think such an effort would be duplicative. Either way, the debate over how best to secure the IoT in the federal government is sure to continue.

NSA, DOJ and Highlight Concerns

Over the past few weeks, federal officials have used various cybersecurity forums to discuss their approaches to securing the IoT, which relies on a combination of wireless connectivity standards.

Speaking at the U.S. Chamber of Commerce’s 5th Annual Cybersecurity Summit on Sept. 27, NSA Deputy Director Rick Ledgett noted that “it is a fundamental truth of cybersecurity that your network is only as secure as the weakest piece of hardware or software on [it],” FedScoop reported.

“And the connection to our networks of hundreds of thousands, maybe millions, of internet-connected devices that come from multiple vendors and have differing software and hardware upgrade paths — without a coherent security plan — means that there are vulnerabilities [created] in those networks,” he added.

Ledgett noted that many IoT devices are designed to last for more than a decade and may not receive regular security patches via over-the-air updates, FedScoop reported, which could make them vulnerable to attackers. He also warned that IoT devices could be hacked and turned into botnets and used to drive distributed denial-of-service attacks.

The IoT carries both benefits and security risks, Ledgett said, adding that, as it evolves, “the focus on security is going to continue to grow.”

Meanwhile, the DHS is developing a set of “unifying principles” and best practices to help IoT device vendors and end users secure connected gadgets. Robert Silvers, assistant secretary for cyber policy for the DHS, speaking at the Security of Things Forum 2016 on Sept. 22, in Cambridge, Mass., urged those involved in IoT security to “accelerate” their efforts, according to Network World.

“The challenge of addressing IoT security on the front end is outweighed only by the far greater challenge of trying to bolt on or patch on security on the back end once an ecosystem is deployed,” Silvers said. “So we all need to think about what we can do right now to get this architecture built the right way.”

The DHS principles will focus on how to patch devices already deployed and may involve cloud security, Network World noted. Silvers said such principles are needed as more Americans rely on the IoT for “life-sustaining” devices and services, eWeek reported.

“We’re growing a national dependency [on connected devices] and it’s important that we recognize that and that internet of things security … is now a public safety issue,” Silvers said, according to eWeek.

Additionally, Reuters reported that the Justice Department announced earlier in September that it had created a threat-analysis team to explore how best to secure the IoT. John Carlin, assistant attorney general and head of the Justice Department’s national security division, said the team is looking at how to protect the IoT from exploitation by “terrorist threats” and those who might hack into devices to cause loss of life or achieve political or economic gain.

What Should Be Done to Secure the IoT?

The Online Trust Alliance (OTA), a nonprofit working with businesses and policy makers while promoting ways to boost cybersecurity, found last month that “every vulnerability or privacy issue reported for consumer connected home and wearable technology products since November 2015 could have been easily avoided” with better security policies. OTA found that the vulnerabilities were due to factors such as insecure credential management, a lack of rigorous security testing as products were developed, and a lack of transport security and encrypted storage.

“If businesses do not make a systemic change, we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry on a whole due to their security and privacy shortcomings,” OTA President and Executive Director Craig Spiezle said in a news release.

Yet some question the rush to implement more and more security standards. Independent analyst and freelance writer Ariel Robinson, who focuses on technology, security and defense policy, wrote in an op-ed on Nextgov that the DHS is “late to the game, in terms of IoT industry and governance, and its duplicative efforts may have an adverse effect on overall security by confusing stakeholders with yet another list of best practices and policies. DHS should leverage its resources (and taxpayer funding) to drive awareness and adoption of existing frameworks, rather than reinvent the wheel.”