Federal officials know the benefits and dangers that Internet of Things devices represent — they likely have them in their homes, and they read the news when IoT devices are hacked. However, according to a recent survey of federal officials, more than a third of feds say they don’t know what their agency is doing to secure IoT devices, even though security is viewed as the top priority for IoT.
The survey, conducted by the Government Business Council (GBC) and underwritten by Brocade, found that 60 percent of respondents rate security as the top priority for IoT devices, outranking other features like stability (17 percent), accuracy (13 percent) and speed (11 percent). Moreover, while two in three respondents say the ability to capture and share information from such devices is important, 89 percent say the security of these devices is of paramount importance when executing their agencies’ missions.
Further, a large majority — 74 percent — of respondents believe IoT should be as tightly secured as core infrastructures, like data centers and core servers, to keep pace with more sophisticated threats.
The survey paints a portrait of a federal workforce that is aware of IoT’s benefits, unsure of how their agencies are securing such devices, yet confident that more needs to be done to enhance the cybersecurity of connected devices.
GBC sent the survey to a random sample of federal respondents in January 2017. The pool of 442 respondents includes a largely senior audience, with 69 percent holding positions at the GS/GM-12 level or above. Fully 53 percent are supervisors with direct oversight of one or more employees, and 25 percent hold ranking positions in the Defense Department. Respondents represent more than 30 federal agencies and hold a variety of job functions, with the highest input coming from project/program managers, technical/scientific personnel and administrative staff.
Appreciating IoT — and IoT Security Concerns
The survey found that feds are aware of and appreciate IoT. About a quarter (24 percent) of respondents say their agency has increased adoption of IoT devices and applications within the last year, indicative of IoT’s continuing growth and utility in public sector services, Brocade’s report on the survey notes. Another 45 percent say IoT adoption has held steady, 8 percent say it has decreased and 23 percent say they do not know. Further, 57 percent of respondents believe IoT expansion will merit at least some level of priority status for their agency in the year ahead, with 17 percent describing it as critical or high priority.
Feds also see the advantages of deploying IoT. When asked which benefits were most responsible for driving IoT expansion at their agency, respondents point to enhanced mission capabilities (55 percent) and the ability to work flexibly from home or in remote locations (50 percent) as the top drivers. Additionally, 72 percent of respondents believe the capability to capture and share information with IoT devices in the field to be very (39 percent) or extremely (33 percent) important to their agency’s mission.
However, despite the enthusiasm for IoT, security is always lurking as a concern. The survey found that 89 percent think it is very (38 percent) or extremely (51 percent) important that such devices operating at the network edge are secure from malicious attackers.
When it comes to current IoT security policies, there is a split among feds on how it is being tackled. The survey found that 21 percent say all or most IoT devices are secured at the edge (e.g., via built-in encryption, authentication, service management, etc.), 20 percent say all or most IoT devices are secured by the core network (e.g., via central data center or the agency’s cloud), 15 percent say security is shared between the core and the edge, and 9 percent say their organization does not yet have an IoT security strategy. However, a whopping 35 percent say they simply don’t know.
The Way Forward on IoT Security
Moving forward, feds want stronger security for IoT. The survey found that 74 percent of respondents agree (32 percent) or strongly agree (42 percent) that the government should set baseline standards governing IoT security, as opposed to relegating this governance to individual agencies.
IoT security needs to be approached in a comprehensive way and designed into federal IoT devices from the start, according to Judson Walker, chief technology officer of Brocade Federal. He notes that as hundreds of millions and potentially billions of devices get connected to the internet in the years ahead, no one agency can handle that.
“There has to be more of a conversation around built-in security, not security in a bolted-on way,” he says.
Insufficient funding (39 percent) and slow procurement processes (39 percent) were the most cited impediments to improving IoT security at the network’s edge, according to the survey, followed by a lack of technical expertise (30 percent) and an inability to adapt as new threats emerge (23 percent).
Walker cited the National Security Agency’s Commercial Solutions for Classified (CSfC) program as a potential model for a governmentwide security standard for IoT. The program was launched several years ago after IT leaders concluded that traditional procurement was unable to keep pace with changing mission objectives and evolving user needs, the report notes.
“Instead of gathering requirements and contracting a vendor to produce a unique product, CSfC provides a set of baseline security requirements that allow the development of packages which are turnkey commercial solutions for agencies,” the report notes.
Yet 66 percent of survey respondents had never heard of the program, which gives agencies access to an a la carte menu of vendors. Since agencies are not aware of the program, they have not tried to implement it, Walker says.
Moving forward, Walker says, agencies need to be “more nimble” in cybersecurity, especially with IoT, because malicious actors should not be allowed to gain access to hundreds of thousands or potentially millions of connected devices. Agencies can use technology like software-defined networking to infuse intelligence into connected devices and set security policies that can be automatically applied to many devices at once in real time, he notes.
“Those interactions need to happen as quickly as we can, as we deal with the manipulation of cyberspace,” Walker says of adversaries’ capabilities. “We’re not dealing with minutes or seconds, we’re dealing with milliseconds or less.”