How IoT Changes the Role of the Federal CISO
The Internet of Things has the potential to let agencies deploy innovative solutions, from wireless beacons that make it easier to track first responders to self-driving cars. Yet as the private sector has discovered, IoT also presents new security risks as more connected devices are added to networks.
Federal CISOs and IT security professionals need to rethink how they protect their IT environments by mapping their IoT connections and ensuring they are as protected as other IT elements like PCs, federal officials say. They also need to work with the private sector to make IoT devices more secure by design. Doing so will help protect federal IT environments while also allowing agencies to more fully tap into novel technologies.
To that, lawmakers in Congress have introduced legislation to strengthen security standards on connected devices the government purchases. Last week, Rep. Robin Kelly, the ranking member of the IT subcommittee of the House Oversight and Government Reform Committee, circulated but did not formally introduce new legislation on the issue.
This week is also the start of the third week of National Cyber Security Awareness Month, “Today’s Predictions for Tomorrow’s Internet,” focused on how IoT presents both new opportunities and new threats.
Speaking at a recent cybersecurity event in Washington, D.C., Katerina Megas, program manager for the IoT cybersecurity program at the National Institute of Standards and Technology, said “lines are blurring” on how the public and private sectors use IoT, according to Federal News Radio.
“I don’t know if we can say any longer, ‘What’s the path forward for the U.S. federal government and IoT?’” she said. “I think we need to solve the problem as a nation.”
NIST is considering publishing a report that would introduce agencies and industry to IoT. “When you purchase a device, are you asking whether that device has connectivity, because it has an embedded wireless chip, and the manufacturer may have embedded that chip because it serves their purposes,” Megas said. “You don’t know what you don’t know, that is always the worst; you don’t know to ask the questions. So what we’re trying to do is bring around some awareness to federal agencies to start asking the right questions.”
How to Get a Handle on IoT Devices
Rod Turk, the CISO and acting CIO of the Commerce Department, said at the same event that CISOs and those who work for them need to evaluate IoT security holistically and assess the risks associated with connecting new devices.
“Know what’s in your environment,” he said, according to Federal News Radio. “You may not know all of your IoT, but I’ve got a good hunch that you’ve probably got a sense of where it all is. You know your printers, you know your copiers now have computers in them.”
All of those devices store information and can send it out to random locations, Turk said.
IoT devices use sensors to collect information, which then gets sent to aggregators that format, translate and send the information back to individuals or networks. CISOs must have detailed information about all the elements of that process and control the flow of data.
“You need to spend more time on that high risk stuff. You may have low risks that you’re not worried about, then put the low-rated controls on those and don’t spend as much time,” Turk said. “While there is a lot of chaos, a lot of complexity in IoT, I think a lot of the basic cybersecurity discussions still apply. You’ve still got to know what those IoT devices are if you can, and then apply in that chain of how that data is accessed and moved, try to manage that flow of data within that scenario.”
Framing IoT Security Requirements
In August, a group of U.S. senators introduced legislation that would require vendors who supply the federal government with IoT devices “to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements,” according to a statement.
The legislation, the Internet of Things Cybersecurity Improvement Act of 2017, directs the Office of Management and Budget to develop alternative network-level security requirements for devices with limited data processing and software functionality. Agencies could then ask OMB for permission to buy some noncompliant devices if other controls, such as network segmentation, are put in place.
Additionally, it would direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines for each agency with respect to any connected device in use by the government, and include policies and procedures for conducting research on the cybersecurity of an IoT device.
Kelly circulated a discussion draft of similar legislation in the House, FCW reports.
IoT security is complex, Megas said, and industry should provide a framework for each agency to assess its own cybersecurity risks. “There might be areas in healthcare where you may opt to expose yourself to some risk because you just cannot have a connective pacemaker be less than reliable,” Megas said. “You can’t allow it to skip a beat.”
Michael Valivullah, CTO at the Agriculture Department’s National Agricultural Statistics Service, said at the industry event that there needs to be ways for agencies to test whether IoT devices are performing as they are supposed to, Federal News Radio reports.
“That could be risk management, that could be putting more controls on it, more compliance on it,” he said. “I think we need to help industry understand our needs and help them devise those things that we consider important in terms of control and security.”
IoT device-makers and designers need to work with users to help improve the security of connected devices, Valivullah said, as they try to strike a balance.
“We don’t want to suffocate innovation and put all these restrictions on it, but at the same time we don’t want to be at a place where it is all wild wild west and a free for all and you lose control of the device,” he said.