Feds Need a Defense Strategy for IoT
The rapid growth of Internet of Things devices offers benefits to government agencies and the general public, as well as economic growth for U.S. businesses. However, IoT technology brings with it boundless opportunities for attackers.
From across the globe, adversaries are weaponizing connected devices to launch devastating distributed denial-of-service (DDoS) attacks. IoT botnets, such as Mirai, leverage devices in DDoS attacks against critical infrastructure, private organizations, federal agencies and individuals.
Government can address this, but it helps to consider what makes IoT devices dangerous.
Some IoT manufacturers lack financial incentive to design vulnerability-free devices. Others design devices to be less expensive, and security takes a back seat.
The Best Way to Defend Against IoT Threats
Prescriptive, rigid government regulations are not the solution. Internet service providers and IoT manufacturers do not yet have the economic incentive to eliminate vulnerabilities. Rigid regulation could lead to opportunity costs for manufacturers who struggle to meet requirements and guidelines that could become outdated. Further, a legislative remedy would not regulate IoT devices manufactured internationally.
Adequate IoT security must compensate for this. Automatic updates would be more useful to agencies, other organizations and consumers. However, if the delivery mechanism is not secured and verified, then it becomes another attack vector for adversaries who inject malicious code into software bundles, many signed by trusted sources.
Instead, the IoT threat landscape can be secured in two ways: by focusing on security during development, and through a standardized adaptive cybersecurity framework.
Make IoT Devices Secure by Design
The National Institute of Standards and Technology has promoted security by design. In addition, the National Security Agency’s Information Assurance Directorate, former Federal CIO Tony Scott and others have pushed for responsibly manufactured technologies. In this scenario, attention to security would start during design and be maintained through manufacturing and after distribution, with patches and updates to minimize attack targets.
Still, more can be done. In 2014, NIST published a cybersecurity framework that has been highly praised in the public and private sectors for its effective guidance, ease of implementation and scalability. A similar framework from NIST focused on IoT devices would enable device makers to implement cybersecurity despite evolving threats.
Finally, the culture around securing IoT devices must change. Gartner estimates that as many as 20.4 billion IoT devices will be in use by 2020. Roughly 4,000 new IoT devices are connected to the internet every day. Of those, at least 4.6 percent are susceptible to unsophisticated malware that infects devices using default credentials or known exploits. Using malware such as Mirai, a few thousand devices could overwhelm critical infrastructure. A hundred thousand or more could threaten the internet.
To minimize this risk, the IT community must take action. Agencies and users should change default settings. Manufacturers should incorporate security by design throughout a device’s lifecycle. And regulators should establish an adaptive and comprehensive IoT cybersecurity framework.
If stakeholders fail to act, then we could face a frightening prospect: Internet usage and connectivity may be controlled by cyberthreats.