The U.S. government is starting to lock down the Internet of Things (IoT). Last week, Senators Mark Warner (D-Va.) and Cory Gardner (R-Co.) introduced a new bill to help enforce security measures on IoT products sold for government use. The bill, titled the Internet of Things Cybersecurity Improvement Act of 2017, will affect any wearables, sensors, or internet-connected tools sold to federal agencies.
According to a 2016 study by the Center for Data Innovation, the U.S. government is using IoT devices in key areas to improve facilities and reduce costs. Below is a list of how IoT products are currently being used.
- Smart buildings. By 2014 the General Services Administration (GSA) had installed thousands of low-cost connected sensors in 80 high-energy-use government buildings. The sensors identified 10,000 inefficiencies in federal buildings.
- Vehicle fleet monitoring. The GSA uses telematics to track, locate, and monitor the emissions of 204,000 vehicles, so as to ensure compliance with the March 2015 executive order to reduce government vehicle greenhouse gas emissions 4% by 2017, 15% by 2021, and 30% by 2025.
- Asset monitoring. The Department of Defense (DoD) uses RFID tags and sensors from connected devices to track and manage military supplies, such as clothing, construction materials, and medical supplies. By 2011, the Defense Logistics Agency and the U.S. Transportation Command were monitoring 3.5 billion transactions per month from 67 DoD logistics systems and 250 commercial transportation carriers.
- Automating manual processes. Agencies in the federal government have been using IoT to reduce costs by automating manual processes. For example, the Department of Agriculture’s National Agricultural Statistics Service has been collecting data automatically from connected farm technologies such as soil moisture sensors instead of employing individuals to collect the data manually.
- Future services. The federal government hopes to use IoT-connected sensors and devices to improve the DoD’s communication capabilities, data collection services, connected aircraft, and network-centric warfare, in addition to improving supply chains and providing better care to soldiers through asset and human monitoring technologies. Such sensors also help provide better weather prediction through enhanced monitoring, giving more accurate timetables for natural disasters.
The Internet of Things Cybersecurity Improvement Act of 2017 would ensure that the devices used by the government are secure by creating a list of requirements for IoT providers:
- Manufacturers and distributors of internet-connected devices for federal government use would be required to ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords that cannot be changed at a later time, and do not contain any known security vulnerabilities. The latter would be verifiable against National Institute of Standards and Technology’s (NIST) National Vulnerability Database.
- The legislation also makes critical changes to the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act to remove legal risks for cybersecurity researchers engaging in good-faith research or ethical hacking.
- The Office of Management and Budget would develop alternative network-level security requirements for devices with limited data processing and software functionality.
- The Department of Homeland Security’s National Protection and Programs Directorate would create guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. government.
- An inventory would be created for all IoT-connected devices in use by the federal government.
Nicholas Weaver, a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, Calif., said he would like to see three more additions to the law: “A country of origin-based limitation on storage, a similar limitation for purchases, and extending these requirements to those with active top-secret clearances.” These additions help protect IoT devices from foreign attacks.
“Only manufacturers headquartered in a Five Eyes alliance country should be allowed to sell IoT devices to the U.S. government that store unencrypted data remotely or use remote processing,” Weaver notes. As an example, he said the U.S. could purchase devices from a French company, but only if the cloud-connected device in question encrypts the stored data.
According to Steve Brumer, a partner at global advisory and execution firm 151 Advisors—which specializes in mobility, IoT, smart cities, security, and cloud-based technologies—the expansion of government funding into security will allow for the development of resources necessary to stay ahead of hackers and cyberattacks. However, the true answer is to develop standards for IoT devices going forward.
“Regulation is often good for business because it will force government agencies to spend money—via IoT security companies, in this case—and it propels the adoption for needed solutions with or without standards,” Brumer said. “Most companies and agencies do not want to allot a budget to security because security does not generate revenue. Spending on security is purely reactive. No one would have spent any budget on security without Target, Sony, and the many other security breaches.
“The largest threat to security is known security flaws, since most hackers exploit security flaws for which patches have been sent but which consumers and companies have not downloaded,” he continued. “Government funding will provide security companies with the revenue they need to expand and develop tools that will be less expensive for companies in the next couple of years. But without addressing the need for worldwide standards in IoT, this will be a Band-Aid reactionary model.”
In an interview with Recode.net, Warner admitted that there is no way to fully account for all the IoT devices under the government’s possession. Nevertheless, the time to develop standards and regulations is now if the future of cybersecurity is to be ensured.