NIST official: Internet of Things is indefensible

According to NIST fellow Ron Ross, the interconnectivity of the Internet of Things makes cyber threats inevitable.  (Image: Ron Ross / LinkedIn)

The interconnectivity of the Internet of Things (IOT) leaves public and private computer systems essentially indefensible, and no amount of security guidance can provide salvation.

That's the sobering assessment of a top analyst at the National Institute of Standards and Technology -- the agency responsible for providing such guidance. Federal officials can implement as many security controls as they want, said Ron Ross, a fellow in NIST's Computer Security Division, and hackers will still "have a slice of that pie that will always be accessible because there are things that are off our radar due to their complexity."

"You can comply perfectly with all of that stuff and you can still have a very vulnerable infrastructure because of the complexity," Ross, who was speaking at an April 16 event hosted by AFCEA's Bethesda chapter, added. "There are things that those standards and guidance … don't touch."

NIST is one of the primary dispensers of federal security guidance, which is not in short supply. As Ross put it, agencies are "drowning in guidance." His answer to the challenge is, ironically, more guidance.

Ross and his colleagues are working on a publication he hopes will be a rubric for applying security controls throughout the life cycle of IT systems. His goal for the document, he told FCW, is to "do a better job of engaging the right people in the organization, the decision makers who are taking those risk-based decisions, and get them involved early in the process."

A draft of that publication, NIST 800-160, has been published. Ross hopes to have a second draft out in the next four to five months, and a final version ready at the end of the year or early in 2016.

The non-binding document is aimed at anyone involved with or affected by IT engineering, in the public and private sectors alike. That means systems and software engineers, acquisition managers and C-suite security officials, to name a few.

During the panel discussion, Ross said tackling the insecurity wrought by the Internet of Things would require the kind of collaboration among government, the private sector and academia that helped the United States in its space race with the Soviet Union in the 1960s.

In a separate interview, Robert Bigman, a former chief information security officer at the CIA, said that a lack of federal policy governing the Internet of Things left a security vacuum. "There's a bigger problem" than the need for voluntary security standards, he said: "we don't have any governance policy or regulations at the … federal level, over this entire issue of the Internet of Things."

"No one's tackled this issue, and frankly, no one wants to tackle the issue," he added.

Bigman, now a private IT security consultant, suggested that the Office of Management and Budget task NIST with coming up with recommendations for regulating the IOT.

IOT hacks have occasionally raised eyebrows, but "no one's paying attention to the bigger issue," he said, referring to a lack of federal regulation.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Reader comments

Wed, Jul 1, 2015 Bryant

"No one's tackled this issue, and frankly, no one wants to tackle the issue." This article is a huge light bulb for hackers; the sad part is that the article is very true and it will be for the next decade until someone decides to step up to the plate. I found an interesting company out of California that is starting small but is about to release a new product for consumers. Check it out:

Tue, Jun 23, 2015 Simon Hartley Washington, DC

All is not doom and gloom. Recent DoD funded research in this area has thrown up a bright prospect for IoT hardening using one-time binary transformation with RASP technologies. RASP holds the promise of effective, fast and affordable IoT security. Reston-based Kaprica Security recently made a presentation on the subject to InfoSec professionals in the US and UK --

Mon, Jun 15, 2015 ken austin

Relying on federal standards to keep IOT devices secure is suicide. Lock your systems down. If a fed agency wants you to do it a certain way, ask them for their spec. If they have one, make a business decision on cost/risk of using it. If they have none, take your chances or walk away.

Wed, May 20, 2015 D. Scott CA, USA

I see all the typical buzzwords here, which typically cause great concern when discussing security: "complexity", "guidance", and "government". I also see "collaboration" mentioned, so there is hope... Glad Ron called it like he sees it...this level of honesty and straight shooting is sorely needed in the space.

Tue, May 5, 2015 Jeff Rutherford

Without a doubt, the IoT will open up new avenues for IT attacks for both public and private computer systems. Will monitors feeding data to the IoT be easily updatable with security fixes - next year or the years after? Many will not.

According to KPMG's Technology Risk Radar report, government IT is the number 2 target for IT incidents. The Technology Risk Radar is developed by evaluating and assessing 10,000 news articles related to IT incidents around the world to determine common themes, failures, and risks. You can read more about the KPMG Technology Risk Radar here:

Jeff Rutherford commenting on behalf of IDG and KPMG
