NASA official warns of 'the internet of dangerous things'

Protecting everyday life from the dangers emerging from the expansion of the internet of things requires rethinking decades-old security practices, according to a top IT official at NASA.


The dangers emerging from the expansion of the internet of things require rethinking decades-old security practices and education curriculums, according to a top IT official at NASA.

At the GITEC conference April 2, Jerry Davis, director of the IT Directorate and CIO at NASA's Ames Research Center, said that while the "internet of dangerous things" has the potential to improve data analytics and increase efficiency, this greater connectivity is "beginning to change our lives as we know it, in not such a good way."

With billions of devices connecting to the internet, security practices have to address the possibility of once-improbable "black swan" events becoming the order of the day.

"Security has always been everyone's problem," he said. "We have to rely on everybody that's in the community to mitigate these issues."

Davis pointed to recent instances where IoT attacks have taken place, such as when researchers remotely hacked a Jeep's steering, transmission and brake systems and when Iranians accessed a computer at a New York dam.

Davis said that much of the technology users rely on is built on "60 years of bad software development," which has resulted from a rush to get new technology to market.

Software "runs everything" and "continues to be the primary attack vector," he said, adding that widespread reliance on poorly written and insecure software creates a safety issue.

Software security is weak, Davis said, because industry is "all about speed to market." Plus, there are "not enough people out there who can actually build these things the correct way," he said.

Exacerbating the concerns about the internet of things, Davis said, is that the information-sharing systems currently in place are "just completely broken."

Even though security groups share the same mission to protect users, Davis pointed to shareholder issues and concerns about attribution and embarrassment as reasons why both public and private groups are reluctant to share.

To keep up with the emerging security problems, Davis said that industry and government alike must work to foster security skill sets.

Both government and industry have to navigate the shortage of cybersecurity specialists, but government is at a disadvantage because of its protracted hiring process and inability to compete with top private-sector compensation, Davis said.

In addition to hiring challenges, "once you get them in, trying to fight to keep [qualified employees] is extremely tough to do," he said. "NASA is a cool place to work… but 'cool' only lasts so long until someone throws a 65 percent pay raise at you."

As for where cybersecurity ranks among the administration's priorities, Davis said that the White House has been sending "mixed signals."

Although President Donald Trump's budget proposal slashed funding for civilian agencies, NASA received a $30 million boost to enhance its cybersecurity.

Davis said that could be a good signal "if you can extrapolate that into the national policy… but I'm getting so many mixed signals, it's really hard to say."