Drone cybersecurity policy still up in the air

Federal agencies are facing a policy gap when it comes to IoT cybersecurity, but basic due diligence is still the best approach, experts say.


The internet-of-things ecosystem poses new challenges for supply chain and data security, but experts say cybersecurity assessments should focus more on hard facts than suspicions about a particular country of origin.

A memo sent in August from an Immigration and Customs Enforcement intelligence office in Los Angeles to law enforcement organizations across the nation underlined concerns among some in government about the potential for backdoors into connected devices that could compromise U.S. interests.

Citing a drone industry source with "first and secondhand access," the memo warned that small drones sold in the U.S. by Chinese drone maker Da Jiang Innovations (DJI) were most likely downloading sensitive data gathered in the U.S., including data on gas and water critical infrastructure sites, to the Chinese government's cloud.

The memo also accused the company and the Chinese government of "dumping" the drones on the U.S. market in hopes of making them more attractive to law enforcement and critical infrastructure providers. The report, which was recently leaked to the Public Intelligence website, claims, among other things, that the Chinese were using the technology to get the upper hand in California wine country real-estate deals.

Alan Chvotkin, executive vice president and counsel at the Professional Services Council, told FCW that IoT cybersecurity "is largely unknown and unaddressed." Up until recently, the federal government's main exposure to IoT gear has been in "smart building" components. However, IT solutions, he said, are becoming a bigger part of the IoT mix.

Even though there are numerous efforts underway in Congress, the National Institute of Standards and Technology, the General Services Administration and other federal agencies to address IoT security, Chvotkin said a possible year-long gap looms in the ability of federal laws and regulations to catch up with cybersecurity concerns and the galloping IoT market.

Collaborative efforts

A former Obama administration cybersecurity official told FCW in an email that in the past, the Department of Homeland Security's National Cybersecurity and Communications Integration Center and the FBI worked together on alerts and briefings around cybersecurity issues. The official said that formerly, the collaborative effort produced alerts that went out to electric companies and hospitals dealing with specific concerns.

It's unclear whether the ICE drone memo was written and released under such collaboration. ICE declined to comment on the memo.

A former senior Customs and Border Protection official told FCW that memos sent to outside organizations, particularly those to law enforcement, should be "carefully vetted and approved" and checked for accuracy before they're sent out because they reflect the organization's credibility. "Nothing is worse than having to withdraw a notice because of an inaccuracy," the official said.

"All that said, there have been instances when someone takes it upon themselves to write something and send it out," the former official said.

In emails and an interview with FCW, DJI's managing director for North America, Michael Perry, said his company takes the concerns listed in the memo very seriously, but he added that none of them are warranted or supported.

Perry ticked off a list of objections to the ICE memo, including the fact that users can switch off data transmission, that data collected in the U.S. is stored on Amazon Web Services servers in the U.S., not on servers in Asia, and that physical storage options like micro SD cards are available. Perry stated that pricing for the drones in the U.S. and China is almost identical.

Perry said the company started becoming aware of U.S. government users' cybersecurity concerns this past summer when the Army issued a memo citing possible cyber vulnerabilities in its aircraft, even though Perry said those concerns were "unclear."

The ICE memo, he said, was of more concern because of the specificity of the allegations. At the heart of the concerns in the memo is the suspicion the Chinese company is in league with the Chinese government to steal data.

Perry said his company is aware that its Chinese ownership is a challenge, particularly with cybersecurity issues. He said the company is listening to its customers about the issue and understands that new technologies can make people nervous and can foster unwarranted fears.

"This is similar to when the smart phone was introduced," he said of the burgeoning, relatively new, drone market. "The iPhone didn't get the official go-ahead from the [Defense Department] until, what, the iPhone5?" Perry said.

Due diligence

Katherine Gronberg, vice president of government affairs at security solutions provider ForeScout Technologies, acknowledged that the internet of things is a particular challenge "because [IoT devices] can't run the same kind of agent-based security tools that computers or even mobile devices can." However, she noted, agencies also stand to save money when they use commercial off-the-shelf gear.

"Agencies need a way to ensure devices -- from anywhere -- cannot operate unchecked on their networks and cannot compromise data or, more importantly, the mission," Gronberg said.

She noted that the DHS Continuous Diagnostics and Mitigation program for civilian agencies and the Comply to Connect program for the DOD are big steps toward doing that for federal networks.

The former CBP official said it is becoming increasingly difficult to track the origins of gear and goods given global manufacturing practices. It's up to acquisition systems to identify products that meet performance and security tests, the official said.

Chvotkin also pointed out that IoT technology is turning up in mundane, less cutting-edge places. Teleconferencing gear common in offices, he said, has cameras that are mostly open to the internet.

Risk management, according to Israel Barak, chief information security officer at cybersecurity firm Cybereason, is indeed key to protecting against products and technology that may be outside of an agency's "comfort zone."

"Let's face it, it wouldn't be that difficult for a vendor to compromise a product where some companies could have dozens or hundreds of products on the approved government vendor list," said Barak in an email to FCW. "And it isn't a matter of whether the company is based in the U.S. The real issue is whether or not a threat actor could gain access to that product. Given the amount of technology products … agencies purchase, they will inevitably be in a situation where a purchase is outside of that comfort zone."

He advised federal agencies to stop trying to determine whether a technology is a threat by analyzing the device's code or looking to "see what it is doing." He also advised against intricate searches for backdoors that allow illicit access. Those methods, he said, are inefficient uses of time and resources.

"If you deny the ability that an adversary has to communicate with that software, you eliminate the threat," Barak said.

One of the best resources for IoT users, said DJI's Perry, is to simply talk to the vendor about how a device operates. Understand its technological capabilities and don't rely on rumor and innuendo to determine how you use it, he said.

Gronberg added: "Before connecting an IoT device, any device, you have to be sure your security program, security tools and team are prepared to be able to continuously monitor the device as it connects and leaves the network and determine in real time if the device is acting maliciously."
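The two pieces of advice above, Barak's point that denying a device the ability to communicate with an adversary removes the threat regardless of where the product was made, and Gronberg's point that a device must be watched as it joins and leaves the network, can both be expressed as a deny-by-default egress policy evaluated over network events. The following is an added illustration written for this page; it is not code from FCW, DJI, ForeScout or Cybereason. The device names, IP addresses, ports and the key=value log format are all constructed for the example, and the only real assumption is that a NAC or switch can emit join/leave events and a flow collector can emit summarized outbound flows per device.

```python
from ipaddress import ip_address, ip_network

# Constructed per-device egress policy (hypothetical device names and addresses).
# Default is deny: a device may reach only the destinations and ports listed for it,
# so a backdoor that phones home to anything else simply cannot connect.
EGRESS_POLICY = {
    "drone-controller-01": {
        "dst": [ip_network("10.20.0.0/24")],   # on-prem flight-log server subnet
        "ports": {443},
    },
    "conf-cam-lobby": {
        "dst": [ip_network("10.30.5.10/32")],  # internal video bridge only
        "ports": {443, 5061},
    },
}

# Constructed sample log lines: NAC join/leave events plus summarized outbound
# flows from the IoT segment. Timestamp first, then key=value pairs.
SAMPLE_LOG = """\
2017-11-02T10:00:00Z event=join device=drone-controller-01 ip=10.10.1.5
2017-11-02T10:00:05Z event=flow device=drone-controller-01 dst=10.20.0.7 dport=443
2017-11-02T10:00:09Z event=flow device=drone-controller-01 dst=203.0.113.44 dport=443
2017-11-02T10:01:00Z event=join device=conf-cam-lobby ip=10.10.1.9
2017-11-02T10:01:03Z event=flow device=conf-cam-lobby dst=10.30.5.10 dport=5061
2017-11-02T10:01:20Z event=flow device=conf-cam-lobby dst=10.30.5.10 dport=22
2017-11-02T10:02:00Z event=leave device=drone-controller-01 ip=10.10.1.5
2017-11-02T10:02:30Z event=flow device=drone-controller-01 dst=10.20.0.7 dport=443
2017-11-02T10:03:00Z event=flow device=thermostat-unknown dst=198.51.100.9 dport=8883
"""


def parse_line(line):
    """Turn one constructed log line into a dict with a 'ts' key and its fields."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = ts
    return rec


def egress_allowed(device, dst, dport):
    """Deny-by-default check: unknown devices get no egress at all."""
    policy = EGRESS_POLICY.get(device)
    if policy is None:
        return False
    ip = ip_address(dst)
    return dport in policy["ports"] and any(ip in net for net in policy["dst"])


def evaluate(log_text):
    """Walk the events in order, tracking presence, and return (ts, device, reason) alerts."""
    present = set()   # devices currently joined to the network
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ev, dev = rec["event"], rec["device"]
        if ev == "join":
            present.add(dev)
            if dev not in EGRESS_POLICY:
                # Something joined that nobody wrote a policy for: worth a look.
                alerts.append((rec["ts"], dev, "join-without-policy"))
        elif ev == "leave":
            present.discard(dev)
        elif ev == "flow":
            if dev not in present:
                # Traffic attributed to a device the NAC never admitted (or already released).
                alerts.append((rec["ts"], dev, "flow-from-absent-device"))
            if not egress_allowed(dev, rec["dst"], int(rec["dport"])):
                alerts.append((rec["ts"], dev, f"egress-denied {rec['dst']}:{rec['dport']}"))
    return alerts


def summarize(alerts):
    """Count alerts per device so an operator can see which product is misbehaving."""
    counts = {}
    for _, dev, _ in alerts:
        counts[dev] = counts.get(dev, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, dev, reason in evaluate(SAMPLE_LOG):
        print(ts, dev, reason)
    print(summarize(evaluate(SAMPLE_LOG)))
```

On the constructed log this raises five alerts: the drone controller attempting to reach an external address, the conference camera opening an unexpected port on an allowed host, traffic from the drone controller after it left the network, and two alerts for a device that never joined and has no policy. The point of the design is that none of the decisions depend on inspecting the device's firmware or guessing at the vendor's intentions; the allowlist is the control, and the presence tracking turns "is this device acting maliciously" into a question the collector can answer in real time.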
