Federal agencies are facing a policy gap when it comes to IoT cybersecurity, but basic due diligence is still the best approach, experts say.
The internet-of-things ecosystem poses new challenges for supply chain and data security, but experts say cybersecurity assessments should focus more on hard facts than suspicions about a particular country of origin.
A memo sent in August from an Immigration and Customs Enforcement intelligence office in Los Angeles to law enforcement organizations across the nation underlined concerns among some in government about the potential for backdoors into connected devices that could compromise U.S. interests.
Citing a drone industry source with "first and secondhand access," the memo warned that small drones sold in the U.S. by Chinese drone maker Da Jiang Innovations (DJI) were most likely downloading sensitive data gathered in the U.S., including data on gas and water critical infrastructure sites, to the Chinese government's cloud.
The memo also accused the company and the Chinese government of "dumping" the drones on the U.S. market in hopes of making them more attractive to law enforcement and critical infrastructure providers. The report, which was recently leaked to the Public Intelligence website, claims, among other things, that the Chinese were using the technology to get the upper hand in California wine country real-estate deals.
Alan Chvotkin, executive vice president and counsel at the Professional Services Council, told FCW that IoT cybersecurity "is largely unknown and unaddressed." Up until recently, the federal government's main exposure to IoT gear has been in "smart building" components. However, IT solutions, he said, are becoming a bigger part of the IoT mix.
Even though there are numerous efforts underway in Congress, the National Institute of Standards and Technology, the General Services Administration and other federal agencies to address IoT security, Chvotkin said a possible year-long gap looms in the ability of federal laws and regulations to catch up with cybersecurity concerns and the galloping IoT market.
A former Obama administration cybersecurity official told FCW in an email that in the past, the Department of Homeland Security's National Cybersecurity and Communications Integration Center and the FBI worked together on alerts and briefings around cybersecurity issues. The official said that formerly, the collaborative effort produced alerts that went out to electric companies and hospitals dealing with specific concerns.
It's unclear whether the ICE drone memo was written and released under such collaboration. ICE declined to comment on the memo.
A former senior Customs and Border Protection official told FCW that memos sent to outside organizations, particularly those to law enforcement, should be "carefully vetted and approved" and checked for accuracy before they're sent out because they reflect the organization's credibility. "Nothing is worse than having to withdraw a notice because of an inaccuracy," the official said.
"All that said, there have been instances when someone takes it upon themselves to write something and send it out," the former official said.
In emails and an interview with FCW, DJI's Managing Director for North America, Michael Perry, said his company takes the concerns listed in the memo very seriously, but he added that none of them are warranted or supported.
Perry ticked off a list of objections to the ICE memo, including the fact that users can switch off data transmission, that data collected in the U.S. is stored on Amazon Web Services servers in the U.S., not on servers in Asia, and that physical storage options like micro SD cards are available. Perry stated that pricing for the drones in the U.S. and China is almost identical.
Perry said the company started becoming aware of U.S. government users' cybersecurity concerns this past summer when the Army issued a memo citing possible cyber vulnerabilities in its aircraft, even though Perry said those concerns were "unclear."
The ICE memo, he said, was of more concern because of the specificity of the allegations. At the heart of the concerns in the memo is the suspicion the Chinese company is in league with the Chinese government to steal data.
Perry said his company is aware that its Chinese ownership is a challenge, particularly with cybersecurity issues. He said the company is listening to its customers about the issue and understands that new technologies can make people nervous and can foster unwarranted fears.
"This is similar to when the smart phone was introduced," he said of the burgeoning, relatively new drone market. "The iPhone didn't get the official go-ahead from the [Defense Department] until, what, the iPhone5?" Perry said.
Katherine Gronberg, vice president of Government Affairs at security solutions provider ForeScout Technologies, acknowledged that the internet of things was a particular challenge "because [IoT devices] can't run the same kind of agent-based security tools that computers or even mobile devices can." However, she noted, agencies also stand to save money when they use commercial off-the-shelf gear.
"Agencies need a way to ensure devices -- from anywhere -- cannot operate unchecked on their networks and cannot compromise data or, more importantly, the mission," Gronberg said.
She noted that the DHS Continuous Diagnostics and Mitigation program for civilian agencies and the Comply to Connect program for the DOD are big steps towards doing that for federal networks.
The former CBP official said it is becoming increasingly difficult to track the origins of gear and goods given global manufacturing practices. It's up to acquisition systems to identify products that meet performance and security tests, the official said.
Chvotkin also pointed out that IoT technology is turning up in some mundane, less cutting-edge places and locations. Teleconferencing gear common in offices, he said, has cameras that are mostly open to the internet.
Risk management, according to Israel Barak, chief information security officer at cybersecurity firm Cybereason, is indeed key to protecting against products and technology that may be outside of an agency's "comfort zone."
"Let's face it, it wouldn't be that difficult for a vendor to compromise a product where some companies could have dozens or hundreds of products on the approved government vendor list," said Barak in an email to FCW. "And it isn't a matter of whether the company is based in the U.S. The real issue is whether or not a threat actor could gain access to that product. Given the amount of technology products … agencies purchase, they will inevitably be in a situation where a purchase is outside of that comfort zone."
He advised federal agencies to stop trying to determine whether a technology is a threat by analyzing the device's code or looking to "see what it is doing." He also advised against intricate searches for backdoors that allow illicit access. Those methods, he said, are inefficient uses of time and resources.
"If you deny the ability that an adversary has to communicate with that software, you eliminate the threat," Barak said.
One of the best resources for IoT users, said DJI's Perry, is to simply talk to the vendor about how a device operates. Understand its technological capabilities and don't rely on rumor and innuendo to determine how you use it, he said.
Gronberg added: "Before connecting an IoT device, any device, you have to be sure your security program, security tools and team are prepared to be able to continuously monitor the device as it connects and leaves the network and determine in real time if the device is acting maliciously."
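The two approaches quoted above, denying a device any network path its job does not need (Barak) and watching every flow it generates while it is on the network (Gronberg), can be combined into a simple egress-allowlist check. The following is an added example written for this article, not code from FCW, DJI, ForeScout or Cybereason; the device inventory, MAC addresses, hostnames and flow records are all constructed.

```python
"""Egress-allowlist check over constructed flow records for IoT devices.

Added example, not from the article or any vendor named in it. Each approved
device is tied to the destinations its function requires; any other
destination, or any hardware not in the inventory, raises an alert. All
device names, MACs, hosts and addresses below are made up.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts mac dst port bytes_out")

# Constructed inventory: each approved device maps to the destinations it is
# allowed to reach. Anything else is an egress-policy violation.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "drone-controller-1",
                          "allow": {("firmware.example-vendor.test", 443)}},
    "aa:bb:cc:00:00:02": {"name": "conf-room-camera",
                          "allow": {("mgmt.example-agency.test", 8443)}},
}

def parse_flow(line):
    """Parse one constructed 'ts mac dst port bytes' record."""
    ts, mac, dst, port, size = line.split()
    return Flow(ts, mac.lower(), dst, int(port), int(size))

def check_flows(lines, inventory=INVENTORY):
    """Return (kind, device, detail) tuples for flows that violate policy."""
    alerts = []
    for flow in map(parse_flow, lines):
        dev = inventory.get(flow.mac)
        if dev is None:
            # Unknown hardware on the network: flag it until it has been vetted.
            alerts.append(("unknown-device", flow.mac, flow.dst))
            continue
        if (flow.dst, flow.port) not in dev["allow"]:
            # Known device, but talking somewhere its job does not require.
            alerts.append(("egress-denied", dev["name"], f"{flow.dst}:{flow.port}"))
    return alerts

SAMPLE_FLOWS = [  # constructed records: timestamp, MAC, destination, port, bytes
    "2017-10-01T10:00:00 AA:BB:CC:00:00:01 firmware.example-vendor.test 443 1200",
    "2017-10-01T10:00:05 aa:bb:cc:00:00:01 upload.unknown-cloud.test 443 98000",
    "2017-10-01T10:00:09 aa:bb:cc:00:00:02 mgmt.example-agency.test 8443 400",
    "2017-10-01T10:00:12 aa:bb:cc:00:00:99 198.51.100.7 22 60",
]

if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS):
        print(*alert)
```

In practice the same allowlist would be enforced at the network edge as default-deny egress rules, with this kind of check run over the resulting flow logs to catch devices that appear, leave or change behaviour.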