In their 2017 report, the US Government Accountability Office (GAO) defined the Internet of Things (IoT) as the technologies and devices that sense information, communicate it to the Internet or other networks, and even, sometimes, act upon that information. True to the laws of capitalism, a past decade of increased demand and increased competition has yielded an exciting abundance of increasingly compact, inexpensive processing and sensing technologies. As the GAO observed, these computing advances are fueling “a global proliferation” of interconnected devices. While pregnant with potential benefit to the evolution of a happier, healthier, wealthier, connected societies, there exists a shadow-side to the IoT that governments, enterprises and individuals cannot afford to disregard.
The exponential explosion of inexpensive, interconnected, communicating devices, sensors and applications affects a parallel expansion of opportunities to exploit existing vulnerabilities of traditional IP/TCP networks. Further, with this growth of the IoT, new issues of data ownership, individual privacy, and non-consensual surveillance present unanticipated risks of both malicious and non-intentional exposure of secure information, for governments, organizations, and individuals. US federal laws and national-defense policies currently fail to consider the unique security risks emerging from ubiquitous connectivity and device communication — a neglect that presents the greatest security vulnerability of all for the IoT.
The Shadow-side of IoT
In a 2016 report released by the Department of Defense, Chief Information Officer Dana Deasy identified that both the rapidly proliferating number of IoT-enabled devices and the limited processing-power within these devices for running firewalls and anti-malware present quantitative and quantitatively different security vulnerabilities that current security policies fail to address. Not only does the sheer number of connected devices enlarge the “surface-area” of attack vulnerability, it also introduces more complexity via the variety of participants and the directions of potential network attacks. Additionally, the proliferation of IoT-capable devices necessitates supervision the device’s exposure to risk along its entire supply chain. As best exemplified by the Chinese company, Hangzhou Xiongmai Technology, devices may be compromised – both unintentionally and maliciously – with the introduction of “back-doors” at various points in the manufacturing and distribution chain. Further, the ubiquity of IoT-embedded devices for supply-chain applications introduces risk that must be managed not only for one’s own organization, but also throughout one’s manufacturing-supply base.
Less directly, the potential integration of devices within private domains presents new risks for individuals in terms of information security and privacy. Federal-government practices of mass surveillance using IoT-embedded devices generate new tensions between US government policies and its citizens’ rights to privacy and freedom from unreasonable search and seizure. Additionally, the ownership, control, and publication of data generated by individuals and organizations are subject to the policies of external agencies, the implications of which are not always transparent. Through a continuous barrage of user-acceptance terms and privacy agreements, through the practice of imbedding hidden RFID-tags into products, through linking of personally identifiable information with anonymous data, users are not only increasingly desensitized to the exchange of individual privacy for services, they are also more vulnerable to non-consented collection and use of personal information for individual tracking and monitoring. The IoT blurs the realms of private and public spheres.
As mandated by the Federal Information Security Management Act of 2002, all US government agencies must exercise measures to secure and to protect both personal and various levels of classified information. Since 2010, state-wide mitigation of its vulnerability to cyber-attack is progressively a part of this mandate. Both the departments of Homeland Security and of Defense play an essential role in executing responsive, defensive cyber strategies. Established in 2002, the US Department of Homeland Security mitigates and manages all federal-government information system cybersecurity risk. For the US Defense Department, this mitigation takes form not only in the proactive defense of “critical” infrastructures from network exposure, degradation and disruption; it also means strengthening and defending non-critical and industrial-base information infrastructures (Cyber Strategy 2018).
With the proliferation of both cloud-based platforms and IoT-enabled devices, stablished information and cyber security policies must now consider the rapidly-evolving nature of Internet- and intranet-connected devices in new ways. First, there is a need to classify risks inherent in IoT-devices themselves. Second, there is a need to identify risks inherent in how these technologies are used. Recently, in response to an unintentional release of classified information regarding the location of hidden military bases, the DoD issued a temporary ban on all GPS-enabled devices and applications in operational areas. Meanwhile, they are developing new decision-support guidance and training to support geolocation risk management. As exemplified by this incident, an unforeseen risk of IoT-enabled technologies emerged, not so much from the GPS-enabled fitness-tracking technologies themselves, although GPS is notoriously vulnerable to cyber-attack. Instead, it emerged from the aggregation and visualization of vendor-acquired, seemingly innocuous user data.
According to the GAO, security vulnerabilities in IoT-enabled devices arise from a variety of reasons, which include (1) the decreasing size (and computational power) of IoT-enabled devices, (2) the lack of security standards addressing unique IoT needs and (3) the lack of better incentives for developing secure devices. The limited processing capability of sensor devices presents risks in both the security design as well as the limited ability for vendors to patch/upgrade their technologies as vulnerabilities are exploited. Next, although national information and cyber security polices exist, they fail to align to (or even define) the emerging security risks emerging from ubiquitous computing. Finally, because federal policies are reactive to the poor security design of technologies, not only do they fail to present timely risk-management frameworks to agencies and their dependencies, these policies and laws fail to act as incentives for shaping an adaptive demand for stronger technological design.
There is a natural trade-off between government regulation and the “free market” of capitalism. Bureaucratic polices tend to ossify adaptive networks into monolithic structures that, once in place, are slow to shift and neigh-impossible to remove. However, these polices serve an essential role in supporting state’s ability to provide for its people the protection of a national defense. On one hand, we find that government regulations hinder innovation by providing bailouts to struggling industries; on the other, we find in continuous innovation an innately destructive tendency whereby new industries are born from the ashes of old. Yet, the reach of its national defense is a direct reflection of a country’s economic growth via the mechanism of innovation (Eccles, 1997). In considering the purpose and function of nationally-led IoT-specific laws, polices, strategies and guidance, we must not only understand, but anticipate existing and future trade-offs between individual liberty, free-market competition, and national security.
Policy and design can, indeed must, work together in this climate of continuous technological change. Particularly for the US Defense Department, which approaches modernization via “rapid acquisition” of commercial-off-the-shelf technologies, the need to for clearly-defined procurement standards for IoT devices is as essential as the need to clearly define data ownership within licensing agreements (i.e. it’s vital). In fact, by defining, then establishing these security standards as mandatory-minimum criteria within the Federal Acquisition Regulation (FAR), the DoD would help focus the competitive space of commercial-IoT innovation by initiating a specific demand for the wide-spread adoption of both general and IoT-specific information-security standards and best-practices. As a potentially powerful consumer of sensing and IoT-enabled devices for defense applications, the defense industry can create a demand that will enforce commercial industry-standards along its entire supply-manufacturing-logistics chain.
Additionally, federal policies must also extend to reach not only all government agencies, but all of their dependencies. In the newly released 2018 US National Cyber Strategy, the president identified the need to raise the information security risk-management standard for all government contractors. To maintain defense “readiness”, the US Government must both maintain and strengthen its industrial and supply-chain base. Since the close of World War II, this base is comprised primarily of government contractors. As the internet begins to permeate all aspects of business and individual life, the onus of national security necessarily shifts outward to every node; man does not exist in isolation, and neither do his technologies. The approach to national security of both critical and non-critical infrastructures must cascade, not unlike a DDoS attack, as broad initiatives to manage risks at all levels of national, organizational, and individual information security.
Finally, without imposing undue regulations upon either the individual or upon the free market, national security of all information infrastructures depends upon a well-informed public, making consumer decisions consistent with the interests of national defense. The government shares responsibility with the individual to protect personal privacy and individual security. Further, the individual shares responsibility with the government to defend and preserve their democratic freedoms. Trust between the government and its people is non-negotiable. Federal laws and policies must establish standards that hold both itself and vendors accountable to the protection of individual freedoms through transparency in the collection, uses, and risks inherent in IoT-device data collection and vulnerabilities.