IoT: Is tech the easy part?
Federal information security experts warn that IoT technology is advancing faster than the policies to guide it.
The Internet of Things is coming, federal information security experts agree. But the technical challenges may be the easier part, compared to policy and cultural concerns.
"Our infrastructures are ready to try and take this on," Federal Energy Regulatory Committee CIO Sanjay Sardar said during an IoT discussion at the ACT-IAC's Management of Change conference in Cambridge, Md. "We have to plan carefully for it, [but] we've just got to get out there and do it."
Mike Howell, the deputy program manager for the Information Sharing Environment, said that in the law-enforcement arena, he feared the rapid adoption of IoT could outrun the policy guidelines surrounding its use -- and ultimately take valuable tools off the table for agencies. He pointed to earlier technologies like unmanned aerial systems, license plate-reading cameras, body-mounted video systems and "Stingray" monitors of cell-phone traffic -- "there's a pattern that I think we need to watch for with the IoT," he said.
Law enforcement agencies are "losing the ability to use certain technologies," he said, "because they don't have the policy framework in place, they don't have the community outreach" to explain and justify the use.
Brad Nix, the deputy director of the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT), argued that "the biggest challenge that we face is a cultural challenge."
After more than two decades dominated by Windows and Unix platforms, he said, "we've been lulled into this mindset" that everything has a client-server relationship, and "people take it for granted that things are being secured along the way." Yet operating systems are now being embedded in a tremendous range of devices, and manufacturers "aren't always taking into consideration that that system may need to be upgraded at some point."
"How do we change that conversation," Nix asked, and make sure that when vendors talk about quality, they understand that covers how their device "connects with the Internet as well."
A better mindset alone, of course, is not enough to address challenges with the technology itself. The sheer scale -- Gartner predicts the IoT will include 25 billion devices by 2020 and Cisco predicts IoT traffic will overtake human-driven traffic by 2018 -- means there is arguably too much to secure.
"We're talking about a geometric increase in the number of endpoints on the networks connected to your networks," Howell said. "Every one of these extensions of connectivity is going to create new vulnerabilities and new points for potential attack. Are we ready to secure that?"
Steps are being taken to get ahead of those risks. Nix said, for example, that US-CERT is "working to prototype a component-relationship database," which could help identify instances where software vulnerabilities "could be inherited by other components."
Ultimately, though, the speakers agreed that IT leaders need to help their agency heads and other policymakers make sure the IoT does not outrun its guidance. "It's not just how to make tech work," Howell said. "It's dealing with the human elements around it that can make or break a program."
And, as Sardar noted, "We can't not plan for it. IoT is not going to stop."