How to Begin to Craft Policy Around the Internet of Things
In the rush to make cities smarter, state and local governments have fallen behind on cybersecurity.
State and local policymaking around cybersecurity hasn’t kept up with the Internet of Things, said data experts Tuesday, during a Multi-State Information Sharing & Analysis Center webinar on smart cities.
Governments must play catch-up as a result by reevaluating how they interact with each other and the private sector to create a more collaborative security environment.
The Mirai botnet, named after the Japanese word for future, was weaponized in a distributed denial-of-service cyberattack last year that crippled components of the web through IoT devices like routers and televisions. And, by 2020, 20 billion IoT devices will be in use.
“A smart community is a community that engages its citizens and connects its infrastructure electronically,” said Thomas MacLellan, Symantec’s director of policy and government affairs, quoting the state of Virginia’s official definition.
By that logic, cities rushing to become smarter without ensuring backend security, as they connect new IoT devices to their networks, are rapidly creating new threat vectors.
Westchester County, New York is experimenting with predictive analytics based on cell phone use among other smart projects, which have added more than 100,000 new endpoints, said Chief Information Officer John McCaffrey. The county has spent time crafting policy around its data analysis, so when a planned cloud pilot begins it will remain separate from other systems until inferences can be made.
“We’d love to have, from the county’s perspective, a top-down approach,” McCaffrey said, referring to the cyber assistance it provides to rural areas and small towns.
Officials in Virginia partnered with the National Institute of Standards and Technology to tailor its framework to the state level and mitigate cyber risk.
Particularly when governments lack large IT staffs, the number of vendors presenting them with products and services can be overwhelming and possession of data can become muddled.
When states and localities share a vendor, that interconnectedness could prove a threat in the event any of the partners in the equation are breached—one that could jeopardize infrastructure as critical as the electric grid, said Karen Jackson, Virginia’s secretary of technology.
Trying to get manufacturers to take greater responsibility for security with policy is hard to pass, and smart technologies like license plate readers with benefits for public safety often raise privacy red flags.
“There’s a company that drives through neighborhoods that produces maps,” Jackson said. “If that were a government vehicle doing the same thing, we would be fired upon.”
Maricopa County, Arizona’s chief information security officer, Bob O’Connor, views the challenge as one of digital trust and identity. The county is piloting everything from in-road sensors to predictive analytics around flooding to drone GIS and has established the position of chief privacy officer to minimize concerns.
IoT devices, applications and processes must be trusted, O’Connor said, and government must decide how best to manage identities.
MacLellan seconded the importance of the NIST framework to such discussions but encouraged government to go beyond simply checking off its boxes.
“These systems are going to get so big and so complicated that it’s not going to be a person’s job to do it,” MacLellan said. “It’s going to be a person’s job to monitor it.”
Dave Nyczepir is a News Editor at Government Executive’s Route Fifty and is based in Washington, D.C.
NEXT STORY: What we learned building a mobile app