With the increasing ubiquity of internet of things (IoT) devices and the vast expansion of the cyber attack surface that those devices create, National Security Agency (NSA) IoT Enterprise Functional Team Lead Arlene Santos is emphasizing the importance of the IoT Cybersecurity Improvement Act reintroduced in Congress last month as a way to address the cybersecurity concerns posed by rapid IoT device growth.
The bill, sponsored by Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., aims to create and strengthen cybersecurity requirements for IoT devices purchased, used, and controlled by the Federal government.
The measure is having another chance at becoming law after a previous version, first introduced in 2017, never made it out of the Senate Homeland Security and Governmental Affairs Committee. Companion legislation has been introduced in the House by Rep. Robin Kelly, D-Ill.
The legislation would put the National Institute of Standards and Technology (NIST) in charge of identifying IoT cybersecurity standards, and the Office of Management and Budget (OMB) would issue subsequent guidance to Federal agencies. The prior version of the legislation specified that NIST would only provide limited guidance and mostly focused on OMB’s role, but the 2019 bills put more emphasis on NIST’s role in setting the course for Federal IoT cybersecurity.
In an exclusive interview with MeriTalk, Santos spoke about the growing importance of securing IoT devices. She called IoT “the next disruptive technology that’s changing our lives,” and cited that between 2016 and 2017, cyberattacks involving IoT devices increased by about 600 percent.
Part of that statistical uptick is due to the rapid growth of IoT in all areas of society, Santos said, and she emphasized that the latest legislative push expands the scope of IoT beyond computers to infrastructure and other devices that are connected to networks.
“Before, you wouldn’t think that a refrigerator would be connected to the internet, or a crockpot, or your cardiac pacemaker,” Santos said. “But things like that – it’s ubiquitous. It’s everywhere, and one of the things that we’re finding and the big challenge is that there’s security challenges.”
That ubiquity, Santos said, increases the overall cyberattack surface. Adding to the problem for government is that IoT entry points tend to have lower security, and there are currently no standards that regulate the use and management of the IoT devices by the Federal government.
Without security standards, high-security networks like those of the Federal government are left vulnerable to compromise through IoT entry points. Santos emphasized the need for IoT security infrastructure, with two main target areas: identifying the vulnerabilities and identifying the scope of the risk they pose.
If the legislation becomes law, NSA and other Federal agencies will provide assessments and input for NIST to consider in developing its standards. In turn, NIST will work on standards development and provide recommendations for agencies by March 2020. Santos said providing that input to NIST will be a “team” effort by the intelligence community, the military, and civilian agencies.
Although the bill would require only Federal organizations to adopt the NIST IoT standards, Santos said industry would likely follow in the same direction as it creates products that are compliant with those standards, especially if the government is a large buyer of their products.
“Because the Federal government is such a significant buyer of things, … if you want to be on our provider list, you must meet these requirements, and that clearly influences the major manufacturers,” Santos said. “Can you imagine if you were a provider of the internet of things that would be used primarily, significantly, in the Department of Defense? And all of a sudden, if that’s 50 percent of your sales, that’s pretty significant.”
Given the pace of technological change, Santos said that securing IoT devices and infrastructure will become an interwoven project of securing networks and cloud services, since “they feed each other significantly.”
“You can’t look at them as individual pieces alone,” Santos said. “You need to look at holistically what the fabric is on the communications and look at the cybersecurity implications of all the cybersecurity of the cloud, the cybersecurity of 5G, the cybersecurity of your endpoint devices themselves.”
Santos argued that IoT has been a positive societal game-changer, from creating more accessible devices to improving healthcare technology. Setting standards and creating a collaborative environment in which to promote those standards are a must to maintain the benefits of IoT and improve security, she said.
“For us to be able to reap what I’ll call social and economic benefits of IoT, the whole nation – which includes industry, government, and academia – needs to have an awareness of the risks,” Santos said. She added that the effort “has to be layered. That’s why we need the manufacturers, the industry, to move forward in that direction. It helps government and the commercial.”