Over the past several months, increased attention has been paid to U.S. federal government policies surrounding internal use of IoT devices. In January 2018, researchers discovered they could track the movements of fitness tracker-wearing military personnel over the Internet. In July, a similar revelation occurred with fitness app Polar, which was exposing the locations of military and intelligence personnel around the world.
Shortly thereafter, on August 3, the U.S. Department of Defense announced a partial ban on geolocatable cell phones:
Effective immediately, Defense Department personnel are prohibited from using geolocation features and functionality on government and non-government-issued devices, applications, and services while in locations designated as operational areas.
At the time, I wrote that this was a good “first step” but pointed out that it still failed to address a number of gaps in U.S. federal government IoT policies. In addition to a lack of device standards and clear cybersecurity frameworks for the Internet of Things, federal employees are currently left without much guidance on which IoT devices they can and cannot use in the workplace and while on the job—and they’re also left without clear guidance on the cybersecurity and data privacy mechanisms that must be in place within said devices.
This is what a fellow researcher and I detailed in our recent paper on gaps in U.S. federal government policies surrounding the Internet of Things. We comprehensively reviewed all federal laws and regulations that either directly address or could possibly apply to the IoT, with the aim of identifying gaps and pitfalls to guide future policy creation.
Gaps in cybersecurity policies
While the Federal Information Security Modernization Act (FISMA) requires each federal agency to establish, document, implement and monitor information security programs for their assorted ICT systems, it leaves many decisions to the Chief Information Officer in each agency or department. This results in significant variance across organizations, particularly when it comes to IoT where individual implementations will differ already—for instance, a grid sensor monitored by the Department of Energy versus a smart speaker used in a CIA office. This means cybersecurity standards will greatly vary across federal agencies.
There are also no federal cybersecurity frameworks that explicitly address security or management of IoT. Some non-governmental organizations like the Industrial Internet Consortium have issued IoT security frameworks, but (a) there is no clear consensus on these frameworks and (b) they have no authority within the U.S. federal government. This combines with the previous issue (policy variance across agencies) to generate a convoluted approach to securing IoT devices: the same devices could be used by two different agencies but could have entirely different security protocols, which increases the likelihood that some agencies will set weak cybersecurity baselines (if they set them at all).
Finally, there is no language in the Federal Acquisition Regulation (FAR) to mandate security baselines in federally procured IoT devices. This means that federal contractors are not required to use IoT-specific security mechanisms in their IoT devices.
Gaps in privacy policies
The United States—unlike the European Union with its General Data Protection Regulation—has no overarching statute to address the data privacy of individuals. In this light, it remains unclear how protections like the Fourth Amendment extend to data collection through IoT devices, which also means that federal agencies are left without clear guidance on how federally used IoT devices should collect, store and transmit data about systems, individuals and their surrounding environments.
COPPA, the Children’s Online Privacy Protection Act, and the Privacy Act of 1974 establish guidelines for federal agencies to acquire and maintain information on individuals, but IoT again raises new questions about data privacy and informed consent.
What happens, for example, when a parent buys an insecure IoT toy for a child that collects information on the child without the parent’s knowledge? This might seem irrelevant in the federal context, but when federal agencies use devices in their offices, similar questions arise surrounding what data is collected, how regularly that data is collected, how the data is stored, where and why it’s transmitted and so on. Data privacy is a serious concern for national security, as the previous months’ incidents have demonstrated.
Finally, agencies from the National Institutes of Health to the National Security Agency require different forms of privacy training for their employees, but agencies entirely lack education modules that address the scale and complexity of IoT data collection. This also must be addressed if federal agencies are to properly protect the data stored, collected and transmitted through Internet of Things systems.
Given that President Donald Trump recently eliminated the position of National Cybersecurity Coordinator, the President should empower the federal CIO Council to develop policies for federal IoT systems. A single entity could then fill the gaps described above at once, ensuring some baseline IoT cybersecurity and data privacy mechanisms across federal organizations.
Further, the FAR should contain language about IoT cybersecurity and data privacy mechanisms. Doing so would require all organizations conducting business with the federal government to adopt certain cybersecurity and data privacy protocols in their IoT devices, such as robust encryption or regular renewal of digital certificates. These measures would not only strengthen the federal government’s cybersecurity posture but incentivize private-sector IoT investment as well.
This, of course, isn’t everything. We still need to develop clear industry standards for IoT device cybersecurity and data privacy. We need required IoT education for all federal employees. We need robust cybersecurity cultures across the federal government that supplement these technical and operational practices in addition to cultures that respect and value the protection of data privacy. This is, however, where the U.S. federal government should start: addressing these fundamental gaps in their IoT security and privacy policies.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.