Not that much, if the Homeland Security Department has its way when it comes to the Internet of Things.
Robert Silvers, assistant secretary for cyber policy at DHS, told an audience gathered at a National Institute of Standards and Technology Aug. 31 workshop, that IoT provides enormous opportunities as well as security challenges for the public and private sector, which is why the department is issuing strategic principles in the coming months to address this “full blown phenomenon.”
“We need to accelerate everything we’re doing, we need to make tough decisions now because they’re not going to get easier,” Silvers said. “I think we all need to resist the gravity that induces one to put off a decision, because another meeting is coming up or because another round of product development is about to come to a close. It’s always easier to say that we’ll get to it next Wednesday, and I think we’re going to pay a steep cost if that kind of mentality sets in. So I think we need to issue ourselves a wake-up call and challenge to make the tough decisions now and to frankly not let the perfect be the enemy of the good.”
The way to do that in the short term, Silvers said, is through those strategic principles, which will be designed for consideration by IoT stakeholders as they build and deploy internet-connected devices.
“An internet sensor in a coffee maker is different than a sensor in a nuclear reactor. The two should be treated differently in the manufacturing, deployment and the decision whether or not a connection to the internet is appropriate,” Silvers said.
The principles will include best practices and other things related to knowing one’s supply chain, quality of subcomponent security, and patching and updating strategies — things that might not sound too controversial to a NIST audience.
“Like the Cyber-Physical Systems architecture that NIST has promulgated, we are planning on this being a living endeavor and it’s going to be a collective endeavor,” Silvers said. “This is not going to be a regulatory affair, it’s not going to be overly prescriptive, we’re not going to recommend the specific methodologies with which best practices or principles are implemented. I think we have to have the humility to know that we’re not going to be able to do that well, right now , but I don’t think we can wait to promulgate a document until we have that kind of certainty, that granularity, because it will be years.”
Set it and forget it
Silvers and his department aren’t the only ones actively working to address the evolving cybersecurity environment.
Recalling the 2015 Office of Personnel Management cyber breaches, Federal Chief Information Officer Tony Scott said the hacks weren’t caused by OPM being asleep at the wheel, but rather “it’s a culture of what I would call set it and forget it.”
“Go put something in and then assume that your work is done, and in fact much of the automation that’s taken place in industry and government, took place a long time ago in its initial instantiations,” Scott said. “We used information technology to automate manual processes but the underlying processes themselves remained almost the same.”
That was “generation one,” Scott said, and in many places within the federal government, that generation is the one being relied upon.
OPM’s systems were designed decades ago without expecting them to be connected to a network or web front-end, Scott said. Thirty or 40 years later, “when you try to repurpose something that wasn’t designed for the task, you often run into trouble.”
As a result of the breaches, the federal government took a look at itself and found a bunch of gaps, including “not a strong enough signal to management and to the people who can make decisions around upgrade, funding and replacement of information technology.”
Scott pointed to the July 28 update issued by Office of Management and Budget for Circular A-130, and his stumping for the $3.1B IT Modernization Fund as examples for how the government is working to close these gaps.
Scott also said the administration is about to announce who is taking on the role of federal chief information security officer.
“Probably the biggest contribution that I think that role can make is the influence it can have across the entire ecosystem if it’s done right,” Scott said. “Look at the subject of security much more broadly and move the needle on that, not just [make] us feel good.”