GAO warns IoT system security spread too thin could create cyber gaps, increase risk of attack

Federal systems have so far been spared the WannaCry ransomware attack that is crippling computers around the world, an episode that underscores how much depends on the security of government IT systems.

But a recent technology assessment from the Government Accountability Office shows that the public and private sectors are adopting the Internet of Things (IoT) unevenly and inconsistently, leaving the increasingly popular technology — and the people and devices that depend on it — vulnerable to harm.

“The growing ubiquity and pervasive connectivity of IoT devices and networks may pose significant security risks,” the assessment stated. “Unauthorized individuals and organizations may gain access to these devices and use them for potentially malicious purposes, including fraud or sabotage. As cyber threats grow increasingly sophisticated, the need to manage and bolster the cybersecurity of IoT products and services is also magnified.”

The assessment was requested by five lawmakers, including Rep. Jason Chaffetz (R-Utah).


“The Internet of Things has the potential to transform the way we live, work, and organize our society,” Chaffetz said in a statement to Federal News Radio. “I requested this report with my colleagues in order to assist in analyzing the privacy, cybersecurity, economic, and other issues associated with the Internet of Things. We need to embrace the opportunities for increased safety, health, productivity, and quality of life that the IoT can bring.”

GAO’s assessment is based on feedback from the Federal Trade Commission (FTC) and the Federal Communications Commission, along with researchers and industry members. The draft assessment was also provided to 10 agencies for input, including the Homeland Security Department, National Science Foundation, Office of Science and Technology Policy and Energy Department.

The assessment is the product of roughly two years of work, conducted from September 2015 to May 2017.

This isn’t the first time GAO has reported on IoT cyber threats. In 2015, auditors warned that unless defenses keep pace with rapidly evolving threats, IoT systems will be left vulnerable to attack.


Areas of overlap

Cutting-edge technology and ease of use are responsible for both the public and private sectors’ growing dependence on IoT. What started in 1974 with the first scan of a barcode on a pack of gum has grown into a web of interconnected systems that do everything from regulating a pacemaker in someone’s heart to monitoring the air quality above a city.

The products created by and for IoT systems are useful for government at all levels, but they pose particular challenges for federal agencies.

“There is no single U.S. federal agency that has overall regulatory responsibility for the IoT,” GAO reported. “Various agencies oversee or regulate aspects of the IoT, such as certain devices or management of certain kinds of data. However, some issues, such as privacy and security, are crosscutting, and sector-specific oversight efforts in these areas could overlap.”

Experts who contributed to GAO’s report said federal regulation of IoT could get murky when a device is reviewed across multiple agencies.

“For example, certain mobile health applications may be regulated by the Food and Drug Administration for their effectiveness as potential medical devices, while other offices within the Department of Health and Human Services oversee the privacy of health data collected by the application,” GAO reported. “The FTC investigates false or misleading claims about the applications’ safety or performance, and the Department of Justice addresses the law enforcement aspects, including cyberattacks, unlawful exfiltration of data from devices and/or networks, and the investigation and prosecution of other computer and intellectual property crimes.”

Both agencies and Congress are looking at ways to address this regulatory quandary.

In January, Sen. Deb Fischer (R-Neb.), and Rep. Erik Paulsen (R-Minn.) introduced the Developing Innovation and Growing the Internet of Things (DIGIT) Act, which calls on the Commerce Department to create a federal stakeholder group to provide recommendations to lawmakers on IoT.

The National Telecommunications and Information Administration (NTIA), a Commerce Department component, in 2016 started looking at “the benefits, challenges, and potential roles for the government in fostering the advancement” of IoT, and released a green paper in January that analyzes the public comments, GAO reported.

The National Institute of Standards and Technology (NIST) and the Center for Internet Security have also each released IoT cybersecurity guidelines.

Remaining vulnerable

Among the other issues GAO considered in its assessment is the security of IoT systems that rely on cloud computing.

IoT systems are using the cloud because it can handle big data, offer continuous access and reduce the hardware an organization must run itself.

“However, many of the features that make cloud computing attractive can also pose security challenges,” GAO reported. “One major challenge is the loss of control of the computing environment that supports the device. Using the cloud as a platform requires a transfer of information and system components to the cloud provider that would otherwise be under the company’s direct control.”

Moving to the cloud can also widen the set of people who are able to reach that data, which in turn increases the risk that it will be used without authorization.

Another issue GAO highlighted in its assessment is that there is no single, “universally recognized set of standards or definitions” for IoT.

The Institute of Electrical and Electronics Engineers (IEEE), according to GAO, said gaps are created when organizations and companies each decide on their own standards.

“Designing products to proven standard specifications can lower risk,” GAO said. “IEEE notes that some standard bodies do not have a global reach, thus standards bodies need to collaborate and coordinate efforts. Additionally, there is no common definition of the IoT among the different standards organizations. Establishing one common definition of the IoT would simplify the coordination among standards bodies.”