Want Safer Internet of Things? Change Government Buying Rules.
Federal agencies could shape the security of connected devices by using the Federal Acquisition Regulation.
There’s a lot of worry about securing the internet of things—about Russia hacking our infrastructure, China spying on our conversations, evildoers tracking our military personnel in real time. The national permeation of IoT devices—such as smart speakers, thermostats and electrical grid sensors—poses a growing risk to national security that the U.S. federal government is struggling to address.
In January, researchers discovered they could track U.S. military personnel over the internet in real time. Why? They were wearing fitness trackers like Fitbit, and there were no Defense Department policies to prevent the troops from wearing them—despite what were evidently dismal privacy protocols.
Something similar occurred in July, when researchers geo-tracked military and intelligence officers around the world, once again through wearable devices. They reportedly followed over 6,400 users in sensitive locations around the world, including the National Security Agency, the White House, MI6 in London, and Guantanamo Bay in Cuba. They even exposed the names of some of those individuals, such as intelligence officers at the French DGSE in Paris and the Russian GRU in Moscow.
All of this once again happened thanks to IoT devices, which were used by government personnel in the absence of any clear or responsible policies. But the problem also lies with the tech itself: IoT devices are plagued by weak or default passwords, usually no encryption, minimal data privacy protections, and other terrible practices.
While the federal government is currently struggling to address this growing web of threats, it overlooks a necessary and relatively simple step: using the Federal Acquisition Regulation.
The Federal Acquisition Regulation, as part of the Code of Federal Regulations, contains the policies and procedures that govern how agencies can (generally speaking) acquire goods and services. In 2015, Defense used this mechanism to enforce minimum security requirements and cyber incident reporting timelines for contractors handling certain classes of information. This follows a clear and documented history of using the FAR to incentivize behavior in federal contractors, especially when it comes to protecting the nation against cyber threats.
So, instead of hand-wringing about how to secure the IoT, federal policymakers need to embed IoT cybersecurity and data privacy standards in the FAR. The message to federal contractors will be clear: invest in your IoT devices, or don’t do business with the government. (Between the time I wrote this article and the date it was published, actually, this very point about the FAR appeared in the new National Cyber Strategy.)
Any smart speaker in a conference room or office could be turned into a surveillance device, which means this FAR specification should include mechanisms for data privacy. Federal agencies and their employees should know exactly what kind of data is collected by a device, how much of that data is collected, where that data is stored, and where, why, and how that data is transmitted—over the internet, to another IoT device, back to the manufacturer. Devices should then protect that information with responsible software and hardware security techniques. The incidents over the past several months have made it clear: We cannot pretend as if privacy protocols don’t have an impact on national security. Clearly, there is a near-direct connection.
The same goes for cybersecurity protocols, which need to be robust in all IoT systems. From stealing sensitive information to spying on conversations to manipulating critical infrastructure, an attacker who compromises a federally used IoT device could wreak havoc in any number of ways. Last year, in fact, the hackers who broke into a Saudi Arabian petrochemical facility demonstrated just how an industrial system could be dangerously compromised over the internet. Putting requirements into the FAR like robust encryption, strong passwords, and the regular renewal of digital certificates would compel stronger cybersecurity in systems used and acquired by the federal government. Again, it’s common sense.
When the U.S. government thinks about IoT security—protecting infrastructure, safeguarding conversations, isolating sensitive systems from public ones—it cannot overlook the fundamentals. Since the private sector creates and distributes the millions and millions of IoT devices around us, we must begin incentivizing that same group to invest in protection. And it starts with putting minimum IoT standards in the FAR.
Justin Sherman is studying computer science and political science at Duke University. Justin researches federal cyber policy and digital strategy with the Laboratory for Analytic Sciences, an industry-intelligence-academia group focused on cyber and national security. The views expressed here are his own.