The Internet of Things Poses Security Risks in the Defense Department

IoT is a term used to describe the broad set of Internet-connected devices – including smartphones and wearable Bluetooth devices, etc. – that interact with the physical world and usually have various sensors and capabilities to process, communicate, and affect physical things, (e.g. a remotely-set thermostat adjusting the NVAC system to change the temperature.) IoT brings benefits, but also has security implications. In a recent report, Internet of Things: Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD, the Government Accountability Office (GAO) found that while the DOD has made progress in addressing some of the security challenges brought by IoT, significant challenges persist.

Progress Made

According to GAO’s assessment, the DOD has made progress in addressing the following security challenges:

• Identifying a number of IoT security risks and notional threat scenarios;
• Examining security risks of IoT devices by conducting assessments on critical infrastructure;
• Developing policies and guidance for IoT devices; and
• Establishing ongoing efforts, such as research programs, to mitigate the security risks with these devices.

The security challenges that IoT devices pose will need to be addressed in specific ways as well as part of a holistic risk management approach.

Challenges Persist

Much of the challenges that were identified center around IT governance issues related to IoT and security. GAO suggested that DOD could capitalize on their progress by further addressing the following challenging areas:

• Lack of operations security surveys that could identify and mitigate security risks of IoT;
• Insufficient DOD policies and guidance for specific IoT devices and applications of concern (e.g., smart televisions and smartphone applications); and
• The need for DOD core security policies (e.g., cybersecurity, operations security, physical security, information security) that provide clear guidance on the IoT and related devices.

By addressing these challenges, GAO argues that the DOD could better ensure that it is identifying security issues with IoT devices and more effectively safeguarding and maintaining the security of DOD information.

Recommendations by GAO

To address these concerns, GAO recommended that the DOD take the following actions, again largely focused on governance and policy:

• Conduct operations security surveys that identify IoT security risks and protect DOD information and operations, or address operations security risks posed by IoT devices through other DOD risk assessments.
• Review and assess existing departmental security policies and guidance—on cybersecurity, operations security, physical security, and information security—that may affect IoT devices
• Identify areas where new DOD policies and guidance may be needed—including for specific IoT devices, applications, or procedures—and where existing security policies and guidance can be updated to address IoT security concerns.

By taking these steps to address the challenges posed by IoT in its current operational environment, the DOD could be confident that it is identifying and addressing the security issues brought on by IoT and position itself to leverage these capabilities for greater effectiveness.

As the line between cyber- and kinetic operations has largely disappeared, failure to overcome the security challenges of IoT poses a major risk.