Breaking Down Silos to Combat the IoT Threat
The Defense Department is hearing the IoT alarm bells.
Every time federal information technology professionals think they’ve gotten in front of the cybersecurity risks posed by the Internet of Things (IoT), a new and unexpected challenge rears its head. Take, for instance, the heat maps used by GPS-enabled fitness tracking applications, which the U.S. Department of Defense (DOD) warned showed the location of military bases, or the infamous Mirai Botnet attack of 2016. The former led to the banning of personal devices from classified areas in the Pentagon, as well as a ban on all devices that use geolocating services for deployed personnel. While the latter may not have specifically targeted government networks, it still served as an effective wakeup call that connected devices have the potential to create a large-scale security crisis.
Indeed, the federal government is evidently starting to hear the alarm bells, considering the creation of the IoT Cybersecurity Act of 2017. The act emphasizes the need for better controls over the procurement of connected devices and assurances that those devices are vulnerability free and easily patchable. It’s a step in the right direction—but it’s not enough.
Physical and cultural silos
Technical, physical and departmental silos could undermine the government’s IoT security efforts. The DOD is comprised of about 15,000 networks, many of which operate independently of each other. Cultural silos abound as well. According to respondents cited in SolarWinds’ 2018 IT Trends Report, federal agencies are susceptible to inadequate organizational strategies and lack of appropriate training on new technologies. They also mentioned a need for deeper strategic collaboration with leadership, which makes sense.
These are the people that are on the front lines of our nation’s defense against cyber attacks. It’s time to provide them with a seat at the table when making decisions and formulating policies focused on how to best mount that defense.
Breaking the silos
Bringing technology, people and policy together to protect against potential IoT threats is a tricky business, particularly given the complexity of DOD networks. But it is not impossible, as long as defense agencies adhere to a few key points.
Focus on the people
First, it is imperative that federal defense agencies prioritize the development of human-driven security policies. All of the legislation in the world will be ineffective if agencies do not enforce security at the user level.
Malicious and careless insiders are real threats to government networks, perhaps just as much, if not more so, than external bad actors. It is important to take every precaution to mitigate these concerns. Policies regarding which devices are allowed on the network—and who is allowed to use them—should be established and clearly articulated to every employee.
Agencies must also try to ensure everyone understands how those devices can and cannot be used, and continually emphasize those policies. Implementing a form of user device tracking—mapping devices on the network directly back to their users and potentially detecting dangerous activity—can assist in this effort.
Gain a complete view of the entire network
The Defense Information Systems Agency (DISA) continues to evolve the Joint Information Environment and consolidate the DOD’s many networks into several. It is an extremely ambitious initiative, but the organization is not quite there yet.
Until that day, each DOD agency should provide their IT teams with tools that allow them to gain a complete, holistic view of their entire networks. They must institute security and information event management to automatically track network and device logins across these networks, and set up alerts for unauthorized devices.
Get everyone involved
But, who takes this holistic view? Often, agencies have teams and individuals dedicated to single jobs. For example, the network team may be exclusively worried about penetration testing, while the virus team might only be concerned with keeping viruses off the network. This isolated approach can be ineffective when dealing with rapidly evolving security threats.
It is incumbent upon everyone to be vigilant and involved in all aspects of security, and someone has to set this policy. That could be the chief information security officer or an authorizing official within the agency. People will still have their own unique roles and responsibilities, but just like travelers in the airport, all agency employees need to understand the threats and be on the lookout. If they see something, they need to say something.
Finally, remember that networks are evolutionary, not revolutionary. User education, from top management on down, must be as continuous and evolving as the actions taken by adversaries. People need to be regularly updated on and taught about new policies, procedures and tools, and the steps they can take to be on the lookout for potential threats.
As events like the fitness tracking apps and Mirai Botnet incidents have shown, connected devices and applications have the potential to do some serious damage. While government legislation like the IoT Cybersecurity Act is a good and useful step forward, it’s ultimately up to agency information technology professionals to be the last line of defense against IoT security risks. The actions outlined here can help strengthen that line of defense and effectively protect DOD networks against external and internal threats.
Paul Parker is chief technologist, federal and national governments, at SolarWinds.