Internet of Things

Every time federal information technology professionals think they’ve gotten in front of the cybersecurity risks posed by the Internet of Things (IoT), a new and unexpected challenge rears its head. Take, for instance, the heat maps used by GPS-enabled fitness tracking applications, which the U.S. Department of Defense (DOD) warned showed the location of military bases, or the infamous Mirai Botnet attack of 2016.

Wary that the Internet of Things (IoT) could be used to introduce unwanted and unchecked security risks into government networks, senators last year created a piece of legislation that placed minimum security standards around IoT devices sold to and purchased by government agencies.  The IoT Cybersecurity Improvement Act of 2017 specifically cites the need for regulation of “federal procurement of connected devices,” including edge computing devices, which are part of the IoT ecosystem.

The days of the United States’ stature as a force without equal appear to be over. The threat of near-peer competition with increasingly sophisticated adversaries is growing. As Secretary of Defense James Mattis says in the National Defense Strategy, "America has no preordained right to victory on the battlefield."

The Department of Homeland Security (DHS) Science & Technology Directorate (S&T) is announcing today that Ionic Security Inc., based in Atlanta, is the first company to successfully complete prototype testing and move to the pilot deployment phase as part of the Silicon Valley Innovation Program (SVIP).

The U.S. Army Research Laboratory (ARL) has awarded a $25 million contract to a group that includes SRI International and several universities. They will work to develop and secure the Internet of Battlefield Things (IoBT), as part of the IoBT Research on Evolving Intelligent Goal-driven Networks (IoBT REIGN) program.

With the Internet of Things promising—or perhaps threatening—to connect many more millions of devices, experts from industry, government and the military are urging action.

The critical infrastructure covers a lot of territory, including banking and finance, gas and oil, health care, agriculture, water distribution, transportation, communication, law enforcement and emergency services. Many outdated and poorly secured computers, experts say, operate a great deal of that infrastructure. Additionally, commercial or private entities own the vast majority of the infrastructure, meaning that government has little authority to protect it.

The increasing nature of computing capabilities, the number of technologies that are interconnected to the cyber world, the amount of data generated, and the speed at which data is reported are all reshaping everyday life. To harness this new dynamic, the commercial computer industry has already switched to a more agile way of developing software. More and more, the military is moving to advance the development of cyber-based infrastructure under this changing environment.

How many software engineers does it take to screw in a light bulb? None. It’s a hardware problem. That joke, though, soon might be on its way to becoming wrong with the speed of technology, joked Lt. Gen. Alan Lynn, USA, director of the Defense Information Systems Agency (DISA) and commander of the Joint Force Headquarters–Department of Defense Information Networks (DODIN).

Though the U.S. Defense Department has spent much time and money to protect high-value network assets such as emails from cyber intruders, the systems remain vulnerable to attacks. So imagine the weaknesses to systems that haven’t garnered as much defense attention or reinforcements, a senior official said.

“We have spent a lot of time—and have been very successful at—protecting our email information,” said Daryl Haegley, program manager for Business Enterprise Integration (BEI) in the Office of the Assistant Secretary of Defense for Energy, Installations and Environment. “But what about the control systems, manufacturing systems, facilities networks, medical devices? What we’re finding is ‘not so much.’