IoT Security Is a Top Federal Tech Concern

As the Internet of Things, or IoT, steadily migrates from fantasy to reality, the accompanying cybersecurity challenges posed by billions of connected devices have become not only evident, but a leading concern for federal technologists.

The lack of IoT security tops a list of critical concerns for surveyed professionals wrestling to address the challenges increasingly front and center as the sheer number of connected devices and sensors grows, according to results of a recent Brocade survey.

When it comes to the devices and sensors that agencies use to transmit all sorts of data, 60 percent of survey respondents said security takes top priority over other issues. The concern eclipsed stability, accuracy, speed, service delivery and even data accuracy, the last rather revealing given the focus that users, particularly those in the military, place on trust in the data used to make life-or-death decisions, says Judson Walker, chief technology officer for federal at Brocade Communications.

Along with listing security as a top worry, 58 percent say they are only somewhat, not very, or not at all confident in the security of their edge devices, or those in the field that provide access to networks, Walker points out.

With Gartner’s predictions of more than 20 billion connected devices by 2020, there is reason to be concerned. “By looking at this survey, we have identified that the biggest challenge around security, especially security of the IoT, is awareness,” Walker offers. “Consumers are asking, ‘Is this really as big a problem as we perceive it to be in the news and the tech [magazines], or is it just something interesting to talk about?’ But if you look at the numbers … people can clearly see that that number is astronomically large and the concept of trying to secure all those devices is simply daunting.”

Brocade surveyed 442 technologists from 30 agencies, largely senior staffers. Sixty-nine percent are at the GS-12 level or higher, 53 percent are supervisors and 25 percent hold ranking positions in the Defense Department.

The survey results reflect a mix of IT professionals’ perception and reality regarding the security of connected devices, Walker says. While cybersecurity within the IoT ecosystem is not all the doom and gloom that some make it out to be, the lack of industry standards and the rush to push apps and devices to market does make the environment rather unstable.

“If you look at the IT professionals in the industry now, and they look at the challenges regarding funding as well as procurement process, there is definitely an awareness that, ‘Hey there are some vulnerabilities out there that we need to address now as it pertains to the IoT,’” Walker says.

The mobile device and sensor industries lack uniform security standards and a system of checks and balances, Kevin Kelly, CEO of LGS Innovations, has said. “It’s really left the door wide open for bad actors, bad practice and people being careless with developing devices.”

The National Institute for Standards and Technology (NIST) attempted to bridge that gap with the release of its mobile device security guidelines that served as the backbone for protecting devices and data in the health care sphere.

Established standards could go a long way toward securing devices and allaying users’ fears, particularly within the Defense Department, Walker offers. “One thing consumers are looking for in the public sector is consistency,” he says. Coming as no surprise, survey takers noted that the sluggish acquisition process and tight budgets pose major challenges to securing platforms. Even though 74 percent believe the IoT should be as tightly secured as core infrastructures, limited investment funding and inadequate procurement processes add to the list of woes. Additional worries include the shortage of technical expertise, the inability to adapt to new threats and lack of leadership buy-in.

Enforcing stringent password requirements, built-in encryption and automated security patches are the most cited practices for securing data, the survey notes. But a surprisingly high 48 percent of respondents said they do not know how agencies plan to secure its IoT in the near future. “Those are immediate red flags,” Walker says. “Even though you’re a consumer of information, there should always be, in the back of your mind, some level of concern and awareness about security and concerns about being compromised. We’ve been trying to articulate that we have a real problem within the public sector.”

That result could be reflective of a subset of technologists who are consumers rather than managers within the government work force and are not in tune with the IoT security side of their agencies, Walker offers. “Maybe they made assumptions and assumed that when they get a device or object, turn it on and use it for work, that someone down the line took the appropriate steps to secure that device,” he says. “They assume it’s been done and so continue to use the device to complete mission or job.”

Survey respondents offered some securing resolutions, including strongly supporting a system of government-approved commercial security solutions, a standardized yet tailorable application program interface (API) and mirroring the National Security Agency’s Commercial Solutions for Classified (CSfC) framework.