Taking Action on Military Internet of Things Devices
With the increase of available equipment that connects to the Internet, the military needs to address the associated cybersecurity risks. The Defense Department is lacking a comprehensive strategy of how to harness these so-called IoT devices, which could be based on existing cybersecurity frameworks, advised experts at an October 31 AFCEA Quantico-Potomac Chapter luncheon.
The chapter’s 7th annual Cyber Security event, held at the U.S. Marine Corps Base Quantico, included moderator Ray Letteer, compliance branch deputy chief for cybersecurity and senior information security official, Headquarters, U.S. Marine Corps, and panelists: Jean-Paul Bergeaux, Guidepoint Security; Will Bush, security controls assessor, Marine Corps System Command, U.S. Marine Corps; and Lisa Lee, intelligence chief information officer, Marine Corps Intelligence Activity, U.S. Marine Corps.
“[It is far from] the 1980’s, with a V-86 processor, a hardrive, two or three floppy disks and a modem,” Letteer said. “With IoT, we are now getting into other computing constructs.” The key question is how the DOD can adjust, respond and address the cybersecurity issues related to the use of IoT devices, he noted.
One of the main concerns is that the consumer sector is pushing the IoT market, not DOD, and devices are not cyber-secured. Essentially consumers want inexpensive, convenient devices and they are willing to forgo security. “We want IoT to be operational, [but] I am not confident that IoT is going to get better anytime soon,” warned Bergeaux. “Until we as consumers are willing to pay more for secure IoT, it is not going to get any better.”
As such, DOD has to handle IoT equipment in a stringent way, as cybersecurity experts sound the alarm bell as far as the cyber-related vulnerabilities of IoT. “As cybersecurity practitioners, what we need to do is to put IoT in a place that separates it from what is important, to continue to ‘DMZ’ it off, and treat it as a hostile device,” Bergeaux stated.
Before even considering bringing IoT devices onto a network, military leaders are going to have to come up with a schema, plan or comprehensive process that initially approves devices, includes an assessment, provides cyber protections and performs monitoring, Lee said.
As to how the military handles devices now, it depends on the environment, the intelligence CIO explained. “If you are in a SCIF [sensitive compartmented information facility], you can’t bring your phone in,” she said. “We keep a lot of the smart devices or other things that can be hacked into or are vulnerable on a completely separate network. [The devices] do not touch the backbone [network].”
Cybersecurity risk management frameworks (RMFs), the government’s set of conditions for architecture, security and monitoring of information technology, would certainly apply to Internet of Things devices, Bush suggested. “We would still be looking at having a risk management framework control set for these devices,” he stated. “It is because we don’t know what could happen, and we need to make sure we are covering our bases with IoT devices. So I think we are going to see the RMF control set increase and I think we are going to see different controls come into play as these IoT devices become more prevalent.”
Lee emphasized that continuous monitoring, which is employed in current RMF structures, has to be part of any IoT solution. “We can bring these things on board and we can do the initial assessments, but to keep them, they have to be monitored. We have to make sure that they are not breached or aren’t doing funny things that they shouldn’t be doing.”
The panelists all agreed that awareness and education about IoT security measures will be needed. When DOD started using RMF, it was all about awareness, Lee observed. “And with IoT it is the same thing,” she stated. “So we in cyber need to train and teach our non-cyber professionals or our engineers, what cybersecurity related to IoT is all about, why it is important and what happens if we don’t do it.”
From his security-related role, Bush recognized that program managers do not always understand why RMF controls will still need to be in place. “Making the PMs and Pfms [program managers and portfolio managers] and other leaders understand the need for cybersecurity in regard to IoT, and beginning some level of security, is the most important piece we’ve been doing at Systems Command,” he noted. “And we are working with the operational side to make sure those security controls meet their needs.”
In addition, any cybersecurity awareness effort has to address the tendency of employees to use unsanctioned devices, Bergeaux continued. Already an existing problem, employee use of so-called shadow IT, or unsanctioned information technology use, can easily spread to the realm of IoT devices. “I think this is going to be shadow devices,” he warned. “if we don’t know going in this is possible, that people are going to use IoT even if it is not allowed, then we are kidding ourselves.”
The problem is that IoT devices can be useful or practical and people will rationalize that it is okay to use the digital tools because it helps complete tasks. Employees will say, "I’m not supposed to have that device, but I’m trying to getting the mission done,” Letteer said.
“We have to continue to push against the desire of users to break the rules,” Bergeaux stressed. He acknowledged that there are some technologies coming into the marketplace that will start to address IoT security, but until then, the military has to handle IoT as hostile devices. “That is what we can do now,” he said.
Lee added that the sheer frequency of cyber attacks and awareness about the breaches is helping to bring attention to military leaders for the need for secured devices. “With all the things in the news lately, I think the leaders are finally starting to get the importance of it and they are starting to listen more,” she stated. “All these things are coming and we need to be smart about it.”
