IoT Security: The Time for Governments to Develop Organizational Policies Is Now

As more things connect, experts say security should be a main consideration, especially in sensitive government environments.

Hollywood has been portraying the Internet of Things for decades. In Terminator 2, it took the form of Skynet, an artificial intelligence platform that decided humans were dead weight and subsequently nuked ‘em. In Minority Report, the connected landscape acted as both a protagonist and antagonist that was used to hunt down future murderers and, of course, eventually the main character played by Tom Cruise. And, in the Dick Tracy franchise, an old-school “smart watch” featured two-way voice communications and a TV picture. 

While Hollywood attempts to share with the masses a view of the Internet of Things (IoT), it skips over the inconvenient, real-world security implications posed by connecting everything to everything else in our homes and our workplaces, and on our bodies and the street. 

If we look back at the not-too-distant past and consider what the advent of the floppy disk meant for organizational security, or how connecting the Internet to every computer affected things, it’s not difficult to imagine how millions of devices — from toasters to cellphones to T-shirts — could throw a wrench in our nation’s best laid security plans.

Not many people will argue that IoT is without convenience and the occasional bout of awe, but too often, we don’t stop and consider the implications of surrounding ourselves with devices connected to the outside world. Consider for a moment what might happen if a smart television, located in a conference room, was breached and allowed someone outside to hear a privileged legal conversation. We’ve already seen attacks against financial institutions routed through the IP address of connected refrigerators and the complete takeover of connected vehicles, so what’s next?

For those in government, IoT security is — or should be — of very real concern. Director of National Intelligence James Clapper already testified before a U.S. Senate Special Committee that the gelatinous and ever-expanding network could eventually be used to spy – implying both risk and benefit for the American people. 

And as Ars Technica reported in January, a glaring example of some of the vulnerabilities lies in the fact that search engines have cropped up that specifically allow users to log in and view sleeping children through susceptible baby monitors.

Policy: The First Line of Defense 

As organizational security goes, the experts will tell you a policy around connected devices in the workplace isn’t the worst idea. In fact, it’s something you should probably consider.

In the days before everything was connected, security officials had to worry about data leaving secured facilities on a laptop or disk. Today, that game is exponentially different. 

Tony Sager, senior vice president of the Center for Internet Security (CIS) and former information assurance professional for the National Security Agency (NSA), said the ever-expanding IoT poses a challenge to security professionals. 

The inexpensive and abundant nature of connective technology has made embedding everyday things with sensors and Internet access almost irresistible for companies without a security-minded background. 

“It really costs you nothing, or almost nothing, extra to embed a lightbulb, a refrigerator, device, baby monitors, you know, everything being Internet accessible," he said. "The cost to do that is very negligible anymore and so, there this temptation to put everything online and that creates lots of problems."

Whereas it was once simpler to define security boundaries, Sager said the new realities of technology make boundaries fluid and subject to change. Additionally, he points to the consumer nature of many devices as a potential pain point.

“You can be pretty certain that the creators of the software and the engineering did not come up in the defense and security business,” he said. “They're doing things mass-market, inexpensive, so they come with lots of potential security problems. Their designs didn’t really anticipate the kinds of environments that they would be going into.”

Many of the devices jump between home, cell and work networks as they travel with the owner. This almost expected connectivity opens the potential for a connected device to become an attack mechanism if vulnerabilities are leveraged in the right environment.

“A lot of the stuff that’s going on under the hood that is designed to make things simple for us also hide what’s going on, by design,” Sager said. “From an intelligence perspective, if a target is carrying that technology, they are sort of carrying your attack system in with them.”

If Consumer Data is at Risk, so is Organizational Data

As consumers load up on the latest connected gadgets, the question of where data actually goes comes into play. The terms and conditions agreements are often skimmed — if read at all — and devices track our steps, our speech and, in some cases, even what we look like.

From the perspective of Shahid Buttar, director of Grassroots Advocacy at the Electronic Frontier Foundation, the future of government intelligence collection is bolstered by the prevalence of networked consumer devices.

But with the conveniences of these products, Buttar said it took many years before people began to realize that the ultra-convenient smartphone in their pocket was a potential tracking device with a wealth of personal information on it.

“It’s incredibly convenient to have a communications device in your pocket that you can use to surf the Internet, but people don’t think, for 10 years after they’ve become widespread that what we’ve essentially got in our pockets is a personal tracking device,” he said. “You can tell almost anything you want from someone’s smartphone.”

The explosion of smart televisions, gaming systems, connected thermostats and even refrigerators also pose data gathering implications for consumers and organizations. 

“Smart televisions create very similar problems as smartphones, because they can be two-way communications devices," Buttar said. "The Xbox Connect can basically map an array of a living room and monitor who comes through it at what time, and that’s incredibly sensitive data…”

In the workplace, he said policy and concern about potential data gathering and misuse are factors that must be taken into account. 

“I think it would make a great deal of sense for those agencies to promulgate policies to ensure that they are using Internet of Things devices [and] that they are not being used to collect information for example on government operations.” he said. “It’s not just the government that can misuse that data, any data anywhere is susceptible to being hacked.”

He said hacker and foreign intelligence agencies could try to leverage honeypots of data collected by IoT devices within homes and workplaces.

“A government agency CIO I would hope would be very concerned about the possibility that any data that the agency collects or is collected about the agency's operations through these devices could be susceptible not only to a hack by a hacker or a narco-trafficking syndicate, but also by the Mossad or Iranian [Ministry of Intelligence and Security]," Buttar said. "These are national security problems, as well as constitutional., and I would hope that the agencies get in front of it."

Stephen Miles, affiliate researcher with the Massachusetts Institute of Technology, agrees that there are risks associated with the gelatinous and widely defined Internet of Things, but he also points to the substantial benefits of its application.

In a hospital, for example, he points to radio frequency tracking devices as a means of keeping tabs on access to restricted areas, pharmaceutical cabinets, medical equipment and even patient vitals. The researcher also said the technology can help to spur efficiencies in industries like power production, where data from smart thermostats can provide analytical data about peak energy consumption.

“If we step back and look at industry at a whole, to the extent that as industries, as companies, as consumers we are all looking for smarter products, by definition that means we’re looking for new, better ways to connect and interact with things,” Miles said, adding that when we connect things, that brings a host of security challenges.

"To say on the one hand, are there security risks when you connect things? Yes. As we connect more and more of our infrastructure, are there risks? Yes. And are they challenging? Yes. And is it important? Yes, because somebody could take it down too. So you have to think through all of that."

As the technology evolves, Miles said security professionals will need to be aware of the potential implications on their organizations and develop policies that secure their data, but provide the right functional balance.

“We know and are aware that there are lots of vulnerabilities in these things," he said. "So there are tremendous security risks, so risk management and how we think about BYOD [bring your own device], that is all very important information to have policies around and a challenging area because it’s always evolving.”

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at