Page 37 - FCW, Nov/Dec 2017
DOD risks ‘rogue’ apps under current IoT policy
Although the Defense Department has identified many security risks associated with the internet of things and developed policies to address them, the Government Accountability Office said the current rules do not go far enough.
DOD has categorized IoT risks as operational or device-related. “Rogue” mobile applications used for malicious purposes and devices that can geotag are considered to come with operational risks, while issues such as unpatched software, limited encryption and supply chain threats represent device-based risks.
In a new report, GAO concludes that although DOD has provided guidance for many portable connected devices, “these policies and guidance do not clearly address some security risks relating to IoT devices.”
The report also notes that there is no single office at DOD that is focused on IoT security.
In reply comments, then-acting DOD CIO John Zangardi, who is now CIO of the Department of Homeland Security, said an ongoing review of the relevant policies was nearing completion.
— Ben Berliner
making their way onto home, factory and city networks, which could expose their users to security vulnerabilities. The National Institute of Standards and Technology is working with the Department of Homeland Security to develop an engineering framework to enhance the cybersecurity resilience of IoT devices.
However, Brian Done, deputy CTO at DHS’ Office of Cybersecurity and Communications, said more work is necessary to secure current devices. Although some companies are trying to address concerns related to possible attacks on their IoT devices, he said their efforts do not come close to alleviating the concerns of DHS officials.
— Sara Friedman
Will warning labels shield users against insecure IoT?
Two Democratic lawmakers are backing new cybersecurity standards for the internet of things that would include a framework for identifying and labeling products.
In October, Rep. Ted Lieu (D-Calif.) and Sen. Ed Markey (D-Mass.) introduced the Cyber Shield Act, which would empower the Commerce Department’s secretary to create a program for grading and certifying the cybersecurity and data security of products that connect to the internet.
It would also establish an advisory committee composed of industry representatives, cybersecurity experts and federal employees to recommend new standards and guidelines for IoT security.
“The government and tech companies share an obligation to develop more transparency around the security of our favorite devices,” Lieu said in a statement.
According to IT research firm Gartner, by 2020 there will be more than 20 billion devices, products and other “things” connected to the internet worldwide. That potential reality has policymakers scrambling to determine how best to regulate IoT devices while preventing hackers from using their collective computing power to wreak havoc on public and private networks.