Robert Metzger is a shareholder at law firm Rogers Joseph O'Donnell PC, where he's a member of the Government Contracts Practice Group and head of the Washington, D.C. office.
Widely promoted, the Internet of Things is coming to the federal landscape. Advocates promise a veritable “new age” of efficiency. Skeptics see it as one more avenue for hacking into federal systems. But actually, the risks don't end there.
It's true that proliferation of connected devices supposedly will enable government to better accomplish existing tasks and achieve new, adaptive and responsive functionality. Of course, the IoT also connotes an enormous prospective market for providers at every level of the IoT “stack” – applications, devices and platforms, sensors, transport (connectivity), analytics and infrastructure.
But a number of federal agencies already are concerned about cyber vulnerability and the IoT. There are important privacy interests to protect as information is created, obtained, used or transmitted in the operation of the IoT. And some agencies are concerned that the IOT brings new risks to the reliability of consumer devices, such has medical equipment, or automobiles.
This blog, however, looks at IOT from the perspective of national defense and critical infrastructure. The IoT presents new “cyber/physical” risks that merit the attention of policy makers, regulators and private industry.
First, let’s calibrate relevant definitions. IDC, a consulting organization, defines the “IOT as a network of network of uniquely identifiable endpoints (or “things”) that communicate without human interaction using IP connectivity. NIST, in its draft framework for cyber-physical systems, released this September, defines cyber-physical systems as smart systems that include engineered interactive, interconnected and integrated networks.
The crucial overlap of these definitions is this: cyberattacks upon the IoT can produce adverse consequence upon physical systems that are IOT endpoints. Those consequences can include loss of functionality at the device, unit, system or platform, to the extent that the “mode” of failure moves upstream from the endpoint. Applying FIPS 199 nomenclature, cyberattacks upon IoT put at risk each of confidentiality, integrity and availability. Potential attack surfaces multiply as a function of the connectivity upon which the entire IoT “stack” depends. Conceivably, adversaries can attack complex systems by subversion or manipulation of firmware, embedded code or addressable software at the device level. An adversary, for illustration, could find a latent vulnerability in the operating code for a legacy electronic device and exploit that vulnerability by insertion of malicious code. In turn, and perhaps at the time of the adversary’s choosing, the tainted code could be used to exfiltrate information from host infrastructure, or to damage, disrupt or even deny service of connected devices and sponsoring systems.
If we accept cyber/physical risk in the IoT, let’s characterize the threat as this: an adversary may exploit cyber-active devices or the means by which these are connected to or managed by infrastructure to deny, disrupt or impair the functionality of defense systems and critical national infrastructure.
This prompts a question, for federal policy-makers to consider: How well do current federal government initiatives assure that that this threat is being addressed by the industrial base for defense and critical infrastructure?
The answer is – not well.
The Department of Defense has accomplished the most. But, as affects its contractors, DoD measures focus on counterfeit electronic parts, which could cause system failure, and the “cyber” threat to sensitive but unclassified federal information used, hosted or transmitted on contractor information systems. Neither DoD (nor any other federal agency) have used their acquisition authority to improve assessment of cyber/physical risks and today there are no generally applied or available contractual measures that impose proactive obligations on the industrial base to act on those risks.