May 17, 2018


Mobile Security at the Center of Federal Internet of Things (IoT)


In August 2017, U.S. Sens. Steve Daines, Cory Gardner, Mark Warner, and Ron Wyden introduced the "Internet of Things Cybersecurity Improvement Act of 2017" to ensure that vendors selling IoT devices to the U.S. government meet certain cybersecurity standards.

The legislation requires that IoT manufacturers no longer have default passwords that are searchable on the Internet, bars vendors from selling products with known vulnerabilities to the government, and stipulates comprehensive patching updates.
In our meetings with all of the Senators sponsoring this legislation, each lawmaker recognized that mobile is a core component of all federal IoT efforts - although it's not explicitly referenced in the proposed bill.

Today's mobile devices are packed with sensors and systems that help seamlessly communicate with other devices, which include emerging IoT devices. For example, we are now seeing smartphones control smart homes, and in the federal arena, this type of IoT connectedness through mobile further reinforces the need for sound mobile security strategies. From the GSA's Smart Building initiative to government vehicle fleet management to advanced smart grid systems in many cities, mobile devices are the foundation for managing these connected efforts - yet come with inherent vulnerabilities.

Malicious actors have already staged some very well-known IoT breaches, which include the Mirai botnet, a DDoS attack that knocked out the building/climate controls system in Finland, and a breach at one unnamed university that compromised 5,000 IoT devices.

When you add mobile to the equation, IoT attacks have the means of becoming more prevalent in the future. In fact, according to a recent survey from Lookout of 200 government IT and cybersecurity specialists, 60.5 percent of government agencies reported they had experienced a security incident involving a mobile device. In addition, Lookout found that 50 out of 1,000 Android devices will encounter an app-based threat like Trojan malware every quarter. These threats include trojans, spyware, phishing attacks, and more, which could all compromise sensitive government data and negatively impact mission effectiveness.

In the government arena, mobile devices contain a wide range of personal and work data, and can easily become a platform for hackers to control microphones for listening to private conversations and to take photos of the surrounding areas.

In addition, while the recent IoT security legislation does not directly mention mobility, the National Institute of Standards and Technology (NIST) addresses it in its recent interagency report. To prevent future attacks, the report points to a need for a standardized set of cybersecurity requirements to protect IoT devices - from smart cars to the energy-efficiency sensors in the General Services Administration headquarters building.

With regard to mobility, the report states that connected vehicles must be protected from threats that may occur through a mobile device. It also highlights a number of standards that tie into mobile security, which include identity and access management, network security, and software assurance. This is a sound start when it comes to providing federal IoT security recommendations.

With mobile being a critical element of IoT, there is still much more that needs to be done from a security perspective. We are only beginning to address an issue that is making our world of ubiquitous connected devices a playground for malicious actors looking to inflict damage.