In March 2018 the Government Accountability Office (GAO) issued a report on the United States Department of Defense (DoD) titled Enhanced Assessment and Guidance are Needed to Address Security Risks in DoD. Two months later, on May 15th, the Department of Homeland Security (DHS) released a cybersecurity guidelines document of its own, titled US Department of Homeland Security Cybersecurity Strategy.
What the Guidelines Provide For
Its stated mission is to improve national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure by 2023. Homeland Security aims to reduce illicit cyber activity, improve its response to cyber incidents, and foster a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other government entities.
The strategy gives Homeland Security a framework for carrying out its cybersecurity responsibilities over the next five years while keeping pace with the evolving cyber risk landscape. The Department intends to do this by reducing vulnerabilities and building resilience, countering malicious actors in cyberspace, responding to incidents, and making the ecosystem as a whole more secure and resilient.
The strategy's guiding principles are risk prioritization, cost-effectiveness, innovation and agility, collaboration, a global approach, balanced equities, and national values.
John Grimm of Thales e-Security has written that countless devices lack basic security because neither sellers nor buyers are motivated to prioritize it. There are, however, organizations serving industrial and enterprise markets that are motivated to build security into their connected devices. These organizations are looking for clear, actionable guidance, along with accessible tools and resources, to shorten the development curve and make it easier to implement best practices.
Grimm believes DHS can have an impact in this area, because much of today's critical infrastructure was not designed for today's threat environment. On the consumer side, waiting for market dynamics to shift in favor of security will take too long; fast and direct action is required.
The DHS strategy identifies encryption as a challenge to law enforcement, but it does not acknowledge the critical role encryption plays in protecting citizens' sensitive personal information, intellectual property, and financial data. If clear minimum security standards were defined and widely understood, users would also have a basis for treating any device that does not meet them as untrusted by default.
DHS is in a position to encourage and facilitate greater awareness across industry. Organizations can work together, without compromising competition, to collectively improve incident preparedness and incident response. Initiatives such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Automotive Information Sharing and Analysis Center (Auto-ISAC) already encourage this kind of collaboration in the financial services and automotive industries. The DHS strategy has noble aspirations around awareness and collaboration, but they will be meaningless without action. Secretary of Homeland Security Kirstjen Nielsen said at the RSA conference in April that “the bad guys are crowdsourcing their attacks, so we need to crowdsource our response.”
The Bottom Line
With DHS joining the DoD and the European Union in publishing IoT security guidance, there are signs that more government agencies are beginning to take cybersecurity seriously. The DHS guidelines address a number of important areas, including improving the cybersecurity of IoT products and defining minimum standards that all products should meet. Now it is up to IoT device manufacturers to play ball.