Whether you know it or not, the Internet of Things (IoT) is becoming an increasingly important part of our government and society. IoT involves any device or sensor that is connected to the internet directly or indirectly, including smartphones, smartwatches, and thermometers. These devices are becoming more prevalent in society, but there are significant challenges in securing them and the data they collect.
To understand how government can maximize the benefits and prepare for new challenges with IoT, GovLoop and Brocade gathered cybersecurity experts from inside and outside of the public sector for a roundtable discussion on “The Internet of Things…or Threats?” The discussion was led by William Cerniuk, Technology Director at the Veterans Health Administration, and Judson Walker Jr., Engineering Director at Brocade Federal, who offered advice for examining IoT devices, implementation strategies, and security policies.
First, Cerniuk and Walker agreed that agencies need to determine what information is collected by IoT devices and sensors and how that data can help government employees advance their missions. This will help agency leaders and IT specialists get a better understanding of which devices and data need to be secured. For Cerniuk, the VA has been working to implement a system to track what medical devices are in the field so that they can bring health care to veterans anywhere in the country, but the downside to connectivity is that the data can be hacked at any time.
Meanwhile, Walker has seen how soldiers now have sensors all over them to help them adjust to situations or missions in the field, but he also recognized that securing the data from these devices is a huge challenge. Walker added that agencies need to have a better awareness of what data is collected from these devices, not just on the front end where users can find and analyze data, but also on the back end where it is stored and connected to global vulnerabilities.
Second, agencies should focus on the best form of security for all IoT devices because, as Cerniuk noted, “These devices need to be hard to break into but easy to use.” That means that the devices need to be easy for users to understand and access, but they might not be able to use firewalls or slow software for security. Walker added that the conversation around how to secure a piece of information should happen at the beginning of the process to ensure that the data is protected from point A to point B.
“It’s about managing risk and understanding what you want to secure because even though you may not care about one singular piece of data, that may lead to access of something bigger,” Walker said. A holistic and diversified approach to securing data should be used whether you are trying to protect something as important as medical records or something as minor as water temperatures, because any type of hack can corrupt trust in your data or allow it to be used for malicious purposes.
Lastly, agencies should set standard policies for the use, privacy, and security of IoT devices and data. At the VA, Cerniuk has instituted a policy that puts veterans in control of the data. Patients must give consent to have their medical records and data released to other doctors, and by controlling access, veterans are given a better sense of privacy about their data.
Walker spoke about how IT leaders need to set realistic expectations about policies because once they are in place, they are difficult to change or roll back. Also, the policies should be easy to implement, dynamic, and based on agency risk assessments because they will likely be applied to thousands of IoT devices across the agency.
If agencies determine the information they have collected and need to collect, focus on a holistic approach to securing devices, and set baseline policies for privacy and security, then they can reap the benefits of IoT devices while maintaining their security. IoT devices and sensors can then be safely used to modernize government and advance agency missions.