DHS Offers Its Unsolicited 'Help' In Securing The Internet Of Things

from the STANDING-BY-TO-TAKE-CREDIT-FOR-ACTIONS-OF-OTHERS dept

It’s generally agreed that the state of security for the Internet of Things runs from “abysmal” to “compromised during unboxing.” The government — despite no one asking it to — is offering to help out… somehow. DHS Assistant Secretary for Cyber Policy Robert Silvers spoke at the Internet of Things forum, offering up a pile of words that indicates Silvers is pretty cool with the “cyber” part of his title… but not all that strong on the “policy” part.

The industry, according to Silvers, is demanding that IoT security be tackled “from a DHS perspective,” meaning a focus on public safety. And then he damned other government departments’ efforts with faint praise.

“This is complex stuff, but it’s not going to be regulatory or over prescriptive, it’s not even going to be highly technical,” he argued. “What we’re going to be doing is drawing on the best approaches, pulling them together and elevating them to get the public’s attention.”

Shorter DHS: we’re going to take what the private sector and other government agencies have accomplished, print it out on a few pages of DHS letterhead, and call it good. All Silvers is promising is the DHS’s insertion into a crowded marketplace of vague ideas, many of them coming from other government agencies.

Even better, Silvers claimed the DHS’s intrusion into this overcrowded space won’t be “regulatory.” This statement arrived shortly before Silvers suggested regulation was on its way.

“We have a small and closing window of time to take decisive and effective action,” Silvers said, “the challenge of addressing IoT security is outweighed only by the greater challenge of patching, or building on the security of already deployed systems. While some of this may sound like common sense, it’s an undeniable fact that some companies are not being held accountable,” Silvers said.

“Companies not being held accountable” sounds like the sort of thing the government would feel compelled to fix with regulation. As Kieran McCarthy of The Register points out, the DHS seems mostly concerned with ensuring it’s cut in on the cybersecurity action.

The DHS’s current plan seems to be little more than shoving their foot in the door: Silvers could not give a timetable for the principles, or even a consultation plan. He didn’t highlight specific areas of concern, or point to the direction the DHS is expected to take.

Perpetually-increasing budgets are on the line here. Every agency wants a piece of the “cyber” pie, whether on the offensive or defensive side. The DHS is no different, even though its track record on cybersecurity is mostly terrible. (Its track record on “homeland” security isn’t that fantastic either…) Its Election Cybersecurity task force is composed of state politicians, rather than security experts. And the Government Accountability Office has previously noted the DHS has no plans in place to protect government buildings from cyberattacks on access and control points — despite having had nearly 15 years to do so.

In front of a group of professionals actually putting together best practices for the Internet of Things, the DHS has announced its willingness to coattail-ride its way into the cybersecurity future — one promising to be full of government intrusion and steady paychecks. And, like others in the government who feel the government should do nothing more than make demands of the private sector, Silvers encouraged the forum attendees to “nerd harder.” Or, at least, faster.

Silvers issued a call of action to attendees, urging them to “accelerate everything” they’re working on and tackle issues that pop up in cybersecurity in real time.

Thanks, bossman. There’s nothing security professionals like more than being told how to do their jobs by government agencies without coherent future plans or the ability to secure anything more than a pension.


Comments on “DHS Offers Its Unsolicited 'Help' In Securing The Internet Of Things”

40 Comments
TasMot (profile) says:

DHS - Let's do SOMETHING

From the excerpts it sounds like what he is going to require shortly is that in some way, IoT merchandise is going to need to be registered (and some small but perpetually increasing fee paid to DHS) before it can be offered for sale.

This will cover the cost of all of the time it takes DHS personnel to make PR announcements. After all, businesses have no vote, so if a new business tax is passed people tend to be happy because they don’t have to pay it (isn’t that a joke), so the new law gets passed and we end up paying the tax with higher prices for every product sold anyway.

AricTheRed says:

Re: DHS - Let's do SOMETHING

If this is not about taxes and fees, it’s about “Because SCARY!”

CFAA was a response to Wargames.

DHS and a bit of incoherent word salad inflatable-tubeman-arm-waving seems likely to be in response to…

Maximum Overdrive

Now that the IoT is a reality, with computerized self driving big-rigs and cars on the way too, WE NEED TO DO SOMETHING to prevent the wholesale slaughter of humans in preparation of the alien colonization of earth!

It is all very reasonable and sensible if you ask me.

Anonymous Coward says:

Re: Re: Can't be regulatory

The funny thing is, DHS was created as an umbrella agency specifically to prevent any overstepping. DHS is really supposed to be there to coordinate communication between the other TLAs, not to actually do anything itself. But nobody stays happy for long just being the messenger….

Anonymous Coward says:

Re: Re: Re: Can't be regulatory

The funny thing is, every agency oversteps.

The whole idea of the Government having a “prevention” is a farce told as a bedtime fairy tale for the fools that believe in big government.

What makes me sad is that Bush was a huge Big government politician despite fooling all the sheeple that “claimed” to be against such things. That and the fact that with the creation of the DHS Bush (and those that voted for it) pissed on the graves of EVERY fallen warrior that served the US until then.

I question the loyalty of ANY U.S. soldier that likes Bush.

The Wanderer (profile) says:

Re: Re: Re: Can't be regulatory

Amusingly enough, my understanding is that the NSA was similarly created to be a central coordination and analysis entity for the existing intelligence agencies – to take in, analyze, and (if and/or as suitable) disseminate the intelligence which the other agencies gather, and specifically not to do any intelligence-gathering of its own.

If that’s accurate, it seems fairly clear that they’ve diverged pretty far from that ideal… and it would seem unsurprising for the DHS to do the same.

That One Guy (profile) says:

"Let me help you with that. No no, no need to watch what I'm doing..."

Beyond trying to look like they’re ‘doing something’ by ‘helping’, my second (perhaps tin-foilish) thought was that they’re looking for exploits that they themselves can use or pass on to another agency to use.

At this point the gross incompetence the various government agencies have displayed in all things security would have me hesitating to trust them to secure a freakin’ lemonade stand. I imagine any company would (or should) be extremely hesitant to let the DHS or any other government anywhere near their code/products.

ECA (profile) says:

Too many

Too many chiefs and NO INDIANS..
Too many groups wanting to do something and it’s going to get SO BAD…
How many groups, agencies, Czars, Idiots have ANYTHING to do with this, or the knowledge to THINK they can do anything with this..

When the net went up it was interesting and you COULD find things..Now its like looking in the library to find porn..
There is so much BS out there, that its Scary and weird..

Anonymous Coward says:

Re: Too many

How many groups, agencies, Czars, Idiots have ANYTHING to do with this, or the knowledge to THINK they can do anything with this..

They all know that keeping the bad guys out is good, and keeping the government out is bad, and that is all the knowledge needed to tell businesses what they want. How to meet those demands is somebody else’s problem.

Anonymous Coward says:

Benefit of the doubt...

While I know everyone here seems to be railing against Robert Silvers for his speech, there is something they can do with a PDF. For example, I’m a network engineer, so I follow Cisco, Juniper, Mikrotik, Ubiquiti, Vyos, et al alerts for flaws pretty regularly. Now with the latest NSA releases that were very detrimental for security, does the average IT person know how to contact support to get the patches? For something like Mikrotik, Ubiquiti and Vyos, it’s rather easy since while maybe not open-source, they do publicly release patches. For Cisco, Juniper, Brocade, et al it’s definitely going to be a bit harder without a current support contract.

So for Cisco as an example, you can contact PSIRT: http://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html

For Juniper, I’m actually clueless as I’ve always had a J-Care agreement, but they do have a security incident response team, so I’m sure it’s something similar. For the vulnerabilities on ScreenOS just released though, I would assume they would tell you to trash it since it’s probably EOL.

HegemonicDistortion says:

Accountable

If the government wants companies to be held accountable for their security lapses, then make them financially liable to their customers for breaches.

Stupidly, our “cyber protection” law that got rolled into the omnibus budget bill last year provides for some civil immunity if companies share data about breaches with DHS, which will only make security even less important to companies.

Anonymous Coward says:

Re: Accountable

“If the government wants companies to be held accountable for their security lapses, then make them financially liable to their customers for breaches.”

That makes absolutely no sense… So grandma can sue the WordPress Foundation, because she didn’t update her site’s source code or used the wonderful password of “password”. Most companies actually do respond to vulnerabilities when alerted, of course not all, but read up on Full Disclosure and I’m sure it’s more patched than shamed.

Anonymous Coward says:

Re: Re: Re: Accountable

Holding companies responsible for the fault of end-users lacking security policies is bound to end up as a disaster. Looking at a quick Shodan search and using default passwords on just about anything from software packages to IoT products shows this is literally unenforceable. Another search for outdated software installs will lead to pretty much the same conclusion.

orbitalinsertion (profile) says:

Well. Companies should be held accountable, and in some way better than attempted civil litigation. Not that the DHS should be within 20 AU of any such thing. And who knows why he is addressing security experts with this. Maybe fair warning the DHS might do something else idiotic in their space. He should be addressing the companies with the slapdash product “innovation”. Just like the security experts have been doing since… forever.

Anonymous Coward says:

“This is complex stuff, but it’s not going to be regulatory or over prescriptive, it’s not even going to be highly technical,” he argued. “What we’re going to be doing is drawing on the best approaches, pulling them together and elevating them to get the public’s attention.”

Wow … really complex stuff huh.
Get my attention you say, I have no IOT – now go away.

Personanongrata says:

DHS Boondoggle of the Century

And the Government Accountability Office has previously noted the DHS has no plans in place to protect government buildings from cyberattacks on access and control points — despite having had nearly 15 years to do so.

What else would you expect from a boondoggle (DHS) that has squandered billions of dollars in the renovation of a defunct insane asylum as its headquarters (a project that will not be completed until 2020 something)?

https://www.washingtonpost.com/politics/planned-homeland-security-headquarters-long-delayed-and-over-budget-now-in-doubt/2014/05/20/d0df2580-dc42-11e3-8009-71de85b9c527_story.html

Anonymous Coward says:

Re: DHS Boondoggle of the Century

But they have Powerpoint and therefore they are going to use it, okay? Because everyone knows Powerpoint slides make an average pay-grade bureaucrat into a thought-leader, okay! Add a black t-shirt, a slimmed-down gut (just breathe in if necessary), a Ted talk and book deal, and any government servant previously demeaned and treated as laughable is now so cool it just hurts.
