DHS Offers Its Unsolicited 'Help' In Securing The Internet Of Things

from the STANDING-BY-TO-TAKE-CREDIT-FOR-ACTIONS-OF-OTHERS dept

It's generally agreed that the state of security for the Internet of Things runs from "abysmal" to "compromised during unboxing." The government -- despite no one asking it to -- is offering to help out… somehow. DHS Assistant Secretary for Cyber Policy Robert Silvers spoke at the Security of Things Forum, offering up a pile of words that indicates Silvers is pretty cool with the "cyber" part of his title... but not all that strong on the "policy" part.

The industry, according to Silvers, is demanding that IoT security be tackled "from a DHS perspective," meaning a focus on public safety. He then damned other government departments' efforts with faint praise.

"This is complex stuff, but it's not going to be regulatory or over prescriptive, it's not even going to be highly technical," he argued. "What we're going to be doing is drawing on the best approaches, pulling them together and elevating them to get the public's attention."

Shorter DHS: we're going to take what the private sector and other government agencies have accomplished, print it out on a few pages of DHS letterhead, and call it good. All Silvers is promising is the DHS's insertion into a crowded marketplace of vague ideas, many of them coming from other government agencies.

Even better, Silvers claimed the DHS's intrusion into this overcrowded space won't be "regulatory." This statement arrived shortly before Silvers suggested regulation was on its way.

“We have a small and closing window of time to take decisive and effective action,” Silvers said, “the challenge of addressing IoT security is outweighed only by the greater challenge of patching, or building on the security of already deployed systems. While some of this may sound like common sense, it’s an undeniable fact that some companies are not being held accountable,” Silvers said.

"Companies not being held accountable" sounds like the sort of thing the government would feel compelled to fix with regulation. As Kieren McCarthy of The Register points out, the DHS seems mostly concerned with ensuring it's cut in on the cybersecurity action.

The DHS's current plan seems to be little more than getting its foot in the door: Silvers could not give a timetable for the principles, or even a consultation plan. He didn't highlight specific areas of concern, or point to the direction the DHS is expected to take.

Perpetually-increasing budgets are on the line here. Every agency wants a piece of the "cyber" pie, whether on the offensive or defensive side. The DHS is no different, even though its track record on cybersecurity is mostly terrible. (Its track record on "homeland" security isn't that fantastic either…) Its Election Cybersecurity task force is composed of state politicians, rather than security experts. And the Government Accountability Office has previously noted the DHS has no plans in place to protect government buildings from cyberattacks on access and control points -- despite having had nearly 15 years to do so.

In front of a group of professionals actually putting together best practices for the Internet of Things, the DHS has announced its willingness to coattail-ride its way into the cybersecurity future -- one promising to be full of government intrusion and steady paychecks. And, like others in the government who feel the government should do nothing more than make demands of the private sector, Silvers encouraged the forum attendees to "nerd harder." Or, at least, faster.

Silvers issued a call to action to attendees, urging them to “accelerate everything” they’re working on and tackle issues that pop up in cybersecurity in real time.

Thanks, bossman. There's nothing security professionals like more than being told how to do their jobs by government agencies without coherent future plans or the ability to secure anything more than a pension.


Reader Comments



  • Anonymous Coward, 26 Sep 2016 @ 1:19pm

    Knock knock. It's the government

    We're from the Government and we're here to help!


  • TasMot (profile), 26 Sep 2016 @ 1:26pm

    DHS - Let's do SOMETHING

    From the excerpts it sounds like what he is going to require shortly is that in some way, IoT merchandise is going to need to be registered (and some small but perpetually increasing fee paid to DHS) before it can be offered for sale.

    This will cover the cost of all of the time it takes DHS personnel to make PR announcements. After all, businesses have no vote, so if a new business tax is passed people tend to be happy because they don't have to pay it (isn't that a joke), so the new law gets passed and we end up paying the tax with higher prices for every product sold anyway.


    • AricTheRed (profile), 26 Sep 2016 @ 2:52pm

      Re: DHS - Let's do SOMETHING

      If this is not about taxes and fees, it's about "Because SCARY!"

      CFAA was a response to Wargames.

      DHS and a bit of incoherent word salad inflatable-tubeman-arm-waving seems likely to be in response to...

      Maximum Overdrive

      Now that the IoT is a reality, with computerized self driving big-rigs and cars on the way too, WE NEED TO DO SOMETHING to prevent the wholesale slaughter of humans in preparation of the alien colonization of earth!

      It is all very reasonable and sensible if you ask me.


    • spodula, 27 Sep 2016 @ 12:42am

      Re: DHS - Let's do SOMETHING

      well SOMEONE needs to do something. Even a name and shame would be good at this point!

      As for them wanting a slice of the Cybersecurity action, go for it, 'cos there doesn't seem to be ANY Cybersecurity action in this space at the moment.

      It may spur people who actually know what they're doing to take an interest.


  • Anonymous Coward, 26 Sep 2016 @ 1:38pm

    Yet another agency desperate to make themselves look like they have a purpose. The NYPD will be showing up soon to point out how much they can do also.


  • Anonymous Anonymous Coward (profile), 26 Sep 2016 @ 2:01pm

    Can't be regulatory

    Simply because DHS has absolutely NO regulatory authority. That remains with the Legislature. They might have some rule making ability, but it remains to be seen if they can concoct a Constitutional rule, or if anyone will listen.


    • Norahc, 26 Sep 2016 @ 2:46pm

      Re: Can't be regulatory

      Since when has a rule, law (or lack thereof), or even the Constitution ever stopped a government agency looking to increase its fiefdom or budget?


      • Anonymous Coward, 26 Sep 2016 @ 2:55pm

        Re: Re: Can't be regulatory

        The funny thing is, DHS was created as an umbrella agency specifically to prevent any overstepping. DHS is really supposed to be there to coordinate communication between the other TLAs, not to actually do anything itself. But nobody stays happy for long just being the messenger....


        • Anonymous Coward, 27 Sep 2016 @ 6:00am

          Re: Re: Re: Can't be regulatory

          The funny thing is, every agency oversteps.

          The whole idea of the Government having a "prevention" is a farce told as a bed time fairy tale for the fools that believe in big government.

          What makes me sad is that Bush was a huge Big government politician despite fooling all the sheeple that "claimed" to be against such things. That and the fact that with the creation of the DHS Bush (and those that voted for it) pissed on the graves of EVERY fallen warrior that served the US until then.

          I question the loyalty of ANY U.S. soldier that likes Bush.


        • The Wanderer (profile), 28 Sep 2016 @ 6:57am

          Re: Re: Re: Can't be regulatory

          Amusingly enough, my understanding is that the NSA was similarly created to be a central coordination and analysis entity for the existing intelligence agencies - to take in, analyze, and (if and/or as suitable) disseminate the intelligence which the other agencies gather, and specifically not to do any intelligence-gathering of its own.

          If that's accurate, it seems fairly clear that they've diverged pretty far from that ideal... and it would seem unsurprising for the DHS to do the same.


  • That One Guy (profile), 26 Sep 2016 @ 2:07pm

    "Let me help you with that. No no, no need to watch what I'm doing..."

    Beyond trying to look like they're 'doing something' by 'helping', my second (perhaps tin-foilish) thought was that they're looking for exploits that they themselves can use or pass on to another agency to use.

    At this point the gross incompetence the various government agencies have displayed in all things security would have me hesitating to trust them to secure a freakin' lemonade stand, I imagine any company would(or should) be extremely hesitant to let the DHS or any other government anywhere near their code/products.


  • ECA (profile), 26 Sep 2016 @ 2:17pm

    Too many

    Too many chiefs and NO INDIANS..
    Too many groups wanting to do something and its going to get SO BAD...
    How many groups, agencies, Czars, Idiots have ANYTHING to do with this, or the knowledge to THINK they can do anything with this..

    When the net went up it was interesting and you COULD find things..Now its like looking in the library to find porn..
    There is so much BS out there, that its Scary and weird..


    • Anonymous Coward, 26 Sep 2016 @ 2:52pm

      Re: Too many

      How many groups, agencies, Czars, Idiots have ANYTHING to do with this, or the knowledge to THINK they can do anything with this..

      They all know that keeping the bad guys out is good, and keeping the government out is bad, and that is all the knowledge needed to tell businesses what they want. How to meet those demands is somebody else's problem.


  • Stan (profile), 26 Sep 2016 @ 2:49pm

    Robert Silvers - champion of internet security

    I feel very optimistic about this. For one thing, I'm sure that Robert Silvers will, at any moment, march over to the NSA armed with a subpoena for the treasure chest of zero-day exploits that are the biggest threat to the USA's internet security. Are you marching yet, Robert?


  • Mark Wing, 26 Sep 2016 @ 3:04pm

    "I trust the government to help me with internet security" said no one ever.


  • Anonymous Coward, 26 Sep 2016 @ 3:25pm

    Benefit of the the doubt...

    While I know everyone here seems to be railing against Robert Silvers for his speech, there is something they can do with a PDF. For example, I'm a network engineer, so I follow Cisco, Juniper, Mikrotik, Ubiquiti, Vyos, et al alerts for flaws pretty regularly. Now with the latest NSA releases that were very detrimental for security, does the average IT person know how to contact support to get the patches? For something like Mikrotik, Ubiquiti and Vyos, it's rather easy since while maybe not open-source, they do publicly release patches. For Cisco, Juniper, Brocade, et al it's definitely going to be a bit harder without a current support contract.

    So for Cisco as an example, you can contact PSIRT: http://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html

    For Juniper, I'm actually clueless as I've always had a J-Care agreement, but they do have a security incident response team, so I'm sure it's something similar. For the vulnerabilities on ScreenOS just released though, I would assume they would tell you to trash it since it's probably EOL.


  • Another Anonymous Coward, 26 Sep 2016 @ 3:27pm

    Well, there you go, then

    Glad to know that the DHS is going to bureaucrat harder.


  • HegemonicDistortion (profile), 26 Sep 2016 @ 3:28pm

    Accountable

    If the government wants companies to be held accountable for their security lapses, then make them financially liable to their customers for breaches.

    Stupidly, our "cyber protection" law that got rolled into the omnibus budget bill last year provides for some civil immunity if companies share data about breaches with DHS, which will only make security even less important to companies.


    • Anonymous Coward, 26 Sep 2016 @ 3:41pm

      Re: Accountable

      "If the government wants companies to be held accountable for their security lapses, then make them financially liable to their customers for breaches."

      That makes absolutely no sense... So grandma can sue the Wordpress Foundation, because she didn't update her site's source code or used the wonderful password of "password". Most companies actually do respond to vulnerabilities when alerted, of course not all, but read up on Full Disclosure and I'm sure it's more patched than shamed.


      • Anonymous Coward, 27 Sep 2016 @ 5:12am

        Re: Re: Accountable

        Not sure what your point was, but if Granny is unable to successfully run her business, IOT related or not, then it will probably fail - how is this the fault of any software she may have been using and why should patrons be left holding the bag when it does?


        • Anonymous Coward, 27 Sep 2016 @ 6:55am

          Re: Re: Re: Accountable

          Holding companies responsible for the fault of end-users lacking security policies is bound to end up as a disaster. Looking at a quick Shodan search and using default passwords on just about anything from software packages to IoT products shows this is literally unenforceable. Another search for outdated software installs will lead to pretty much the same conclusion.


    • Terry Cyberist, 28 Sep 2016 @ 4:20am

      Re: Accountable

      There must be one of those vague open-ended computer laws which could be used against companies selling insecure devices or refusing to fix them.

      If only there was the same will to go after them as there is to go after lone hackers. Which one causes more damage?


  • orbitalinsertion (profile), 26 Sep 2016 @ 3:42pm

    Well. Companies should be held accountable, and in some way better than attempted civil litigation. Not that the DHS should be within 20AU of any such thing. And who knows why he is addressing security experts with this. Maybe fair warning the DHS might do something else idiotic in their space. He should be addressing the companies with the slapdash product "innovation". Just like the security experts have been doing since... forever.


  • Anonymous Coward, 26 Sep 2016 @ 3:46pm

    Most likely result of DHS involvement

    Backdoors in every possible IoT device enabling surveillance and control.


  • David (profile), 26 Sep 2016 @ 4:20pm

    The public wants to know.

    Will IoT users have to remove their shoes?


  • Anonymous Coward, 26 Sep 2016 @ 4:51pm

    "This is complex stuff, but it's not going to be regulatory or over prescriptive, it's not even going to be highly technical," he argued. "What we're going to be doing is drawing on the best approaches, pulling them together and elevating them to get the public's attention."

    Wow ... really complex stuff huh.
    Get my attention you say, I have no IOT - now go away.


  • Personanongrata, 26 Sep 2016 @ 5:46pm

    DHS Boondoggle of the Century

    And the Government Accountability Office has previously noted the DHS has no plans in place to protect government buildings from cyberattacks on access and control points -- despite having had nearly 15 years to do so.

    What else would you expect from a boondoggle (DHS) that has squandered billions of dollars in the renovation of a defunct insane asylum as its headquarters (a project that will not be completed until 2020 something)?

    https://www.washingtonpost.com/politics/planned-homeland-security-headquarters-long-delayed-and-over-budget-now-in-doubt/2014/05/20/d0df2580-dc42-11e3-8009-71de85b9c527_story.html


    • Anonymous Coward, 26 Sep 2016 @ 6:34pm

      Re: DHS Boondoggle of the Century

      But they have Powerpoint and therefore they are going to use it, okay? Because everyone knows Powerpoint slides make an average pay-grade bureaucrat into a thought-leader, okay! Add a black t-shirt, a slimmed-down gut (just breathe in if necessary), a Ted talk and book deal, and any government servant previously demeaned and treated as laughable is now so cool it just hurts.


  • Anonymous Coward, 26 Sep 2016 @ 7:32pm

    Be interesting to see if the DHS offers 'criminal' suggestions such as using encryption and strong passwords. If not, it'll be interesting to see how they advise security without those two fundamentals.


  • Padpaw (profile), 26 Sep 2016 @ 10:30pm

    blame travels down, credit travels up


  • Anonymous Coward, 27 Sep 2016 @ 1:47am

    Gee thanks but maybe you guys should seriously figure out how to secure your own shit first and actually alert companies immediately about vulnerabilities instead of hoarding them so you can exploit them for years before sticking your nose in telling other people how to (not)secure things.


  • Yes, I know I'm commenting anonymously, 27 Sep 2016 @ 4:00am

    Origins?

    This sounds exactly like a `fiber to the Press Release'.
    So... What were Mr. Silvers' previous jobs?


  • Anonymous Coward, 27 Sep 2016 @ 7:59am

    Hum... Will DHS audit free software?


  • Paul Roberts, 28 Sep 2016 @ 8:26pm

    Got the conference name wrong!

    Just FYI: The conference was The Security of Things Forum, not The Internet of Things Forum.


  • walter carroll, 16 Nov 2016 @ 11:00am

    I've started writing this comment several times and each time I have realized that I am writing the opening chapter of a book. The gist of it is that developers AND marketers are feeding this monster of a population that believes technology is capable of handling all things, and if it's not, it will be shortly.


