The proliferation of devices on the Internet is becoming a tidal wave. In addition to your phone, computer, video game console and television, the Internet now connects practically everything that has electronics and sensors: household appliances, heating and air conditioning systems, cars, airplanes, ships, industrial robots, public utilities, home security systems, children’s toys and medical devices. By 2025, it is estimated that there will be at least 75 billion connected devices in what is being called the “Internet of Things” (IOT). With advances in microprocessors, sensing devices and software, pretty soon anything that can be connected will be connected.
It should come as no surprise that the IOT has extended to government networks, particularly those operated by the Department of Defense (DoD). At DoD, everything from motors to battlefield sensors to door access readers may come with a network connection that is required for it to perform its assigned task. In addition to this mission-supporting equipment, DoD also has a litany of consumer devices running on its networks, from printers to video monitors and cameras to refrigerators. These devices are continually communicating with one another, as well as with higher headquarters all the way back to the Pentagon. The result is what some observers call the “Internet of Battlefield Things” (IOBT). There is a general consensus among experts that the military which first creates the IOBT will gain a decisive advantage over its competitors.
While the evolution of the Internet into the IOT and IOBT are generally positive developments, with their arrival comes a major cybersecurity challenge. Simply put, the more devices there are on a network, the greater the potential chance that an adversary will be able to achieve a penetration. There has been no shortage of news stories about how our adversaries seek to penetrate U.S. critical infrastructure, including our power grid, government networks and elections systems. In many instances, hackers look for easy avenues for accessing our networks through connected devices. In 2016, it was discovered that implantable cardiac devices used by St. Jude’s Hospital were vulnerable to hacking. Baby monitors have proven remarkably vulnerable to hacking.
This Nation’s adversaries are aggressively trying to penetrate the networks, systems and even individual weapons of the DoD. An increasing amount of critical, classified information is generated by the mass of devices on the network. Recently, the military found out that the movements of troops could be compromised by accessing the fitness trackers many personnel were wearing. As more and more devices are added to the IOBT—with or without permission, the risk of penetration and the compromising of critical classified information goes up.
The exponential growth of the IOT and IOBT is creating new vulnerabilities to cyber attacks at an alarming rate. Compromised IOT/IOBT devices are increasingly the “easy” way for attackers to get a foothold inside an organization’s network. Today, a device is usually “whitelisted” onto the network, which means it is identified as “trusted.” But that trusted device can then be used to execute commands inside of your firewall, which can help hackers perform reconnaissance and, perhaps ultimately, get to other higher value parts of a network. In addition, many unauthorized or unrecorded devices are being added to a network, thereby increasing the chances for penetration. Adversaries can attack vulnerable devices not only to get to sensitive information, but to physically compromise parts of your system that you depend on, say, in a time of war. As the IOT/IOBT grows, so does the problem of device vulnerability.
What is the DoD doing about this growing vulnerability? Seven years ago, the DoD created Comply to Connect (C2C) as a way to secure its growing array of network endpoints. C2C is a formal system for 1) identifying and validating new devices that are connected to a network; 2) evaluating their compliance with DoD security policies; 3) conducting continuous monitoring of these devices, and; 4) automatically addressing device issues, thereby reducing the need for maintaining cyber hygiene on cybersecurity administrators.
The C2C approach combines existing cybersecurity technologies with newer technologies to deal with the changing nature of DoD’s network architecture. The core tenet of C2C is understanding what devices and people are connecting to DoD networks and what their security posture is. With this knowledge, commanders can make informed risk decisions about these connections, and automatically control them based on security policies. C2C also provides DoD a way to continuously monitor the state of networks and devices—computing and non-computing networked devices—with a high degree of fidelity. The information yielded by C2C will feed into a centralized console that will provide these leaders full situational awareness of major areas of risk, which will, in turn, inform policy setting and resource allocation.
Without C2C, the DoD won’t know how many printers, industrial controllers or refrigerators it has on its networks. It won’t know where its Windows patch management tools have stopped working. It won’t know whether Kaspersky and Huawei-made equipment have been removed from systems, as mandated by Congress. It won’t have a way to funnel network information to leadership for decisionmaking. Lacking these fundamental capabilities, DoD will not be able to meet the basic responsibilities of securing its networks.
The U.S. Congress has twice in recent years directed DoD to move forward with implementing the C2C capability. While the U.S. Marine Corps and U.S. Navy, as well as a few other DoD components, have moved forward with implementation of this program, most of DoD has not. Congress needs to be relentless in asking DoD when it plans to fully implement C2C to secure its systems and networks against increasingly sophisticated cyber adversaries.
Daniel Gouré, Ph.D., is a vice president at the public-policy research think tank Lexington Institute. Goure has a background in the public sector and U.S. federal government, most recently serving as a member of the 2001 Department of Defense Transition Team. You can follow him on Twitter at @dgoure and the Lexington Institute @LexNextDC. Read his full bio here.