THE NDAA BAN IS JUST THE TIP OF THE ICEBERG

Robert McNutt | September 16, 2019

As of August 13, U.S. government departments should have identified and removed from their networks the devices produced by the five manufacturers named in the ban.

It’s a big undertaking that is the result of a ban imposed by the Fiscal 2019 National Defense Authorization Act (NDAA), which stipulated that federal agencies should not purchase these devices due to security concerns.

Now that the ban deadline has come and gone, we have a bigger question on our hands: what else is attached to our government networks? Cameras are just the tip of the iceberg. There are more than 750 different types of devices connecting to government networks in the Americas today, according to Forescout Device Cloud data. These include VoIP phones, medical devices, printers, other brands of connected cameras, and much, much more.

The NDAA law puts the focus on these particular Chinese-made cameras, but in reality, all types of Internet of Things devices, regardless of where they are manufactured, can be compromised. Today there may be concerns about cameras, but tomorrow it may be concerns about a multitude of other IoT devices.

This isn’t a cybersecurity problem we solve only with bans, which only address a handful of products at a time. Instead, we need to rethink how we handle the entire category of Internet of Things (IoT) devices.

First, we need better processes and protocols with manufacturers that let us trust the security of the devices they sell and of the services around them. This includes assurances that products are built to serve the end customer's intended function—in this case the government's—while resisting manipulation by any third party, whether a criminal hacker or a foreign government. Some of these processes exist today, but software and hardware cannot be vetted as thoroughly as many people assume.

Second, we need better ways to monitor devices that are already implemented for signs of compromise. Perhaps the most dangerous thing that this ban process exposed is the fact that many government departments simply didn’t have an automated way to know what devices they have on their networks. That makes it not only difficult to comply with the ban, but also to secure any other type of networked device. If you don’t know it’s there, you certainly can’t remove it or secure it.

Signs of compromise to look for include exploitation of vulnerabilities that let attackers use an IoT device as a foothold to reach more important devices or systems on government networks. Many devices also communicate over unencrypted protocols, which, unless changed, leave them open to traffic sniffing and tampering with their communications.

Some departments have already recognized this risk and are taking steps to fix it. For example, several years ago, the government issued a mandate called Continuous Diagnostics and Mitigation to ensure civilian agencies have the ability to track every connected device. Some agencies have implemented this, but it is not universal. The Department of Defense more recently developed a similar framework of its own, but has yet to roll it out fully.

IoT devices offer many benefits, such as the ability to reach sensors remotely or to put a smart TV in a conference room. The solution isn't to remove all connected devices from the network. We have to learn how to operate in this new reality of the Internet of Things. Once we have an automated way to discover these devices, there are concrete steps to keep them secure: they can be segmented from the rest of the network, and their traffic can be monitored to make sure they are not talking to a command-and-control server or sending data where we don't want it to go.
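The three checks described above (knowing what is on the network, spotting cleartext services, and catching devices that talk to destinations outside their segment) can be run over an inventory as a single policy pass. The following is an added example written for this post, not Forescout's code or any agency tool. Every device record, flow, vendor name and OUI prefix in it is constructed for illustration and does not identify a real product or any manufacturer covered by the NDAA ban; the deny-list, cleartext-port table and segment policy are hypothetical inputs an agency would replace with its own.

```python
"""Inventory and segmentation policy check over constructed discovery data.

Added example, not code from the original post. All devices, flows, vendor
names and OUI prefixes are made up; DENIED_OUIS, CLEARTEXT_SERVICES and
ALLOWED_EGRESS are hypothetical policy inputs.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed deny-list keyed by MAC OUI (first three octets). A real one
# would be derived from the agency's procurement rules and the IEEE registry.
DENIED_OUIS = {"AA:BB:01": "ExampleCam Corp", "AA:BB:02": "DemoVoIP Ltd"}

# Management services that carry credentials or commands in cleartext.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}

# Hypothetical segment policy: the only destinations each device role may reach.
ALLOWED_EGRESS = {
    "camera": [ip_network("10.0.50.0/24")],   # video management servers
    "printer": [ip_network("10.0.60.0/24")],  # print servers
}


@dataclass
class Device:
    mac: str
    ip: str
    role: str
    open_ports: list = field(default_factory=list)


@dataclass
class Finding:
    mac: str      # "unknown" when the source is not in the inventory
    kind: str
    detail: str


def oui(mac: str) -> str:
    """Return the vendor prefix (first three octets) in upper case."""
    return mac.upper()[:8]


def check_inventory(devices):
    """Flag devices from denied vendors and devices exposing cleartext services."""
    findings = []
    for d in devices:
        vendor = DENIED_OUIS.get(oui(d.mac))
        if vendor:
            findings.append(Finding(d.mac, "denied_vendor", vendor))
        for port in d.open_ports:
            if port in CLEARTEXT_SERVICES:
                findings.append(
                    Finding(d.mac, "cleartext_service", f"{CLEARTEXT_SERVICES[port]}/{port}")
                )
    return findings


def check_flows(devices, flows):
    """Flag flows leaving a device's allowed segments, and flows from unknown sources.

    flows are (src_ip, dst_ip, dst_port) tuples as a flow collector would report them.
    """
    by_ip = {d.ip: d for d in devices}
    findings = []
    for src, dst, dport in flows:
        d = by_ip.get(src)
        if d is None:
            # The post's core point: a device you never discovered cannot be policed.
            findings.append(Finding("unknown", "unknown_device", src))
            continue
        allowed = ALLOWED_EGRESS.get(d.role, [])
        if not any(ip_address(dst) in net for net in allowed):
            findings.append(Finding(d.mac, "unexpected_egress", f"{dst}:{dport}"))
    return findings


# Constructed sample inventory and flow records.
SAMPLE_DEVICES = [
    Device("aa:bb:01:12:34:56", "10.0.10.5", "camera", [80, 554]),   # denied vendor, http
    Device("cc:dd:ee:00:00:01", "10.0.10.6", "camera", [443, 554]),  # clean
    Device("11:22:33:44:55:66", "10.0.20.7", "printer", [9100, 23]), # telnet exposed
]
SAMPLE_FLOWS = [
    ("10.0.10.5", "10.0.50.10", 554),   # camera to VMS: allowed
    ("10.0.10.5", "203.0.113.9", 443),  # camera to outside host: flagged
    ("10.0.20.7", "10.0.60.2", 9100),   # printer to print server: allowed
    ("10.0.10.99", "10.0.50.10", 554),  # source never inventoried: flagged
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_DEVICES) + check_flows(SAMPLE_DEVICES, SAMPLE_FLOWS):
        print(f"{f.kind:18} {f.mac:18} {f.detail}")
```

The two checks are deliberately separate: the inventory pass can run from a discovery export alone, while the flow pass needs a second data source (flow records or a tap), which is exactly the monitoring capability the post says many departments lack. An "unknown_device" finding is the one to treat most seriously, because it means the discovery step itself is incomplete.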

These challenges aren’t specific to the public sector. IoT devices are being brought into the environments of companies of all types, from the largest Fortune 50 companies to your local dentist office.

While the deadline for the NDAA ban has come and gone, it shouldn't be treated as a one-time exercise. We have a moment here to start a larger conversation about what we allow onto government networks and how we build a more efficient process to monitor it over time. That way, the next time there is a ban or a concern about a particular device category, we can act quickly and efficiently to protect our national interests.