DHS Offers Its Unsolicited 'Help' In Securing The Internet Of Things

from the STANDING-BY-TO-TAKE-CREDIT-FOR-ACTIONS-OF-OTHERS dept

Mon, Sep 26th 2016 1:10pm — Tim Cushing

It's generally agreed that the state of security for the Internet of Things runs from "abysmal" to "compromised during unboxing." The government -- despite no one asking it to -- is offering to help out… somehow. DHS Assistant Secretary for Cyber Policy Robert Silvers spoke at the Internet of Things forum, offering up a pile of words that indicates Silvers is pretty cool with the "cyber" part of his title... but not all that strong on the "policy" part.

The industry, according to Silvers, is demanding that IoT security is tackled "from a DHS perspective," meaning a focus on public safety. And then he damned other government departments' efforts with faint praise.

"This is complex stuff, but it's not going to be regulatory or over prescriptive, it's not even going to be highly technical," he argued. "What we're going to be doing is drawing on the best approaches, pulling them together and elevating them to get the public's attention."

Shorter DHS: we're going to take what the private sector and other government agencies have accomplished, print it out on a few pages of DHS letterhead, and call it good. All Silvers is promising is the DHS's insertion into a crowded marketplace of vague ideas, many of them coming from other government agencies.

Even better, Silvers claimed the DHS's intrusion into this overcrowded space won't be "regulatory." This statement arrived shortly before Silvers suggested regulation was on its way.

“We have a small and closing window of time to take decisive and effective action,” Silvers said, “the challenge of addressing IoT security is outweighed only by the greater challenge of patching, or building on the security of already deployed systems. While some of this may sound like common sense, it’s an undeniable fact that some companies are not being held accountable,” Silvers said.

"Companies not being held accountable" sounds like the sort of thing the government would feel compelled to fix with regulation. As Kieran McCarthy of The Register points out, the DHS seems mostly concerned with ensuring it's cut in on the cybersecurity action.

The DHS's current plan seems to be little more than shoving their foot in the door: Silvers could not give a timetable for the principles, or even a consultation plan. He didn't highlight specific areas of concern, or point to the direction the DHS is expected to take.

Perpetually-increasing budgets are on the line here. Every agency wants a piece of the "cyber" pie, whether on the offensive or defensive side. The DHS is no different, even though its track record on cybersecurity is mostly terrible. (Its track record on "homeland" security isn't that fantastic either…) Its Election Cybersecurity task force is composed of state politicians, rather than security experts. And the Government Accountability Office has previously noted the DHS has no plans in place to protect government buildings from cyberattacks on access and control points -- despite having had nearly 15 years to do so.

In front of a group of professionals actually putting together best practices for the Internet of Things, the DHS has announced its willingness to coattail-ride its way into the cybersecurity future -- one promising to be full of government intrusion and steady paychecks. And, like others in the government who feel the government should do nothing more than make demands of the private sector, Silvers encouraged the forum attendees to "nerd harder." Or, at least, faster.

Silvers issued a call of action to attendees, urging them to “accelerate everything” they’re working on and tackle issues that pop up in cybersecurity in real time.

Thanks, bossman. There's nothing security professionals like more than being told how to do their jobs by government agencies without coherent future plans or the ability to secure anything more than a pension.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, dhs, iot, security

40 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 26 Sep 2016 @ 1:19pm

Knock knock. It's the government
We're from the Government and we're here to help!
[ link to this | view in thread ]
TasMot (profile), 26 Sep 2016 @ 1:26pm

DHS - Let's do SOMETHING
From the excerpts is sounds like what he is going to require shortly is that in some way, IoT merchandize is going to need to be registered (and some small but perpetually increasing fee paid to DHS) before it can be offered for sale.

This will cover the cost of all of the time it takes DHS personnel to make PR announcements. After all, businesses have no vote, so if a new business tax is passed people tend to be happy because they don't have to pay it (isn't that a joke), so the new law gets passed and we end up paying the tax with higher prices for every product sold anyway.
[ link to this | view in thread ]
Anonymous Coward, 26 Sep 2016 @ 1:38pm

Yet another agency desperate to make themselves look like they have a purpose. The NYPD will be showing up soon to point out how much they can do also.
[ link to this | view in thread ]
Anonymous Anonymous Coward (profile), 26 Sep 2016 @ 2:01pm

Can't be regulatory
Simply because DHS has absolutely NO regulatory authority. That remains with the Legislature. The might have some rule making ability, but it remains to be seen if they can concoct a Constitutional rule, or if anyone will listen.
[ link to this | view in thread ]
That One Guy (profile), 26 Sep 2016 @ 2:07pm

"Let me help you with that. No no, no need to watch what I'm doing..."
Beyond trying to look like they're 'doing something' by 'helping', my second (perhaps tin-foilish) thought was that they're looking for exploits that they themselves can use or pass on to another agency to use.

At this point the gross incompetence the various government agencies have displayed in all things security would have me hesitating to trust them to secure a freakin' lemonade stand, I imagine any company would(or should) be extremely hesitant to let the DHS or any other government anywhere near their code/products.
[ link to this | view in thread ]
Anonymous Coward, 26 Sep 2016 @ 2:16pm

Re:
That's after they install unconstitutional backdoors on every New Yorker's computer and monitor them 24/7.
[ link to this | view in thread ]
ECA (profile), 26 Sep 2016 @ 2:17pm

To many
To many chiefs and NO INDIANS..
To many groups wanting to do something and its going to get SO BAD...
How many groups, agencies, Czars, Idiots have ANYTHING to do with this, or the knowledge to THINK they can do anything with this..

When the net went up it was interesting and you COULD find things..Now its like looking in the library to find porn..
There is so much BS out there, that its Scary and weird..
[ link to this | view in thread ]
Norahc, 26 Sep 2016 @ 2:46pm

Re: Can't be regulatory
Since when has a rule, law (or lack thereof), or even the Constitution ever stopped a government agency looking to increase its fiefdom or budget?
[ link to this | view in thread ]
Stan (profile), 26 Sep 2016 @ 2:49pm

Robert Silvers - champion of internet secrity
I feel very optimistic about this. For one thing, I'm sure that Robert Silvers will, at any moment, march over to the NSA armed with a subpoena for the treasure chest of zero-day exploits that are the biggest threat to the USA's internet security. Are you marching yet, Robert?
[ link to this | view in thread ]
Anonymous Coward, 26 Sep 2016 @ 2:52pm

Re: To many
How many groups, agencies, Czars, Idiots have ANYTHING to do with this, or the knowledge to THINK they can do anything with this..

They all know that keeping the bad guys out is good, and keeping the government out is bad, and that is all the knowledge needed to to tell businesses what they want. How to meet those demands is somebodies else's problem.
[ link to this | view in thread ]
AricTheRed (profile), 26 Sep 2016 @ 2:52pm

Re: DHS - Let's do SOMETHING
If this is not about taxes and fees, it about "Because SCARY!"

CFAA was a response to Wargames.

DHS and a bit of incoherent word salad inflatable-tubeman-arm-waving seems likely to be in response to...

Maximum Overdrive

Now that the IoT is a reality, with computerized self driving big-rigs and cars on the way too, WE NEED TO DO SOMETHING to prevent the wholesale slaughter of humans in preparation of the alien colonization of earth!

It is all very reasonable and sensible if you ask me.
[ link to this | view in thread ]
Anonymous Coward, 26 Sep 2016 @ 2:55pm

Re: Re: Can't be regulatory
The funny thing is, DHS was created as an umbrella agency specifically to prevent any overstepping. DHS is really supposed to be there to coordinate communication between the other TLAs, not to actually do anything itself. But nobody stays happy for long just being the messenger....
[ link to this | view in thread ]
Mark Wing, 26 Sep 2016 @ 3:04pm

"I trust the government to help me with internet security" said no one ever.
[ link to this | view in thread ]
Anonymous Coward, 26 Sep 2016 @ 3:25pm

Benefit of the the doubt...
While I know everyone here seems to be railing Robert Silvers for his speech, there is something they can do with a PDF. For example, I'm a network engineer, so I follow Cisco, Juniper, Mikrotik, Ubquiti, Vyos, et al alerts for flaws pretty regularly. Now with the latest NSA releases that were very detrimental for security, does the average IT person know how to contact support to get the patches? For something like Mikrotik, Ubiquiti and Vyos, it's rather easy since while maybe not open-source, they do publicly release patches. For Cisco, Juniper, Brocade, et al it's definitely going to be a bit harder without a current support contract.

So for Cisco as an example, you can contact PSIRT: http://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html

For Juniper, I'm actually clueless as I've always had a J-Care agreement, but they do have a security incident response team, so I'm sure it's something similiar. For the vulnerabilities on ScreenOS just released though, I would assume they would tell you to trash it since it's probably EOL.
[ link to this | view in thread ]
Another Anonymous Coward, 26 Sep 2016 @ 3:27pm

Well, there you go, then
Glad to know that the DHS is going to beaurocrat harder.
[ link to this | view in thread ]
HegemonicDistortion (profile), 26 Sep 2016 @ 3:28pm

Accountable
If the government wants companies to be held accountable for their security lapses, then make them financially liable to their customers for breaches.

Stupidly, our "cyber protection" law that got rolled into the omnibus budget bill last year provides for some civil immunity if companies share data about breaches with DHS, which will only make security even less important to companies.
[ link to this | view in thread ]
Anonymous Coward, 26 Sep 2016 @ 3:41pm

Re: Accountable
"If the government wants companies to be held accountable for their security lapses, then make them financially liable to their customers for breaches."

That makes absolutely no sense... So grandma can sue the Wordpress Foundation, because she didn't update her site's source code or used the wonderful password of "password". Most companies actually do respond to vulnerabilities when alerted, of course not all, but read up on Full Disclosure and I'm sure it's more patched than shamed.
[ link to this | view in thread ]
orbitalinsertion (profile), 26 Sep 2016 @ 3:42pm

Well. Companies should be held accountable, and in some way better than attempted civil litigation. Not that the DHS should be within 20AU of any such thing. And who knows why he is addressing security experts with this. Maybe fair warning the DHS might do something else idiotic in their space. He should be addressing the companies with the slapdash product "innovation". Just like the security experts have been doing since... forever.
[ link to this | view in thread ]
Anonymous Coward, 26 Sep 2016 @ 3:46pm

Most likely result of DHS involvement
Backdoors in every possible IoT device enabling surveillance and control.
[ link to this | view in thread ]
David (profile), 26 Sep 2016 @ 4:20pm

The public wants to know.
Will IoT users have to remove their shoes?
[ link to this | view in thread ]
Anonymous Coward, 26 Sep 2016 @ 4:51pm

"This is complex stuff, but it's not going to be regulatory or over prescriptive, it's not even going to be highly technical," he argued. "What we're going to be doing is drawing on the best approaches, pulling them together and elevating them to get the public's attention."

Wow ... really complex stuff huh.
Get my attention you say, I have no IOT - now go away.
[ link to this | view in thread ]
Personanongrata, 26 Sep 2016 @ 5:46pm

DHS Boondoggle of the Century
And the Government Accountability Office has previously noted the DHS has no plans in place to protect government buildings from cyberattacks on access and control points -- despite having had nearly 15 years to do so.

What else would you expect from a boondoggle (DHS) that has squandered billions of dollars in the renovation of a defunct insane asylum as it's headquarters (a project that will not be completed until 2020 something)?

https://www.washingtonpost.com/politics/planned-homeland-security-headquarters-long-delay ed-and-over-budget-now-in-doubt/2014/05/20/d0df2580-dc42-11e3-8009-71de85b9c527_story.html
[ link to this | view in thread ]
Anonymous Coward, 26 Sep 2016 @ 6:34pm

Re: DHS Boondoggle of the Century
But they have Powerpoint and therefore they are going to use it, okay? Because everyone knows Powerpoint slides make an average pay-grade bureaucrat into a thought-leader, okay! Add a black t-shirt, a slimmed-down gut (just breath in if necessary), a Ted talk and book deal, and any government servant previously demeaned and treated as laughable is now so cool it just hurts.
[ link to this | view in thread ]
Anonymous Coward, 26 Sep 2016 @ 7:32pm

Be interesting to see if the DHS offers 'criminal' suggestions such as using encryption and strong passwords. If not, it'll be interesting to see how they advise security without those two fundamentals.
[ link to this | view in thread ]
Padpaw (profile), 26 Sep 2016 @ 10:30pm

blame travels down, credit travels up
[ link to this | view in thread ]
spodula, 27 Sep 2016 @ 12:42am

Re: DHS - Let's do SOMETHING
well SOMEONE needs to do something. Even a name and shame would be good at this point!

As for them wanting a slice of the Cybersecurity action, go for it. cos there doesnt seem to be ANY Cybersecurity action in this space at the moment.

It may spur people who actually know what there doing to take an interest.
[ link to this | view in thread ]
Anonymous Coward, 27 Sep 2016 @ 1:47am

Gee thanks but maybe you guys should seriously figure out how to secure your own shit first and actually alert companies immediately about vulnerabilities instead of hoarding them so you can exploit them for years before sticking your nose in telling other people how to (not)secure things.
[ link to this | view in thread ]
Yes, I know I'm commenting anonymously, 27 Sep 2016 @ 4:00am

Origins?
This sounds exactly like a `fiber to the Press Release'.
So... What were mr. Silvers previous jobs?
[ link to this | view in thread ]
Anonymous Coward, 27 Sep 2016 @ 5:12am

Re: Re: Accountable
Not sure what your point was, but if Granny is unable to successfully run her business, IOT related or not, then it will probably fail - how is this the fault of any software she may have been using and why should patrons be left holding the bag when it does?
[ link to this | view in thread ]
Anonymous Coward, 27 Sep 2016 @ 6:00am

Re: Re: Re: Can't be regulatory
The funny this is, every agency oversteps.

The whole idea of the Government having a "prevention" is a farce told as a bed time fairy tail for the fools that believe in big government.

What makes me sad is that Bush was a huge Big government politician despite fooling all the sheeple that "claimed" to be against such things. That and the fact that with the creation of the DHS Bush (and those that voted for it) pissed on the graves of EVERY fallen warrior that served the US until then.

I question the loyalty of ANY U.S. soldier that likes Bush.
[ link to this | view in thread ]
Anonymous Coward, 27 Sep 2016 @ 6:55am

Re: Re: Re: Accountable
Holding companies responsible for the fault of end-users lacking security policies is bound to end up as a disaster. Looking at a quick Shodan search and using default passwords on just about anything from software packages to IoT products shows this is literally unenforceable. Another search for outdated software installs will lead to pretty much the same conclusion.
[ link to this | view in thread ]
BentFranklin (profile), 27 Sep 2016 @ 7:23am

Re:
Shit happens, then it rolls downhill.
[ link to this | view in thread ]
Ninja (profile), 27 Sep 2016 @ 7:26am

Re: Well, there you go, then
I'd rather have them "do nothing" harder.
[ link to this | view in thread ]
Anonymous Coward, 27 Sep 2016 @ 7:59am

Hum... Will DHS audit free software?
[ link to this | view in thread ]
Anonymous Coward, 27 Sep 2016 @ 10:07am

Re: Re:
Trickle down
[ link to this | view in thread ]
Anonymous Coward, 27 Sep 2016 @ 12:04pm

Re:
Oh, that'd be nice.

Then you could safely avoid anything labeled "DHS approved".
[ link to this | view in thread ]
Terry Cyberist, 28 Sep 2016 @ 4:20am

Re: Accountable
There must be one of those vague open-ended computer laws which could be used against companies selling insecure devices or refusing to fix them.

If only there was the same will to go after them as there is to go after lone hackers. Which one causes more damage?
[ link to this | view in thread ]
The Wanderer (profile), 28 Sep 2016 @ 6:57am

Re: Re: Re: Can't be regulatory
Amusingly enough, my understanding is that the NSA was similarly created to be a central coordination and analysis entity for the existing intelligence agencies - to take in, analyze, and (if and/or as suitable) disseminate the intelligence which the other agencies gather, and specifically not to do any intelligence-gathering of its own.

If that's accurate, it seems fairly clear that they've diverged pretty far from that ideal... and it would seem unsurprising for the DHS to do the same.
[ link to this | view in thread ]
Paul Roberts, 28 Sep 2016 @ 8:26pm

Got the conference name wrong!
Just FYI: The conference was The Security of Things Forum, not The Internet of Things Forum.
[ link to this | view in thread ]
walter carroll, 16 Nov 2016 @ 11:00am

I've started writing this comment several times and each time I have realized that I am writing the opening chapter of a book. The gist of it is that developers AND marketers are feeding this monster of a population that believes technology is capable of handling all things, and if it's not, it will be shortly.
[ link to this | view in thread ]