DHS Offers Its Unsolicited 'Help' In Securing The Internet Of Things
from the STANDING-BY-TO-TAKE-CREDIT-FOR-ACTIONS-OF-OTHERS dept
It's generally agreed that the state of security for the Internet of Things runs from "abysmal" to "compromised during unboxing." The government -- despite no one asking it to -- is offering to help out… somehow. DHS Assistant Secretary for Cyber Policy Robert Silvers spoke at the Internet of Things forum, offering up a pile of words that indicates Silvers is pretty cool with the "cyber" part of his title... but not all that strong on the "policy" part.
The industry, according to Silvers, is demanding that IoT security is tackled "from a DHS perspective," meaning a focus on public safety. And then he damned other government departments' efforts with faint praise.
"This is complex stuff, but it's not going to be regulatory or over prescriptive, it's not even going to be highly technical," he argued. "What we're going to be doing is drawing on the best approaches, pulling them together and elevating them to get the public's attention."
Shorter DHS: we're going to take what the private sector and other government agencies have accomplished, print it out on a few pages of DHS letterhead, and call it good. All Silvers is promising is the DHS's insertion into a crowded marketplace of vague ideas, many of them coming from other government agencies.
Even better, Silvers claimed the DHS's intrusion into this overcrowded space won't be "regulatory." This statement arrived shortly before Silvers suggested regulation was on its way.
“We have a small and closing window of time to take decisive and effective action,” Silvers said, “the challenge of addressing IoT security is outweighed only by the greater challenge of patching, or building on the security of already deployed systems. While some of this may sound like common sense, it’s an undeniable fact that some companies are not being held accountable,” Silvers said.
"Companies not being held accountable" sounds like the sort of thing the government would feel compelled to fix with regulation. As Kieran McCarthy of The Register points out, the DHS seems mostly concerned with ensuring it's cut in on the cybersecurity action.
The DHS's current plan seems to be little more than shoving their foot in the door: Silvers could not give a timetable for the principles, or even a consultation plan. He didn't highlight specific areas of concern, or point to the direction the DHS is expected to take.
Perpetually-increasing budgets are on the line here. Every agency wants a piece of the "cyber" pie, whether on the offensive or defensive side. The DHS is no different, even though its track record on cybersecurity is mostly terrible. (Its track record on "homeland" security isn't that fantastic either…) Its Election Cybersecurity task force is composed of state politicians, rather than security experts. And the Government Accountability Office has previously noted the DHS has no plans in place to protect government buildings from cyberattacks on access and control points -- despite having had nearly 15 years to do so.
In front of a group of professionals actually putting together best practices for the Internet of Things, the DHS has announced its willingness to coattail-ride its way into the cybersecurity future -- one promising to be full of government intrusion and steady paychecks. And, like others in the government who feel the government should do nothing more than make demands of the private sector, Silvers encouraged the forum attendees to "nerd harder." Or, at least, faster.
Silvers issued a call of action to attendees, urging them to “accelerate everything” they’re working on and tackle issues that pop up in cybersecurity in real time.
Thanks, bossman. There's nothing security professionals like more than being told how to do their jobs by government agencies without coherent future plans or the ability to secure anything more than a pension.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, dhs, iot, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
Knock knock. It's the government
[ link to this | view in thread ]
DHS - Let's do SOMETHING
This will cover the cost of all of the time it takes DHS personnel to make PR announcements. After all, businesses have no vote, so if a new business tax is passed people tend to be happy because they don't have to pay it (isn't that a joke), so the new law gets passed and we end up paying the tax with higher prices for every product sold anyway.
[ link to this | view in thread ]
[ link to this | view in thread ]
Can't be regulatory
[ link to this | view in thread ]
"Let me help you with that. No no, no need to watch what I'm doing..."
At this point the gross incompetence the various government agencies have displayed in all things security would have me hesitating to trust them to secure a freakin' lemonade stand, I imagine any company would(or should) be extremely hesitant to let the DHS or any other government anywhere near their code/products.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
To many
To many groups wanting to do something and its going to get SO BAD...
How many groups, agencies, Czars, Idiots have ANYTHING to do with this, or the knowledge to THINK they can do anything with this..
When the net went up it was interesting and you COULD find things..Now its like looking in the library to find porn..
There is so much BS out there, that its Scary and weird..
[ link to this | view in thread ]
Re: Can't be regulatory
[ link to this | view in thread ]
Robert Silvers - champion of internet secrity
[ link to this | view in thread ]
Re: To many
They all know that keeping the bad guys out is good, and keeping the government out is bad, and that is all the knowledge needed to to tell businesses what they want. How to meet those demands is somebodies else's problem.
[ link to this | view in thread ]
Re: DHS - Let's do SOMETHING
CFAA was a response to Wargames.
DHS and a bit of incoherent word salad inflatable-tubeman-arm-waving seems likely to be in response to...
Maximum Overdrive
Now that the IoT is a reality, with computerized self driving big-rigs and cars on the way too, WE NEED TO DO SOMETHING to prevent the wholesale slaughter of humans in preparation of the alien colonization of earth!
It is all very reasonable and sensible if you ask me.
[ link to this | view in thread ]
Re: Re: Can't be regulatory
[ link to this | view in thread ]
[ link to this | view in thread ]
Benefit of the the doubt...
So for Cisco as an example, you can contact PSIRT: http://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html
For Juniper, I'm actually clueless as I've always had a J-Care agreement, but they do have a security incident response team, so I'm sure it's something similiar. For the vulnerabilities on ScreenOS just released though, I would assume they would tell you to trash it since it's probably EOL.
[ link to this | view in thread ]
Well, there you go, then
[ link to this | view in thread ]
Accountable
Stupidly, our "cyber protection" law that got rolled into the omnibus budget bill last year provides for some civil immunity if companies share data about breaches with DHS, which will only make security even less important to companies.
[ link to this | view in thread ]
Re: Accountable
That makes absolutely no sense... So grandma can sue the Wordpress Foundation, because she didn't update her site's source code or used the wonderful password of "password". Most companies actually do respond to vulnerabilities when alerted, of course not all, but read up on Full Disclosure and I'm sure it's more patched than shamed.
[ link to this | view in thread ]
[ link to this | view in thread ]
Most likely result of DHS involvement
[ link to this | view in thread ]
The public wants to know.
[ link to this | view in thread ]
Wow ... really complex stuff huh.
Get my attention you say, I have no IOT - now go away.
[ link to this | view in thread ]
DHS Boondoggle of the Century
What else would you expect from a boondoggle (DHS) that has squandered billions of dollars in the renovation of a defunct insane asylum as it's headquarters (a project that will not be completed until 2020 something)?
https://www.washingtonpost.com/politics/planned-homeland-security-headquarters-long-delay ed-and-over-budget-now-in-doubt/2014/05/20/d0df2580-dc42-11e3-8009-71de85b9c527_story.html
[ link to this | view in thread ]
Re: DHS Boondoggle of the Century
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: DHS - Let's do SOMETHING
As for them wanting a slice of the Cybersecurity action, go for it. cos there doesnt seem to be ANY Cybersecurity action in this space at the moment.
It may spur people who actually know what there doing to take an interest.
[ link to this | view in thread ]
[ link to this | view in thread ]
Origins?
So... What were mr. Silvers previous jobs?
[ link to this | view in thread ]
Re: Re: Accountable
[ link to this | view in thread ]
Re: Re: Re: Can't be regulatory
The whole idea of the Government having a "prevention" is a farce told as a bed time fairy tail for the fools that believe in big government.
What makes me sad is that Bush was a huge Big government politician despite fooling all the sheeple that "claimed" to be against such things. That and the fact that with the creation of the DHS Bush (and those that voted for it) pissed on the graves of EVERY fallen warrior that served the US until then.
I question the loyalty of ANY U.S. soldier that likes Bush.
[ link to this | view in thread ]
Re: Re: Re: Accountable
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Well, there you go, then
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
Then you could safely avoid anything labeled "DHS approved".
[ link to this | view in thread ]
Re: Accountable
If only there was the same will to go after them as there is to go after lone hackers. Which one causes more damage?
[ link to this | view in thread ]
Re: Re: Re: Can't be regulatory
If that's accurate, it seems fairly clear that they've diverged pretty far from that ideal... and it would seem unsurprising for the DHS to do the same.
[ link to this | view in thread ]
Got the conference name wrong!
[ link to this | view in thread ]
[ link to this | view in thread ]