NIST official: Internet of Things is indefensible

The interconnectivity of the Internet of Things makes cyber threats inevitable, says NIST fellow Ron Ross.

According to NIST fellow Ron Ross, the interconnectivity of the Internet of Things makes cyber threats inevitable.  (Image: Ron Ross / LinkedIn)

The interconnectivity of the Internet of Things (IOT) leaves public and private computer systems essentially indefensible, and no amount of security guidance can provide salvation.

That's the sobering assessment of a top analyst at the National Institute of Standards and Technology -- the agency responsible for providing such guidance. Federal officials can implement as many security controls as they want, said Ron Ross, a fellow in NIST's Computer Security Division, and hackers will still "have a slice of that pie that will always be accessible because there are things that are off our radar due to their complexity."

"You can comply perfectly with all of that stuff and you can still have a very vulnerable infrastructure because of the complexity," Ross, who was speaking at an April 16 event hosted by AFCEA's Bethesda chapter, added. "There are things that those standards and guidance … don't touch."

NIST is one of the primary dispensers of federal security guidance, which is not in short supply. As Ross put it, agencies are "drowning in guidance." His answer to the challenge is, ironically, more guidance.

Ross and his colleagues are working on a publication he hopes will be a rubric for applying security controls throughout the life cycle of IT systems. His goal for the document, he told FCW, is to "do a better job of engaging the right people in the organization, the decision makers who are taking those risk-based decisions, and get them involved early in the process."

A draft of that publication, NIST 800-160, has been published. Ross hopes to have a second draft out in the next four to five months, and a final version ready at the end of the year or early in 2016.

The non-binding document is aimed at anyone involved with or affected by IT engineering, in the public and private sectors alike. That means systems and software engineers, acquisition managers and C-suite security officials, to name a few.

During the panel discussion, Ross said tackling the insecurity wrought by the Internet of Things would require the kind of collaboration among government, the private sector and academia that helped the United States in its space race with the Soviet Union in the 1960s.

In a separate interview, Robert Bigman, a former chief information security officer at the CIA, said that a lack of federal policy governing the Internet of Things left a security vacuum. "There's a bigger problem" than the need for voluntary security standards, he said: "we don't have any governance policy or regulations at the … federal level, over this entire issue of the Internet of Things."

"No one's tackled this issue, and frankly, no one wants to tackle the issue," he added.

Bigman, now a private IT security consultant, suggested that the Office of Management and Budget task NIST with coming up with recommendations for regulating the IOT.

IOT hacks have occasionally raised eyebrows, but "no one's paying attention to the bigger issue," he said, referring to a lack of federal regulation.