Can feds catch up on IoT?
- By Troy K. Schneider
- Oct 27, 2016
When it comes to Internet of Things initiatives in the public sector, local governments have taken the lead with transportation and smart city systems. But there's real potential at the federal level, several industry and government experts said at a recent panel discussion on disruptive technology.
"We’ve gotta figure out how to lead this," Chris Smith, AT&T Global Public Sector Solutions' vice president for technology, said at ACT-IAC's Executive Leadership Conference in Williamsburg, Va. Cities have been the early adopters to date, he said, "but there’s a great corollary to our government campuses and our military bases."
The benefits can go beyond smoother transit and energy efficiency, Smith said. “If we have good sensor information, and we’re analyzing it at the edge," it can result in better physical security at such facilities.
Department of Justice CTO Ron Bewtra agreed that the potential for federal agencies is significant, but warned that the security of IoT systems themselves could be a stumbling block. Sensors and other endpoints have too often been built without adequate thought toward security, he said, and the broader policy frameworks are similarly lacking.
Bewtra pointed to innovations in health IT with wearable monitors, connected pacemakers and the like. Because the emphasis has been on making things user-centric, he said, "we start ignoring that framework and that security on top."
Agencies, Bewtra said, should deploy sensor networks on a small scale first and "think about that security, think about the privacy issues, think about that framework ... right out of the gate."
Peggy Irelan, Intel's senior principal engineer, director and CTO for intelligent software platforms and applications, echoed Bewtra's concerns. "The amount of regulation that needs to start being considered about these control systems … needs some serious focus," she said. "If there’s not some sort of expectation of security and privacy in the way these systems are designed and requirements for auditing, where you can prove it did what it was supposed to do when it was supposed to do it, … it can quickly get out of control."
AT&T's Smith did not dispute that security is key, but he also pointed to the risks of over-securing systems. In government, he said, "we love to figure out the reason why we can’t go do something. I think it's incumbent on us as a nation to lead from the front on this."
Smith used sensor-enabled sprinkler systems as an example. If such a system were hacked, he asked, what would be the real risk beyond some wasted water and muddy government lawns?
"We've gotta be smart about this," he said, and suggested that the degree to which systems connect digital signals to "real kinetic action" -- whether that action involves vehicle traffic or automated military defenses -- should be a prime determinant of how much security is necessary. "We shouldn’t apply just crazy security concerns to sensor networks that aren’t going to be able to do any harm to anyone."
The General Services Administration's Andrei Chursov, however, said most agencies' IoT programs could be confined to analytics and not action for some time. "There will definitely be a next step," said Chursov, who is a senior advisor to the GSA administrator, but given the current state of the technology, "the cost of convincing decision makers to go that far [and embrace IoT-driven intervention] may be too high."
Intel's Irelan, meanwhile, stressed that a properly architected system can help to secure itself. When an audience member asked about the risk of IoT devices being co-opted for distributed denial-of-service attacks like the one that took down domain name server systems on Oct. 21, Irelan said that a good software-defined system would respond before humans noticed the problem.
"If the behavior of a device changes that significantly, it should’ve been shut down," she said. "When things are connected, there are some basic things that should be built in as guidance. ... Government can come in and guide the industry to help prevent some of these things."
Chursov also called for that industry-government discussion. "We cannot eliminate risk" with IoT, he said, and so stakeholders must figure out how to manage it. "There needs to be tiering and a real, thoughtful conversation."
Troy K. Schneider is the Editor-in-Chief of both FCW and GCN, two of the oldest and most influential publications in public-sector IT. Both publications (originally known as Federal Computer Week and Government Computer News, respectively) are owned by GovExec. Mr. Schneider also serves as GovExec's General Manager for Government Technology Brands.
Mr. Schneider previously served as New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company, where he oversaw the online operations of The Atlantic Monthly, National Journal, The Hotline and The Almanac of American Politics, among other publications. The founding editor of NationalJournal.com, Mr. Schneider also helped launch the political site PoliticsNow.com in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times, WashingtonPost.com, Slate, Politico, Governing, and many of the other titles listed above.
Mr. Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.