A number of gaps in the Defense Department’s policies surrounding personal fitness trackers, smart TVs and other internet-connected devices could put the agency at risk for sabotage, surveillance or other cyberattacks, a watchdog said.
Over the years, DOD has taken many steps to plug the cybersecurity holes associated with the internet of things, but the Government Accountability Office found certain devices, like smart TVs and smartphones, still didn’t have enough protection. Additionally, none of the DOD’s main security policies dealt with problems unique to internet-connected devices.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
The internet of things refers to physical items that connect to the internet, such as GPS-enabled fitness devices, Wi-Fi-connected fridges and thermostats controlled by apps. Such technology has become ubiquitous not only in DOD but governmentwide, and a GAO report from May 2017 found this rapid rise in use made it challenging to design security standards for governments, businesses and homes that rely on the IoT.
DOD found a few major areas where IoT devices could lead to danger: sabotaging missions or equipment, collecting sensitive information, and endangering leadership. For example, a hypothetical attack could include using public smart TVs to record conversations or infiltrating internet-connected cars to take over the vehicle's’ controls. DOD also found it possible to collect data from personal phones, flood ships and shut down command center computer systems using the IoT.
DOD officials told GAO that smart TVs and certain applications on agency-issued phones still present possible security risks. The GAO recommended asking agency security experts for leads on other technology susceptible to cyberattacks. In addition, the DOD plans to create specific policies to protect IoT devices, like encrypting data and watching for strange network activity.