The Internet of Things has spawned many changes within the Federal government, including new methods of data collection at the Department of Agriculture (USDA), new policy considerations at the National Institute of Standards and Technology (NIST), and a realignment of the Office of the CIO (OCIO) at the Department of Commerce.
USDA is constantly asking farmers for data about crop production and livestock. USDA plans to send out its agriculture census in November and is collecting information through February; however, responses tend to be low.
Michael Valivullah, chief technology officer at the National Agriculture Statistics Service at USDA, said that he envisions a system where USDA can tap directly into farming sensors in order to collect the data it needs, and only bother the farmers in order to validate the information. This system can make the data more reliable and make the process more cost efficient.
“We collect data constantly,” Valivullah said at MeriTalk’s Cyber Security Brainstorm on Sept. 20. “Privacy is a very, very big concern for us. We want to make sure we don’t reveal the farmer’s or rancher’s personal information.”
Valivullah said one of the reasons that privacy is important is that if personal information is revealed, USDA officials could be fined or could go to jail for up to five years.
Farmers are embracing IoT technology like the See and Spray Robot, which travels around the farm at 4 mph to detect and identify diseases or other problems with individual plants and treat it on the spot with insecticide and other remedies.
“There’s no single silver bullet that’s going to address risk,” said Katerina Megas, commercial adoption lead for the Trusted Identities Group, and program manager for the Cybersecurity of the Internet of Things Program at NIST.
Megas said that NIST has been considering issuing a framework for each agency to follow in order to address their own risk and provide the tools to understand the tradeoffs. NIST has also discussed publishing a report with questions about IoT systems that agency officials usually don’t think to ask when they look to purchase a device to help the government cover its bases in the acquisition process.
“You don’t know what you don’t know,” Megas said. “You don’t know what to ask.”
Megas also said that creating a third-party certification process for IoT devices would pose a lot of questions, such as how to revoke the certification if necessary, and would a device still be certified if it’s patched.
“The problem is the level of complexity,” said Rod Turk, acting CIO and CISO at the Department of Commerce.
Turk said that third-party certification would be difficult because of the wide variety of jobs that IoT devices would be used for.
“To say there’s only one control or set of controls to fix this problem is unrealistic,” Turk said.
Turk said that he tailors his security approach to the needs of the different departments. For example, when officials from the Patent and Trademark Office travel to “some rather nefarious” countries, Turk gives them a blank BlackBerry that doesn’t connect back to the agency’s BlackBerry server. That way, if the BlackBerry is taken, hackers won’t be able to download everything from the server. The device is safe but still adequate for employees to use to communicate.
“For every positive IoT effect, there is also a negative IoT effect,” Turk said.
Turk said that Commerce is going through a realignment of its CIO office to accommodate the way that technology is moving.
“The realignment is to prepare the OCIO for the future,” Turk said. “IT is looking more and more like a commodity.”
Turk compared IT to the way consumers expect electricity to come on and water to flow in their houses. The IT departments are moving from a group of very technical IT specialists, to outsourcing, consolidation, and collaboration between departments.
“The CISO is going to be a risk manager, not a compliance manager,” Turk said. “I don’t think people understand their risk…and technology is changing every single day.”
