GAO Urges Improved DOD Security Measures for IoT Devices, Operations
The Government Accountability Office (GAO) found in a recent report that although the Department of Defense (DOD) is assessing the security risks associated with internet of things (IoT) devices, it has not conducted any security operations assessments.
DOD has issued policies and guidance for IoT devices, including personal wearable fitness devices, portable electronic devices, smartphones, and infrastructure devices associated with industrial control systems. However, GAO found that these policies and guidance do not clearly address some security risks relating to IoT devices.
Among the vulnerabilities highlighted by the report is the use of smart televisions. According to GAO, “DOD officials told us that existing DoD policies and guidance do not clearly address security risks relating to smart televisions, and particularly smart televisions in unsecure areas. Officials from military services and other DoD components described smart televisions as a risk to operations security due, in part, to the ability of commercial providers to access the devices remotely—potentially eavesdropping on conversations or sending recordings of these conversations to third parties.”
GAO’s general recommendations, upon completing the report, are that “DOD (1) conduct operations security surveys that could address IoT security risks or address operations security risks posed by IoT devices through other DOD risk assessments; and (2) review and assess its security policies and guidance affecting IoT devices and identify areas, if any, where new DOD policies may be needed or where guidance should be updated.”
The report also notes that DOD agreed with the recommendations outlined in GAO’s report.