On Tuesday, the Obama administration announced a program to better secure the “Internet of Things” and also highlighted the opportunities networked devices provide for the US intelligence community. The juxtaposition of these announcements casts the Internet of Things (IoT) as the latest iteration of a recurring tension about the role of the federal government: On the one hand, the government seeks to secure US persons against technological vulnerabilities, but on the other hand, the government seeks to exploit those same vulnerabilities for intelligence and/or law enforcement purposes. Vulnerabilities don’t stop at borders or check the citizenship of those who exploit them.
The initiative to secure the IoT came as part of the President’s new “Cybersecurity National Action Plan” (CNAP). Cast as the “capstone of more than seven years of determined effort” by the Obama administration, the CNAP will devote over $19 billion to cybersecurity as part of the fiscal year 2017 federal budget, create a $3.1 billion Information Technology Modernization Fund to update government systems, add a Federal Chief Information Security Officer, launch a National Cybersecurity Awareness Campaign, and establish a Commission on Enhancing National Cybersecurity and a Federal Privacy Council. The White House Fact Sheet on CNAP further explains:
The Department of Homeland Security is collaborating with UL and other industry partners to develop a Cybersecurity Assurance Program to test and certify networked devices within the “Internet of Things,” whether they be refrigerators or medical infusion pumps, so that when you buy a new product, you can be sure that it has been certified to meet security standards.
Meanwhile, Director of National Intelligence James Clapper presented the Intelligence Community’s 2016 Worldwide Threat Assessment to the Senate Armed Services Committee. “Cyber” tops the list of threats, as it has for the past several years (see 2015, 2014, and 2013), though this year it is framed as “Cyber and Technology.” The Threat Assessment explicitly notes (p. 1) that the IoT poses both defensive challenges and offensive opportunities for the intelligence community:
Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructure and US Government systems. These developments will pose challenges to our cyber defenses and operational tradecraft but also create new opportunities for our own intelligence collectors.
Internet of Things (IoT). “Smart” devices incorporated into the electric grid, vehicles—including autonomous vehicles—and household appliances are improving efficiency, energy conservation, and convenience. However, security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services. In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.
The prominence of the IoT in Tuesday’s government statements is new, but the tension between the government’s roles with respect to security vulnerabilities is not. The tension arises because “the government” is not monolithic, but rather includes different agencies whose differing mandates can conflict with one another. Sometimes even within a single agency, multiple mandates produce conflicting priorities.
The tension of multiple roles is evident with respect to the government’s policy on disclosure and patching of zero-day vulnerabilities. As the report of the President’s Review Group on Intelligence and Communications Technologies explained in 2013,
NSA and other US Government agencies, such as DHS, have important missions to assist US corporations in the protection of privately owned and operated critical infrastructure information networks. To do so, NSA, DHS, and other agencies should identify vulnerabilities in software widely employed in critical infrastructure and then work to eliminate those vulnerabilities as quickly as possible. That duty to defend, however, may sometimes come into conflict with the intelligence collection mission, particularly when it comes to … “Zero Days.” (emphasis added).
The tension is also visible in debates over encryption. Privacy and civil liberties organizations, as well as many technology companies, strongly support the use of encryption in consumer products and oppose governmental pushes for “back doors.” Recently, some government officials have sounded more positive (or at least less negative) notes on encryption, even as others continue to highlight the difficulties widespread encryption poses for law enforcement investigations. For example, NSA Director Mike Rogers said in a speech to the Atlantic Council last month that “[e]ncryption is foundational to the future, so what we’ve got to ask ourselves is … what’s the best way for us to deal with it?” Days later, however, Assistant Attorney General Leslie Caldwell argued that encryption of personal devices and messaging services creates “obstacles which can stop our investigations and prosecutions in their tracks.”
These examples from the last few years suggest that as technology advances, the instances of tension stemming from competing government roles are likely to multiply. Different iterations of the tension may even interact. Just last week, Harvard’s Berkman Center for Internet & Society issued a report highlighting how the IoT might shake up the encryption and “going dark” debate. The report, titled “Don’t Panic,” argues that even though some channels of surveillance may be “going dark,” “[t]he audio and video sensors on IoT devices will open up numerous avenues for government actors to demand access to real-time and recorded communications” and thus ensure that opportunities for surveillance in general do not go dark (pp. 13-15).
In the IoT iteration of the tension in the government’s conflicting roles, the more consumer-protection-focused government interests seem to be prevailing (at least for now). The announcement of the DHS- and industry-led Cybersecurity Assurance Program was not coupled with calls to ensure government back doors into the back doors linked to smart home systems. But the relative priority the government puts on its consumer protection and law enforcement/intelligence collection roles may shift over time and certainly varies by context. Each new iteration will require efforts by those both inside and outside government to reassess and rebalance the government’s competing priorities, seeking ways to manage the tensions even when they can’t be definitively resolved.