Defense Department Moving Slowly on ‘Internet of Things’

Defense Department leaders have identified the “Internet of Things” as a key component of the military’s modernization strategy. But the Pentagon is behind the curve due to security concerns and other impediments, cyber experts said.

There is a fear that without proper safeguards, this linkage of systems could be compromised with disastrous consequences.

The Internet of Things (IoT) refers to “networks of objects that communicate with other objects and with computers through the Internet,” the Congressional Research Service said in a recent report about the concept. “‘Things’ may include virtually any object for which remote communication, data collection or control might be useful” such as vehicles, appliances, medical devices, electric grids, transportation infrastructure, manufacturing equipment or building systems.

The technology concept is made possible by the integration of sensors, Internet connectivity, digital analytics and automation, explained William Carter, co-author of a Center for Strategic and International Studies report released in September, “Leveraging the Internet of Things for a More Efficient and Effective Military.”

The private sector has embraced the Internet of Things as a way to improve operations, using it to monitor machines, track supply chains and automate business and industrial processes. The economic impact of the technologies will be between $2.7 trillion and $6.2 trillion per year by 2025, the report said.

But the Pentagon has failed to fully leverage them despite the potential benefits, according to analysts and defense officials.

“The military continues to lead in the development of some high-end applications of IoT technologies such as surveillance and reconnaissance drones, advanced sensors and satellite communications systems, but the development and deployment of the vast majority of IoT applications are driven by the commercial sector with the military severely lagging behind,” the CSIS report said.

The Internet of Things is as much about networking machines and human-machine interfaces as it is developing new platforms or systems, said retired Marine Gen. James Cartwright, former vice chairman of the joint chiefs of staff.

“This is not an invention that’s required. … It is an organizational issue,” he said during a recent conference at CSIS. “While we have networks out there today and we act and react to those networks and what they sense and what they tell us … most of that activity is really networking people. The next evolution in this is to bring the ‘things’ into it.”

In a constrained budget environment, the Defense Department has opportunities to take advantage of the Internet of Things by adopting practices from the commercial sector, the CSIS report said. The military could retrofit its vehicle fleet with onboard sensors to monitor engine performance and parts status, facilitate condition-based maintenance and reduce unanticipated failures. Using sensors to track geolocation, status, fuel efficiency, weight and cargo could reduce fuel costs by as much as 25 percent and increase fleet utilization by 20 percent, the report said.

“What’s happening with the Internet of Things … is we’re doing every point in that supply chain and everything is an entity unto itself,” said Chris Smith, vice president of technology at AT&T Government Solutions. “Instead of replacing batteries, let’s say every two years because we know they’re going to wear out, you can actually [monitor] each battery and each set of brakes and every component within there and say, ‘No, we’re starting to see the [problem] factor on this vehicle. Go replace it now so you don’t break down somewhere and have to send another convoy out to pick that up.’”

Deploying radio frequency identification tags and standardized barcodes to track individual supplies down to the tactical level could provide real-time supply chain visibility and allow the military to order parts and supplies on demand, the CSIS report said.

The Internet of Things also provides opportunities to cut costs by reducing energy consumption. Smart thermostats have saved commercial consumers as much as 10 to 15 percent on heating and cooling. Even half those efficiency gains could save the Pentagon $700 million on energy per year if they were installed at military facilities, the report said.

For troops out in the field, limited Internet connectivity is a hindrance, noted Curtis Dukes, director of the information assurance division at the National Security Agency, which is tasked with protecting Pentagon communications and information systems from penetration and disruption.

“You want to have a great sensor network … but it’s a bandwidth constrained environment,” he said. “That’s one area where there is a distinct difference between the Defense Department and the commercial sector.”

Pushing connectivity out to the tactical edge in large volumes is going to require investment in new generations of communications drones and small satellites, as well as leveraging commercial satellites, Carter said.

Smith views “smart vehicles” as potential delivery platforms for connectivity. “These are mobile hot spots,” he said. “Think about the field uses out there where we couldn’t push the network in the past because of the cost, because of the remoteness of it. Now if all vehicles are connected you have kind of a mobile, meshed network running out there.”

But the lack of common standards and protocols complicates efforts to integrate systems.

“I think we’ve started to lag a bit in adopting [the] Internet of Things,” Dukes said. “There’s a lack of standards when it comes to how you actually securely communicate with everything being Internet aware and also how that communication stream looks.”

“We really haven’t thought through what the security model looks [like] for this Internet of Things, and I think that’s the first step. And then the second one is codifying those security parameters into standards for that,” he added.

The need to develop common standards extends to commercial devices that the Defense Department would be interested in using, Carter noted.

Cultural barriers add another obstacle, analysts said.

“The risk aversion of many military figures is based on the fact that if systems fail, people die,” Carter said. “Nobody wants to be calling IoT support from a foxhole saying, … ‘My smartphone isn’t working [and] I can’t accomplish my mission.’”

Security concerns are the main issue holding back the military’s use of the Internet of Things, said officials, analysts and members of industry. Some potential adversaries have advanced cyber and electronic warfare capabilities, and everything connected to the Internet is potentially vulnerable to attack, they noted.

“Everybody today likes to talk about the Internet of Things … [but] I look at it as the Internet of threats,” said Paul Geraci, senior director of U.S. intelligence and national security programs at OSIsoft, a California-based company that provides IoT-related software to the federal government and the private sector. “While many may look at it as a beautiful thing that we’re all interconnected … it’s an asymmetric threat now. It’s a constant threat, and it’s a constant risk.”

Budget constraints and the Defense Department’s approach to spending hinder the pursuit of Internet of Things technologies, Carter said. “The military does not spend dollars today to save dollars tomorrow, which is in many ways how industry has developed real value from IoT,” he said. “You invest in a new system today and [then] you save on the efficiencies you generate over time.”

The Defense Department has not invested enough money in cyber security for facilities that use Internet of Things technologies, said John Conger, former acting assistant secretary of defense for energy, installations and environment, who is now the Pentagon’s principal deputy comptroller.

The Defense Department owns 300,000 buildings, some of which have hundreds of Internet access points that could be vulnerable, he noted at a recent Federal Facilities Council conference.

“While cyber threats are getting a lot of attention at the department and [U.S. Cyber Command] is getting plenty of money, the facilities are not,” Conger said.

“At some point we’re going to have to spend real money” to address the problem, he said. “It’s not just the fact that [adversaries] might turn off the lights. … What if you have a critical system that’s hooked up to all this and … you can’t turn the chillers back on when the computer systems are going to overheat and that’s going to shut down the network? Or what happens when they actually use that to get into some other network?”

The art of deception can be employed against machines as well as people, noted Richard Hale, deputy chief information officer for cyber security at the Defense Department. “The Internet of Things, especially as we get more and more autonomous and more of this is real-time control system sort of stuff — it’s going to make really bad decisions if information isn’t right or if it’s not coming from a genuine, trustworthy” component, he said. “Non-spoofable … identity is going to be a fundamental characteristic” of the Pentagon’s future IoT systems.

Dukes said “lightweight” cryptography would be needed to secure smartphones and other devices that don’t have the processing capability of traditional devices. That could entail creating cryptographic tools and protocols that require less energy or less software code to execute.

In a constrained budget environment, priorities will need to be set when it comes to securing the Internet of Things, officials said.

“We don’t want to have all of our money spent on some insignificant cyber security problem,” Hale said. “Nuclear command-and-control ought to have more cyber security … than the thermostat in my house or in a DoD building perhaps.”

The department will need to set different standards for a wide range of Internet of Things systems, from nuclear and aircraft systems on the high end to logistics and administrative activities on the lower end, Cartwright noted.

Industry needs to be a partner in these efforts, Dukes said. “As you move to these Internet of Things, if we’re not careful and if we don’t think about building security into those devices … an adversary would be able to connect onto that and actually see what’s going on,” he said. “It really is forcing industry to actually start baking or building security into this process.”

Topics: Cybersecurity, Infotech