If you were informed that certain brands of footwear were emitting unacceptable amounts of radiation, you would urgently find and remove those items from your house. When tainted pet food is causing pets to die around the country, you’d run, not walk, to make sure your pet’s food is not among the affected products. Yet known and active cyber vulnerabilities in telecommunications and surveillance equipment (controlled by foreign adversaries) have not been addressed as quickly or urgently as you would expect; let’s dig into why.
The 2019 National Defense Authorization Act (NDAA) specifies in Section 889 that the U.S. Federal Government is prohibited from contracting for or obtaining telecommunications or video surveillance equipment or services from certain foreign vendors of such equipment. These rules were put in place for a reason – it has been determined that these devices can enable cyber attacks and other forms of espionage by foreign adversaries on the US Government and industry. In other words, there is a clear and present danger from these devices, and their removal is both required and urgent.
Yet many organizations struggle to locate, disable, and replace these devices – why is that?
First, the way IoT devices used in telecommunications and video surveillance are deployed typically leads to a very heterogeneous and distributed collection of devices. Many of these devices are long-lived, so after a number of years the typical inventory will show a mix of makes and models as units get replaced one by one. Combined with personnel turnover and poor record keeping, there is often no consistent list of which devices are where – a tough starting point for finding the offending devices.
Secondly, not all devices are as they appear. The manufacturers of banned devices have OEM’d their products to multiple other brands, so just looking at the brand name on the device will not tell you if it was manufactured by a banned entity. Knowing this requires a deeper examination and understanding of the device.
Finally, as is often the case, performing these operations manually takes both people and time. Many organizations are short of human resources, especially ones that are working onsite currently. The devices themselves are distributed across multiple sites, states, and countries, and if manual methods are used it will take time and effort to physically get to them. The longer it takes to reduce the attack surface of prohibited devices, the greater the likelihood that cyber criminals can succeed in their objectives.
Clearly, automation is needed to bring the time and effort required for NDAA 889 compliance down to reasonable levels. Automated discovery solutions that can identify make, model, and original manufacturer can create an inventory list that pinpoints exactly where prohibited devices are located. In addition, when a prohibited device is replaced, the new device replacing it needs to be provisioned with updated firmware, certificates, and passwords. These steps can all be automated as well.
Looking to bring automation to your efforts on NDAA 889 compliance? Check out more details on how Viakoo can support you (and sign up for a personalized demo) at: https://www.viakoo.com/ndaa-889