In a release aptly labeled “A Starting Point for IoT Device Manufacturers” the National Institute of Standards and Technology (NIST), an arm of the Department of Commerce, recently added to the discussion with the publication. NIST sought to provide IoT device manufacturers a better understanding of appropriate cybersecurity features for the vast and constantly proliferating range of IoT devices. NIST’s fundamental purpose is to improve the securitibility of IoT devices and to identify, in general terms, the features that can be designed so that customers can better use them to manage cybersecurity risk profiles.
On July 16, 2019, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) issued an “Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes” (the “Advisory”). The Advisory provides a detailed and helpful overview of trends in Business Email Compromise (“BEC”) schemes affecting U.S. financial institutions and other businesses.
This week the U.S. Department of Justice (DOJ) and Netcracker Technology Corporation (NTC) announced that they had settled charges that NTC had violated U.S. controls on foreign access to sensitive data. The settlement underscores many of the export control and related compliance risks surrounding the provision and use of cloud computing services and global networks. At the same time, the Enhanced Security Plan issued by NTC and DOJ as part of the settlement provides a helpful set of benchmarks and best practices for companies that may be considering the use of cloud services and network infrastructure to house and transmit their most sensitive data.
According to DOJ’s settlement announcement, NTC had worked as a subcontractor on two federal government contracts with the Defense Information Systems Agency (DISA), a combat support agency of the U.S. Department of Defense (DoD), and performed some product support work from locations outside the United States, including Russia. DOJ alleged that by failing to maintain adequate controls on the cloud and network infrastructure supporting these contracts, NTC had threatened the security of sensitive data about individuals, DoD projects, networks and critical U.S. domestic communications infrastructure. DOJ further asserted that uncleared NTC foreign national employees in Russia and Ukraine worked on the DISA projects and were aware of the sensitive nature of the projects and the data stored and transmitted through the network managed by DISA.
Over the course of the last year, a number of U.S. technology companies and associations, including Intel, Samsung and the Information Technology Industry Council (ITIC) initiated a process dubbed “the National IOT Strategy Dialogue” the purpose of which was to develop strategic recommendations for U.S. government policymakers on the Internet of Things.
The group recently issued a white paper capturing the recommendations they advocate that the U.S. government undertake or implement. These players suggest that for the U.S. to win the global race to test, develop and deploy beneficial IOT technologies, that the U.S. government needs a strategic roadmap.