The U.S. Army CIO has released a new policy for Internet of Things (IoT) device cybersecurity, which mandates that all Army personnel who are approved to telework remove or turn off all IoT devices in their workspaces.
“As a result of the pandemic, we saw a drastic expansion of our digital ecosystem which introduced new cybersecurity risks. So, we’re elevating and expanding our protocols to make telework offices more secure for our current and future digital Army workforce,” said Army CIO Dr. Raj Iyer.
The Army reiterated that teleworking during the COVID-19 pandemic has heightened the risk posed by IoT devices, as the typical home may contain 70 IoT devices on average.
The policy defines IoT devices as a network of items or applications that connect to the internet and emanate from several different technologies. The policy specifically states that it applies to:
- “Bluetooth wireless devices, speakers, mobile phone headsets, intercoms, hubs, home routers, printers, computers, laptops, tablets, mobile phones, smartwatches, auto devices, gaming consoles, TV, home entertainment centers, digital audio players, portable media, players, digital video recorders, webcams, cameras, sensors, fitness trackers, medical devices, weighing scales;
- Smart home devices, kitchen appliances, washer and dryer machines, lights, home electric systems, smart energy management systems, smart security solutions; and
- Personal home assistant applications on mobile devices.”
The Army said that when smart IoT devices are powered on, they constantly listen and collect data by recording audio, transcripts, and even video. The policy raises concerns about cybercriminals and foreign adversaries exploiting cybersecurity weaknesses to gain access to classified information.
“This new policy aims to prevent data leaks and protect privacy of critical unclassified information, personally identifiable information, and operational data,” a press release from the Army CIO said.
Due to this, Army military, civilian, and contractor personnel must protect themselves and the Army’s mission by:
- Removing all IoT devices with listening functions from the work area;
- Turning off or removing all personal mobile devices, such as smartphones or tablets, in the work area; and
- Disabling audio access functions on personal assistant applications and devices.