A U.S. Soldier of Bandit Troop 1st (Tiger) Squadron 3rd Cavalry Regiment provides overwatch security while soldiers move up Pride Rock mountain to witness the reenlistment of two U.S. Soldiers in Paktya province, Afghanistan. U.S. Army photo by Spc. Steven Cope/Released

Can the Pentagon Ditch the Password and Finally Embrace the 'Internet of Things'?

A new report claims the U.S. Defense Department could save millions using internet-ready devices and sensors. But there's one huge problem before that can happen.

Today's soldiers might be less technologically equipped than the average person.

Soldiers primarily use radio systems and voice recorders for communication, accessed through the military Wideband Networking protocol. Civilians, in contrast, use a variety of Web applications on 3G and 4G Internet, digitally-enabled home appliances, wearable devices and mobile phones that, when connected, can suggest ways to improve their routines: tracking their sleep and exercise, remotely monitoring their houses and reporting on their energy use, for instance.

Or at least that's what a new report from the Center for Strategic and International Studies argues. According to CSIS, the military has been too slow to embrace the network of devices and sensors known as the Internet of Things. A conservative calculation suggests the Defense Department could save at least $700 million on energy each year with digital thermostats. Equipping vehicle fleets with sensors, and tracking optimum levels of variables including temperature, could cut fuel costs by 25 percent, the CSIS report said.

The report acknowledged that DOD uses sensors in some operations, including package and pallet transit or satellite-linked missiles that can be redirected mid-flight, but said the military struggles "to equip its workforce, civilians and warfighters alike, with the basic functions provided by commercial smartphones."

But a military version of the Internet of Things needs to be far more robust against cyberattack than its commercial counterpart, DOD's Deputy Chief Information Officer for Cybersecurity Richard Hale said at CSIS Tuesday. 

"This idea that somebody is going to try to disrupt our operations, because they do it in any other area of warfighting, is certain," Hale said. "It's how we think about this . . . [but] the idea that everything is connected to everything else is still not deeply embedded in the design, or the production, or the operation of complicated distributed systems."

DOD must therefore rethink the way employees access a network that gathers data from, or potentially controls, physical devices, Hale said. If access keys are "replayable," meaning they can be used more than once, it makes the physical assets on the network more vulnerable to intruders, he said.

In particular, if some of the physical systems connected to the Internet of Things can operate autonomously based on real-time information, they are "going to make really bad decisions if information isn't right," Hale said. 

As a result, security systems allowing anonymous sign-ons could be dangerous, he said.

"Anonymity is inappropriate in most situations internal to our network, so we've worked to basically get rid of things like passwords and move to credentials," he said. "The Internet of Things is going to need the same thing. . . We have to drive out passwords."

Hale noted that DOD will have to work with the private sector, including device manufacturers, to set stronger security standards.

At the same event, Curtis Dukes, director of the information assurance division for the National Security Agency, said his team is working with the National Institute of Standards and Technology to identify industry standards for the military use of the Internet of Things.

"It first starts with an asset up to what the communication path is, what [data] fields we need collected about that device, how we actually share that, and then take action on that information," Dukes said. "Many of those standards don't exist today."

But he noted that, especially because the federal government often buys commercial devices and adapts them for its own use -- NSA has approved Samsung phones for "secret"-level use -- standards would have to be global, not limited to manufacturers in the United States.

"We can use our acquisition buying power" to encourage manufacturers to better protect devices, potentially by issuing each device a unique authentication key, he said, and "actually have a more effective approach to cyber defense."