US Army Apparently Rescinds IoT Device BanPolicy Instructed Remote Workers Not to Use These Devices
The U.S. Army has deleted from its website a directive requiring all remote workers to remove or turn off IoT devices, according to the security firm Bitdefender.
The new requirement was issued in a memo posted to the Army's website on May 20 by the Army's CIO, Dr. Raj Iyer, that has since been removed, according to Bitdefender. The security firm found a cached version of Iyer's note.
Bitdefender researchers say such a policy is essentially unenforceable. But they acknowledge that many IoT devices lack adequate security.
"Securing the home networks of all employees is not feasible, for obvious reasons, so you have to focus on picking up abnormal behavior from the worker's devices," says Alex Balan, director of security research at Bitdefender. "XDR/EDR solutions and SOC services like MDR are built for this specific situation, and it's my opinion that they're mandatory to have in a 'work from home' age."
The U.S. Army did not respond to an Information Security Media Group request for additional information.
Why the Ban?
The "Cybersecurity Requirements for Teleworkers in the Vicinity of Smart Internet of Things (loT) Applications and Devices" policy that Bitdefender found in the cache says many IoT devices present a security issue because they constantly collect data and listen even when not in direct use.
"Although those virtual smart assistants and digital gadgets or applications may seem helpful, they pose a great threat to security, in your home and at the national level," the policy removed from the Army website states. "With the rise of telework due to the pandemic, IoT devices have elevated security risks, particularly for the Department of Defense, as teleworkers use personal devices while connected to DoD networks for business."
The policy stated all military, civilian and contractor personnel must:
- Remove all IoT devices with listening functions from the work area;
- Turn off or remove all personal mobile devices, such as smartphones or tablets, in the work area;
- Disable audio access functions on personal assistant applications and devices.
The memo noted that the average home contains about 70 IoT devices.