Date: 2019-01-09

Security of emerging tech and IoT is an ongoing concern

Why only three recommendations for a sector that includes the IoT, easily the broadest attack surface for hackers?

Nick Marinos, director of cybersecurity and data promotion issues at GAO, said the number of recommendations does not reflect “the amount of work that GAO has done to raise concerns regarding the cybersecurity of emerging technologies.”

He said many recommendations in the other nine action areas have connections to emerging technologies.

“For example, we have ongoing reviews looking at supply chain cybersecurity issues as well as the impact of 5G on the government and nation,” he said. “These have relevance to securing emerging technology area along with other topics.”

And he said he expects the number of recommendations focused on emerging technologies “will increase quite substantially in the coming years.”

Automotive security is a priority

For now, the single priority recommendation, which goes back nearly three years, to March 2016, focused on vehicle security. It called for the Department of Transportation (DOT) to “direct the National Highway Traffic Safety Administration (NHTSA) to work expeditiously to finish defining and then to document the agency’s roles and responsibilities in response to a vehicle cyberattack involving safety-critical systems.”

The response from the DOT, later that month, agreed with the recommendation and cited a number of things the agency was doing, including “research opportunities,” convening a roundtable meeting with automotive stakeholders and reaching a “historic agreement” with 18 automakers on “proactive safety principles.”

All of which could be boiled down to, “we’re working on it.”

But not finished with it. The current “status” of the recommendation said that by February 2018 (almost two years later), the DOT had “outlined NHTSA’s roles and responsibilities to address cybersecurity incidents that involve automotive safety critical systems under its existing processes and authorities, but continues to examine whether these processes will need to be updated.”

“In addition, NHTSA still needs to document how it will collaborate with other federal agencies and stakeholders in responding to a cyberattack.”

And nothing since then—almost another year later. Which would be hard to describe as expeditious.