US Army tells remote workers to switch off their IoT devices (and then withdraws advice)

The US Army appears to have made a strategic withdrawal from advice it issued to remote workers last week about their use of smart IoT devices.

As several news outlets reported, the US Army issued a new policy requiring Army military, civilian, and contractors who are approved to telework to “remove or turn off all Internet of Things (IOT) devices in their workplaces”.

The message from the Army’s Chief Information Officer Dr Raj Iyer on how to protect and safeguard Department of Defense data by making more efforts to mitigate data leaks was clear:

Anytime smart IoT devices are powered on, they constantly listen and collect data by recording audio, transcripts, and even video. This means that Army military, civilian, and contractor personnel should protect themselves and the mission by:

  • Removing all IoT devices, with listening functions, from the work area.
  • Turning off or removing all personal mobile devices, such as smartphones or tablets, in your work area.
  • Disabling audio access functions on personal assistant applications and devices.

Yes, this edict didn’t just require users to remove the likes of smart TVs and Alexa speakers from their environment, but also to turn off or remove smartphones which may respond to phrases like “Hey Siri” or “OK Google.”

The memo, since deleted from the US Army’s website, starkly stated no IoT devices would be tolerated in the remote workplace:

“Effective immediately, all personnel approved to telework must conduct work in an environment free of IoT devices.”

Wow. No IoT devices? Presumably that goes beyond smart speakers and TVs and smartphones, and would include fitness trackers, fridges, gaming consoles, and internet-enabled home security systems.

And yes, that’s right. The US Army has – without explanation – removed the memo entitled “Cybersecurity Requirements for Teleworkers in the Vicinity of Smart Internet of Things (IoT) Applications and Devices” from its website.

Furthermore, the initial announcement of the policy’s existence has also been removed – although a copy remains in a Google cache.

There are lots of genuine concerns over IoT devices – some of them are poorly designed, others may be secured by their owners with weak passwords or badly-chosen settings, and readers of the BOX blog are all too familiar with the many tales we’ve heard over the years of “smart” devices proving to be pretty dumb when it comes to protecting users’ privacy and security.

So I can understand the US Army’s concern, but an edict banning all IoT devices from the homes of those working remotely sounds utterly unrealistic, has no chance of finding support amongst users, and is unlikely to succeed in its goal.

And maybe that’s the reason why the memo has been quietly erased from the US Army’s website, while they try to find a less draconian way of addressing the dangers IoT devices can bring into the remote workplace.