Earlier this week the White House announced a new consumer Internet of Things (IoT) labeling effort designed to assist consumers in identifying secure technologies. As more connected devices are coming online, information about security can help consumers make informed purchase decisions. This, in turn, could make security a point of competition in the IoT marketplace, raising the overall security level of the ecosystem for all, whether or not they worry about security.
To help get there, the White House will be bringing together companies, associations, and government partners to discuss the creation of an IoT labeling program. Although details are scant right now, the ultimate goal is to develop and introduce a common label for products that are tested against U.S. standards by approved organizations, so that consumers can have insight into which devices meet the highest cybersecurity standards and are less vulnerable to hacking. The effort aims to deliver quick impact by starting with routers and home cameras, as these are both common and most at risk, according to the White House. While this approach will leave a vast array of IoT devices out of scope, we agree that these represent a good starting point.
It is positive, and indeed essential for success, that the White House is partnering with the private sector and focusing on creating a voluntary approach. Ensuring that success, however, requires navigating several challenges.
Don’t Start From Scratch
IoT “labeling” is an idea with a long history, and government officials should build on existing bodies of work. Last December, the National Institute of Standards and Technology (NIST) released a whitepaper on the path forward for a cybersecurity label for consumer IoT products. (Check out the comments submitted to NIST from the Cybersecurity Coalition.) NIST’s paper, which was issued at the direction of the White House, aimed to identify key elements of labeling programs, including proposed baseline product security criteria. These criteria were expressed as product-focused outcomes, rather than a new “labeling program,” so that providers and customers could choose the best solutions for their devices and environments – a wise decision, given the diversity of IoT devices and deployments.
Other government-led efforts include the National Telecommunications and Information Administration’s IoT multistakeholder process, Singapore’s cybersecurity labeling scheme, and the European Union’s Cyber Resilience Act. The private sector has been exploring this as well.
With all the work already done on IoT labeling, the White House should ensure its new effort builds on this work rather than starting from scratch. For example, many of these past efforts spent a lot of time dispelling the misconception that the term “label” refers only to a physical sticker, when it is clear that the “label” must also have digital formats for online marketplaces. We also encourage the White House to explore layered labels, as the Cybersecurity Coalition detailed in our NIST comments, to ensure effective and comprehensive information is available to IoT users with varied appetites for detailed security information.
It's also important that security label testing and content be grounded in credible security benchmarks. Many of these already exist, and the White House should leverage existing standards and assessment processes for IoT security, such as the NIST IoT security baseline. Echoing the NIST IoT label white paper, the criteria should be outcome-focused and appropriate for the device and environment.
Needed: Good Communications and More Data
Given that the purpose of the labeling program is to enable consumers to make more informed decisions, labels must communicate information that is accessible to individuals with widely varying technical knowledge, easily comparable between similar products, and trustworthy.
Existing research suggests that some consumers could find a label communicating security information helpful, and that consumers could change purchasing behavior based on the label content. However, these studies were limited, and IoT security is not as easily quantifiable as the subjects of other labeling programs, such as Energy Star for energy consumption. We need more definitive information on how everyday consumers would make use of an IoT security label, preferably in live settings. What is the optimal format that will help consumers make informed choices? Will more transparent device security information actually drive consumers and manufacturers to make pro-security choices? Good data on these questions will boost the chances of success for the White House’s effort.
While an IoT security labeling program has potential to help consumers make informed choices, it has limits and risks. Perhaps most importantly, a security label must avoid conveying a false sense of security: users must not assume a device is secure just because it has a label. Other factors are always at play, such as the security of the surrounding network and keeping device software up to date, both of which generally require involvement from the device owner.
Additionally, there needs to be a balance between the amount of information provided to the consumer and how it is presented. If consumers are presented with too much information, or confusing information, it may impede their ability to make informed decisions about IoT device security. Yet if the information is too high-level, it may not be impactful for consumer decisions. Again, pre-market label testing should help achieve the right balance.
The White House referred to IoT labeling as “an idea whose time has come.” It is positive that the White House is continuing to consider ways to help drive security across the digital ecosystem and recognizing the important role the consumer market plays. We agree that exploring IoT security labeling is a worthwhile part of these efforts, especially as other countries are investigating this approach. We urge those involved to take the necessary time to ensure any labeling program is effective and actually helps consumers and manufacturers strengthen the security of their devices.