From baby monitors being hacked to front doors being unlocked through smart home locks, cybersecurity risks with Internet of Things (IoT) devices are becoming more apparent. One solution proposed by the Biden administration is a cyber label to help consumers identify which products meet baseline security standards. The latest movement on this journey came on October 19, when industry, government and civil society leaders convened at the White House to brainstorm a label program. However, several major questions remain, not only about whether a label becomes a reality but about whether it succeeds.

Most consumers buy these products with little thought to whether the device is secure or what risks it poses. With the number of IoT devices expected to reach 14.4 billion by the end of the year, the issue is even more urgent. The White House’s focus is on consumer-facing IoT devices, but the risk extends to other applications, such as IoT deployed in critical infrastructure.

Labels are not a new idea. The ENERGY STAR label involves the Environmental Protection Agency setting standards, and the Organic Seal is given out by the Department of Agriculture. This would be the newest—but arguably could be the most critical—use in leading to adoption of stronger cyber standards by companies and helping prevent consumers from unknowingly buying insecure products.

There are still questions about how labels would work, and critics have questioned whether a label will actually make a difference, including whether consumers will buy devices based on the label. However, the latest White House convening showed the urgency with which the Biden administration is approaching labels, especially with the participation of key figures like Deputy National Security Advisor Anne Neuberger, Sen. Angus King (I-Maine), National Cyber Director Chris Inglis and Federal Communications Commission Chairwoman Jessica Rosenworcel.

Stakeholders, myself included, raised a number of key considerations in response to a draft label program presented on October 19. There are three main ones to flag.

First, there is the question of how consumers will be educated to look for these labels and understand what they mean. After all, if consumers don’t understand what the insignia on a product means, then the goal of having consumers purchase more secure products will be limited. Related to this, a design for the label itself is needed. For example, would there be a physical marking like a check mark indicating that basic standards have been met, a QR code that takes a consumer to a website to learn more, or a combination of the two?

Second, it’s important to decide what the baseline standards will look like in order to determine whether an IoT device complies. The National Institute of Standards and Technology (NIST) issued a baseline for consumer IoT products after the administration previously issued an executive order on IoT labels. However, it has yet to be established whether one standard will apply to all devices or whether there should be heightened standards for those with greater risk. Similarly, how should the standard relate to ongoing international efforts or those by private associations, if at all?

There is also the question of whether the labels should reflect more traditional data privacy measures, which matters in the absence of a federal law on data privacy and security. The label effort so far has focused mostly on security measures. There is room for additional criteria to be added to help identify whether privacy considerations are being met. This could include whether an organization has a privacy policy, how long data is retained and with whom it is shared, and whether the entity complies with a privacy framework, among other factors. Private-sector offerings like ZenData’s Privacy Badge, which assesses a website’s privacy coverage based on multiple factors, have emerged to validate privacy. A similar concept could be considered to validate IoT device privacy within this label effort, for a unified security and privacy approach.

The third consideration is how the label should be assessed and enforced. On the assessment side, a company might need to self-certify that it is in compliance in order for a label to reach widespread scale, but self-certification would require some form of verification to prevent or identify false claims. Alternatively, a third-party entity could certify. In the event a bad actor is found, enforcement measures would need to be in place, which might mean the Federal Trade Commission or a similar entity having a role.

There is still work to be done for labels to become a reality, but with the number of IoT devices, and the threats coming from them, increasing, now is the time to take action. With continued collaboration between industry, government and civil society, labels have the potential to be one part of improving IoT security.

Image credit: TaweeW.asurut