From Inside Cybersecurity:
The R Street Institute, a think tank advocating for free market solutions, is seeking answers on how the White House will determine a security baseline and enforcement mechanisms for its upcoming cybersecurity label for consumer Internet of Things devices.
The White House held a workshop last week on the creation of a national IoT labeling program targeted for a spring 2023 launch to get input from stakeholders from the private sector, academic institutions and federal agencies. R Street’s Brandon Pugh was among the participants.
The meeting “focused on how to best implement a national cybersecurity labeling program, drive improved security standards for Internet-enabled devices, and generate a globally recognized label,” according to National Security Council spokeswoman Adrienne Watson.
“Labels are not a new idea. The ENERGY STAR label involves the Environmental Protection Agency setting standards, and the Organic Seal is given out by the Department of Agriculture. This would be the newest—but arguably could be the most critical—use in leading to adoption of stronger cyber standards by companies and helping prevent consumers from unknowingly buying insecure products,” Pugh said in a blog post following the workshop.
Pugh, resident senior fellow and policy counsel for R Street’s cyber team, wrote, “There are still questions about how labels would work and critics have questioned whether a label will actually make a difference, including whether consumers will buy devices based on the label.”
“However,” Pugh said, “the latest White House convening showed the urgency with which the Biden administration is approaching labels, especially with the participation of key figures like Deputy National Security Advisor Anne Neuberger, Sen. Angus King (I-Maine), National Cyber Director Chris Inglis and Federal Communications Commission Chairwoman Jessica Rosenworcel.”
The post outlines three considerations that should be taken into account as the Biden administration rollouts out the program.
Pugh wrote, “First, there is the question of how consumers will be educated to look for these labels and understand what they mean. After all, if consumers don’t understand what the insignia on a product means, then the goal of having consumers purchase more secure products will be limited.”
The design of the label also is important, Pugh said, giving two options – a “check mark” to indicate whether “basic standards” are met, or the use of QR code where consumers can get more information.
Pugh wrote, “Secondly, it’s important to decide what the baseline standards will look like in order to determine whether an IoT device complies. The National Institute for Standards and Technology issued a baseline for consumer IoT products after the administration previously issued an executive order on IoT labels. However, it is yet to be established whether one standard will apply to all devices or whether there should be heightened standards for those with greater risk.”
Pugh asks whether the standard should align with ongoing “internal efforts” and others developed by “private associations” such as the ioXT Alliance.
He added, “There is also the question of whether the labels should reflect more traditional data privacy measures, which is important without a federal law on data privacy and security.”
“The third consideration is how the label should be assessed and enforced,” Pugh wrote. “On the assessment side, a company might need to self-certify that they are in compliance to help obtain widespread scale of a label, but this would require it be verified somehow to prevent or identify false claims.
Pugh wrote, “Alternatively, a third-party entity could certify. In the event a bad actor is found, enforcement measures would need to be in place, which might mean the Federal Trade Commission or a similar entity having a role.”
The Consumer Technology Association participated in the workshop offering a vision for the label that looks across a variety of existing approaches for IoT security and builds off criteria developed by NIST through the 2021 cyber executive order.
CTA’s Michael Bergman told Inside Cybersecurity the label should build on Carnegie Mellon’s approach of having a physical label on an IoT device and a QR code where consumers can get additional technical information.
The label should rely on third party certification and self-attestation, Bergman said, and could also incorporate criteria from industry developed standards from ISO, ANSI and ETSI.
