The White House’s National Security Council (NSC) is working on an ambitious project to improve consumer Internet of Things (IoT) security through industry-standard labeling. If successful, the labeling system will replace existing frameworks across the globe.
Modeled after the EPA’s Energy Star labeling program, the IoT labeling initiative should have two effects: to educate and inform consumers, and to provide a strong incentive to manufacturers to make their products more secure.
The government wants the program to roll out in the spring of 2023. But what must these labels address from the perspective of cybersecurity specialists?
Why consumer IoT matters to cybersecurity professionals
IoT devices represent a special kind of security threat. Consumers buy fun or useful gadgets with a focus on the price, features or convenience, often without considering security. After all, how threatening could a toaster, security camera, smart doorbell, smart light switch, air-quality monitor or fitness dog collar really be?
This perception issue is the main problem with consumer IoT. A “smart light bulb” sounds innocent. But all IoT devices are, by definition, nonstandard microprocessor-based computers that run software and send data over a network.
In fact, the majority of “computers” in the world are IoT devices rather than servers, laptops or desktops. Billions of devices come in thousands of types. This combination of ubiquity and variety causes even more issues for cybersecurity.
Operating system vendors and application vendors stay vigilant for new security threats and issue regular patches and updates. But is the maker of smart home smoke detectors performing those tasks? The new labels should light a fire to get IoT makers to focus more on security.
The dissolving security perimeter
The IoT concept has been around since 1999. Until recently, the distinction between consumer IoT and industrial or enterprise IT was far more defined. This distinction is still important, of course. But from a cybersecurity perspective, well, things have changed.
Employees are working from home, and not just full-time remote workers and hybrid workers. Even full-time office workers are now logging on from home in the evenings and weekends. These employees are connecting over the same networks their consumer IoT devices operate on.
The dissolution of the perimeter in enterprise computing means that IoT devices inside and outside corporate offices share the same status as potential security risks to be managed — hence the need for zero trust architectures. But the difference is that consumer devices are far less likely to offer security features, such as regular security-enhancing firmware updates.
Zero trust is necessary. But consumer devices with greater security would also help a lot.
In search of a global standard
The White House is working with the European Union to unify labeling standards with the hope that they’ll be applied globally.
As a preview of the White House’s initiative, Carnegie Mellon University developed 47 “key factors” for privacy and security, working with 22 groups, and tested with real consumers. They concluded that the main facts should be plainly displayed on the box each device comes in, along with a QR code linking to additional details and a URL for accessing the company’s privacy policy.
The researchers divided the highest-priority types of security information into five categories:
- Security updates
- Access control
- Sensor types
- Data storage locations
- Data sharing
The NSC can also look at Singapore’s example. That country launched its Cybersecurity Labelling Scheme (CLS) in October 2020, and much of that effort was adopted by Finland. Singapore also proposed an international standard, ISO 27404, which defines a Universal Cybersecurity Labelling Framework (UCLF) for consumer IoT.
And so, the NSC labeling system can succeed in all its aims if it’s “user friendly” enough for the mass consumer marketplace, improves upon existing initiatives from the likes of Carnegie Mellon and Singapore and also offers the right kind of restrictions and coverage.
Clarity, transparency and security
From a cybersecurity point of view, the best ideas are clear labels that address:
- How often manufacturers deploy patches, with a requirement for manufacturers to stick to their promises on frequency
- Whether or not devices connect to the internet without a password and other access control issues
- Whether the device supports multi-factor authentication, especially for devices that come with consumer-facing apps that connect directly to the device
- A list of all sensors capable of capturing data, including microphones and cameras, and what the purpose of each sensor is
- Whether harvested data is available to the manufacturer's employees or to third-party companies
- Whether harvested data is stored on the device, the cloud or both, and who has access to the cloud-stored data
- What exactly is done with the data generated by the device: for example, whether it has an expiration date, whether it is available to consumers, whether anyone can share or duplicate it, and what becomes of the data should the company go out of business or change management
Cybersecurity professionals want the White House initiative to succeed wildly. It could make their jobs just a little bit easier. But to succeed, the new labels must hit all of the major threat points inherent in the nature of the IoT beast.