The White House’s National Security Council (NSC) is working on an ambitious project to improve consumer Internet of Things (IoT) security through industry-standard labeling. If successful, the labeling system will replace existing frameworks across the globe.

Modeled after the EPA’s Energy Star labeling program, the IoT labeling initiative should have two effects: to educate and inform consumers, and to provide a strong incentive to manufacturers to make their products more secure.

The government wants the program to roll out in the spring of 2023. But what must these labels address from the perspective of cybersecurity specialists?

Why consumer IoT matters to cybersecurity professionals

IoT devices represent a special kind of security threat. Consumers buy fun or useful gadgets with a focus on the price, features or convenience, often without considering security. After all, how threatening could a toaster, security camera, smart doorbell, smart light switch, air-quality monitor or fitness dog collar really be?

This perception issue is the main problem with consumer IoT. A “smart light bulb” sounds innocent. But all IoT devices are, by definition, nonstandard microprocessor-based computers that run software and send data over a network.

In fact, the majority of “computers” in the world are IoT devices rather than servers, laptops or desktops. Billions of devices come in thousands of types. This combination of ubiquity and variety causes even more issues for cybersecurity.

Operating system vendors and application vendors stay vigilant for new security threats and issue regular patches and updates. But is the maker of smart home smoke detectors performing those tasks? The new labels should light a fire to get IoT makers to focus more on security.

The dissolving security perimeter

The IoT concept has been around since 1999. Until recently, the distinction between consumer IoT and industrial or enterprise IT was far more defined. This distinction is still important, of course. But from a cybersecurity perspective, well, things have changed.

Employees are working from home, and not just full-time remote workers and hybrid workers. Even full-time office workers are now logging on from home in the evenings and on weekends. These employees are connecting over the same networks their consumer IoT devices operate on.

The dissolution of the perimeter in enterprise computing means that IoT devices inside and outside corporate offices share the same status as potential security risks to be managed — hence the need for zero trust architectures. But the difference is that consumer devices are far less likely to offer security features, such as regular security-enhancing firmware updates.

Zero trust is necessary. But consumer devices with greater security would also help a lot.

In search of a global standard

The White House is working with the European Union to unify labeling standards with the hope that they’ll be applied globally.

As a preview of the White House’s initiative, Carnegie Mellon University developed 47 “key factors” for privacy and security in consultation with 22 groups, and tested them with real consumers. The researchers concluded that the main facts should be plainly displayed on the box each device comes in, along with a QR code linking to additional details and a URL for accessing the company’s privacy policy.

The researchers divided the highest-priority types of security information into five categories:

  1. Security updates
  2. Access control
  3. Sensor types
  4. Data storage locations
  5. Data sharing

The NSC can also look at Singapore’s example. That country launched its Cybersecurity Labelling Scheme (CLS) in October 2020, and much of that effort was adopted by Finland. Singapore also proposed an international standard, ISO 27404, which defines a Universal Cybersecurity Labelling Framework (UCLF) for consumer IoT.

And so, the NSC labeling system can succeed in all its aims if it’s “user friendly” enough for the mass consumer marketplace, improves upon existing initiatives from the likes of Carnegie Mellon and Singapore and also offers the right kind of restrictions and coverage.

Clarity, transparency and security

From a cybersecurity point of view, the best ideas are clear labels that address:

  • How often manufacturers deploy patches, with a requirement for manufacturers to stick to their promises on frequency
  • Whether devices connect to the internet without a password, and other access control issues
  • Whether the device supports multi-factor authentication, especially where a consumer-facing app connects directly to the device
  • Lists of all sensors capable of capturing data, including microphones and cameras, and what each sensor is for
  • Whether harvested data is available to employees or third-party companies
  • Whether harvested data is stored on the device, in the cloud or both, and who has access to the cloud-stored data
  • What exactly is done with the data generated by the device? For example, does it have an expiration date? Is it available to consumers? Can anyone share or duplicate it, and what is to become of the data should the company go out of business or change management?

Cybersecurity professionals want the White House initiative to succeed wildly. It could make their jobs just a little bit easier. But to succeed, the new labels must hit all of the major threat points inherent in the nature of the IoT beast.
