January 3, 2023 By Mike Elgan 3 min read

The White House’s National Security Council (NSC) is working on an ambitious project to improve consumer Internet of Things (IoT) security through industry-standard labeling. If successful, the labeling system will replace existing frameworks across the globe.

Modeled after the EPA’s Energy Star labeling program, the IoT labeling initiative should have two effects: to educate and inform consumers, and to provide a strong incentive to manufacturers to make their products more secure.

The government wants the program to roll out in the spring of 2023. But what must these labels address from the perspective of cybersecurity specialists?

Why consumer IoT matters to cybersecurity professionals

IoT devices represent a special kind of security threat. Consumers buy fun or useful gadgets with a focus on the price, features or convenience, often without considering security. After all, how threatening could a toaster, security camera, smart doorbell, smart light switch, air-quality monitor or fitness dog collar really be?

This perception issue is the main problem with consumer IoT. A “smart light bulb” sounds innocent. But all IoT devices are, by definition, nonstandard microprocessor-based computers that run software and send data over a network.

In fact, the majority of “computers” in the world are IoT devices rather than servers, laptops or desktops. Billions of devices come in thousands of types. This combination of ubiquity and variety causes even more issues for cybersecurity.

Operating system vendors and application vendors stay vigilant for new security threats and issue regular patches and updates. But is the maker of smart home smoke detectors performing those tasks? The new labels should light a fire to get IoT makers to focus more on security.

The dissolving security perimeter

The IoT concept has been around since 1999. Until recently, the distinction between consumer IoT and industrial or enterprise IT was far more defined. This distinction is still important, of course. But from a cybersecurity perspective, well, things have changed.

Employees are working from home, and not just full-time remote workers and hybrid workers. Even full-time office workers are now logging on from home in the evenings and on weekends. These employees are connecting over the same networks their consumer IoT devices operate on.

The dissolution of the perimeter in enterprise computing means that IoT devices inside and outside corporate offices share the same status as potential security risks to be managed — hence the need for zero trust architectures. But the difference is that consumer devices are far less likely to offer security features, such as regular security-enhancing firmware updates.

Zero trust is necessary. But consumer devices with greater security would also help a lot.

In search of a global standard

The White House is working with the European Union to unify labeling standards with the hope that they’ll be applied globally.

As a preview of the White House’s initiative, Carnegie Mellon University developed 47 “key factors” for privacy and security, working with 22 groups, and tested them with real consumers. They concluded that the main facts should be plainly displayed on the box each device comes in, along with a QR code linking to additional details and a URL for accessing the company’s privacy policy.

The researchers divided the highest-priority types of security information into five categories:

  1. Security updates
  2. Access control
  3. Sensor types
  4. Data storage locations
  5. Data sharing

The NSC can also look at Singapore’s example. That country launched its Cybersecurity Labelling Scheme (CLS) in October 2020, and much of that effort was adopted by Finland. Singapore also proposed an international standard, ISO 27404, which defines a Universal Cybersecurity Labelling Framework (UCLF) for consumer IoT.

And so, the NSC labeling system can succeed in all its aims if it’s “user friendly” enough for the mass consumer marketplace, improves upon existing initiatives from the likes of Carnegie Mellon and Singapore and also offers the right kind of restrictions and coverage.

Clarity, transparency and security

From a cybersecurity point of view, the best ideas are clear labels that address:

  • How often manufacturers deploy patches, with a requirement for manufacturers to stick to their promises on frequency
  • Whether or not devices connect to the internet without a password, and other access control issues
  • Whether the device supports multi-factor authentication, especially for devices that come with consumer-facing apps that connect directly to them
  • Lists of all sensors capable of capturing data, including microphones and cameras, and what the purpose of each sensor is
  • Whether harvested data is available to employees or third-party companies
  • Whether harvested data is stored on the device, in the cloud or both, and who has access to the cloud-stored data
  • What exactly is done with the data generated by the device. For example, does it have an expiration date? Is it available to consumers? Can anyone share or duplicate it, and what is to become of the data should the company go out of business or change management?

Cybersecurity professionals want the White House initiative to succeed wildly. It could make their jobs just a little bit easier. But to succeed, the new labels must hit all of the major threat points inherent in the nature of the IoT beast.
