The White House’s National Security Council (NSC) is working on an ambitious project to improve consumer Internet of Things (IoT) security through industry-standard labeling. If successful, the labeling system will replace existing frameworks across the globe.

Modeled after the EPA’s Energy Star labeling program, the IoT labeling initiative should have two effects: to educate and inform consumers, and to provide a strong incentive to manufacturers to make their products more secure.

The government wants the program to roll out in the spring of 2023. But what must these labels address from the perspective of cybersecurity specialists?

Why Consumer IoT Matters to Cybersecurity Professionals

IoT devices represent a special kind of security threat. Consumers buy fun or useful gadgets with a focus on the price, features or convenience, often without considering security. After all, how threatening could a toaster, security camera, smart doorbell, smart light switch, air-quality monitor or fitness dog collar really be?

This perception issue is the main problem with consumer IoT. A “smart light bulb” sounds innocent. But all IoT devices are, by definition, nonstandard microprocessor-based computers that run software and send data over a network.

In fact, the majority of “computers” in the world are IoT devices rather than servers, laptops or desktops. Billions of devices come in thousands of types. This combination of ubiquity and variety causes even more issues for cybersecurity.

Operating system vendors and application vendors stay vigilant for new security threats and issue regular patches and updates. But is the maker of a smart home smoke detector performing those tasks? The new labels should light a fire to get IoT makers to focus more on security.

The Dissolving Security Perimeter

The IoT concept has been around since 1999. Until recently, the distinction between consumer IoT and industrial or enterprise IT was far more clearly defined. This distinction is still important, of course. But from a cybersecurity perspective, things have changed.

Employees are working from home, and not just full-time remote workers and hybrid workers. Even full-time office workers now log on from home in the evenings and on weekends. These employees are connecting over the same networks their consumer IoT devices operate on.

The dissolution of the perimeter in enterprise computing means that IoT devices inside and outside corporate offices share the same status as potential security risks to be managed — hence the need for zero trust architectures. But the difference is that consumer devices are far less likely to offer security features, such as regular security firmware updates.

Zero trust is necessary. But consumer devices with greater security would also help a lot.

In Search of a Global Standard

The White House is working with the European Union to unify labeling standards with the hope that they’ll be applied globally.

As a preview of the White House’s initiative, Carnegie Mellon University developed 47 “key factors” for privacy and security, working with 22 groups, and tested with real consumers. They concluded that the main facts should be plainly displayed on the box each device comes in, along with a QR code linking to additional details and a URL for accessing the company’s privacy policy.

The researchers divided the highest-priority types of security information into five categories:

  1. Security updates
  2. Access control
  3. Sensor types
  4. Data storage locations
  5. Data sharing

The NSC can also look at Singapore’s example. That country launched its Cybersecurity Labelling Scheme (CLS) in October 2020, and much of that effort was adopted by Finland. Singapore also proposed an international standard, ISO 27404, which defines a Universal Cybersecurity Labelling Framework (UCLF) for consumer IoT.

And so, the NSC labeling system can succeed in all its aims if it is “user friendly” enough for the mass consumer marketplace, improves upon existing initiatives from the likes of Carnegie Mellon and Singapore, and offers the right kind of restrictions and coverage.

Clarity, Transparency and Security

From a cybersecurity point of view, the best ideas are clear labels that address:

  • How often manufacturers deploy patches, with a requirement for manufacturers to stick to their promised frequency
  • Whether devices connect to the internet without a password, and other access control issues
  • Whether the device supports multi-factor authentication, especially for devices that come with consumer-facing apps that connect directly to them
  • A list of all sensors capable of capturing data, including microphones and cameras, and what each sensor is for
  • Whether harvested data is available to employees or third-party companies
  • Whether harvested data is stored on the device, in the cloud or both, and who has access to the cloud-stored data
  • What exactly is done with the data the device generates: does it have an expiration date, is it available to consumers, can anyone share or duplicate it, and what becomes of it should the company go out of business or change management?
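To make that checklist concrete, here is an added Python example (not code from the article, the NSC program or Carnegie Mellon's study) that reads a machine-readable label of the kind a box's QR code might link to, checks that the five categories are present, and flags the properties a buyer or a security reviewer would treat as risks. The JSON field names, the two sample labels and the rules are assumptions constructed for this example.

```python
"""Evaluate a machine-readable consumer IoT security label.

Added example: the field names, the two sample labels and the rules below
are assumptions, not part of any actual labeling scheme.
"""
import json
from datetime import date

# The five label categories the article lists; a label missing any is incomplete.
REQUIRED_CATEGORIES = ("security_updates", "access_control", "sensors",
                       "data_storage", "data_sharing")

# Constructed sample: a label for a device that meets every point on the checklist.
GOOD_LABEL_JSON = """{
  "product": "Example air-quality monitor (constructed)",
  "security_updates": {"cadence_days": 30, "support_until": "2026-12-31"},
  "access_control": {"password_required": true, "app_connected": true, "mfa_supported": true},
  "sensors": [{"type": "particulate", "purpose": "air-quality readings"}],
  "data_storage": {"locations": ["device", "cloud"], "cloud_access": ["account owner"]},
  "data_sharing": {"third_parties": [], "employee_access": false, "retention_days": 365}
}"""

# Constructed sample: a label that exposes several of the problems the article calls out.
WEAK_LABEL_JSON = """{
  "product": "Example smart doorbell (constructed)",
  "security_updates": {"support_until": "2022-06-30"},
  "access_control": {"password_required": false, "app_connected": true, "mfa_supported": false},
  "sensors": [{"type": "camera", "purpose": "motion clips"}, {"type": "microphone", "purpose": ""}],
  "data_storage": {"locations": ["cloud"]},
  "data_sharing": {"third_parties": ["advertising partner"], "employee_access": true}
}"""


def parse_label(text):
    """Decode the JSON payload a label's QR code would point to."""
    return json.loads(text)


def missing_categories(label):
    """Return the required categories the label leaves out entirely."""
    return [c for c in REQUIRED_CATEGORIES if c not in label]


def risk_findings(label, today=None):
    """Return (code, message) pairs, one per labelled property that is a risk.

    `today` is an ISO date string or a date; it decides whether the stated
    update-support window has already closed.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    findings = []

    upd = label.get("security_updates", {})
    if "cadence_days" not in upd:
        findings.append(("NO_PATCH_CADENCE", "no stated patch-frequency commitment"))
    if "support_until" in upd and date.fromisoformat(upd["support_until"]) < today:
        findings.append(("SUPPORT_ENDED", f"security updates ended {upd['support_until']}"))

    ac = label.get("access_control", {})
    if not ac.get("password_required", False):
        findings.append(("NO_PASSWORD", "device joins the network without a password"))
    if ac.get("app_connected") and not ac.get("mfa_supported", False):
        findings.append(("NO_MFA", "companion app reaches the device without MFA"))

    for sensor in label.get("sensors", []):
        if not sensor.get("purpose"):
            findings.append(("SENSOR_NO_PURPOSE",
                             f"{sensor.get('type', '?')} sensor has no stated purpose"))

    storage = label.get("data_storage", {})
    if "cloud" in storage.get("locations", []) and not storage.get("cloud_access"):
        findings.append(("CLOUD_ACCESS_UNKNOWN",
                         "cloud-stored data with no statement of who can access it"))

    sharing = label.get("data_sharing", {})
    if sharing.get("third_parties"):
        findings.append(("THIRD_PARTY_SHARING",
                         "data shared with: " + ", ".join(sharing["third_parties"])))
    if sharing.get("employee_access"):
        findings.append(("EMPLOYEE_ACCESS", "vendor employees can access harvested data"))
    if sharing.get("retention_days") is None:
        findings.append(("NO_EXPIRY", "no data expiration stated"))
    return findings


if __name__ == "__main__":
    for text in (GOOD_LABEL_JSON, WEAK_LABEL_JSON):
        label = parse_label(text)
        print(label["product"])
        print("  missing categories:", missing_categories(label) or "none")
        for code, message in risk_findings(label):
            print(f"  {code}: {message}")
```

Run as a script, the checker prints nothing alarming for the first label and nine findings for the doorbell. The codes are deliberately stable strings so that a purchasing or asset-inventory tool could act on them (for example, refusing to enrol a device whose label carries NO_PASSWORD or SUPPORT_ENDED) rather than parsing free text.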

Cybersecurity professionals want the White House initiative to succeed wildly. It could make their jobs just a little bit easier. But to succeed, the new labels must hit all of the major threat points inherent in the nature of the IoT beast.
