U.S. consumers could have a set of cybersecurity labeling standards to protect their Internet of Things (IoT) devices as early as spring 2023 if the White House National Security Council has its way.
In an effort to communicate the risks that come along with using internet-connected devices, the Council is gathering representatives from consumer product associations, technology think tanks, and manufacturing companies at the White House next week for a workshop. The goal? Come up with roughly four solid cybersecurity standards that manufacturers of IoT devices can use to properly label cybersecurity risks to users.
The move ties in nicely with October being Cybersecurity Awareness Month. In February 2022, the U.S. National Institute of Standards and Technology (NIST) issued a whitepaper with recommendations for cybersecurity labeling for consumer IoT products.
From the whitepaper: "Since IoT product vulnerabilities have led to breaches and enabled a variety of malicious activities, one goal of these criteria is to address IoT product vulnerabilities. Understanding already exploited vulnerabilities in IoT products and ensuring the consumer IoT product labeling program considers these incidents in its criteria can help to improve the cybersecurity of the IoT ecosystem."
The goal of the labeling standards is to put cybersecurity more top of mind for consumers who tend to gobble up new, shiny IoT devices full of handy features without any thought to their online security. Any labeling language, NIST recommends, should be made clear and easy enough so that consumers of any range of cybersecurity knowledge could understand it. Akin to warning labels on cigarettes (albeit tobacco is considerably more dangerous to users), the idea is to protect consumers from themselves.
Using the Energy Star labeling model
The labeling program will be modeled after Energy Star, the program used by the Environmental Protection Agency and Department of Energy to promote energy efficiency in home appliances. We're all familiar with the yellow "Energy Guide" labels that tell us how much it will cost us to operate our refrigerator or water heater for a year.
More from the NIST whitepaper: "The IoT product cybersecurity labeling provisions in the EO (Executive Order) aim to aid consumers in their IoT purchase decisions by enabling comparisons among products and educating them about IoT cybersecurity considerations. This transparency may also encourage IoT product developers to consider cybersecurity aspects of their IoT products and ways to achieve greater consumer trust and confidence in the IoT products—and ultimately, to improve the management of related cybersecurity risks."
Will the program get off the ground?
There is some skepticism that this program can even get off the ground, especially if it gets bogged down at the federal level. It likely will require the involvement and leadership of public and private companies or non-governmental agencies to make the labeling program a reality.
For instance, if a manufacturer claims how often it deploys patches for software related to its products to earn a "rating," who verifies their claim? What if a device connects to the internet without requiring a password, which can open new vulnerabilities? Who flags that and verifies that the manufacturer label accurately reflects that issue?
With devices in the crosshairs of these new labeling standards, software could be next. To many experts, opening up labeling requirements to software is a much bigger bite to chew off given the number of updates made to software programs and applications.