White House Proposes IoT Security Labeling

The White House last week held a meeting with the private sector, tech associations and government representatives to discuss the development of a security label for IoT devices. The label would be akin to the Energy Star label, an initiative led by the Environmental Protection Agency and the U.S. Department of Energy.

The label system, initially for routers and video cameras, will be designed so that “Americans can easily recognize which devices meet the highest cybersecurity standards to protect against hacking and other cyber vulnerabilities. By developing and rolling out a common label for products that meet U.S. government standards and are tested by vetted and approved entities, we will help American consumers easily identify secure tech to bring into their homes,” the White House said last week in a document that described the event.

Home routers and video devices are often commandeered by criminals and employed in distributed denial-of-service attacks against organizations. It’s not clear yet what standards or vetting organizations are being considered. Industry reaction to the possible labeling system has been mixed but seems mostly positive.

“The ‘Energy Star’ label worries me about this one,” said Forrester VP and principal analyst Jeff Pollard. “That’s not exactly a stellar program. A yellow sticker on the thing you bought, that makes you feel better about the thing you bought … and that you notice after you bought the thing,” he said, doesn’t necessarily change the game.

John Pescatore, director of emerging security trends at the SANS Institute, pointed to prior successful government and private industry standards efforts. “There is a long history around fire resistant material standards where independent organizations like UL Labs worked with government agencies like NIST, the Association for Testing and Materials and the National Fire Protection Association to make sure that a wide variety of flammable things were much safer,” said Pescatore.

“This all succeeded because the government didn’t try to dictate standards, it worked with private industry to make sure that procurements and use of flammable ‘things’ had to include compliance with the industry standards,” he said.

Pescatore pointed to a number of existing meaningful technology standards efforts, as well, including the Connectivity Standards Alliance-IoT, which has some big names on board: Amazon, Apple, Google and Samsung, among others.

“If the U.S. government put its buying power behind some consensus standards, the bar for IoT security will be raised,” he added. “It’s good to see elsewhere in the Biden announcement they specifically said they will be ‘strengthening the federal government’s cybersecurity requirements and raising the bar through the purchasing power of government,’” Pescatore said.

Greg Young, VP of cybersecurity at Trend Micro, agreed; he added that because IoT and home smart devices are exceptionally vulnerable, “a clear and consumer-focused label is a great idea.”

However, the devil is in the certification details, he added, and shared good and bad examples of previous efforts. “They [the government] need to remember what has been learned already or risk repeating the mistakes,” he said.

Young pointed to the NIST FIPS140-2 standard for certifying the use of cryptography as one of the greatest successes. “FIPS140-2 has a very narrow scope, four levels and a relatively speedy testing and validation process using government-certified private sector labs. Everyday devices such as the PIN pad on an ATM are certified under FIPS.”

The bad, in his view, proved to be Common Criteria. “Common Criteria was intended to provide certification for the security features in operating systems and security products and appliances. Common Criteria had too much scope creep in the goals, was complex to the level of ridiculousness, effectively allowed vendors to set their own bar for what would entail success by describing a ‘security target,’ and weighed down by documentation over testing. Common Criteria was effectively abandoned by the government and [I] don’t think anyone misses it,” he said.

Young added that, as with all standards, maintaining the rating is an issue, especially with devices regularly patched and updated. “I’m encouraged that NIST has been flagged as a potential lead agency and I hope that they apply the blueprint of FIPS140-2 to this IoT effort,” he said. He added that, while simplistic, the analogy to the Energy Star rating is being used to emphasize the clarity required.

“I’m concerned, however, because the nature of IoT can be exceptionally broad and the scope of what is to be included can easily expand, and opinions can differ about what is important for IoT to be secure,” he continued. “Consumers need help in protecting themselves from the cybersecurity risks of IoT. This effort can be entirely successful, but the discipline required is exceptionally great in order to minimize the bureaucracy, maintain the scope, deliver speedy testing and make sense of how to maintain certifications in the face of easily changed product software,” he concluded.

Diana Kelley, chief strategy officer and chief security officer at Cybrize, said the time is long overdue for a way to provide consumers and enterprises with a reliable, normalized indicator of the security level of products and services, but warned that users can’t expect to displace their own security efforts with the arrival of a security label.

“The trick, of course, is to ensure the benchmarks being used are the right ones—and that buyers don’t lose sight of the fact that security in practice depends on both the relative security of the device and also how it’s used. The ‘safest’ car in the world still isn’t safe if the driver is unable to drive it safely,” she said.