Everything we know about the White House’s IoT security labeling effort

Home security cameras are among the first devices to be considered for a security “nutrition label,” which could launch in spring 2023.

Getty Images

The White House issued a statement today, essentially saying it hosted a big gathering of big names on Wednesday and that some sort of security label for smart devices will emerge as a result in spring 2023. Here’s a whole lot more about what happened and what’s likely to come out of it.

One of the top recommendations in the March 2020 report of the US Cyberspace Solarium Commission, named for the Eisenhower administration’s drive to rethink Cold War strategy, was: “Establish a national cybersecurity certification and labeling agency.” Under that recommendation, a “nonprofit, nongovernmental organization” would serve as a labeling authority for at least five years, labeling products based on consensus from the Departments of Commerce and Homeland Security and “experts from the federal government, academia, nongovernmental organizations, and the private sector.”

And that’s about who turned up, according to the White House. Amazon, Comcast, Google, Intel, LG, Samsung, Sony and other private companies showed up. So did the Connectivity Standards Alliance, the consortium behind Matter, along with the American National Standards Institute (ANSI), Consumer Reports, and the lobby groups the Consumer Technology Association, CTIA and the National Retail Federation. Add in pretty much any safety-related government agency and you have the panel the Solarium Commission recommended.

Details on the label itself, the form it has taken so far, and what it would rate or measure were not available, but there were clues. CyberScoop quoted a White House official as saying that device ratings could be based on “vulnerability fixes, amount of information collected about consumers, whether data is encrypted, and interoperability with other products.”

As for what the label could look like, there is at least one template. Researchers from Carnegie Mellon University, one of the parties invited to the summit, had already created a security “nutrition label.” The label, based on input from more than 22 groups, has performed well with users, the university claims. It provides multiple layers of disclosure based on common IoT vulnerabilities: default passwords, security updates, offline mode functionality, and the like.

You can even create your own voluntary security label, or just kick the tires like I did.

I don’t know why we developed this smart doorbell, but we are committed to updating it for at least three years.

Kevin Purdy / Carnegie Mellon

The White House told reporters Thursday that it aims to “keep things simple” with a code that phones can scan to reveal security and privacy information.

Which products get the labels? The White House told reporters Wednesday that it would begin voluntary labeling in spring 2023, which would focus on “high-risk internet-connected devices like routers” and home cameras.

The White House press release said it wanted to “create a globally recognized label” with this effort. CyberScoop reported earlier this month that the task force is working with the European Union to “align to standards.” It is notable, therefore, that Deputy National Security Advisor for Cyber and Emerging Technologies, Anne Neuberger, attended Singapore International Cyber Week, where she described how the US looks to Singapore as a “world leader in IoT,” as The Register reports.

Singapore’s Cybersecurity Labeling Scheme assigns a rating on a four-star scale to almost every internet-connected consumer device in that country. The system is recognized by Finland and now also by Germany. At this week’s conference, it was announced that the system could soon make its way to medical devices. It’s a good bet that whatever system the US develops will want to achieve some reciprocity with Singapore’s system, even at a single level.

The Cybersecurity Labeling Scheme in Singapore, which gives consumer devices one of four ratings based on security practices.

Does this label have a Matter aspect? Almost certainly, given the presence of the CSA at the White House summit. Matter certification already requires devices to use AES encryption when communicating over networks, be able to receive updates wirelessly, be code-signed, and have a secure enclave for storing keys and certificates that are reconciled against a blockchain ledger. Some or all of these aspects (minus the blockchain bit) are likely to be addressed on security labels.

While the first version of this security tag will almost certainly be a compromised, politically-savory endeavor, anything is likely better than the system we have now: individual online searches for smart home brand names and manufacturers, ending with the phrases “Breach” and “Vulnerability.”
