The White House released a statement today saying it hosted a meeting with major industry players on Wednesday, and that it expects to have some form of security label for smart devices in the spring of 2023. Here's more about what happened, and what's likely to come out of it.
One of the top recommendations from the U.S. Cyberspace Solarium Commission (named after the Eisenhower administration's Project Solarium, which rethought Cold War strategy), in its March 2020 report, was "Establishing a National Cybersecurity Certification and Labeling Authority." Under that proposal, a "non-profit, non-governmental organization" would serve as the labeling authority for at least five years, labeling products based on the consensus of the Departments of Commerce and Homeland Security and "experts from the federal government, academia, non-governmental organizations and the private sector."
And that's roughly who showed up, according to the White House. Amazon, Comcast, Google, Intel, LG, Samsung, Sony and other private companies attended. So did the Connectivity Standards Alliance (CSA), the consortium behind Matter, along with the American National Standards Institute (ANSI), Consumer Reports, and the Consumer Technology Association, CTIA, and National Retail Federation trade groups. Add just about every safety-related government agency and you have the panel the Solarium Commission recommended.
Details on the label itself, as it exists to date, and on what it would rate or measure, weren't available, but there have been hints. CyberScoop quoted a White House official as saying that device ratings could be based on "vulnerability fixes, amount of information collected about consumers, whether data is encrypted, and interoperability with other products."
As for what the label might look like, there is at least one template. Researchers at Carnegie Mellon University, one of the parties invited to the summit, had already created a "nutrition label" for IoT security and privacy. The label, based on input from more than 22 groups, performed well with users, the university says. It offers multiple levels of disclosure, organized around common Internet of Things pain points: default passwords, security updates, functionality when offline, and the like.
You can even generate your own voluntary security label, or just kick the tires on the generator, as I did.
The White House told reporters on Thursday that it aimed to "keep things simple," with a code that phones can scan to display a device's security and privacy information.
Which products get the labels? The White House told reporters on Wednesday it would begin voluntary labeling in the spring of 2023, focusing on “particularly vulnerable Internet-connected devices such as routers” and home cameras.
The White House press release states that it wants this effort to "generate a globally recognized label." CyberScoop reported earlier this month that the task force was working with the European Union to "align standards." Notably, Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger attended Singapore International Cyber Week, where she described the US as looking to Singapore as a "global leader in IoT," as reported by The Register.
Singapore's Cybersecurity Labelling Scheme awards internet-connected consumer devices in that country a rating on a four-star scale. The scheme is mutually recognized by Finland and, as of today, Germany. As announced at this week's conference, it may soon be extended to medical devices. It's a good bet that whatever system the US devises will seek some reciprocity with Singapore's scheme, if only at a single level.
Is there a Matter aspect to this labeling? Very likely, given the CSA's presence at the White House. Matter certification already requires devices to encrypt network traffic with AES, support over-the-air updates, use signed code, and hold keys and device attestation certificates in secure storage, with those certificates checked against the CSA's blockchain-based Distributed Compliance Ledger. Some or all of these requirements (minus the blockchain part) are likely to be reflected on security labels.
While the first draft of this security label will almost certainly be a compromised, politically palatable effort, anything is probably better than the system we have now: individual online searches for smart home brand names and manufacturers alongside the words "infringement" and "vulnerability."