My previous post pointed out a contradiction between two of the components of the draft IoT device labeling program that NIST is developing, which will be finalized in guidance due on February 6, 2022. Those components were NIST’s desire for a binary label (i.e., a seal of approval) and their desire to have outcomes-based criteria for that label, which IMO preclude a binary yes-or-no decision on which devices should receive the label.
But there’s another contradiction in what NIST is suggesting for the program, which is much more fundamental and has to do with how the program will be run. In the Discussion Draft they put out recently on this subject (and to some degree in the web workshop they had last week), they stated (page 1) their philosophy for the program very elegantly:
“NIST will identify key elements of labeling program in terms of minimum requirements and desirable attributes – rather than establishing its own program; it will specify desired outcomes, allowing providers and customers to choose best solutions for their devices and environments. One size will not fit all, and multiple solutions might be offered by label providers.”
What’s not to like about this? As a former student of Milton Friedman (a few years ago) at the University of Chicago, I’m all for letting markets determine for themselves how commerce should be conducted. But this assumes that no individual player in the market has the power to impose costs on other players that can’t be fully compensated through the legal system.
Friedman had a great illustration for this principle: If a truck owned by Commonwealth Edison (the electric utility in Chicago, now part of Exelon, Inc.) hits my car, I have the right (or really my insurance company does) to sue them for the full damages; the damages can be clearly identified and quantified. However, if ComEd pollutes the air in Chicago (at the time they operated a couple of big coal-fired plants just 4 or 5 miles from the U of C) and my daughter later develops asthma[i], it’s not at all clear that the asthma was ComEd’s fault.
Plus, ComEd can certainly argue that, while their coal plants might have increased my child’s chances of getting asthma, there are many other contributors to air pollution as well. Who could possibly sort all of these contributions out and determine the precise value of each source’s contribution to my daughter’s asthma? In cases like this, markets alone can’t assure fair outcomes for all participants. Government needs to step in.
In Friedman’s example, environmental regulations are required to prevent the pollution that could lead to my daughter getting asthma – and if ComEd doesn’t follow those regulations to a T, this fact allows me to sue ComEd for the cost of her asthma (although such suits are usually big class actions nowadays), without having to prove a specific connection between the pollution and the asthma. That is, regulations set boundaries for actors in free markets. To quote Robert Frost, “Good fences make good neighbors.”
This is all a roundabout way of saying that, while it’s great to set up a regulatory program – as NIST wants to do – in which the rules and their implementation are left up to the participants in the program, there needs to be some government entity that in the end ensures the rules are fair ones and that they’re enforced fairly.
What bothered me about NIST’s idea for governance of the IoT device labeling program is that they seem to want to turn the entire program over to one or more “consumer labeling scheme owners”. How they’ll be chosen, how many there will be (one? Twenty?), as well as how the boundaries will be set between them, aren’t specified (at least they aren’t yet).
Even more importantly, the parameters of the program will be up to the scheme owners. To quote NIST (page 2), “The scheme owner would be responsible for tailoring the product criteria, defining conformity assessment requirements, developing the label and associated information, and conducting related consumer outreach and education.” In other words, there aren’t any real limits on the program a scheme owner can put together, other than that a) they have to use the criteria that NIST has identified (in the Discussion Draft), and b) the label needs to be binary. So what would happen if a scheme owner:
1. Decides to assess devices against the criteria as leniently as possible (see my previous post, where I discussed the impossibility of performing a true binary assessment based on outcomes-based criteria), while at the same time charging high fees for assessments? The message will be clear to IoT device manufacturers: “The price this scheme owner charges me for the assessment is high, but I’m sure they’ll give me a label. It’s much better giving this scheme a shot, rather than going to a different scheme owner, who might really assess the device and not give me the label if they think I’m deficient.”
2. Decides not to bother with the “consumer outreach and education” part? After all, the entities that are going to pay the fees to the scheme owner are the manufacturers, not the consumers. Given that there will probably be a lot of consumers who initially are willing to fork over an extra $10-$20 for a security camera that carries a cybersecurity label, why not charge a high assessment fee to manufacturers that see the importance of getting a label immediately, so they can sell to these early adopters? Then close up shop and let another scheme owner do the hard work of outreach and education, to grow the market further?
3. Decides to poach another scheme owner’s market? Let’s imagine that one scheme owner has had success providing labels for baby monitors; now they decide they ought to try their hand at a labeling scheme for smart appliances, despite not knowing anything about home appliances. But there’s already another scheme owner doing well in that market, and they’re not at all pleased at the idea of having an organization with no experience in appliances jump into that market and perhaps hand out meaningless labels, just so they can collect the assessment fees. NIST specifically points out that they don’t want to see consumers getting confused by multiple labels for similar products, but that’s exactly what would be the outcome in this case. Who is going to mediate this dispute?
During the web workshop, I asked in the chat how the scheme owners will make money. That didn’t get answered in the workshop, and it doesn’t seem to me that the NIST staff members who are developing the guidance for the IoT device labeling program have even asked themselves that question. But they really should. If you want to have private industry develop and run a regulatory program, you need to make sure you understand how they will make money doing this; if they can’t make money by what we’d consider “legit” means, they’ll find other means to make it. Those “other means” are likely to involve the scheme owners doing things that are unfair to other scheme owners, to manufacturers, and potentially to consumers as well, as shown in the three hypothetical examples above.
Yet preventing these abuses will require some power higher than the scheme owners to set and enforce rules. Let’s be clear: at a minimum, some government agency needs to police the device labeling program so that it operates fairly for all, even though the specific details of how the program will work are left up to the scheme owners.
In the web meeting, the presenters made clear – as I knew already – that NIST doesn’t run programs like this and isn’t a regulator. But how about another federal agency? In fact, the Executive Order, in the paragraph that orders the IoT device labeling program (which I quoted near the beginning of my last post), states that the Director of NIST should coordinate “with the Chair of the Federal Trade Commission” in developing the program and the criteria. Yet I haven’t seen or heard one word about the FTC, or any other agency, being involved with this program. Sure, NIST isn’t a regulator, but that doesn’t mean they can’t find a regulator within the government to set and enforce rules for this program.
So how about turning over implementation of the device labeling program to the FTC? They’re great at writing and enforcing rules. This doesn’t mean that NIST’s ideas need to go out the window. In general, I like the idea of having multiple scheme owners providing label schemes for different markets; and I also like the idea that the scheme owners should be free to construct their own programs.
But just like any other economic activity, there need to be government-enforced rules to make sure everyone is treated fairly. Anyone is free to build cars or trucks in whatever way they see fit. However, they all have to follow the safety standards set by the National Highway Traffic Safety Administration (NHTSA). When they advertise their car, they have to make true statements in their ads, or the FTC will come down on them. And when they communicate with shareholders, they need to follow the information disclosure guidelines set by the Securities and Exchange Commission (SEC). All this regulation obviously hasn’t prevented companies like Tesla and Rivian from producing innovative new cars and trucks that consumers and businesses want to buy.
So I like NIST’s ideas for allowing experimentation – and even competition – by the scheme providers. But make no mistake: This is a regulatory program. The EO ordered the government to develop a program to raise the level of cybersecurity in consumer IoT devices by creating a precious commodity – the label – that device manufacturers will desire because they know that a label will increase their sales. And even more importantly, not having a label might cause a manufacturer to go out of business.
NIST, please turn the implementation and operation of the IoT device labeling program over to a regulator to ensure it’s successful. I can guarantee it will fail if you don’t do that. Good fences make good neighbors.
P.S. My client Red Alert Labs will submit both this post and the previous one (slightly edited) to NIST as comments on the Discussion Draft paper.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] To be honest, Friedman didn’t talk about asthma as the consequence of pollution. He talked about someone’s shirt collar getting soiled. Unfortunately, Friedman tended to minimize damages that could be caused by businesses. This tendency got worse later on, especially in his Newsweek columns, where he started publishing ideas not based on economic analysis but on his personal opinions, while at the same time leaving the impression that they were based on such analysis (more specifically, the statements were based on assumptions that he didn’t make clear, such as the assumption that pollution, while definitely harmful, doesn’t really threaten health). Today, most of the politicians who quote him have no knowledge at all of what he wrote as an economist, and base their polemics entirely on those columns and a couple of cringeworthy books like Free to Choose.