Thursday, July 20, 2023

The IoT device cybersecurity program is here (warts and all)!


Yesterday, the White House announced the long awaited cybersecurity labeling program for IoT devices, called Cyber Trust Mark. I had written about this in my post in May, as well as in previous posts. This program was mandated by Executive Order 14028, issued in May 2021. It is a voluntary program, which is expected to be “up and running” in 2024.

There were several surprises in the announcement that went beyond what had been made public before:

1. The agency that will implement the program will be the Federal Communications Commission (FCC), not the Federal Trade Commission (FTC), as I had expected (as well as some others). I hope this has been thought through, since the FCC’s experience with consumer products has mostly to do with technical communications standards and not cybersecurity. The FTC, since one of its roles is enforcing commitments consumer products companies make regarding privacy of personal information they hold, has already done a lot of work in the cybersecurity area.

2. “NIST will also immediately undertake an effort to define cybersecurity requirements for consumer-grade routers…” Of course, routers are an IoT product, and there has been a lot of concern (mostly justified) about their security in the last couple of years. It’s certainly a good idea to require a higher standard of cybersecurity for routers. NIST is obligated to draft requirements for routers by the end of 2023.

3. The US Dept. of Energy announced a project to work with the National Labs to develop cyber labeling requirements for smart meters and power inverters. Both of these are devices that are installed in (or on) homes, although they have lots of applications in industrial and commercial facilities (in more industrial-strength incarnations, to be sure).

However, there were some negative surprises as well. The biggest was that the labeling program, after being initially discussed as a way to communicate to consumers the degree to which an IoT product met certain criteria for cybersecurity, has now become a way for “…Americans to confidently identify which internet and Bluetooth-connected devices are cybersecure”, according to Anne Neuberger, the deputy national security adviser for cyber and emerging technology at the National Security Council.

Note that the label was originally not intended to provide an up-or-down judgment on a product, but instead just point out areas of strength and weakness, allowing the consumer to determine for themselves whether it’s safe to buy. However, now it seems the White House has come up with a Roman emperor-style thumbs up-thumbs down label, which is based on some extraordinary insights they have into what constitutes a cybersecure product; I certainly hope they’ll share those insights with the rest of us, especially the many manufacturers who think they’re doing a good job on security, only to get a thumbs down when the labels are awarded.

More importantly, the document supposedly defers to NIST’s judgment on what should be in a cybersecurity framework for IoT. Even though it’s not mentioned in the announcement, NIST came out with what seems to me to be an excellent IoT cyber framework, NIST.IR.8425, last year. I wrote about it in a blog post for my French client Red Alert Labs in November; RAL works with manufacturers to secure and certify IoT devices.

However, like all NIST frameworks, exactly which provisions an organization complies with and how they comply with them are up to the organization, based on their assessment of their own risk environment. This is not compatible with an airy statement that a product is “cybersecure” or not.

I’m going to choose to believe that Ms. Neuberger’s statement was a bit of hyperbole inserted in her address by an over-zealous intern, who seems to think that the device labeling program is a game-changing innovation, when in fact it’s an initial step on a long journey towards an unattainable goal that might be called “complete cybersecurity of IoT devices”. But if it’s not, and the FCC decides to go through with the binary label idea, I’m sure that will fail. What manufacturer is going to meekly tuck their tail between their legs and walk away after being told they’re not being awarded the label because they didn’t meet some undefined criteria, while their competitor down the street received the label? They’re going to raise h___ and rightly so, in my opinion.

However, if I found Ms. Neuberger’s statement amusing, another statement (which appeared in the NextGov/FCW article on the announcement without attribution, although I heard it said by another source as well) chilled my blood: “The administration is also working with the Department of Justice to develop liability protocols for manufacturers working with the Cyber Trust labeling program.”

Yes, boys and girls, this is our good friend the Liability Monster, once more rearing its head after making an initial appearance in the National Cybersecurity Strategy last March. I thought I might have succeeded in driving a wooden stake through its heart in my 4 or 5 posts on the subject, but I must have grabbed a plastic stake instead.

It seems that some people in the White House have come to believe that our nation’s cybersecurity problems are far too pressing for us to deal with them through regulation (as everybody knows, regulations take a lonnng time to develop and implement) or through the court system (after all, you never can be sure how a judge or jury will rule on liability for a breach; it’s much better to ensure the outcome before the trial starts).

Instead, we need to place our finger on the scales of justice from the beginning and ensure that the parties we all know are responsible for cyber breaches – the developers of the software or manufacturers of the devices – are assumed to be liable right from the start. This will substantially reduce the workload of some very busy people in the White House and assure that they might even be home for dinner every now and then. What higher goal can there be than that?

Just like the thumbs up-thumbs down idea, the idea that the Department of Justice is even going to consider amending the centuries-old principle that liability is determined by a judge and/or jury in a court of law, instead of being determined by someone in the White House, will fail. I just wish people who should know better didn’t waste so much time on these pursuits. The IoT device labeling program needs to be treated seriously, since it has an important role to play in national security.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
