Yesterday, the White House announced the long-awaited cybersecurity labeling program for IoT devices, called Cyber Trust Mark. I had written about this in my post in May, as well as in previous posts. This program was mandated by Executive Order 14028, issued in May 2021. It is a voluntary program, which is expected to be “up and running” in 2024.

There were several surprises in the announcement that went beyond what had been made public before:
1. The agency that will implement the program will be the Federal Communications Commission (FCC), not the Federal Trade Commission (FTC), as I (and some others) had expected. I hope this has been thought through, since the FCC’s experience with consumer products has mostly to do with technical communications standards and not cybersecurity. The FTC, since one of its roles is enforcing commitments that consumer products companies make regarding the privacy of personal information they hold, has already done a lot of work in the cybersecurity area.

2. “NIST will also immediately undertake an effort to define cybersecurity requirements for consumer-grade routers…” Of course, routers are an IoT product, and there has been a lot of concern (mostly justified) about their security in the last couple of years. It’s certainly a good idea to require a higher standard of cybersecurity for routers. NIST is obligated to draft requirements for routers by the end of 2023.

3. The US Dept. of Energy announced a project to work with the National Labs to develop cyber labeling requirements for smart meters and power inverters. Both of these are devices that are installed in (or on) homes, although they have lots of applications in industrial and commercial facilities (in more industrial-strength incarnations, to be sure).
However, there were some negative surprises as well. The biggest was that the labeling program, after being initially discussed as a way to communicate to consumers the degree to which an IoT product met certain criteria for cybersecurity, has now become a way for “…Americans to confidently identify which internet and Bluetooth-connected devices are cybersecure”, according to Anne Neuberger, the deputy national security adviser for cyber and emerging technology at the National Security Council.

Note that the label was originally not intended to provide an up-or-down judgment on a product, but instead just to point out areas of strength and weakness, allowing consumers to determine for themselves whether it’s safe to buy. However, now it seems the White House has come up with a Roman emperor-style thumbs up-thumbs down label, which is based on some extraordinary insights they have into what constitutes a cybersecure product; I certainly hope they’ll share those insights with the rest of us, especially the many manufacturers who think they’re doing a good job on security, only to get a thumbs down when the labels are awarded.
More importantly, the document supposedly defers to NIST’s judgment on what should be in a cybersecurity framework for IoT. Even though it’s not mentioned in the announcement, NIST came out with what seems to me to be an excellent IoT cyber framework, NIST.IR.8425, last year. I wrote about it in a blog post for my French client Red Alert Labs in November; RAL works with manufacturers to secure and certify IoT devices.

However, like all NIST frameworks, exactly which provisions an organization complies with, and how they comply with them, are up to the organization, based on their assessment of their own risk environment. This is not compatible with an airy statement that a product is “cybersecure” or not.
I’m going to choose to believe that Ms. Neuberger’s statement was a bit of hyperbole inserted in her address by an over-zealous intern, who seems to think that the device labeling program is a game-changing innovation, when in fact it’s an initial step on a long journey towards an unattainable goal that might be called “complete cybersecurity of IoT devices”. But if it’s not, and the FCC decides to go through with the binary label idea, I’m sure that will fail. What manufacturer is going to meekly tuck their tail between their legs and walk away after being told they’re not being awarded the label because they didn’t meet some undefined criteria, while their competitor down the street received the label? They’re going to raise h___, and rightly so, in my opinion.

However, if I found Ms. Neuberger’s statement amusing, another statement (which appeared in the NextGov/FCW article on the announcement without attribution, although I heard it said by another source as well) chilled my blood: “The administration is also working with the Department of Justice to develop liability protocols for manufacturers working with the Cyber Trust labeling program.”

Yes, boys and girls, this is our good friend the Liability Monster, once more rearing its head after making an initial appearance in the National Cybersecurity Strategy last March. I thought I might have succeeded in driving a wooden stake through its heart in my 4 or 5 posts on the subject, but I must have grabbed a plastic stake instead.
It seems that some people in the White House have come to believe that our nation’s cybersecurity problems are far too pressing for us to deal with them through regulation (as everybody knows, regulations take a lonnng time to develop and implement) or through the court system (after all, you never can be sure how a judge or jury will rule on liability for a breach; it’s much better to ensure the outcome before the trial starts).

Instead, we need to place our finger on the scales of justice from the beginning and ensure that the parties we all know are responsible for cyber breaches – the developers of the software or manufacturers of the devices – are assumed to be liable right from the start. This will substantially reduce the workload of some very busy people in the White House and assure that they might even be home for dinner every now and then. What higher goal can there be than that?
Just like the thumbs up-thumbs down idea, the idea that the Department of Justice is even going to consider amending the centuries-old principle that liability is determined by a judge and/or jury in a court of law, instead of being determined by someone in the White House, will fail. I just wish people who should know better didn’t waste so much time on these pursuits. The IoT device labeling program needs to be treated seriously, since it has an important role to play in national security.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.