Wednesday, January 10, 2024

Evidently, she still hasn’t gotten the memo


I’ve put up two posts recently on the upcoming Cyber Trust Mark cybersecurity labeling program for IoT devices, that the FCC is developing in response to Executive Order 14028 (the current ETA is the end of 2024).

In the first of those posts, I quoted Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, who said at the July announcement of the program that the labeling program would become a way for “..Americans to confidently identify which internet and Bluetooth-connected devices are cybersecure”. My comment on her comment was

Unfortunately, Ms. Neuberger doesn’t seem to have gotten the memo that said a labeling program needs to provide a positive incentive to follow the path of (cyber) virtue, not require public shaming (perhaps the stocks?) for those who don’t want to obtain the label, whatever their reasons. She also didn’t see the memo that said there’s no way the federal government, the Vatican, the NSC, or any other entity can determine whether a product is “cybersecure”. Every product is cybersecure until it gets hacked, at which point it isn’t. The best that mere mortals can say on this issue is that the device manufacturer has practices in place that should normally be conducive to good security, and we hope they’ll keep them up.

However, I regret to say she still doesn’t seem to have gotten that memo (or read my post, not that I expected her to). Politico’s weekly free cybersecurity newsletter (which is quite good, BTW) quoted her as saying at the Consumer Electronics Show this week (regarding her recent discussions with other countries), “I don’t want to scoop ourselves but it’s so that products that are tested here can also be sold in other parts of the world,” Neuberger said, “which is what private companies are really interested in.”

However, the fact is that, even when the Cyber Trust Mark program comes into effect, products that are manufactured in the US will be able to be sold anywhere in the world that they’re allowed to be sold, whether or not they have the label. The label isn’t even a seal of approval that allows a product to be sold here. The FCC got it right when they said in the Notice of Proposed Rulemaking that they issued after the announcement:

“We anticipate that devices or products bearing the Commission’s cybersecurity label will be valued by consumers, particularly by those who may otherwise have difficulty determining whether a product they are thinking of buying meets basic security standards.” 

Ms. Neuberger, the label doesn’t tell the consumer if a product is “cybersecure”, as if anybody could do that. It does tell the consumer that the manufacturer seems to have designed and built the device while following certain basic cybersecurity practices, which are described in NISTIR 8425.

Also, evaluating a product for the label doesn’t require “testing” of products. The manufacturer will need to provide evidence that they addressed the requirements of NISTIR 8425 like “The configuration of the IoT product is changeable, there is the ability to restore a secure default setting, and any and all changes can only be performed by authorized individuals, services, and other IoT product components.” Evaluating requirements like this requires expertise in evaluating evidence, but it isn’t “testing” in the usual sense of the word.

However, there is one area where testing (or “technical evaluation”, anyway) does make sense: That is learning about vulnerabilities in the product. The best way to learn about vulnerabilities in software or intelligent devices is to look up the product in a vulnerability database. But there’s one little problem with that, which I pointed out in my last post: If the manufacturer isn’t reporting vulnerabilities in their device to CVE.org (which after that provides the information to the NVD), you will always get the same error message when you look up the device: “There are 0 matching records.” That might mean the device has no vulnerabilities, but it also may mean the device has 40,000 vulnerabilities, as in an example I provided in this post in 2022.

So, what percentage of device manufacturers are not reporting vulnerabilities in their devices? I’d love to do a rigorous survey of device manufacturers, but I regret to say that my fondness for food and housing for my family prevents my having the resources to do that. In my last post, I did share the results of a short “survey” I did, which indicates – nay, proves – that, of the top ten medical device makers,

·        Four don’t report vulnerabilities for any of their devices;

·        Four report a smattering of vulnerabilities (in one case, just two vulnerabilities reported for all the versions of all the devices sold by this manufacturer); and

·        The other two are huge companies that have many product lines of all types. It would require a big effort just to learn which CPE names in the NVD refer to one of those companies’ medical devices. So, I couldn’t get data on them.

I will also point out that a product security specialist for one of the top five medical device makers told me last year they have never reported a vulnerability for any of their devices (they are in the first category above). And if medical device makers aren’t reporting vulnerabilities (even though they’re regulated for cybersecurity by the FDA. Of course, vulnerability reporting is not required of them), is it likely that baby monitor makers are doing that?

So, I think device makers should be required to report device vulnerabilities to CVE.org, in order to receive the label. This is a golden opportunity.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

I lead the OWASP SBOM Forum. If you would like to join or contribute to our group, please go here, or email me with any questions.

 

No comments:

Post a Comment