I’ve put up two posts recently on
the upcoming Cyber Trust Mark cybersecurity labeling program for IoT devices,
that the FCC is developing in response to Executive Order 14028 (the current
ETA is the end of 2024).
In the first
of those posts, I quoted Anne Neuberger, the deputy national security adviser
for cyber and emerging technologies, who said at the July announcement of the
program that the labeling program would become a way for “..Americans to
confidently identify which internet and Bluetooth-connected devices are
cybersecure”. My comment on her comment was
Unfortunately, Ms. Neuberger
doesn’t seem to have gotten the memo that said a labeling program needs to
provide a positive incentive to follow the path of (cyber) virtue, not require
public shaming (perhaps the stocks?) for those who don’t want to obtain the
label, whatever their reasons. She also didn’t see the memo that said there’s
no way the federal government, the Vatican, the NSC, or any other entity can
determine whether a product is “cybersecure”. Every product is cybersecure
until it gets hacked, at which point it isn’t. The best that mere mortals can
say on this issue is that the device manufacturer has practices in place that
should normally be conducive to good security, and we hope they’ll keep them
up.
However, I regret to say she still
doesn’t seem to have gotten that memo (or read my post, not that I expected her
to). Politico’s weekly free cybersecurity newsletter (which is quite
good, BTW) quoted her as saying at the Consumer Electronics Show this week
(regarding her recent discussions with other countries), “I don’t want to scoop
ourselves but it’s so that products that are tested here can also be sold in
other parts of the world,” Neuberger said, “which is what private companies are
really interested in.”
However, the fact is that, even
when the Cyber Trust Mark program comes into effect, products that are
manufactured in the US will be able to be sold anywhere in the world that
they’re allowed to be sold, whether or not they have the label. The label isn’t
even a seal of approval that allows a product to be sold here. The FCC got it
right when they said in the Notice of Proposed Rulemaking that they issued after
the announcement:
“We anticipate that devices or
products bearing the Commission’s cybersecurity label will be valued by
consumers, particularly by those who may otherwise have difficulty determining
whether a product they are thinking of buying meets basic security standards.”
Ms. Neuberger, the label doesn’t
tell the consumer if a product is “cybersecure”, as if anybody could do that.
It does tell the consumer that the manufacturer seems to have designed and
built the device while following certain basic cybersecurity practices, which
are described in NISTIR 8425.
Also, evaluating a product for the
label doesn’t require “testing” of products. The manufacturer will need to
provide evidence that they addressed the requirements of NISTIR 8425 like “The
configuration of the IoT product is changeable, there is the ability to restore
a secure default setting, and any and all changes can only be performed by
authorized individuals, services, and other IoT product components.” Evaluating
requirements like this requires expertise in evaluating evidence, but it isn’t “testing”
in the usual sense of the word.
However, there is one area where testing
(or “technical evaluation”, anyway) does make sense: That is learning about vulnerabilities
in the product. The best way to learn about vulnerabilities in software or
intelligent devices is to look up the product in a vulnerability database. But
there’s one little problem with that, which I pointed out in my last
post: If the manufacturer isn’t reporting vulnerabilities in their device to CVE.org
(which after that provides the information to the NVD), you will always get the
same error message when you look up the device: “There are 0 matching records.”
That might mean the device has no vulnerabilities, but it also may mean the
device has 40,000 vulnerabilities, as in an example I provided in this
post in 2022.
So, what percentage of device
manufacturers are not reporting vulnerabilities in their devices? I’d love to
do a rigorous survey of device manufacturers, but I regret to say that my
fondness for food and housing for my family prevents my having the resources to
do that. In my last post, I did share the results of a short “survey” I did,
which indicates – nay, proves – that, of the top ten medical device makers,
·
Four don’t report
vulnerabilities for any of their devices;
·
Four report a
smattering of vulnerabilities (in one case, just two vulnerabilities reported for
all the versions of all the devices sold by this manufacturer); and
·
The other two are huge
companies that have many product lines of all types. It would require a big
effort just to learn which CPE names in the NVD refer to one of those companies’
medical devices. So, I couldn’t get data on them.
I will also point out that a
product security specialist for one of the top five medical device makers told
me last year they have never reported a vulnerability for any of their devices
(they are in the first category above). And if medical device makers aren’t
reporting vulnerabilities (even though they’re regulated for cybersecurity by
the FDA. Of course, vulnerability reporting is not required of them), is it
likely that baby monitor makers are doing that?
So, I think device makers should
be required to report device vulnerabilities to CVE.org, in order to receive
the label. This is a golden opportunity.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.
I lead the OWASP SBOM Forum. If
you would like to join or contribute to our group, please go here, or email me with any questions.
No comments:
Post a Comment