Sunday, September 14, 2025

A missed opportunity to get cybersecurity regulation right


Note from Tom:

From now on, my Substack blog will continue to carry all of my new posts, as well as my over 1200 "legacy" posts from 2013 on. Since I will stop posting new posts on Blogspot in the future, I urge everyone to sign up for either a free or paid subscription on Substack now. The cost of a paid subscription is $30 per year or $5 per month. Anyone who can’t pay the $30 should email me, so I can set you up with a free one-year "paid" subscription. Enjoy!


Ever since it was mandated in Executive Order 14028 in May 2021, I’ve liked the idea of a “device labeling program”. Briefly, this is a program in which some central authority – usually a government body – authorizes a government agency to issue a certification (called a label, though it is actually a website) of the cybersecurity of intelligent devices. These programs were pioneered in Finland, Germany and Singapore, so this wasn’t a new idea when the Biden White House included it in their EO.

EO 14028 mainly dealt with the cybersecurity of software, and it has already had a profound impact on the software industry. However, the device labeling program has had trouble finding a home. The EO didn’t specify which federal agency would oversee the program, although it seemed to suggest that the Federal Trade Commission would be appropriate (I agreed with that idea at the time, since this seemed like something they should run).

The EO required NIST to take the preliminary steps for the program by developing the requirements on which the labeling program would be based. NIST jumped at that opportunity. They had already put out multiple frameworks dealing with IoT cybersecurity, so it was natural that they would develop the requirements for the device labeling program.

However, NIST went beyond that mandate and tried to design the program itself (on the assumption that they would administer it later). It became clear before long (at least to me) that they shouldn’t be in charge of the program itself.

Nevertheless, in 2022 NIST released a new document, NIST.IR.8425. This document seemed to me (and still seems today) to be perfectly aimed at the “consumer” IoT market, which is what the EO had mandated. NIST understood that “consumer IoT devices” can include a lot more than baby monitors and smart lightbulbs. They can also include devices used by small- and medium-sized businesses and government agencies – everything but large enterprises, which have a very different set of cybersecurity concerns.

Why was I so enamored with NISTIR 8425? I’m glad you asked. I see three different types of cybersecurity risk to IoT devices:

1. Risks due to security measures not implemented in the device. This is how a lot of people think about device security: it’s a question of how the device is put together and what policies are “baked” into it – more correctly, what policies are not baked into it. To certify the device, a lab needs to examine it and answer questions like “Are there default passwords?”, “Can all external access be controlled and tracked?”, and “In case of compromise, is it easy to perform a factory reset?”

2. Risks due to the lack of specific cybersecurity policies and practices in the environment where the device is installed, such as a factory or a water treatment plant. Questions here include: “Is the network properly segmented so that higher-security zones are protected from attacks originating in lower-security zones?”, “Is communication between zones restricted to defined and protected ‘conduits’, so that all communications are monitored and audited?”, and “Is the safety-related network strongly protected from the operational network?”

3. Risks due to the lack of specific policies and practices of the device manufacturer, e.g., “Do they sufficiently protect and monitor their development environment, so they are unlikely to fall victim to a devastating supply chain attack like SolarWinds?”, “Do they make patches for serious vulnerabilities available soon after the vulnerability is reported – rather than wait up to three years for the next full device update?”, and “If they are unable to deliver a patch for a serious new vulnerability right away, do they still notify their customers and recommend mitigation steps?”

After reviewing NISTIR 8425, I realize that it addresses just the first and third types of device cybersecurity risk, but not the second. This is undoubtedly because households and small businesses don’t have complex networks that require paying attention to topics like network segmentation or zones and conduits. On the other hand, the ISA/IEC 62443 standard is intended mostly for larger enterprises; it includes measures that address all three types of risk.

In July 2023, the White House announced that the Federal Communications Commission (FCC) would run the device labeling program, now branded “Cyber Trust Mark”. In February 2024, the FCC published the proposed details of the program in a Notice of Proposed Rulemaking. After that, the FCC announced various further details of the program; the announcements culminated on January 7, 2025, when the White House announced the “launch” of the program.

What’s happened since that date? Nothing. Of course, January 20 marked the start of the new presidential administration, which since then hasn’t evinced a burning desire to expand what the US is doing about cybersecurity. In fact, CISA has already lost a lot of people and the bloodletting isn’t over yet, although the FCC has lost relatively few employees. However, the FCC has not previously had major cybersecurity responsibilities, so if they were to really implement the device labeling program, they would have to add staff – which might be hard to pull off today, given the current emphasis on downsizing the federal government.

This is a shame. I really liked the approach taken by the FCC, which I described at the beginning of this post. The Cyber Trust Mark program (and device labeling programs in general) takes the carrot approach to regulation, where the regulator tries to encourage good behavior, not just discourage bad behavior. While it’s not always possible to do that, this is one case where it is possible. In fact, the program was based in large part on the Energy Star program, which – from at least one news report that I’ve seen – may be eliminated soon. Energy Star is – or was – quite successful in encouraging consumers to demand energy efficiency in home appliances, as well as in encouraging manufacturers to compete on the basis of efficiency.

In that post, I wrote:

When I think of positive approaches, I usually think of my elementary school classes, where I would get to wear a gold star on my forehead for turning in my homework on time or getting all the answers correct on a spelling test.

I certainly hope we haven’t heard the last of both programs: Cyber Trust Mark and Energy Star!


If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com or comment on this blog’s Substack community chat.
