Everything we know about the White House’s IoT security labeling efforts

Today, the White House issued a statement that essentially said that it had a big meeting with big names on Wednesday and that there will be a sort of security label for smart devices based on it in the spring of 2023. Here’s a lot more about what happened and what could come of it.

Named for the Eisenhower administration’s push to rethink Cold War strategy, the U.S. Cyberspace Solarium Commission made one of its top-level recommendations in its March 2020 report: “create a national cybersecurity certification and labeling authority.” That “non-profit non-governmental organization” would serve as the labeling authority for at least five years, labeling products based on consensus from the Departments of Commerce and Homeland Security and “experts from the federal government, academia, non-governmental organizations and the private sector.”

And that’s about who showed up, according to the White House. Amazon, Comcast, Google, Intel, LG, Samsung, Sony, and others attended. So did the Connectivity Standards Alliance, the consortium behind Matter, along with the American National Standards Institute (ANSI), Consumer Reports, the Consumer Technology Association, CTIA, and the National Retail Federation lobby groups. Add to that just about every security-relevant government agency and you have the panel the Solarium Commission recommended.

Details about the label itself, as it stands today, and what it would evaluate or measure, were not available, but there were hints. CyberScoop quoted a White House official as saying device ratings could be based on “vulnerabilities fixed, amount of information gathered about consumers, whether data is encrypted, and compatibility with other products.”

As far as what the label might look like, there is at least one template. Researchers from Carnegie Mellon University, one of the parties invited to the summit, have already created a security “nutrition label”. Based on reviews from over 22 groups, the label has performed well among users, the university says. It provides multiple layers of information disclosure based on common IoT pain points: default passwords, security updates, offline functionality, and the like.

You can even create your own self-imposed security label or just kick it like I did.

The White House told reporters on Thursday that it sought to “simplify things” with a code that can be scanned by phones to reveal security and privacy information.

What products will receive labels? The White House told reporters Wednesday that it will begin with voluntary labeling in the spring of 2023, focusing on “particularly vulnerable Internet-connected devices such as routers” and home cameras.

The White House press release notes that it wants these efforts to “create a globally recognized label.” Earlier this month, CyberScoop reported that the task force was working with the European Union to “harmonize standards.” Notably, Deputy National Security Adviser for Cyber Security and Emerging Technologies Anne Neuberger attended Singapore International Cyber Week, where she described how the US looks to Singapore as “a global leader in the Internet of Things”, as reported by The Register.

The Singapore Cybersecurity Labelling Scheme rates nearly every Internet-connected consumer device on a four-star scale. The scheme is recognized by Finland and, to date, by Germany. At a conference this week, it was announced that the scheme could soon be extended to medical devices. One can bet that whatever scheme is developed in the US will want to achieve some reciprocity with Singapore’s, even if only at the same tier.

Is there an aspect of Matter in this label? Almost certainly, given the presence of the CSA at the White House summit. Matter certification already requires devices to use AES encryption when communicating across networks, be able to receive updates over the air, be code-signed, and have a secure enclave for storing the keys and certificates that are verified against the blockchain ledger. Some or all of these aspects (with the exception of the blockchain bit) are likely to be considered for security labels.

While the first version of this security label will almost certainly be a compromised, politically acceptable attempt, it is likely to be better than the system we have now: individually searching the Internet for smart home brands and manufacturers with “breach” and “vulnerability” appended to the query.
