If Congress does not pass a cybersecurity bill aimed at the “Internet of things,” or IoT, this year, a private certification label could fill the gap.
The digital rights group Public Knowledge has proposed a badge for IoT devices, which are everyday appliances with Internet connectivity, such as smart refrigerators, the Amazon Echo, or app-controlled thermostats like Nest. The “Security Shield” would indicate that a manufacturer had met certain cybersecurity standards.
The program is modeled after the energy efficiency program Energy Star, a voluntary labeling system for household appliances and office equipment, which is currently administered by the Environmental Protection Agency and the Department of Energy.
A bill to create a voluntary IoT cybersecurity program run by the Department of Commerce was introduced in 2017 by Sen. Ed Markey, D-Mass., and Rep. Ted Lieu, D-Calif., but Congress failed to act on the bill.
“The IoT will also stand for the Internet of Threats unless we put in place appropriate cybersecurity safeguards,” Markey said then.
Several major IoT security incidents led Public Knowledge to resurrect the idea. In 2016, the Mirai botnet infected routers, Internet-connected cameras, and digital video recorders across the country and hijacked them to launch distributed denial-of-service attacks that knocked major websites offline, including Netflix, SoundCloud, and Spotify. In Finland, a denial-of-service attack against the building automation systems of two apartment buildings knocked out their heating in November 2016, when temperatures were below freezing.
The group recommends a voluntary approach to the labeling system, though it suggested that the National Institute of Standards and Technology, or NIST, an agency within the Department of Commerce, could administer the program. The federal government could also endorse Security Shield through its procurement standards, the way that it currently requires agencies to buy Energy Star-rated products whenever possible.
“Processes that involve government, industry, academia, and civil society are less likely to be captured by the interests of one stakeholder group,” said Megan Stifel, Public Knowledge’s cybersecurity policy director. “One of the concerns with a private organization running such a program is whether the capabilities make a meaningful difference in advancing cybersecurity.”
Public Knowledge faces competition in the race to get a cybersecurity labeling system up and running. The European Union and Canada are considering similar labeling programs. In December, browser developer Mozilla and developer group ThingsCon launched a Trusted Technology Mark, aimed at consumer IoT devices.
“There are a number of challenges with such an effort,” said Stifel, “including identifying how to ensure a product’s security capabilities remain up to date — which should be one of the criteria for obtaining the label — and that once updates are available and pushed, establishing a process to ensure they are installed properly.”
The scale of the program and incentives for participation are other challenges that need to be addressed, Stifel said. “They are not minor challenges, but collectively we believe they are surmountable.”