The White House National Security Council will announce plans Tuesday for a consumer products cybersecurity labeling program intended to improve digital safeguards on internet-connected devices, a senior White House official told CyberScoop.
About 50 representatives from consumer product associations, manufacturing companies and technology think tanks will convene at the White House on Oct. 19 for a workshop on the voluntary effort ahead of an expected spring 2023 launch.
The White House briefly described the effort in a document it released Tuesday outlining various cybersecurity initiatives. The administration plans to start with recommending three or four cybersecurity standards that manufacturers can use as the basis for labels that communicate the risks associated with using so-called internet of things devices.
Deputy National Security Adviser for Cyber and Emerging Tech Anne Neuberger is spearheading the initiative, which is modeled after Energy Star, a labeling program the Environmental Protection Agency and the Department of Energy operate to promote energy efficiency, the senior administration official said.
“Today when folks buy tech, they buy it for a cool feature, speed to market — cybersecurity is often an afterthought,” said the official, who requested to remain anonymous to speak candidly about the effort. “Everybody realizes that it’s an idea whose time has come.”
The administration is working with the European Union to align on standards since the White House wants products with cybersecurity labels to be sold globally.
The standards under consideration could rate products based on how often manufacturers deploy patches for software vulnerabilities or whether devices connect to the internet without a password, the official said. It is not yet clear who will verify companies’ claims.
The White House hopes the program will reward companies that invest in cybersecurity while also helping consumers find safer products. The status quo in which products hit the market quickly, leaving consumers to muddle through or ignore products’ cybersecurity features, is “not sustainable,” the official said.
In its final report, the U.S. Cybersecurity Solarium Commission recommended that Congress create a nonprofit national cybersecurity certification and labeling authority tasked with “establishing and managing a voluntary cybersecurity certification and labeling program for information and communication technologies,” including software, devices and industrial control systems.
CSC Executive Director Mark Montgomery hailed the White House decision to pursue a labeling program but warned it will be difficult to design and stand up.
“I would hope they initially stick to OT and IoT products not software as the propensity for software updates will make management of the certification challenging,” Montgomery said. “The feds should be looking for a non-governmental organization to execute this as the certification will require an agility and persistence that will be hard for a federal agency to maintain with all their other requirements.”
Poor or nonexistent cybersecurity safeguards in connected devices have long been a problem for consumers and industries alike. The White House’s early plans include creating a barcode-like label on products that consumers can scan with their phones for updated security details. While many questions remain about how the administration will roll out the effort, the official said the White House is determined to move forward and has studied similar programs implemented in Singapore and Finland.
National Institute of Standards and Technology standards will be used, the official said, and will need to be tailored for specific products. However, NIST doesn’t currently have technical control standards in place for IoT devices, a fact that at least one cybersecurity expert said will complicate White House efforts because designing them will be time consuming. (NIST has issued guidance on IoT cybersecurity.)
The White House official acknowledged the issue but said the labeling initiative is just getting underway. The workshop and similar meetings in the coming months are designed to help officials and industry work together to overcome such challenges, the official said.
“What we’re trying to do is work with NIST to get the right balance of security and not having 50 standards,” the official said. “Let’s just get this program off the ground and set a key standard that applies across many devices … I think perfect is going to be the enemy of the good on this.”
The White House hopes to leave next Wednesday’s meeting with commitments from key companies to participate in the program, the administration official said. By bringing industry in early, the White House hopes product security standards will be enhanced “in parallel to the standard being built,” the official said.
Some critics of the plan have called it misguided, in part because the U.S. doesn’t manufacture most of the connected products that American consumers purchase. Additionally, others said, similar policy efforts are underway in the U.K., EU and Singapore that the U.S. could adopt.
“NIST is doing good work on IoT,” said Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council. “It would be a shame if all that policymakers can imagine is to turn that into another top-down regulatory scheme.”
Herr, whose team recently released a report on IoT cybersecurity, said he doesn’t understand the administration’s focus on consumer-facing labels in a digital world.
“Labels are portals to data — ways to verify transparent and auditable security behavior,” he said. “It’s not about seeing some gold star on a box at a store; it’s about security researchers, investors, and other companies using this data to hold vendors accountable. The policy win right now is counterparties, not just consumers.”
Other experts were more measured.
Sarah Zatko, chief scientist at the nonprofit research organization Cyber Independent Testing Lab, said more transparency around software safety is sorely needed for consumers and for cybersecurity insurance providers, which currently lack the data to assess risk effectively in the IoT space. Zatko said she understands why the White House is focused on paper labels — even though they are “quaint” — because consumers are used to the format and a paper label can easily be linked to more dynamic data stored online.
“It’s vital that the paper label contain information that is comparable, not just a gold star,” said Zatko, whose organization focuses on creating a safe software environment for consumers.
A pass/fail standard where companies are only incentivized to do whatever it takes to hit the minimum requirements for a pass would be a mistake, she said.
“A consumer can’t tell the difference between ‘barely passed’ and ‘passed with flying colors,’” Zatko said. “Part of why I like a label like Energy Star is that it shows actual data I can compare, in an easy-to-read presentation, which encourages healthy competition between vendors.”
Corrected Oct. 12, 2022: This story has been corrected to reflect that the White House did not “downplay” challenges presented by the lack of existing NIST standards but instead acknowledges them.