White House Unveils New Cyber Trust Mark for IoT Security

The Internet, as a wise woman once said, is built on rock and roll and silly string, and it’s kind of a miracle that any of it works at all. However, the Internet looks like the absolute pinnacle of human achievement when compared to the Internet of things, an agglomeration of appliances, vehicles, and lightbulbs that serves as a daily reminder of what a terrible idea it was to teach sand how to think.

Many, if not most, IoT devices are security challenged, to put it lightly, and despite the best efforts of security researchers and engineers who have warned manufacturers about the dangers of vulnerabilities in their products, trying to find an IoT device designed with security in mind is a fool’s errand. That way lies madness.

“Each IoT device offers a backdoor or even a front door for cybercriminals to exploit the network. Our defenses are only as strong as the weakest link in the chain,” said Rep. Doris Matsui (D-Calif.).

And yet all is not lost.

A new initiative backed by the federal government and a slew of high-profile device manufacturers aims to develop a set of cybersecurity standards for IoT devices and produce a seal of trust that manufacturers who meet those standards can place on their products. The goal is twofold: improve the security posture of smart devices and give buyers a visible indicator that those devices have met the new requirements. Called the U.S. Cyber Trust Mark, the program has been in the works for quite some time and federal officials have worked with private sector experts and security researchers to develop the baseline security requirements. The labeling program was mentioned in the recently published National Cybersecurity Strategy implementation plan and the idea has been floating around Washington in various forms for many years.

Now it appears the time has finally come for it to move forward.

“People have talked about labeling for years now and there have been a lot of questions about how you would do this. Seeing it in the White House strategy implementation plan and then today shows me they want to see what will work,” said Beau Woods, a member of the grassroots organization I Am the Cavalry, and a former senior advisor at the Cybersecurity and Infrastructure Security Agency who has worked on IoT security issues for several years.

“For a long time we’ve been thinking it’s impossible to secure these devices and at this point it’s putting a lot of things at risk. It’s probably past time for something to be done.”

Although the U.S. Cyber Trust Mark program is mainly focused on consumer products at the moment, it will have some implications for SMBs, enterprises and other organizations as well. Most companies, regardless of size, have some form of consumer-grade IT products in their environments, whether by design or through other means. The Cyber Trust Mark seal will give IT teams an assurance that the product has at least met a minimum set of security standards, an assurance that buyers do not have today.

“This can be a way to communicate this to buyers and combined with other factors to assess risk. It fits into the broader overall picture,” Woods said.

And for the device makers who choose to participate, it gives them a way to communicate to buyers that they have done the work in the background to improve the security of their products.

“Labels will create clear incentives for manufacturers to produce more secure devices,” Matsui said.

A number of large technology companies are participating in the program already, including Cisco, Google, Infineon, Samsung, LG Electronics, and Keysight. Others likely will follow suit in the months ahead as the program gets off the ground. For now, much of the focus will be on the development of the standards through the National Institute of Standards and Technology and on the education of buyers, some of which will fall on the manufacturers themselves and the rest of which will be the responsibility of the federal government.

Though IoT security in general has historically been a mess, there are some sectors that have made strides.

“Health care is one of the places where it has moved the most because the FDA has gotten serious about it and some of the manufacturers have hired employees who are serious about it,” Woods said.

Whether this new effort can have the same effect for other sectors is an open question, but there is nowhere to go but up.

“Securable products are foundational for a secure ecosystem,” said Laurie Locascio, director of NIST.