"White House Proposes IoT Security Labeling"

The White House called a meeting with representatives from the private sector, technology associations, and government to discuss the creation of an Internet of Things (IoT) security label. The label would be similar to the Energy Star label, a joint initiative of the Environmental Protection Agency (EPA) and the Department of Energy (DOE). The labeling system, which will initially be used for routers and video cameras, will be designed so that Americans can easily identify which devices meet the highest cybersecurity standards for protection against hacking and other cyber vulnerabilities. Criminals often hijack home routers and video devices to use them in Distributed Denial-of-Service (DDoS) attacks against organizations. It is unclear what standards or vetting organizations are being considered at this time.

The industry's reaction to the potential labeling system has been mixed, but it appears to be mostly positive. The SANS Institute's director of emerging security trends, John Pescatore, mentioned a number of existing meaningful technology standards efforts, including the Connectivity Standards Alliance-IoT, which includes Amazon, Apple, Google, and Samsung, among others. Greg Young, Trend Micro's VP of cybersecurity, added that because IoT and home smart devices are particularly vulnerable, a clear and consumer-focused label is a good idea. However, the details of certification are important, he added, sharing both good and bad examples of previous efforts. He stated that the government must remember what has already been learned or risk repeating the mistakes.

Young cited the NIST FIPS 140-2 standard for certifying the use of cryptography as one of the most significant achievements. FIPS 140-2 has a limited scope with four levels, and a relatively quick testing and validation process that uses government-certified private-sector labs. FIPS is used to certify everyday devices, such as the PIN pad on an ATM. In his opinion, the bad example proved to be Common Criteria. The goal of Common Criteria was to provide certification for security features in operating systems, security products, and appliances. Common Criteria had too much scope creep in its goals, was overly complex, effectively allowed vendors to set their own bar for what counted as success by describing a 'security target,' and was weighed down by documentation over testing. This article continues to discuss the IoT security labeling effort and experts' thoughts on this labeling idea.

Security Boulevard reports "White House Proposes IoT Security Labeling"

Submitted by Anonymous on