VI Reflections: Security and Privacy Labeling

By grigby1 

The growth in Internet of Things (IoT) devices requires more robust security and increased awareness. Cisco predicts that the number of Internet-connected devices will reach 500 billion by 2030. IoT products often prioritize utility and cost over security, resulting in inadequate or no security features. This makes them an attractive target for hackers. A security labeling scheme like nutrition labels on packaged foods could improve IoT device quality as well as the privacy and security of consumers' data. Labeling can help consumers compare the privacy and security features of IoT devices. Such labels may encourage IoT device manufacturers to consider security and privacy and address vulnerabilities.

Carnegie Mellon University's CyLab Security and Privacy Institute has studied security and privacy labels for smart devices. These labels aim to help consumers make informed choices about IoT device purchases and encourage manufacturers to be more transparent about their privacy and security practices. Working with security and privacy experts across industry, government, and academia, a CyLab team developed a security and privacy "nutrition label." The team also developed an IoT label generator so that manufacturers can easily label their devices. The primary layer of the label, displayed on the outside of a device's box, contains the most important information, such as the types of data collected, the purpose of that collection, and with whom the data is shared. Consumers can access a secondary layer of the label online by scanning a QR code on the primary layer; this layer contains data retention and sharing details. The CyLab research team also investigated how consumers perceive risk when reading the attributes on the label and how that perception affects their purchasing behavior. They found that, in general, people accurately perceived the risk of most attributes tested, and that this perception influenced their device purchases.

Under the Presidential Executive Order on Improving the Nation's Cybersecurity (14028), issued on May 12, 2021, the National Institute of Standards and Technology (NIST) was tasked with a multifaceted consumer cybersecurity labeling initiative that includes IoT labeling. NIST published "Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products," which recommends consumer IoT product label criteria, consumer education considerations, and other elements of IoT product labeling programs. Label design elements such as icons, text, colors, and typography are not covered in this document. However, the document does stress the importance of rigorous consumer testing in assessing the usability of a label design and of consumer education material. NIST calls for consumer testing to include a demographically diverse, US census-representative sample of consumers with a range of abilities and disabilities, to ensure label clarity and bias-free results. An IoT product cybersecurity label should also support both physical and digital formats.

The Biden-Harris administration announced a cybersecurity certification and labeling program aimed at helping Americans select smart devices that are safer and less vulnerable to cyberattacks. The "US Cyber Trust Mark" program proposed by Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel would raise cybersecurity standards across a wide range of devices, including smart refrigerators, microwaves, televisions, climate control systems, fitness trackers, and more. Several major electronics, appliance, and consumer product manufacturers, retailers, and trade associations have made voluntary commitments to improve cybersecurity in the products they sell. Amazon, Google, LG Electronics, Samsung Electronics, and others have announced their support for and commitment to the program. Under the program, consumers would see a "US Cyber Trust Mark" in the form of a shield logo on products that meet official cybersecurity criteria. The program's goal is to give consumers tools that allow them to make informed decisions about the security of the products they purchase. As proposed, the program would involve stakeholder-led efforts to certify and label products against specific cybersecurity criteria published by NIST, such as unique and strong default passwords, data protection, software updates, and incident detection capabilities.

Security and privacy labeling is beneficial not only to individuals, but also to nations as a whole. Such an initiative could significantly affect critical infrastructure sectors where IoT devices are heavily used. Cyber threats increase as these sectors adopt IoT for operational efficiency and data analytics. By setting clear cybersecurity standards, a labeling program could mitigate these threats and secure the devices at the core of essential services. A cybersecurity labeling program could also spark international collaboration and standardized security for connected devices.
