President Biden still wants his cybersecurity labels on those smart devices
May follow Finland and Germany in adopting Singapore's standard
The Biden administration is pushing ahead with its drive to add cyber security labeling to consumer Internet of Things (IoT) devices, and may join other nations in adopting the scheme pioneered by Singapore.
This desire for labeling, and what's been achieved so far, was discussed at a Wednesday meeting attended by US deputy national security advisor for cyber and emerging technology Anne Neuberger, Federal Communications Commission (FCC) chairwoman Jessica Rosenworcel, national cyber director Chris Inglis, and representatives from telcos and other tech companies including Google, AT&T, Cisco, Intel, Samsung and more.
Google's VP engineering, Dave Kleidermacher, took to the Chocolate Factory's blog to confirm the company's attendance at the workshop. The veep summarized the problematic nature of increasingly interconnected devices amid ever evolving cybersecurity threats:
Not only are we becoming more deeply connected through IoT devices, we're now putting more of our lives and trust in the hands of digital technology.
Yet, the IoT industry still lacks a global harmonized way for measuring the security quality of connected products, which means consumers may not have the visibility they need into whether their IoT devices protect their data.
Standards for these US security labels are expected to roll out by Spring 2023, initially as a voluntary system. The labels are expected to feature ratings that reflect the quantity of data collected, how easily the device can be patched or upgraded to mitigate vulnerabilities, data encryption, and interoperability. The labeling effort began in Spring 2021 following an executive order by Biden.
Essentially, the discussion this week was a progress update of sorts between government and industry on how these labels will be designed and used. The project is still in flux, from what we can tell.
- Founder of cybersecurity firm Acronis is afraid of his own vacuum cleaner
- CISA warns of security holes in industrial Advantech, Hitachi kit
- Millennials, Gen Z actually suck at workplace security
- So, the US, China, and Russia walk into an infosec conference
This workshop was referenced by Neuberger on Thursday during a streamed speech at Singapore International Cyber Week (SICW) 2022 – a conference that drew government and industry representatives from all over the world to discuss cyber security.
Neuberger said countries must work to avoid fragmentation of IoT standards since such fragmentation could burden consumers – particularly as they transit between jurisdictions.
The security advisor also said the US was looking to Singapore for inspiration on labelling as it had "become a world leader in IoT" – a sentiment she also expressed to journalists the week prior.
In 2014, the city-state launched its Smart Nation initiative, which seeks not only to collect data and digitize public services, but to incorporate interoperable IoT and automation across all aspects of life – including transport, healthcare, food and beverages, logistics and more.
Singapore launched its Cybersecurity Labelling Scheme (CLS) in October 2020. Some gradients of the four-level scheme are mutually recognized by Finland.
During the conference, Cyber Security Agency (CSA) of Singapore director Soon Chia Lim said the largely voluntary CLS scheme was designed with four levels so that developers and manufacturers feel they can easily climb to higher security ratings.
At a SICW 2022 keynote, Singapore minister of state Janil Puthicheary said the CLS has "gained much traction internationally" and announced Germany was expected to sign a mutual recognition agreement (MRA) on the labels as well.
"In addition to signing these MRAs with countries with similar schemes, Singapore has been working with industry and government partners to put up a proposal to develop an international standard, ISO 27404, which defines a Universal Cybersecurity Labelling Framework (UCLF) for consumer IoT. The UCLF will serve as a guide for countries that are looking to implement and set up their own labelling schemes for consumer IoT," said Puthicheary.
"It's easier to use what's out there than recreate the wheel" said Internet of Secure Things (IoXt) Alliance director of operations Grace Burkard during a SICW roundtable discussion.
"We need to be aligned not just to prevent attacks on untested IoT devices, but to fuel innovation," said Burkard. "Without global synchronized IoT standards, IoT doesn't have the runway it needs to evolve." ®