Security Shield: A Label to Educate Consumers and Promote Sustainable Cybersecurity
January 28, 2019
You can view and download our new white paper, “Security Shield: A Label to Support Sustainable Cybersecurity,” here.
Last year, we published a white paper recommending stakeholders improve cybersecurity and foster innovation by drawing upon time-tested principles from sustainability management. The paper observed that transitioning to a sustainable approach to cybersecurity embraces the principles of shared responsibility and collective action, frames business costs associated with improved security as an investment in the internet ecosystem, encourages broad adoption of risk-management practices, and supports consumer engagement.
Our first paper also included a series of operational and policy recommendations for actors across the internet ecosystem. Among these recommendations is for device manufacturers to sell products that are secure to market, have an established lifecycle, and are updatable as necessary. As part of our recommendations, we highlighted a need for the marketplace to offer devices with these capabilities. In our new white paper, “Security Shield: A Label to Support Sustainable Cybersecurity,” we outline the need for a consumer-facing label that would inform purchasers of Internet of Things (IoT) products that the manufacturer followed best security practices in developing the product and convey that the product’s security capabilities are better than similar products without such a label.
Why should the IoT marketplace adopt a label?
Efforts abound to identify and implement best cybersecurity practices, but additional action is necessary to improve cybersecurity. The Cybersecurity Framework, published in 2014 and recently updated, is one example of best practices for enterprise networks. More recently, risk management practices have expanded to consider how to build and maintain products securely before and after they enter the internet ecosystem. These security capabilities baselines are an important development and signal a maturation within the marketplace.
Still, there will be some products that make it to market yet fail to follow best practices. To reduce the risk such insecure products pose to the internet ecosystem and trust in it, consumers need to be able to distinguish among more and less secure products. A consumer-facing label is one tool to aid consumer choice. Indeed, recent U.S. government-led cybersecurity reports have recommended as much. Other tools include retail establishments setting minimum security requirements for products they will sell and training retail staff to inform consumers about security capabilities, to name just two. These steps alone can help, but just as was the case with energy conservation, a label can facilitate additional awareness and thereby additional opportunity to enhance cybersecurity.
What does a cybersecurity label mean for consumers and manufacturers?
The paper uses the Energy Star program as a model to consider in developing a consumer-facing label for cybersecurity. To begin, however, it is critical to recognize that the Energy Star program can inform a cybersecurity label, but it is not a perfect solution. As is well known, cybersecurity cannot be measured the way that energy usage and conservation can.
Nonetheless, there are other important attributes of Energy Star that can be brought forward for cybersecurity. These include the establishment of baseline capabilities that a product awarded the label must meet, third-party assessment to confirm manufacturers’ attestations, and consumer awareness of the simple label’s significance as compared to similarly priced and featured products. There are other forms a label could take, including a more detailed bill-of-materials approach or a nutrition-style label. At this stage in the market’s development, we believe that a program similar to Energy Star is likely more useful than either of those alternatives for establishing baseline standards, addressing the information asymmetries that undermine consumer trust, and driving innovation in cybersecurity.
Implementing a labeling program has a number of contingencies also addressed in the paper. Most importantly, the product capabilities, or attributes, must develop through a robust multistakeholder process — not one set by industry alone. After all, vulnerabilities in products and their code have existed for decades yet industry has not yet risen to meet this challenge and seen fit to consistently take products secure-to-market.
Also important in establishing these capabilities is the need for interoperability. The consumer IoT marketplace is a global one, and setting low baselines in one region continues the negative externalities already weakening trust in the internet ecosystem. Additionally, government procurement rules required acquisition of Energy Star products; Congress should consider legislation that would provide similar incentives for a cybersecurity label. Furthermore, additional incentives in the form of tax deductions or rebates as well as reassessment of existing liability limitations are also worthy of discussion in pursuing a label.
Finally, raising cybersecurity depends on positive action by all stakeholders, and awareness and education at the corporate and consumer level are key elements to a successful labeling scheme and better cybersecurity. A security shield label for consumer IoT devices is an important first step to foster sustainable cybersecurity practices and restore consumer trust in the marketplace. It should spur the market and build consumer trust while fostering a sustainable approach to cybersecurity in the IoT ecosystem and beyond.
About Megan Stifel
Megan was previously Public Knowledge's Cybersecurity Policy Director and is now a Senior Fellow. Megan is Senior Policy Counsel at the Global Cyber Alliance. Previously, Megan was the Director for Cyber Policy in the National Security Division at the Department of Justice. She also served as counsel in the Computer Crime and Intellectual Property Section of the Criminal Division at DOJ. She began her DOJ career as an attorney in the Office of Intelligence. Megan served as Director for International Cyber Policy at the National Security Council. She was responsible for expanding the Obama Administration’s cybersecurity policy abroad, including in connection with internet governance, bilateral and multilateral engagement, and capacity building. She is a non-resident senior fellow at the Atlantic Council's Cyber Statecraft Initiative at the Brent Scowcroft Center on International Security. Megan received her J.D. from the Maurer School of Law at Indiana University and her B.A. from the University of Notre Dame. She is a member of the Dean’s Alumni Board at the Maurer School of Law and a Partner in Social Venture Partners Charleston.