Tell Congress to Use the CRA to Save Net NeutralityLearn More About the CRA
The rapid rise of the Internet of Things (IoT) has given new urgency to a conversation in the cybersecurity community about the consumer’s role in the internet ecosystem. Consumer IoT-powered botnets are an increasing concern, and the proliferation of insecure products as companies rush to be first-to-market in new areas only compounds the issue. The 2016 Commission on Enhancing National Cybersecurity report called for a product labeling scheme to help inform consumers about which IoT products are relatively more secure. Additionally, such an effort can incentivize manufacturers to adopt a secure-to-market approach, empowering consumers to better manage their own risks. Senator Markey and Congressman Lieu echoed this call with their proposed Cyber Shield Act. Experts consistently compare this labeling proposal to the Environmental Protection Agency’s Energy Star program.
As we previously outlined in detail, sustainability management programs supported by initiatives like Energy Star provide a useful conceptual framework for crafting forward-looking, consumer-engaged cybersecurity policy. However, any analogy has limits, and many of the metrics used in conservation and sustainability do not have clear counterparts in cybersecurity, nor is there (nor should there be) a single agency with comprehensive authority over the internet ecosystem.
Although a cybersecurity labeling system similar to Energy Star should prove valuable, we still have some questions to answer, chiefly: What would such a system look like? Who would run it? And how would someone earn the label?
What is Energy Star?
Energy Star is a nonregulatory, opt-in government program that awards a consumer-facing label to qualifying products, identifying those which prove the most energy-efficient in a given category. Energy Star certification can also extend to commercial buildings and homes. It is generally regarded as one of the most successful and recognizable government-led programs of the last quarter-century -- more than 90 percent of U.S. households recognize and understand the label. The EPA estimates the program has saved consumers more than $430 billion in energy costs since its inception -- in addition to saving more than 4.6 trillion kWh of electricity and preventing 2.8 billion metric tons of greenhouse gas emissions. It is a rare example of a successful market-steering program with support from consumer advocates, corporations, and both political parties.
Energy Star began life in 1992 as “Energy Star Computers,” introduced under the Clean Air Act’s mandate that the EPA should “develop, evaluate, and demonstrate nonregulatory strategies and technologies for air pollution prevention . . . with opportunities for participation by [industry and public stakeholders].” Since then, the EPA has updated and expanded the program, relying on a multistakeholder approach to revise standards upwards and improve energy efficiency. It has also incorporated a third-party testing and certification system in order to avoid potential fraud and abuse. A similar cybersecurity program should embrace these key elements:
- It should be managed by a government agency to ensure a focus on delivering public goods;
- its standards should be developed in consultation with a variety of stakeholders;
- and it should incorporate third-party review in certification.
Operationalizing the “Energy Star” Framework
The closest analog to the EPA in cybersecurity is the National Institute of Standards and Technology (NIST). Under Section 401 of the Cybersecurity Enhancement Act of 2014, NIST is responsible for coordinating the development of standards and best practices for cybersecurity, making those standards available and usable by the public, and increasing awareness of cybersecurity and cyber safety. An Energy Star-like labeling program could easily fit within this statutory authority. Although it likely has the authority to create such a program, NIST will require additional support from Congress in order to manage a program of any size. It could also partner with its parent agency, the Department of Commerce, much like the EPA partners with the Department of Energy to manage Energy Star.
The EPA has clear metrics, like power consumption, that companies can use to guide product design and test before a device goes to market, but presently NIST lacks a real measure that can be tested against cybersecurity best-practices in the design phase. There are community-developed metrics for network security and analyzing known vulnerabilities, but no clear metrics exist for product performance before distribution or for improvements in security over the operational lifecycle. There is no perfect analog for “emissions” or “power consumption” in the cybersecurity realm, and retrospective statistics -- like attempted attacks in a given period -- do not support the prospective goals of an Energy Star-style program. A secure-to-market approach requires positive efforts throughout the device design and production lifecycle. However, NIST can easily develop standards to encourage these efforts informed by recognized best practices in design, production, and operation that are inherently more secure and privacy protective than others. A Cybersecurity Baseline for IoT could form the basis for a rating scheme that would focus on qualitative practices, and could, over time, lead to more quantitative, data-driven analysis. This would actually be a close analog to the original “Energy Star Computers” program.
When framing Energy Star Computers, the EPA recognized a need for a simple, affordable step that could have a significant impact. They came up with a viable option that manufacturers embraced: the concept of a “sleep” function, which could put computers into a low-power state when not in use. The first generation of qualifying computers needed a basic sleep function that reduced power consumption by around 70 percent. Over time, this evolved into the current standard, which has greater specificity, more refined metrics, and is tailored to a wider variety of devices. The important thing to note is that an assessment and labeling scheme does not need to spring forth fully-grown and armored. As with other successful sustainability management initiatives, a cybersecurity labeling program can begin with a simple step -- for example, eliminating hardcoded credentials and labeling accordingly such products.
The Commission on Enhancing Cybersecurity report provides two examples for a label: a symbol, like the Energy Star logo, or a more detailed description, like an FDA nutritional label. Part of the success of the Energy Star label has doubtless been its simplicity. While cybersecurity is a complex issue, a consumer-facing label does not initially need to contain detailed information -- rather, it should help consumers clearly differentiate more secure products. The manufacturer should make more detailed security information available, either through publication of the overall criteria for meeting the standard, including a “software bill of materials” with the product, or making one available online. For products without packaging, or those available for purchase through online marketplaces like Amazon, a digital label like the one contemplated by the Cyber Shield Act could also be appropriate.
Implementing a labeling program that follows a consensus security capabilities baseline represents a single government action that can simultaneously build awareness about secure products, foster innovation, and improve security throughout the internet ecosystem, without the need for direct regulation. In the same way that Energy Star gave manufacturers an incentive to develop and implement sustainable technologies, a labeling program for cybersecurity can help ensure that manufacturers embrace a secure-to-market approach for IoT devices and support a more sustainable and resilient internet ecosystem for tomorrow. A labeling program would enable companies to compete on security in the same way they now compete on energy efficiency, especially when combined with efforts to educate consumers and introduce incentives to implement additional sustainable cybersecurity practices. It’s time the market gave consumers the power to manage their own cybersecurity risk.