Although a cybersecurity labeling system similar to Energy Star should prove valuable, we still have some questions to answer, chiefly: What would such a system look like? Who would run it? And how would someone earn the label?
As we have previously outlined in detail, sustainability management provides a useful conceptual framework for crafting forward-looking cybersecurity policy. A sustainable approach to cybersecurity involves, among other things, acknowledging that cybersecurity is a shared responsibility, framing business choices that prioritize security as investments, and engaging broadly in risk management practices. The Internet of Things (IoT) ecosystem has reached (or, arguably, passed) an inflection point in its development, and a sustainability-based security baseline for consumer-facing IoT is past due.
In a late-May vehicle safety review, Consumer Reports noticed a problem with the new Tesla Model 3’s brake performance: It stopped more like a truck than a sedan. Within days, Elon Musk’s company was able to identify the issue and resolve it through an over-the-air (OTA) update.
Back in 2011, the Federal Trade Commission alleged that Facebook deceived consumers by failing to keep its promises to protect user privacy. The two parties agreed to settle the charges through something called an “agreement containing consent order.” The Commission also signed a consent agreement with Google that same year. The FTC issued a final Decision and Consent Order regarding the Facebook allegations in 2012. (A consent order is an FTC enforcement tool that operates like a legal settlement.) Without admitting to the complaint’s counts, the parties involved signed a document that basically says, “we both agree to enter this agreement to resolve the allegations in the complaint, so now you have to do the following things, and if you fail to do any of them, the FTC is going to impose financial penalties.”