The Internet, as a wise woman once said, is built on rock and roll and silly string, and it’s kind of a miracle that any of it works at all. However, the Internet looks like the absolute pinnacle of human achievement when compared to the Internet of things, an agglomeration of appliances, vehicles, and lightbulbs that serves as a daily reminder of what a terrible idea it was to teach sand how to think.
Many, if not most, IoT devices are security challenged, to put it lightly, and despite the best efforts of security researchers and engineers who have warned manufacturers about the dangers of vulnerabilities in their products, trying to find an IoT device designed with security in mind is a fool’s errand. That way lies madness.
“Each IoT device offers a backdoor or even a front door for cybercriminals to exploit the network. Our defenses are only as strong as the weakest link in the chain,” said Rep. Doris Matsui (D-Calif.).
And yet all is not lost.
A new initiative backed by the federal government and a slew of high-profile device manufacturers aims to develop a set of cybersecurity standards for IoT devices and produce a seal of trust that manufacturers who meet those standards can place on their products. The goal is twofold: improve the security posture of smart devices and give buyers a visible indicator that those devices have met the new requirements. Called the U.S. Cyber Trust Mark, the program has been in the works for quite some time and federal officials have worked with private sector experts and security researchers to develop the baseline security requirements. The labeling program was mentioned in the recently published National Cybersecurity Strategy implementation plan and the idea has been floating around Washington in various forms for many years.
Now it appears the time has finally come for it to move forward.
“People have talked about labeling for years now and there have been a lot of questions about how you would do this. Seeing it in the White House strategy implementation plan and then today shows me they want to see what will work,” said Beau Woods, a member of the grassroots organization I Am the Cavalry, and a former senior advisor at the Cybersecurity and Infrastructure Security Agency who has worked on IoT security issues for several years.
“For a long time we’ve been thinking it’s impossible to secure these devices and at this point it’s putting a lot of things at risk. It’s probably past time for something to be done.”
Although the U.S. Cyber Trust Mark program is mainly focused on consumer products at the moment, it will have some implications for SMBs, enterprises and other organizations, as well. Most companies, regardless of size, have some form of consumer-grade IT products in their environments, whether by design or through other means. The Cyber Trust Mark seal will give IT teams an assurance that the product has at least met a minimum set of security standards, something that is not clear at the moment.
“This can be a way to communicate this to buyers and combined with other factors to assess risk. It fits into the broader overall picture,” Woods said.
“Securable products are foundational for a secure ecosystem.”