For Consumers: IoT Devices and Software
In May of 2021, President Joe Biden signed the Presidential Executive Order on Improving the Nation’s Cybersecurity (14028) as part of a greater effort to enhance software supply chain security. As part of the order, the National Institute of Science and Technology was tasked with issuing guidance for labeling consumer internet of things devices and software.
No Mandatory Labeling Yet
Labeling, particularly for consumer products, is largely dictated by laws; those selling certain types of food in a grocery store, for example, are required to include nutritional information in a standardized manner. Although laws may eventually mandate the labeling of various IoT products and software, NIST’s instructions include devising methods of creating incentives for manufacturers and developers to participate, suggesting a voluntary approach. Furthermore, NIST is looking into existing labeling practices when developing their own guidelines, as experience in other fields can offer valuable guidance. Should labeling become mandatory in the future, it would likely be up to the Federal Trade Commission to enforce these rules.
Scope Remains Murky
The ubiquity of software in our daily lives means developing labeling standards is especially difficult. Consider, for example, cars. The computers that power a car’s sensors and other basic elements generally operates as a black box developed in tandem with the car’s mechanical components; labeling such a device is likely unnecessary as it doesn’t present a realistic attack vector. In-car entertainment systems, on the other hand, often connect to the internet and can place a driver’s personal information at risk, making it a more likely attack surface. Furthermore, the scope of proposed labeling schemes remains difficult to define as well. A car entertainment system meets the criteria of an IoT device according to many definitions of the internet of things, yet few would place it in the same category as other IoT devices.
A Flexible Approach
In most cases, labeling suggestions or requirements change at a slow pace. Although nutritional information labeling changes over time, it’s only after research has firmly demonstrated that a better approach is warranted. After all, basic foods rarely change. Computational devices, on the other hand, change at a rapid pace, and any labeling effort must be reflective of the state of technology at a particular point in time. As a result, NIST is aiming to build flexibility into its labeling proposals. Labeling inappropriate for its contemporary technological landscape can place an unnecessary burden on developers and manufacturers. Perhaps even worse, it can leave consumers confused about why potentially irrelevant information is including on a product’s label.
Security is the Top Priority
Labeling is widespread; food labeling helps buyers with allergies avoid potential health problems, and nutritional information helps buyers better manage their diets. On technological devices, however, labeling generally only addresses hazards from its electrical components. As the importance of cybersecurity becomes more clear, however, the Biden administration seeks to provide individuals with the information needed to ensure their data and infrastructure is safe. By setting guidelines for IoT consumer device and software labeling through NIST, the administration hopes to set the stage for more robust security practices, giving buyers better tools for protecting against ransomware and other attacks.
Avoiding Jargon
Labels can only be helpful if they’re understood by those who read them. The tech industry is notorious for its ever-growing list of jargon, which can lead to consumer confusion and poor security. One of their recommendations is to avoid ambiguity whenever possible. Elements of labels should, according to NIST, list binary information: Either a products meets a certain criterion or it doesn’t. This can help various parties provide guidance for consumers who lack the technical knowledge to analyze more detailed information. Customers can simply look for a device that meets certain criteria.
Software and Hardware
While the components of computing devices are remarkable, it’s the software that makes these devices truly powerful. In IoT devices, in particular, hardware changes occur at a moderate pace. The software, on the other hand, often goes through regular updates both to address potential security issues and to add new capabilities. The intersection of hardware and software poses a challenge for setting labeling guidelines; how much information ought to be included on the label? Part of NIST’s task involves identifying software deemed as critical, a evolving list that includes operating systems, networking interfaces, and identity and authentication software.
Building on Previous Work
Part of the reason NIST was tasked with developing labeling schemes is its past experience developing cybersecurity guidelines. The NIST’s Information Technology Laboratory released its Secure Software Development Framework version 1.1 in February of 2022, a document that builds on previous guidelines. Industry practices play a key role in developing labeling, and following the high standards of industry best practices will make it easier for manufacturers and developers to label their products. Again, NIST is following the industry instead of recommending mandates that would require significant changes for manufacturers and developers.
A Burgeoning International Effort
Although NIST is developing its own guidelines, the executive order states that it should build upon national and international experience. The United States isn’t the only country looking into labeling for computational devices, and efforts are underway in many government organizations, including the European Union. Furthermore, there are signs that countries are looking to collaborate; Finland and Singapore, for example, have agreed to recognize each other’s IoT cybersecurity labeling. Presenting guidelines that work smoothly with these other standards can help spur adoption and allow NIST to build on the findings and experiences of other entities.
Cybersecurity is a challenging field. While advances in other areas are typically iterative and happen slowly enough for regulations to keep up, IoT and software evolve at a rapid pace, making it difficult to keep up against heavily motivated malicious actors. While other government organizations have a role to play in keeping individual and commercial data safe, NIST was chosen to lead the way on IoT and software labeling due to its ability to analyze information about data security based on real-world findings. However, it will likely be some time before consumers see a significant difference when shopping.