The White House issued a statement today that said, essentially, it hosted a big meeting on Wednesday, with big names, and that some kind of security label for smart devices will come of it in spring 2023. Here’s a good deal more on what happened, and what’s likely to come out of it.
One of the top-level recommendations of the US Cyberspace Solarium Commission, named for the Eisenhower administration’s drive to rethink Cold War strategy, in its March 2020 report was to “establish a national cybersecurity certification and labeling authority.” A “non-profit, non-governmental organization” will become a labeling authority for at least five years, tagging products based on the consensus of the departments of Commerce and Homeland Security and “experts from the federal government, academia, non-governmental organizations, and the private sector.”
And that’s roughly who attended, according to the White House. Amazon, Comcast, Google, Intel, LG, Samsung, Sony, and other private companies showed up. So did the Connectivity Standards Alliance, the consortium behind Matter, along with the American National Standards Institute (ANSI), Consumer Reports, and three lobbying groups: the Consumer Technology Association, CTIA, and the National Retail Federation. Add in just about every security-touching government agency, and you’ve got the panel the Solarium Commission recommended.
Details on the label itself as it exists so far, and what it would rate or measure, were not available, but there have been hints. CyberScoop quoted a White House official stating that device ratings could be based on “vulnerability remediation, amount of information collected on consumers, whether data is encrypted, and interoperability with other products.”
As for what the label could look like, there’s at least one template. Researchers from Carnegie Mellon University, one of the parties invited to the summit, had already created a security “nutrition label.” The label, based on input from more than 22 groups, performed well with users, the university claims. It provides multiple levels of disclosure, based on common Internet of Things pain points: default passwords, security updates, functionality when offline, and the like.