The U.S. government has committed to rolling out a cybersecurity labeling initiative for consumer-grade internet-of-things (IoT) devices in the spring of next year. The goal is to require manufacturers to make sure adequate cybersecurity controls are embedded within these devices.
The threat these devices represent is two-fold. The first is that cybercriminals can, for example, hack into a monitor placed in a child’s room, a risk consumers are becoming more aware of. The second, which is a little more common, is that many of these devices can be commandeered by botnets to launch distributed denial of service (DDoS) attacks that continue to increase in scale and frequency.
The approach the White House envisions for creating these labels is to require manufacturers to include a QR code that consumers could scan to figure out the level of cybersecurity protection being provided. It’s not clear how many consumers would actually scan a QR code to determine what level of security has been enabled, but the existence of the requirement should at least create a cybersecurity baseline that manufacturers would need to meet.
Government agencies involved in the initiative include the National Security Council, the Office of the National Cyber Director, the Office of Science and Technology Policy, the National Economic Council, the Department of Commerce, the Department of Energy, the Department of Homeland Security, the Department of State, the Federal Communications Commission, the Federal Trade Commission, and the Consumer Product Safety Commission.
Other participants include the European Commission, Amazon, the American National Standards Institute, AT&T, Cisco Systems, Comcast, Consumer Reports, the Consumer Technology Association, the Connectivity Standards Alliance, CTIA, Google, Intel, ioXt, LG, the National Retail Federation, Samsung, Sony, UL Solutions, the Atlantic Council, Carnegie Mellon University, and R Street Institute.
Raising awareness of IoT security risks
Consumer-grade IoT devices are naturally more vulnerable than industrial IoT devices, but the sheer number of consumer-grade IoT devices makes them a relatively easy target. In fact, with more employees accessing corporate resources from home using consumer-grade devices and networks, the probability that malware will spread from the home to the office has never been greater.
Of course, connecting anything to the internet today comes with a lot of inherent risk. A recent survey of 800 senior IT managers, senior IT security managers, and project managers responsible for industrial internet-of-things (IIoT)/operational technology (OT) found that 94% reported their organization had experienced a security incident in the last 12 months. The difference is that most consumers today don’t have as much appreciation for that risk as an organization managing industrial control systems.
Obviously, any labeling system that gets created would need to be accompanied by a raft of public service awareness campaigns that ultimately should encourage consumers to make cybersecurity a much more important criterion when evaluating any device they intend to bring into their homes. The challenge may be convincing consumers to pay extra for additional cybersecurity, especially when many of them are now more conscious of costs during an economic downturn.
In the meantime at least, cybersecurity professionals can take some comfort from the fact that by this time next year the number of completely insecure consumer devices connected to the internet may hopefully begin to decline.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.