Plans from the Biden administration to release product security rating system could raise the bar for security overall, say experts, but won’t likely prevent the next SolarWinds or Microsoft hacks.
In a briefing to reporters Friday, senior official compared the forthcoming rating system to the health and safety letter grades at restaurants. And it is a concept that the cybersecurity community has batted around for some time: place a label on the box that says a product is or is not secure, and let consumers create a market around security.
But experts say the simplicity of that concept is both its strength and its weakness: it’s a concept that is easy to understand and could drive compliance with a set of standards, but it won’t prevent more sophisticated attacks and could create a false sense of complacency.
“Labeling won’t solve nation-state problems, no matter how good the label is, even if it’s perfectly enforced and sets a really high bar,” said Beau Woods, cyber safety innovation fellow at the Atlantic Council and a volunteer with the internet-of-things security advocacy group I Am The Cavalry.
Several governments, both individual nations and the European Union, have pursued cybersecurity standards in recent years, particularly around IoT devices. At the briefing, the administration specifically mentioned Singapore’s labeling law. Labels create a voluntary basic cybersecurity standard.
The problem is that basic standards do a good job addressing the vast majority of hackers, but they do not address hackers with extraordinary capabilities. No standards can create perfectly secure products, because they simply don’t exist.
Brad Rees, chief technology officer of the ioXt Alliance, an industry group developing labeling standards for IoT, noted that the issues behind the SolarWinds hack likely would not have shown up on a product rating.
“It’s unfortunate that the White House chose to throw out or tease an IoT labeling scheme in the middle of talking about a Chinese-state hacker with Microsoft Exchange,” he said. “Labeling schemes are here to prevent baseline security issues. They’re not nation-state-proof. That’s not the intent.”
The intent, said Rees, is to stop the types of attacks that can be headed off with a checklist. He pointed to the Verkada hack last week, where cameras had a fixed default password. A checklist-based label could have been prevented that from happening or, at a minimum, informed consumers of the risk so they could have made buying choices accordingly.
Base security standards can make nation states work harder to hack low hanging fruit. But a Hafnium Microsoft Exchange attack, utilizing previously unknown vulnerabilities from a vendor with well-esteemed security hygiene, may be beyond standards’ grasp. Similarly, complex supply chain attacks that trojanize software and move laterally across networks bring a level of sophistication that likely exceeds that of any security rating standard.
“If a labeling scheme is successful, it will force high capability adversaries to reveal more of their capabilities so they’re more trackable, and discoverable,” said Woods. “But it won’t solve the SolarWinds problem.”
Labels, say Rees and Woods, can provide a lot of benefits, but only when handled properly. He pointed to vagaries in the Singapore labeling system as an example. Singapore provides a single digit security rating, with little context of what that number means.
The solution the ioXt Alliance has pursued, by comparison, would be a seal that a product meets a minimum standard. For home consumers, a binary yes or no, secure or not, could be enough. But that seal would also have to be accompanied with the opportunity for organizations to get more specifics, he added. On its website, ioXt contains detailed information about a number of different security dimensions that go beyond the minimal requirements. He worries much information on the product will make consumers eyes glaze over.
“You have to worry about the NASCAR effect when you launch a lightbulb. How many labels do you need to place on this thing? And, as a consumer, which of the 20 labels matters to you?” he said.
Woods believes that labels are more effective in conjunction with strong, mandatory standards for security – that they should only address how much beyond the minimal standard a product would go. He added that the United Kingdom did extensive investigations into how to best implement an IoT labelling requirement before ultimately deciding that legislating baseline standards would ultimately be more effective.
The restaurant health inspection metaphor used by the administration is a good visualization for a general public. It is not a perfect metaphor for how Rees thinks a labeling standard would likely work, and Woods questioned a little bit of the ambiguity it brought to the table.
Restaurants are investigated by an official public health authority. That might not be practicable for a technology industry turning out an overwhelming number of products in a given year. A more realistic solution, said Rees, might be a mixture of third-party laboratories and self-certification. ioXt enforces its self-certification with a bug bounty like program incentivizing researchers to discover errors in self-reporting. Woods said when I Am the Cavalry has worked on standards in the past, it always focused on standards that users could easily validate.
A more nuanced issue with the restaurant analogy might be in determining what exactly would be certified. From context, it appeared to be some kind of product certification, but Woods noted that it could be a process certification – hygiene at the development or corporate level. The White House did not immediately respond to an email seeking clarification.
Ambiguity aside, Rees said there is a real opportunity for a labeling standard to raise the bar for security overall.
“The short answer is, absolutely it will raise the security standard,” he said. “The medium-length answer is companies who go through these assessments end up with security at the top of mind. This won’t make things unhackable. But I’ll tell you, companies who do assessments are head and shoulders above those who don’t even look when they launch products.”