SSecurity Shield - Public Knowledge · consumer toward the preferred choice.2 A cybersecurity...
16
Transcript of SSecurity Shield - Public Knowledge · consumer toward the preferred choice.2 A cybersecurity...
SSecurity Shield:A Label to Support Sustainable
Cybersecurity
Megan StifelDylan GilbertMark Peterson
Acknowledgements
Theauthorswishtothanktheindividualsandorganizationsthatattendeda2018Cyber/Weekroundtableonthispaper.Additionally,we’dliketothankBeauWoods,theInternetSociety,andothersfortheirfeedback.Thispaper,alongwithotherPublicKnowledgecybersecurityworks,wasmadepossiblebythegeneroussupportoftheHewlettFoundation.
1
Introduction
PublicKnowledgerecentlyproposedthatstakeholdersimprovecybersecurityandfosterinnovationbydrawingupontime-testedprinciplesfromsustainabilitymanagement.1Transitioningtoasustainableapproachtocybersecurityembracestheprinciplesofsharedresponsibilityandcollectiveaction,framesbusinesscostsassociatedwithimprovedsecurityasaninvestmentintheinternetecosystem,encouragesbroadadoptionofrisk-managementpractices,andsupportsconsumerengagement.Theproposalmadeaseriesofoperationalandpolicyrecommendationsforactorsacrosstheinternetecosystem.Italsoaskedforfeedbackonwhichactionswerebesttofocusonfirst,whatpolicychallengesstandintheway,andwhatincentivescouldspurbroaderadoptionoftheseactions.Aftercollectingfeedbackandreviewingsomeofthoserecommendations,thenextphasewilltakeadeeperlookattheactionsconsideredmostimpactfulorwiththelongestdevelopmenttime.
Oneofthekeypointsindiscussionsaboutthewhitepaperhasbeenthegovernment’sroleinimprovingincentivesforstakeholderstoimplementsustainablecybersecuritypractices.Thisincludestheneedtoraisesocialawareness,suchasthrougheducationandlabelingschemes,whichcanguideconsumerchoices,andpossiblytointroducemorecoerciveincentives,suchasreevaluatingframeworksforliability.Ingeneral,labelingconsumerproductsencouragestheconsumertowardthepreferredchoice.2Acybersecuritylabelingschemeisaviablemechanismforfurtheringsustainablecybersecuritypracticesinthecontextofconsumer-facingInternetofThings(IoT)products.Thispaperproposesthecreationofa“SecurityShield”labeltospurthemarket,tobuildconsumertrust,andtofosterasustainableapproachtocybersecurityintheIoTecosystemandbeyond.
Thegovernment’sabilitytostimulatethemarketplacehasbeeneffectivelydemonstrated
inenvironmentalconservationandsustainability.ProgramslikeEnergyStarhaveprovidednon-regulatoryincentivestoindustrytodriveinnovation,andstatutoryandcommonlawlegalclaimshavepressuredcompaniestointernalizenegativeexternalitiestheiractivitiesmayhaveontheecosystem.3ApplyingthesesuccessfulprogramstocybersecuritycouldhavesignificantpositiveimpactinboththeU.S.andinternationally.Providingconsumer-facinglabels,indicatingwhichproductsareassessedtobemoresecurethanothersaccordingtoconsensus-developedcapabilitiesbaselinesandstandards,enablescompaniestocompeteonsecurityinorderto
1SeeMeganStifel,SecuringtheModernEconomy:TransformingCybersecurityThroughSustainability,PublicKnowledge(Apr.2018),https://www.publicknowledge.org/documents/securing-the-modern-economy-transforming-cybersecurity-through-sustainabili.2See,e.g.,JohnM.BlytheandShaneD.Johnson,RapidevidenceassessmentonlabelingschemesandimplicationsforconsumerIoTsecurity,5(DawesCentreforFutureCrimeatUCL,2018),https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747296/Rapid_evidence_assessment_IoT_security_oct_2018.pdf.3See,e.g.,CleanAirAct§304,42U.S.C.§7604(2012)(establishingaprivaterightofactionforcertainviolationsofthestatute);CleanWaterAct§505,33U.S.C.§1365(2012)(protectingacommonlawrightofactionfordamagesduetoviolationofthestatuteortoseekenforcementofthestatute).
2
differentiatetheirproducts,andempowersconsumerstohaveaninformedinfluenceonthemarket.InthesamewaythatprogramslikeEnergyStarprovidedameansformanufacturerstoincorporateandimproveenergyefficientdesigns,alabelingprogramforcybersecuritycanencourageasecure-to-marketapproachfornewdevicesandassociatedsoftware.ThiswillbeparticularlyimportantastheInternetofThingsdramaticallyexpandsthenumberofinternet-enableddevicesoverthenextdecade.
TheEmergenceofaCybersecurityLabelingScheme
The2016CommissiononEnhancingNationalCybersecurityReportonSecuringandGrowingtheDigitalEconomyrecommendedsomeformoflabelingschemetoeducateconsumersontherelativesecurityofdevicesandprograms.Thereportstoppedshortofrecommendingacourseofaction,butdistinguishedbetweentwopotentialoptions:asimpleEnergyStar-likemark,oramoredetailedmaterialslist-stylelabel.4In2017theNationalTelecommunicationsandInformationAdministrationMultistakeholderProcessonInternetofThingsSecurityUpgradabilityandPatchingidentifiedupdatabilityasacapabilitythatshouldbecommunicatedtoconsumers,andidentifiedalabelasonemethodtodoso.5Morerecently,theMay2018ReporttothePresident“EnhancingResilienceoftheInternetandCommunicationsEcosystemAgainstBotnetsandOtherAutomated,DistributedThreats,”(“BotnetReport”)identifiedanIoTLineofEffort,RaisingtheBarforIoTSecurity,andincludedasitsfirstworkstreamthedevelopmentofrobustmarketsfortrustworthyIoTdevices.6Itidentifiedseveraltaskstowardthisend,includingthedevelopmentofacoresecuritycapabilitybaseline,developmentofaconsumerIoTsecuritybaseline,establishmentofassessmentprogramsforconsumerIoTdevices,andexplorationofvoluntarylabelingapproachforconsumerIoT.TheBotnetReportalsocalledforthedevelopmentofGuidelinesforSoftwareComponentTransparency,thesubstanceofwhichissimilartothematerialslist-stylelabel.Whilebothoptionshavetheiruses,atthisstageinthemarket’sdevelopmentaprogramsimilartoEnergyStarislikelythemoreusefulofthetwoforestablishingbaselinestandards,addressinginformationasymmetriesthatundermineconsumertrust,anddrivinginnovationincybersecurity.
EnergyStar’sstrategicvisionprovidessomeusefulprinciplesforacybersecuritylabelingprogram.Theprogramshouldseektoprovideacommon,objectivebasisforwhatconstitutesa4SeeCommissiononEnhancingNationalCybersecurity,ReportonSecuringandGrowingtheDigitalEconomy,30(Dec.1,2016),https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf.5MultistakeholderProcessonInternetofThingsSecurityUpgradabilityandPatching,CommunicatingIoTDeviceSecurityUpdateCapabilitytoImproveTransparencyforConsumers,at1(July18,2017),https://www.ntia.doc.gov/files/ntia/publications/communicating_iot_security_update_capability_for_consumers_-_jul_2017.pdf;seealsoFederalTradeCommissionPublicCommenton“CommunicatingIoTDeviceSecurityUpdateCapabilitytoImproveTransparencyforConsumers,”https://www.ftc.gov/system/files/documents/advocacy_documents/ftc-comment-national-telecommunications-information-administration-communicating-iot-device-security/170619ntiaiotcomment.pdf.6SeeReporttothePresident“EnhancingResilienceoftheInternetandCommunicationsEcosystemAgainstBotnetsandOtherAutomated,DistributedThreats(“BotnetReport”),43-44(May30,2018),https://www.commerce.gov/sites/default/files/media/files/2018/eo_13800_botnet_report_-_finalv2.pdf.
3
highlysecuresystem,device,orprogram,itshouldprovideaneasywaytoidentifyqualifiedproducts,anditshouldbecoupledwitheducationandoutreachprogramstobuildandsustaindemandforqualifyingproducts.7TheotherkeytotheEnergyStarprogramhasbeenidentifyingproductsthatarecost-effectiveforpurchasers,atleastfunctionallyequivalenttonon-qualifyingproducts,andbroadlyavailable.Thisconstraintiscriticaltopushingthebaselinestandardforwardandensuringacontinuingdemandforqualifyingproducts.StateandfederalsupportfortheEnergyStarprogramthroughtaxcuts,rebates,subsidies,anddirectpurchasesofqualifyingproductshasalsobeenimportantinsustainingtheprogramanddrivingtowardstheoverallpublicgoal—amoresustainable,resilientenergymarket.
Today,theemergenceofacybersecuritylabelingprogramseemsalmostinevitable.
Equipmentmanufacturersarealreadydevelopingtheirowninternalstandards,consumeradvocacygroupsareoutliningrequirements,andsomegovernmentsaremovingtoregulatedirectly.ThesuccessoftheEnergyStarprogramarguesforanotheralternative:voluntaryparticipationinaprogramthatdevelopsconsensussecuritybaselinecapabilitiesandstandards,basedonsustainablecybersecurityprinciples,assessedindependentlyandidentifiedbyagovernment-recognizedlabel.
ABriefHistoryofEnergyStar EnergyStarisanonregulatory,opt-in,programadministeredbytheEnvironmentalProtectionAgency(“EPA”)andtheDepartmentofEnergythatawardsaconsumer-facinglabeltoqualifyingproducts,identifyingthosethatarethemostenergy-efficientinagivencategory,e.g.,homeappliancesandelectronics.EnergyStarcertificationcanalsoextendtocommercialbuildingsandhomes.Itisgenerallyregardedasoneofthemostsuccessfulandrecognizablegovernment-administeredprogramsofthelastquarter-century–morethan90%ofU.S.householdsrecognizeandunderstandthelabel.8TheEPAestimatestheprogramhassavedconsumersover$430billioninenergycostssinceitsinception–inadditiontosavingmorethan4.6trillionkWhofelectricityandpreventing2.8billionmetrictonsworthofgreenhousegasemissions.9Itisarareexampleofsuccessfulmarket-guidingprogramwithsupportfromconsumeradvocates,corporations,andbothpoliticalparties.10
7SeeEnergyStarProductsProgramStrategicVisionandGuidingPrinciples,EPA,https://www.energystar.gov/ia/partners/prod_development/downloads/ENERGY_STAR_Strategic_Vision_and_Guiding_Principles.pdf?da2b-e159(lastvisitedJuly5,2018).8SeeEnergyStar,EnergyStarbytheNumbers–2016,EPA,https://www.energystar.gov/sites/default/files/asset/document/Archive%20-%202016%20By%20the%20Numbers.pdf.9Id.10See,e.g.,TarynHolowka,EnergyEfficiency:ARareBipartisanConsensus,RealClearPolitics(Apr.10,2018),https://www.realclearpolitics.com/articles/2018/04/10/energy_efficiency_a_rare_bipartisan_consensus_136752.html;MaryH.K.Farrell,ProposedFederalBudgetEliminatesEnergyStar,ConsumerReports(May23,2017),https://www.consumerreports.org/appliances/proposed-federal-budget-eliminates-energy-star/;LetterfromIndustryinSupportofEnergyStar,AlliancetoSaveEnergy(Apr.24,2017),https://www.ase.org/sites/ase.org/files/industry_support_letter_for_energy_star-final_5.0.pdf.
4
ThemodernEnergyStarprogrambeganintheearly90’sas“EnergyStarComputers,”asurprisinglynarrowprogramdrawingfromthesameprinciplesastheEPA’sGreenLightsprogram.11GreenLightstackledoneaspectoftheenergyefficiencyproblem,commerciallighting,byencouragingcompaniestoupgradetheirlightingsystems.12Asanincentivetoinvestinmoreefficientlighting,theEPAagreedtoprovideinformationonavailabletechnologyandfinancingoptions,aswellaspublicrecognitionforcompaniesmeetingtheirgoals.TheGreenLightsapproachrecognizedthattherewereeconomicbenefitstoadoptingefficienttechnologythattheEPAcouldmarkettoprivateactors,andthatrealgainscouldbemadebytakingincremental,narrowlytargetedsteps.ThisapproachinformedEnergyStarComputers,whichencouragedcomputermanufacturerstoreducetheirproducts’overallenergyconsumptionbyimplementingasleepfeature,enteringalow-powerstatewhenidleforalongperiod.13
TheEPAoriginallyderiveditsauthorityfortheEnergyStarprogramthroughtheCleanAirAct’smandatethattheagencyshould“develop,evaluate,anddemonstratenon-regulatorystrategiesandtechnologiesforairpollutionprevention,”withopportunitiesforparticipationbyindustryandpublicstakeholders.14TheoriginalEnergyStarComputersprogramrapidlyexpandedtoincludeotherpiecesofofficeequipment,appliances,commercialbuildings,andhomes.In2005CongressmovedtocodifyEnergyStarinordertoexpanditsscopeandimproveconsumereducationonenergyefficiency.15TheEnergyPolicyAct(“EPAct”)of2005mandatesthattheDepartmentofEnergyandEPAmaintain,“avoluntaryprogramtoidentifyandpromoteenergy-efficientproductsandbuildingsinordertoreduceenergyconsumption,improveenergysecurity,andreducepollutionthrough[labelingandcommunication]aboutproductsandbuildingsthatmeetthehighestenergyconservationstandards.”16TheEPActalsogivesstatutoryweighttoearlierExecutiveOrdersrequiringfederalagenciestopurchaseEnergyStarqualifyingproducts
11SeegenerallyTheClimateisRightforAction:VoluntaryProgramstoReduceGreenhouseGasEmissions,EPA(Oct.1992).12SeeIntroducing…TheGreenLightsProgram,EPA(Dec.1993),https://nepis.epa.gov/Exe/ZyNET.exe/2000C67F.txt?ZyActionD=ZyDocument&Client=EPA&Index=1991%20Thru%201994&Docs=&Query=&Time=&EndTime=&SearchMethod=1&TocRestrict=n&Toc=&TocEntry=&QField=&QFieldYear=&QFieldMonth=&QFieldDay=&UseQField=&IntQFieldOp=0&ExtQFieldOp=0&XmlQuery=&File=D%3A%5CZYFILES%5CINDEX%20DATA%5C91THRU94%5CTXT%5C00000008%5C2000C67F.txt&User=ANONYMOUS&Password=anonymous&SortMethod=h%7C-&MaximumDocuments=1&FuzzyDegree=0&ImageQuality=r75g8/r75g8/x150y150g16/i425&Display=hpfr&DefSeekPage=x&SearchBack=ZyActionL&Back=ZyActionS&BackDesc=Results%20page&MaximumPages=1&ZyEntry=2.13SeeEnergyStarComputers,EPA,1(Sep.11,1992),https://nepis.epa.gov/Exe/ZyNET.exe/2000T10J.txt?ZyActionD=ZyDocument&Client=EPA&Index=1991%20Thru%201994%7CHardcopy%20Publications&Docs=&Query=Energy%20Star%20&Time=&EndTime=&SearchMethod=2&TocRestrict=n&Toc=&TocEntry=&QField=&QFieldYear=&QFieldMonth=&QFieldDay=&UseQField=&IntQFieldOp=0&ExtQFieldOp=0&XmlQuery=&File=D%3A%5CZYFILES%5CINDEX%20DATA%5C91THRU94%5CTXT%5C00000016%5C2000T10J.txt&User=ANONYMOUS&Password=anonymous&SortMethod=-%7Ch&MaximumDocuments=15&FuzzyDegree=0&ImageQuality=r85g16/r85g16/x150y150g16/i500&Display=hpfr&DefSeekPage=x&SearchBack=ZyActionE&Back=ZyActionS&BackDesc=Results%20page&MaximumPages=1&ZyEntry=1&SeekPage=x.1442U.S.C.§7403(g).15See151Cong.Rec.H2193(dailyed.Apr.20,2005)(statementofRep.Barton)("Thebill...expandstheEnergyStarprogramtotellAmericanconsumerswhatproductssavethemostenergy.").1642U.S.C.§6294a(a).
5
wherepossible.17Today,“EnergyStarProducts”coversmorethan60categoriesofhomeandcommercialdevices.18 CongressallocatesappropriationsfortheEnergyStarProgramundertheEPA’sAtmosphericProtectionProgram,witharequested$46milliontoadministertheprogramforfiscalyear2019.19Recentproposalstoeithereliminatetheprogram20orshifttoauser-feecollectionmodel21haveencounteredresistancefrommembersofCongress,industrygroups,andconsumeradvocates.22
ExistingCybersecurityAssessmentandLabelingEfforts
Thusfar,cybersecurityassessmentprogramsareevolvingalongthreetracks:industrytradeassociationsaredevelopingstandardsfortheirownmembers;civilsocietyandconsumeradvocacygroupsareestablishingframeworksforthepublicatlarge;andnationalandinternationalstandardsassociationsarepublishingindependentcriteria.
Severaldomesticeffortsareunderwaythatcouldsupportlabelingschemesforconsumer
IoTdevices.InAugust2018,CTIA,awirelessindustrytradeassociation,unveiledacybersecuritycertificationprogramforLTEandWi-FienabledIoTdevices.23Wirelessoperators,technologycompanies,securityexperts,andtestinglaboratoriescollaboratedtocreatetheprogram’splansandtestingrequirementstobuildupontheNationalTelecommunicationsandInformationAdministration(“NTIA”)andNationalInstituteofStandardsandTechnology(“NIST”)IoTsecurityrecommendations.24Whileassociation-drivenlabelingprogramscanbehelpfulforpushingtheecosystemtowardsbroadadoption,becausesuchtestingguidesoftenprioritizespeedy
17See42U.S.C.§8259b;seealsoExec.OrderNo.12845,RequiringAgenciesToPurchaseEnergyEfficientComputerEquipment,58Fed.Reg.21,887(Apr.21,1993);Exec.OrderNo.13123,GreeningtheGovernmentThroughEfficientEnergyManagement,64Fed.Reg.30,851(June8,1999).18SeeEnergyEfficientProducts,EPA,https://www.energystar.gov/products(lastvisitedJul.10,2018)19SeeUnitedStatesEnvironmentalProtectionAgencyFiscalYear2019JustificationofAppropriationEstimatesfortheCommitteeonAppropriations,EPAat153-54(Feb.2018),https://www.epa.gov/sites/production/files/2018-02/documents/fy-2019-congressional-justification-all-tabs.pdf.20SeeFY2018BudgetinBrief,EPA,65(May2017),https://www.epa.gov/sites/production/files/2017-05/documents/fy-2018-budget-in-brief.pdf.21SeeFY2019BudgetinBrief,EPA,18(Feb.2018),https://www.epa.gov/sites/production/files/2018-02/documents/fy-2019-epa-bib.pdf.22See,e.g.,TimothyCama,Trump’splanforEnergyStarsparksindustryuproar,TheHill(Feb.22,2018),https://thehill.com/policy/energy-environment/374940-trumps-plan-for-energy-star-sparks-industry-uproar;MarcGunther,KillingEnergyStar:APopularProgramLandsontheTrumpHitList,YaleEnvironment,360(May4,2017),https://e360.yale.edu/features/killing-energy-star-a-popular-program-lands-on-the-trump-hit-list.23SeegenerallyCTIACybersecurityTestPlanforIoTDevices,CTIA,5(Aug.2018),https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf(“Forthepurposeofthisdocument,anIoTdevicecontainsanIoTapplicationlayerthatprovidesidentityandauthenticationfunctionalityandatleastonecommunicationsmodulesupportingeitherLTEorWiFi®.”).24SeeWirelessIndustryAnnouncesNewCybersecurityCertificationProgramforCellular-ConnectedIoTDevices,CTIA(Aug.21,2018),https://www.ctia.org/news/wireless-industry-announces-internet-of-things-cybersecurity-certification-program.
6
certificationandeaseofmarketaccessoveradoptionandconsumereducation,theymaynotbethemosteffectiveapproachtobuildconsumertrust.
Civilsocietyorganizationshavealsoundertakenvariousbaselinedevelopmentand
labeling-relatedefforts.Mozilla,25inpartnershipwithTrustCon,haslaunchedaTrustableTechnologyMarktohelpconsumersassesstheprivacyandsecurityoftheirhomeIoTdevices.26ThedevicesmaybeevaluatedbyrepresentativesfromTrustConagainstfivecriteria:privacy&datapractices,transparency,security,stability,andopenness.27Alternatively,manufacturerscanself-certify,buttheymustpublishtheirassessmentwithanopenlicense.28Althoughnotalabelingprogram,TheInternetSociety,throughitsOnlineTrustAlliance(“OTA”)initiative,haslaunchedanIoTTrustFramework,whichseekstodifferentiateitselffromothersimilarframeworksbyfocusingonthefullprivacyandsecuritylifecycleandincorporatingtheentireIoTecosystem,notjustdevices.29CivilsocietyandprivatecompanieshavealsojoinedforcestointroducetheDigitalStandard,“anambitious,open,andcollaborativeefforttocreateadigitalprivacyandsecuritystandard.”30OnegoaloftheDigitalStandardistoequipconsumerstobewell-informedabouttheproductsthattheybuy.31TheStandarddoesnot,however,featureaconsumer-facinglabelingscheme,optinginsteadtofocusonusingthestandardtoallowtestingorganizationstoevaluateandreporttoconsumersonwhetherproductsareprotectingconsumersecurityandprivacy.32
Internationally,theEuropeanCommissionhassetforthalegislativeproposaltostrengthentheEuropeanUnionAgencyforNetworkSecurityInformation(ENISA),whichisawaitingfinalreviewbeforepassage.33InadditiontoreinforcementoftheEUcybersecurityagency’smandate,theEUCybersecurityAct34(ECA)wouldestablishanICTcybersecuritycertificationframework.35TheECAcertificationframework,“wouldprovideforEU-widecertificationschemeswithacomprehensivesetofrules,technicalrequirements,standardsandprocedures”thatENISAwouldprepareincooperationwithaEuropeancybersecuritycertification
25Whilesomewhatofahybridentity,becauseMozillaisanon-profitweincludethemwithothermembersofcivilsocietyforpurposesofthissection.26SeeMatthewHewes,MozillaandThingsConlaunchcertificationmarkforsecureIoTdevices,TheNextWeb(lastvisitedJan.24,2019),https://thenextweb.com/security/2018/12/06/mozilla-and-thingscon-launch-certification-mark-for-secure-iot-devices/.27Id.28SeeTrustableTechnologyMarkApplicationForm,https://trustabletech.org/apply/.29SeeInternetSociety,IoTTrustbyDesign,https://www.internetsociety.org/resources/doc/2018/iot-trust-by-design.30DigitalStandard,DigitalStandard,https://www.thedigitalstandard.org/(lastvisitedSep.26,2018).31Seeid.32SeeConsumerReportsLaunchesDigitalStandardtoSafeguardConsumers’SecurityandPrivacyinComplexMarketplace,ConsumerReports(Mar.06,2017),https://www.consumerreports.org/media-room/press-releases/2017/03/consumer_reports_launches_digital_standard_to_safeguard_consumers_security_and_privacy_in_complex_marketplace/.33SeegenerallyMarNegreiro,ENISAandanewcybersecurityact,europarl.europa.eu(Sept.6,2018),http://www.europarl.europa.eu/RegData/etudes/BRIE/2017/614643/EPRS_BRI(2017)614643_EN.pdf.34EUCybersecurityAgency(ENISA)andinformationandcommunicationtechnologycybersecuritycertification(CybersecurityAct),2017/0225(COD),https://ec.europa.eu/commission/news/cybersecurity-act-2018-dec-11_en.35SeeNegreiro,supranote34at6.
7
group(ECCG).36Afteradoptionofthecertificationscheme,aproductmanufacturerorICTserviceprovidercouldapplyforcertificationwithaconformityassessmentbodyofitschoice,withaccreditationissuedforamaximumoffiveyears.37
TheUnitedKingdomhasintroducedaCodeofPracticeforConsumerIoTSecuritybasedon
“thirteenoutcome-focusedguidelines,”whichtargetsmanufacturersbutalsoprovidesguidanceforconsumersofIoTsmartdevices.38In2018Canadalaunchedamultistakeholderprocess:EnhancingIoTSecurity,whichincludesaworkinggrouponlabeling.39Together,theEU,Canadian,andUK-driveneffortsarehelpingtopushinternationaldevelopmentsintherightdirection.However,whileapre-marketevaluationcanenhancethesecurityofproductsgoingtomarket,marketsurveillance,includingpatchability,lifecyclemanagement,andongoingassessments,arealsocriticaltoenhancingsecurityoverthelongerterm,particularlygiventherapidlyevolvingIoTmarket.TheCanadianprocessincorporatestheseelementsandcouldserveasamodelforU.S.andbroadermarkets.
Thesesecuritycapabilitiesbaselinesareanimportantdevelopmentandsignalmaturation
withinthemarketplace.Still,therewillbesomeproductsthatmakeittomarketyetfailtofollowbestpractices.Toreducetherisksuchinsecureproductsposetotheinternetecosystemandtrustinit,consumersneedtobeabletodistinguishamongmoreandlesssecureproducts.Inlightofthenumberandvariationamongbaselinesandtheabsenceofadomesticallyrecognizedlabeltoinformthemarketofconformancewithabaseline,anopportunityexistsfortheU.S.governmenttoconveneaprocesstoadvanceagloballyinteroperablebaselinedevelopmentandlabelingprocess.
PracticalConsiderationsinDevelopingaConsumerCybersecurityLabel
InconsideringtheutilityandviabilityofaconsumerIoTcybersecuritylabelingprogram,fourkeyquestionsassistinfocusingthediscussion:
● Attestation:Aneffectivesecuritylabelwillattesttoaconsensussecuritybaseline
orbestpractices.Whatcriteriashouldbeincludedinsuchabaseline?● Assessment:Whoorwhatshouldoverseetheassessmentprocesstoverifythe
attestation?● Attributes:Whattypesofinformationshouldthelabelcontainandhowshouldthe
informationbeconveyed,e.g.,whatshouldthelabellooklike?● Implementation:Howshouldtheprogrambeimplemented?
36Id.at8.37Id.38SeeU.K.DepartmentforDigital,CultureMedia&Sport,CodeofPracticeforConsumerIoTSecurity(Oct.2018),https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf.39See,e.g.,CanadianMultistakeholderProcess:EnhancingIoTSecurity,ReportonFourthMultistakeholderMeeting,https://iotsecurity2018.ca/wp-content/uploads/2018/12/IoT-Security-Report-Meeting-4-November-20.pdf.
8
Attestation
Ratherthanfocusinitiallyonquantifiablesecuritymetrics—whicharguablydonotexistyetinamanageableform—acybersecuritylabelingprogramshouldinsteadstartwithafocusonqualifiablebestpracticesindesignandmanufacturing.Thereareessentiallythreewaystoidentifythesepractices:industry-leddevelopment,nationalstandardsbodydevelopment(throughagencieslikeNIST),orthroughnationalcontributiontoaninternationalstandardsbody(e.g.,theInternationalOrganizationforStandardization(“ISO”).Whileitmaybereasonabletodevelopuniquenationalstandards,itiswisertodevelopstandardswithinternationalapplicationinmind.
TheneedforquantifiablemetricsisoneofthekeychallengestoimplementingaratingschemelikeEnergyStar’sinthecybersecuritycontext.Amatureratingschemenecessarilyrequiresdiscrete,objectivemeasuresofperformancetoanalyzeinordertogeneratemetrics.40Theconventionalwisdomincybersecurityhaslongbeenthatthreatvectorschangetoorapidlyformostmetricstobemeaningful,andthatthevarietyofboththreatsandtargetsrendersa“onesizefitsall”approachineffectiveandinappropriate.41Inaddition,manycommonlyproposedmeasures,suchasportscanratesandpatchupdatecompletion,areeithernotclearlydefinedornotuniformlyapplied,limitingtheiraccuracyand,therefore,theirusefulness.42
Forthisreason,itislikelymoreusefultoexaminebusinesspracticesatthedesignand
manufacturingstagesaswellaspostmarket,e.g.,estimatedproductlifecycleandpatching,asawaytogaugeproductsecurity.Companiescanattesttocertainpractices-forexampleearlyengagementwithsecurityresearchers,improvingsupply-chainrigor,ortakingeffortstoreducecodecomplexity-inexchangeforrecognition.43Intheabsenceofquantifiablemetrics,theseattestationsgivemanufacturersawaytocommunicatetheireffortsandcorporatevaluestoconsumers.InthesamewaythatEnergyStargavemanufacturersawaytodisplaytheirproducts’energyconservingattributes,aSecurityShieldlabelallowsthemtoshowthatcybersecurityis“anintegralpartof[their]developmentprocess.”44Further,objectiveandobservableattestestationscanbeindependently,publiclyverified(formarketedproducts)andtieintowell-understoodlegalandgovernmentenforcementcapabilities.
40Anoteonterminology:broadly,“measurement”referstothecollectionofdataondiscretefactors,anda“metric”isderivedbycomparingtwoormoremeasurementstoapredeterminedbaseline.Formore,seeWayneJensen,NISTIR7564:DirectionsinSecurityMetricsResearch,NationalInstituteofStandardsandTechnology,3-4(Apr.2009),https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7564.pdf(lastvisitedSep.26,2018).41Seegenerally,LarryClinton,Metrics?WhatMetrics?FindingtheMissingLinktotheNISTCybersecurityFramework,InternetSecurityAlliance(May31,2017),https://isalliance.org/metrics-what-metrics-finding-the-missing-link-to-the-nist-cybersecurity-framework/(lastvisitedSep.26,2018).42SeePaulE.Black,etal.,CyberSecurityMetricsandMeasures,NationalInstituteofStandardsandTechnologyat3,https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=51292(lastvisitedSep.26,2018).43Foranillustrativeexample,seeIAmTheCavalry,FiveStarAutomotiveCyberSafetyFramework(Feb.2015),https://www.iamthecavalry.org/wp-content/uploads/2014/08/Five-Star-Automotive-Cyber-Safety-February-2015.pdf.44RioDeclarationonEnvironmentandDevelopmentat2(1992),http://www.unesco.org/education/pdf/RIO_E.PDF(discussingenvironmentalprotection’simportancetosustainabledevelopment).
9
Focusingondesignandmanufacturingpracticesalsohelpsaddressoneofthemajorweaknessesofasinglepre-marketassessmentforcybersecurity.IncontrasttoEnergyStar,SecurityShieldexamineshighlydynamicproducts.Itisaxiomaticthatnosoftwareisbug-free,andanycompanyseekingareasonabletime-to-marketislikelytoreleaseflawedproducts—andthoseflawsmay,ingoodfaith,notbeknownatthetimeofrelease.Withsoftware,however,patchingcanremedymany—ifnotmost—issues.Itcanalsocreatenewones.Atthesametime,maliciousactorsareabletoapplyfarmorepressureonproducts“inthewild”thanreasonablein-labtests,andeventuallydiscoverwaystoexploithiddenbugs.Together,thesefactorssuggestthatrelyingonasnapshotproducttesttoawardaSecurityShieldlabelwouldrenderthelabellargelyirrelevant,becausethepracticalsecurity“quality”ofanysingleproductislikelytovaryovertime.
Privatecertifyingorganizationsmaypushcomplementarystandardsinordertocapturesectionsofthemarketnotcoveredbythisprogram.Includingmultiplestakeholdersindevelopmentandallowingthird-partycertifierstotakepartintheprocessmaymitigatethechancethatcompetingstandardswillarise.Theriskofeventualconfusionmustbeweighedagainstthebenefitofmore—orless—robustprivatestandards.Ultimately,baselinestandardsshouldbedevelopedwithagoalofglobalinteroperability.Keepingtheinternationalmarketinmindduringdevelopmentcouldhelpforbearmorestridentorconflictingglobalalternativesandleadthedevelopmentofinternationalstandards.
Anypolicyefforttoimprovecybersecuritywillrequirebroadcommitmentfromavarietyofstakeholdersinordertohaveameaningfulimpact.Oftennationstateandgovernmentalcapabilitiesandresponsibilitieslikewar,crime,andespionageframecybersecuritydiscussions.Thisapproachlargelyconfinesthediscussiontothemilitary,intelligence,andlaw-enforcementcommunities,whichcanbesecretivebydesignandsometimesnecessity,andcanemphasizesecuritywhilefailingtoadequatelyrecognizeotherimportantdemocraticprinciplessuchasprotectingprivacyandfreeassociation.45Theseintergovernmentaleffortsalsohavenotprovensuccessfulatimprovingcybersecurity.Amoreeffectiveapproachcallsforengagingdevicemanufacturers,softwaredevelopers,policyadvocates,andeducationalnetworkstobalanceequitiesandempowerthepublic.46Thistypeofmultistakeholderismencouragestransparency,whichisneededtoovercomethecurrentenvironmentoffear,uncertainty,anddoubt(“FUD”)bredbythetraditionalapproachtocybersecurity.FUDhasproventobeusefulatraisingawarenessabouttheexistenceofathreatbutlessthaneffectiveatbreedingsolutionsor
45SeeMaríliaMaciel,NathaliaFoditsch,LucaBelliandNicolasCastellon,FundaçãoGetúlioVargas,Cybersecurity,PrivacyandTrust:Trends,FundaçãoGetúlioVargas,inLatinAmerica,inCybersecurity:AreWeReadyinLatinAmericaandtheCaribbean?2016CybersecurityReport,ObservatoryCybersecurityinLatinAmericaandtheCaribbean(2016),https://publications.iadb.org/bitstream/handle/11319/7449/Cybersecurity-Are-We-Prepared-in-Latin-America-and-Caribbean.pdf?sequence=1&isAllowed=y.46See,e.g.,HansdeBruijn&MarijnJanssen,BuildingCybersecurityAwareness:Theneedforevidence-basedframingstrategies,34Gov’tInfo.Quarterly1(Jan.2017),https://www.sciencedirect.com/science/article/pii/S0740624X17300540;CybersecurityProgramShouldBeMoreTransparent,ProtectPrivacy,CenterforDemocracy&Tech.(Mar.30,2009),https://cdt.org/insight/cybersecurity-program-should-be-more-transparent-protect-privacy/.
10
improvingbehaviorintheecosystem.47Further,transparentprocessesthatengagetheprivatesectorwillhelptocombateffortsbyauthoritarianregimesandothersthatusecybersecurityasacloaktoengageincensorship,widespreadsurveillance,andotheractionsthatcounterhumanrights.
Indeed,amultistakeholderapproachcanhelpensurethatnetworkownersandedge
providers,amongothers,haveavoiceinregulatoryefforts,helpingtomitigatepotentialnegativeimpactstointernationalcommerce.48PastU.S.-basedeffortstodevelopstandardsandbestpracticesincybersecurity,liketheNIST-supportedCybersecurityFrameworkandtheDHS,NIST,andNTIA-coordinatedefforttoproducetheBotnetReporthaveproventhevalueofamultistakeholderapproach.Theseprojectsrecognizedthatcybersecurityissues,likeautomated,distributedattacks,areanecosystem-widechallenge,andcanonlybeaddressedbyengagingabroadarrayofstakeholders.49Assessment
OnekeylessonfromEnergyStaristhatasystembasedonself-reportedattestationsiseasilyabused.Attestationsshouldbeauditablebyathird-partyobserver—eitherthegovernment,astheprogramsupportingbody,oradulyrecognizedandaccreditedprivateentity.Inthelattercase,thegovernmentcouldprovidefundingfortheaudit,orarebateorothertaxincentiveforcompaniesthatpassmuster.Asattestationprogramsscale,thetendencyhasbeenforassessmentstoloserigorduetorisingcoststhatexertpressureonthemarket.Thistradeoffmustbeacknowledged,andemphasisshouldbeplacedonrobustandaccountablethird-partyassessmentoverrapidscaling.50
TheEPAandDoEimplementedathird-partytestingrequirementforEnergyStarcertificationaftera2010GovernmentAccountabilityOfficeinvestigationrevealedthattheexistingsystem(largelybasedonself-reporteddata)wasripeforfraudandabuse.51Inimplementingthird-partytesting,theEPAreliedontheexistingISO/IEC17065conformityassessmentforproductcertifyingbodies.CompanieslikeMETLabs,Nemco,andUnderwritersLaboratory(“UL”),whichofferbroadandestablishedtestingandcertificationservices,werewellpositionedtoprovidetheseservicestotheEPA,andcouldbereadytooperationalizeacybersecuritylabelingscheme.CTIAhasalreadypartneredwithanumberoftestlabsand
47SamCurry,CuttheFUD:WhyFear,Uncertainty,andDoubtisharmingthesecurityindustry,Helpnetsecurity(Nov.29,2017),https://www.helpnetsecurity.com/2017/11/29/fud-cybersecurity/.48See,e.g.,InternetSociety,InternetGovernance–WhytheMultistakeholderApproachWorks(Apr.26,2016)https://www.internetsociety.org/resources/doc/2016/internet-governance-why-the-multistakeholder-approach-works/.49Seegenerally,BotnetReport,supranote7.50See,e.g.,AndrewPlato,TheFailureofthePCI-DSS?(Feb.11,2014),https://www.anitian.com/the-failure-of-the-pci-dss/.51SeeGAO-10-470(Mar.2010),https://www.gao.gov/assets/310/301514.pdf.
11
certifyingbodiesinordertoimplementitsstandard,primingtheindustryforfuturecybersecurityrequirements.52
Asaproactivemeasure,aprogrammanagercanprovideclearguidanceforattestations,
definingspecifictermsandexplaininghowcustomersarelikelytointerpretcertainstatements.TheFTChaslongprovidedthistypeofinformationtomarketersintheenvironmentalcontextthroughits“GreenGuides.”53Whilecompliancewiththeseguidesdoesnotforecloseanenforcementaction,itdoesprovideawayformarketerstoanticipateandavoidpracticesthatmightbeconsideredunfairordeceptive.54Attributes
Asdiscussedinotherfora,informationasymmetriesdistortthemarketforconsumerIoT.55Thismarketfailurecanbeaddressedthroughregulation,suchasproductsliabilitylaws,orintheabsenceofnewregulation,someothermechanismtoeducateandinformIoTdeviceconsumers.56Oncesuchmechanismisavoluntarylabelingprogram.Oncethedecisionsofwhattoassessandhowtoassessithavebeenmade,threequestionsarise:
● Whatshouldbecommunicatedfromtheassessmentresults?● Howshouldthatthatbecommunicated?● Whereshouldthatbecommunicated?
Whilesomearequicktodismisstrustmarks,arguingthattheyareanoverlysimplistic
solutiontoacomplexproblem,notalllabelsarecreatedequal.Informationallabelscomeinavarietyofformats,andcommunicatedatadifferentlydependingonthedesign,criteria,andevengeneralperception.Theycanbedetailedandtechnical,aswiththetraditionalNutritionFactslabelonfood;theycanprovideastreamlinedratingofkeytraits,aswiththemorerecent“FactsupFront”labels57ortheycanbesimple,trademark-stylemarks,liketheREAL®dairyseal58orENERGYSTAR®label.Recently,technology-drivenalternativemarksliketheSmartLabelhaveenteredthemarket.Acybersecuritymarkcouldtakeasimilar,moredynamicapproachtoinformingIoTdeviceconsumers.Devicescould,forexample,featureamarkthatincorporates,orissupplementedby,aQRcodelinkingtomoredetailedinformation,similartotheSmartLabel
52SeeCTIA,CertificationResources,https://www.ctia.org/about-ctia/certification-resources(lastvisitedJan.24,2019).53SeeFTCIssuesRevised“GreenGuides”,FTC(Oct.1,2012),https://www.ftc.gov/news-events/press-releases/2012/10/ftc-issues-revised-green-guides.54Seeid.55SeePromotingStakeholderActionsAgainstBotnetsandOtherAutomatedThreats,CommentsofPublicKnowledge,3-4(Feb.12,2018),https://www.publicknowledge.org/documents/public-knowledge-botnet-comments;seealsoBlytheandJohnson,supranote2at4.1.56Seegenerally,BenjaminC.Dean,AnExplorationofStrictProductsLiabilityandtheInternetofThings(April2018),https://cdt.org/files/2018/04/2018-04-16-IoT-Strict-Products-Liability-FNL.pdf.57AmodifiedversionoftheBritishGuidelineDailyAmount(GDA)label,http://www.factsupfront.org/.58http://realseal.com/.
12
programforinformationonfoodandhouseholdproducts.59Asoftwarebillofmaterials(SBoM)isanother“nutritionlabel”stylesolutionforprovidinginformationoncriticalpiecesofcode,whichmaybeunwieldyforstandardpackaging.60Click-throughorQR-codeaccesstoaSBoMcanbeaviablesolution.
Whatevertheformat,acybersecuritylabelforconsumerIoTmustprovideaccessible
informationtoconsumers,whichenablesthemtomakeameaningfulchoice.Itmustbeunderstandabletotheaverageconsumerandprovidesufficientinsighttoequipaconsumertomakeaninformedpurchase.Giventhelackofmeaningfulmetricsandgenerallysparseconsumereducationoncybersecuritytoday,amarkcanserveasanappropriateandeffectivewaytoreducetheinformationasymmetriesthatdistorttheconsumerIoTdevicemarket.Problemscanarisewhenacompanygoesoutofbusiness,oraproductiscirculatedinthesecondarymarket.AdynamiclabelsuchasaQRcodecouldbeausefultoolunderthesecircumstancestoinformconsumersthatthesecuritylifecyclehasended,togetherwitharobustcommunicationsstrategybythemanufacturerandsupportedbygovernmentengagement,e.g,children’scarseats.61
Alabelshouldbelocatedinaconspicuousplacebutshouldnotbeintrusivetothepoint
thatitcaninterferewithdesignconceptorfunctionality.Labelsthatexistondesign-orientedproducts,e.g.,theFCClogoonAppleproducts,tendtobehiddenfromsight,socaremustbetakenwhenconsideringthemasproofsofconcept.Alabelmustalsobedesignedtobeeasilyrecognizedandshouldbeversatileenoughtouseonavarietyofsurfacesandmaterials,forexamplethetagofsoft,connectedtoy.Implementation
Agovernment-ledSecurityShieldprogramwillneedbothlegalauthorityandappropriatefundingtoproperlyimplement.TheprogramasawholecouldfindstatutoryauthorityunderSections401and501oftheCybersecurityEnhancementActof201462orunderSection103oftheCybersecurityInformationSharingActof2015.63CongressshouldprovideDepartmentofCommerceandotherappropriateDepartmentsandagencieswithadditionalfundstosupporttheirroleinsuchaneffort.
PursuanttotheNationalTechnologyTransferandAdvancementActof1995(NTTAA)and
OMBCircularA-119,afederalagencyshouldincarryingoutitsmission,wherepossible,
59SeeNewSmartLabel™InitiativeGivesConsumersEasyAccesstoDetailedProductIngredientInformation,GMA(Dec.2,2015),https://www.gmaonline.org/news-events/newsroom/new-smartlabel-initiative-gives-consumers-easy-access-to-detailed-ingredien/..60SeeNationalTelecommunications&InformationAdministration,NTIALaunchesInitiativetoImproveSoftwareComponentTransparency,https://www.ntia.doc.gov/blog/2018/ntia-launches-initiative-improve-software-component-transparency.61See,e.g.,https://www.nhtsa.gov/equipment/car-seats-and-booster-seats.62See15U.S.C.§§7451-61(requiringNISTtocoordinateanationalcybersecurityawarenessandeducationprogram,andtopromotetheadvancementofcybersecuritytechnicalstandards).63See6U.S.C.§1502(requiringtheheadsofappropriateagencies,todistributeinformationoncybersecuritybestpractices).
13
emphasizetheuseofprivatelydevelopedconsensusstandards,wherethosestandardsareeffectiveatmeetingtheagency’sneeds.64TheOMBCircularlaysoutacase-by-caseassessmentprocess,andalsoputscertainlimitationsonthetypesofstandardsfederalagenciesshouldprefer—favoringvoluntarystandardswhosedevelopmentincludespecificattributes(openness,balance,dueprocess,anappealsprocess,andconsensus).65Intheabsenceofsuchstandards,orincaseswherethestandardinquestionisforinternaluse,agovernment-specificstandardisappropriate.Itisalsoimportanttonotethat,likeEnergyStar,aSecurityShieldprogramwouldnotnecessarilyrepresentadefinitivebaselinestandardforreasonablepractices.SecurityShieldpartnersshould,however,beaheadofthecurveandcommittedtopullingitforward.
Trustmarkscanonlyaccomplishtheirintendedtasksiftheyarelegitimateandworthyofpublicconfidence.66DrivingtheSecurityShieldprogramthroughgovernmentprocurementcansignalthekindofapprovalfromapublicauthoritythatisnecessarytocontributetothemark’slegitimacy.67Aspreviouslydiscussed,governmentprocurementrulesrequiredacquisitionofEnergyStarproducts.Congressshouldconsiderlegislationthatwouldprovidesimilarincentivesforacybersecuritylabel.Furthermore,additionalincentivesintheformoftaxdeductionsorrebatesaswellasreassessmentofexistingliabilitylimitationsarealsoworthyofdiscussioninpursuingalabel.Assessmentcostsaresignificantatscale,andsomecompaniesareskepticalofdemandforsecure-to-marketproducts.Taxincentivesatthefederalandstatelevelsmaybecreatedtoovercomethisnegativeinertia.Further,totheextentthatitisnecessary,taxrebatesanddeductionsforpurchasesofSecurityShieldlabeledproductscouldencourageconsumerstopurchaselabeledproducts.Itshouldbenoted,however,thatconsumersarewillingtopayforthesecurityandprivacythattheyvalue.68AswithEnergyStar,thegovernmentcanservetoconnectbusinessestoconsumersbyprovidinginformationonparticipatingcompanies,outliningfinancingoptions,andpubliclyrecognizingbusinessesandorganizationsthataremeetingSecurityShield’sgoals.
Othertoolsinadditiontoalabelcanenhancetheeffectivenessoftheprogram.These
includeretailestablishmentssettingminimumsecurityrequirementsforproductstheywillsellandretailstafftrainedtoinformconsumersaboutsecuritycapabilities,tonamejusttwo.Thesestepsalonecanhelp,butjustaswasthecasewithenergyconservation,alabelcanfacilitateadditionalawarenessandtherebyadditionalopportunitytoenhancecybersecurity.Shortofafull-scaleprogram,retailerssuchasAmazon,BestBuy,orWalmartworkingtogetherwithmanufacturerscouldundertakeapilotprogramtoassesstheviabilityandeffectivenessofacybersecuritylabelingprogram.Thepilotcouldprioritizeproductsassessedtohavebetter64SeeNationalTechnologyTransferandAdvancementActof1995,Pub.L.104-113§§12(d)(1)-(3),15U.S.C.§272;OMBCircularA-119,Revisedat19(Jan.22,2016)(“TheCirculardoesnotprecludetheuseofotherstandards...whereuseofa[privatelydeveloped]standardwouldnotbeaseffectiveatmeetingtheagency’sregulatory,procurementorprogramneeds.”).65SeeOMBCircularA-119,Revisedat18.66SeeGiladL.Rosner,TrustmarksintheIdentityEcosystem,22(OpenIdentityExchange,September1,2014).67Id.68See,e.g.,BruceBrown,BlackBerrysurvey:Consumersdon’ttrustconnecteddevicestokeepdatasecure,DigitalTrends(Jan.7,2019,7:00AM),https://www.digitaltrends.com/cars/blackberry-survey-consumers-mistrust-connected-device-security-ces-2019/.
14
securityandshouldincludetransparencyaroundthecapabilitiesandassessmentleadingtosuchprioritization.Inaddition,retailerscanserveasaresourcemoregenerallytoconsumersabouttheimportanceofproductsecuritybutindoingsoshouldworkfromacommonsetofmaterialsdevelopedinpartnershipwiththegovernmentandsocialscientists.Recommendations
TheSecurityShieldprogrammaybeoperationalizedthroughaseriesofdiscretesteps.Steponeistodevelopconsensussecuritycapabilitiesbaselineorstandards.NISThasexperienceconveningmultistakeholderprocessestodevelopcybersecurityprocessesandbestpracticesthroughitsworkontheCybersecurityFrameworkforCriticalInfrastructureanditsupcomingIoTPrivacyFramework,andcouldserveasthefederalsourcefortheSecurityShieldlabelingprogram.NISTshouldfacilitatethedevelopmentofconsensusIoTsecuritybaselinestandardsincoordinationwiththeotherrelevantagencies(e.g.,DepartmentofHomelandSecurity),industrystakeholders,andconsumeradvocates.
Inconjunctionwithlegislativeeffortsorinadvanceofthem,Steptwocouldbeapilot
program.DevicemanufacturersandtheDepartmentofCommercecanandshouldbeginworkimmediatelyonapilottotestthesecuritybaseline.Apilotprogram,forexampleforrouters,printers,babymonitors,orotherprevalentgovernmentandhouseholdproductsisonewaytobeginbuildingtowardsatrustedlabelthatconsumerscanusetoreliablyevaluateproductriskandmovethemarkettowardsamoresecureinternetecosystem.
Severalsupportingandenablingeffortsarealsocriticaltosuchaprogram’ssuccess.These
includeeducationandawarenessraising,marketsurveillance,andincentivesprograms.Eachoftheseeffortsrequirescollaborationbetweenthepublicandprivatesectorsandwouldbenefitfromasinglepointoffocusfromthefederalgovernment,suchasthroughaprogramofficewithintheDepartmentofCommerce.
