An all-out effort to develop a consumer-focused security labeling program will likely initially focus on Internet of Things (IoT) devices and could include many technology products used by small businesses as well.

The "Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software," held this week by the National Institute of Standards and Technology (NIST), is the government agency's latest step in creating a consumer labeling program to communicate the security capabilities of applications and connected devices, an effort mandated by the Biden administration's Executive Order on Improving the Nation's Cybersecurity, issued in May 2021. The initiative includes government agencies, private industry, and academic experts, with the groups rushing to create requirements and institute pilot programs because the first deadline — the identification of the criteria and components of such a label — must be completed by February 2022.

The goal is to improve the security of products by giving consumers and small businesses the information they need to make security a factor in their purchasing decisions, says Warren Merkel, leader of the standards services group in the Standards Coordination Office at NIST.

"The overall opinion seems to be the magical, 'If it is done right, it is a good thing,'" he says. "I do think there is appropriate concern about what the requirements are and ... that we are not adding a bunch of requirements that differ from what is being done globally. There is not a strong feeling that this is a bad idea, but I think everyone thinks this needs to be done in a way that is attainable."

The Biden administration's May executive order directs NIST to "initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices, and shall consider ways to incentivize manufacturers and developers to participate in these programs."

While the focus is on consumers, small businesses have many of the same characteristics — a lack of security expertise and a lack of individual purchasing power to affect vendors — so that any security-labeling system will likely affect their purchasing decisions as well, says Chris Wysopal, co-founder and chief technology officer for application security firm Veracode, who attended the workshop.

"Small businesses use a lot of the same software that is consumer grade and do not have the sophistication to evaluate the security of these product," he says. "So small businesses will get a lot of value out of these labels too."

The effort aims to create a label that communicates the level of security in a product's design, development, and maintenance. A white paper published by NIST in May concluded that the diversity of IoT devices will require more than one approach to establish security confidence, that more critical devices and software will require more rigorous testing, and that buyers will have to be trained and informed about the components of the labels and what security means in that context.

The label will be voluntary, at least initially, with companies attesting to their own security rankings. Improper ranking of a product will be handled by the Federal Trade Commission as violations of truth-in-advertising laws.

In addition, the labels may start attesting to only the most basic of security precautions. IoT security labels, for example, may just mean that a security analysis of a device's design was completed, the device does not have hard-coded password, and the device is easily updatable, Wysopal says.

"Obviously, that is kindergarten-level security, but it is amazing that many IoT devices do not even have that level," he says. "Those basics need to be in all software, so we should make those requirements be part of the labels."

Some Pushback
The idea of a logo program or nutrition label for security is not new. A variety of private-industry and government labels to communicate security already exist, such as Veracode Verified, Underwriters Laboratories (UL) Cybersecurity certification, the European Union's Cybersecurity Certification Framework, and the United Kingdom's Code of Practice of Consumer IoT Security.

While the current effort is mandated for both software products and IoT products, many companies have pushed back against the software security mandates.

"Much of the software that consumers purchase and use for connected devices is consumed via application stores or marketplaces that are already well-tended," Cisco Systems stated in its initial response to the program, adding "we believe that the emerging area of risk where NIST's efforts can be most effectively focused is on software embedded or otherwise incorporated with devices, such as IoT devices in the consumer environment that interact with the physical environment."

An initial proposal will be released in October, with a comment period until the end of the year, according to NIST. The biggest challenge at this point is the aggressive schedule, says NIST's Merkel.

"It is distilling all that input into actual criteria by February," he adds. "I think everyone recognizes that there is an issue, but how to get there and do it in a meaningful way — there have been different approaches to that. Especially because consumer outreach and education is a big challenge."

NIST plans to post videos from the workshop in the coming weeks.