The “New Cyber Trust Mark” labeling program

Sept. 21, 2023
How organizations can ensure efficiency and move to full acceptance

On July 18, the Biden Administration launched a new cybersecurity labeling program to assist consumers in choosing smart devices that are less vulnerable to hacking. This new “U.S. Cyber Trust Mark” will appear on IoT products and devices that have cybersecurity protections, and it represents an excellent first step toward securing people's home networks, especially as the number of cyber-attacks and attempts has increased in 2023 alone.

However, the primary concern with certification programs such as this is whether the consumer you're marketing to is willing to pay a higher premium for a different, more ethically produced product. Unfortunately, the answer tends to be "no": certifications are just one of the many factors that go into a purchasing decision, and price is often the top decider. Depending on the cost of this program, it might make more sense to subsidize the consumers who purchase these products rather than the corporations that make them.

From Stick to Carrot

Additionally, programs of this type are perceived as "red tape" and are only begrudgingly accepted by the companies they affect. Because they tend to introduce additional cost and paperwork for every participating organization, a more modern approach in which regulatory compliance is measured digitally and automatically would be beneficial. That changes the dynamic from a "stick," where individuals and companies are penalized for non-compliance, to a "carrot," where they effectively receive a free cybersecurity audit of their product.

Many companies don't undertake any security certifications, so this option of a fully digital, automated, "lite" certification can create benefits rather than obstacles.

Overall, how can we ensure participation and efficiency in a program such as this one? Establishing a single source of truth in a public code repository during the Request for Comments (RFC) phase is a good place to start: a system that evaluates compliance against live data will eventually need to refer to a source like this. The private sector could also build tools that update automatically as the requirements change, potentially offering them as a service to other vendors.

4 Ways to Improve Effectiveness

As the program continues to develop and expand, below are a few ways to establish its effectiveness:

1.   Use a real-time, data-driven approach. An enormous amount of public data already exists about these devices, their publicly known (and unpatched) security issues, and more. That information should be used to (a) inform program metrics (for example, if there are 400 million vulnerable home routers today, how long would it take to reduce that number to under 4 million, i.e. less than 1%?) and (b) inform the policies that are actually implemented. For instance, if a certification requirement addresses only a small aspect of security but is a significant inconvenience to satisfy, it can be de-prioritized.

2.    Technology moves fast, so establish moving targets for benchmarks and evaluation. Using a data-driven approach, you can set fluid benchmarks that change as the landscape changes. For instance, if version 1.8 of a product's software is certified and version 1.9 is then released, does the certification still hold? The government could run a continuous integration script that verifies the security properties of every new release, so that if the changes between 1.8 and 1.9 introduce a new security issue, the release cannot be delivered to end-user devices until it is fixed.

3.    Assume bad actors will attempt to influence or game the certification program. If the certification process contains elements that are easy to game, how will bad actors exploit them, and could they even use them to make it harder for everyone else to pass? For example, building energy certifications award owners points against specific criteria. If simply installing a bike rack improves the building's score without really improving its energy consumption, then all actors (good and bad) will game it.

4.    Focus on the large players first. The majority of home internet users get their router from their ISP. Focusing on those providers to improve the security posture of their equipment will have an outsized impact on the national security profile.
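The release gate described in point 2, evaluating each release against a machine-readable requirement set of the kind the earlier "single source of truth" paragraph proposes, can be sketched as a small script. This is an added example in Python, not code from the Cyber Trust Mark program or from the author; the rule ids (CTM-xx), component names, version numbers and the advisory list are all constructed for illustration.

```python
"""Release gate for a certification program: re-evaluate every firmware release
against a machine-readable requirement set and block a release that introduces
a new security issue relative to the certified baseline.

Added example; not code from the Cyber Trust Mark program or the article.
Rule ids (CTM-xx), component names, versions and the advisory list are
constructed for illustration."""
from dataclasses import dataclass
import json

# Constructed requirement set, standing in for the "single source of truth" a
# program could publish in a public repository. A later revision adds a rule.
REQUIREMENTS_JSON = json.dumps({
    "version": "2023-09",
    "rules": [
        {"id": "CTM-01", "check": "no_default_credentials"},
        {"id": "CTM-02", "check": "auto_update_enabled"},
        {"id": "CTM-03", "check": "no_known_vulnerable_components"},
    ],
})
REQUIREMENTS_V2_JSON = json.dumps({
    "version": "2024-03",
    "rules": json.loads(REQUIREMENTS_JSON)["rules"]
    + [{"id": "CTM-04", "check": "firmware_signed"}],
})

# Constructed advisory feed: component -> versions with a known, unpatched issue.
KNOWN_VULNERABLE = {
    "busybox": {"1.30.0"},
    "libwebserv": {"2.1.0", "2.1.1"},
}


@dataclass(frozen=True)
class Release:
    version: str
    components: dict           # component name -> version shipped in this build
    default_credentials: bool  # ships with a fixed admin password
    auto_update: bool          # can receive security updates unattended
    firmware_signed: bool = False


def vulnerable_components(release: Release) -> list[str]:
    """Components in this release whose version appears in the advisory feed."""
    return sorted(name for name, ver in release.components.items()
                  if ver in KNOWN_VULNERABLE.get(name, ()))


# One predicate per rule; the requirement file refers to them by name, so a new
# rule is a data change plus one function rather than a new pipeline.
CHECKS = {
    "no_default_credentials": lambda r: not r.default_credentials,
    "auto_update_enabled": lambda r: r.auto_update,
    "no_known_vulnerable_components": lambda r: not vulnerable_components(r),
    "firmware_signed": lambda r: r.firmware_signed,
}


def evaluate(release: Release, requirements_json: str) -> dict[str, bool]:
    """Map each rule id in the requirement set to pass/fail for this release."""
    rules = json.loads(requirements_json)["rules"]
    return {rule["id"]: bool(CHECKS[rule["check"]](release)) for rule in rules}


def gate(baseline: Release, candidate: Release, requirements_json: str):
    """Return (allowed, reasons). The candidate is blocked on any failing rule;
    each failure is labelled a regression if the certified baseline passed it,
    so the vendor can see which change between releases introduced it."""
    base = evaluate(baseline, requirements_json)
    cand = evaluate(candidate, requirements_json)
    reasons = []
    for rule_id, ok in cand.items():
        if not ok:
            kind = "regression" if base[rule_id] else "pre-existing failure"
            reasons.append(f"{rule_id}: {kind}")
    newly_vulnerable = set(vulnerable_components(candidate)) - set(vulnerable_components(baseline))
    for name in sorted(newly_vulnerable):
        reasons.append(f"component {name} {candidate.components[name]} has a known issue")
    return (not reasons, reasons)


# Constructed releases: 1.8 is the certified baseline, 1.9 bumps a library into
# a version with a known issue, 1.9.1 fixes it.
RELEASE_1_8 = Release("1.8", {"busybox": "1.31.1", "libwebserv": "2.0.9"}, False, True)
RELEASE_1_9 = Release("1.9", {"busybox": "1.31.1", "libwebserv": "2.1.0"}, False, True)
RELEASE_1_9_1 = Release("1.9.1", {"busybox": "1.31.1", "libwebserv": "2.1.2"}, False, True)

if __name__ == "__main__":
    for candidate in (RELEASE_1_9, RELEASE_1_9_1):
        allowed, reasons = gate(RELEASE_1_8, candidate, REQUIREMENTS_JSON)
        print(candidate.version, "ALLOWED" if allowed else "BLOCKED", reasons)
    # Moving target: the same certified baseline re-checked against the newer
    # requirement set now fails the rule it was never tested for.
    print("1.8 under", json.loads(REQUIREMENTS_V2_JSON)["version"],
          evaluate(RELEASE_1_8, REQUIREMENTS_V2_JSON))
```

Two design points matter here. The requirement set is data, so a revised requirements file (the "moving target") is re-applied to already-certified releases without touching the pipeline, and a baseline that passed last year can be shown to fail a rule it was never tested for. And the gate reports failures relative to the certified baseline, distinguishing a regression introduced between 1.8 and 1.9 from a pre-existing gap, which is the information a vendor needs to fix the release before it reaches devices.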

In summary, this program needs dynamic checks and balances that are robust, stress-tested, and red-teamed, against both social engineering and technical attacks. It should be piloted with a small, diverse group of customers, both large and small. Feedback should be collected, and constant iterative improvement of the program should be expected.

About the author: Yale Fox is a cybersecurity and machine intelligence expert. He is an IEEE Member and currently designs, builds and implements Research & Development programs for Fortune 500 companies. Yale is also the founder of Applied Science. Prior to this, Yale developed a similar program for rental housing. He combined vast amounts of public data to score buildings based on potential issues (heat, water, pests, etc.) and produce a letter-grade rating (A, B, C or F), similar to how restaurants are inspected and graded on hygiene and sanitation.