What to Know About the Proposed U.S. Cyber Trust Mark

By | August 16, 2023

With cyber attacks continuing to grow and new risks emerging, the Biden-Harris Administration in July announced a cybersecurity certification and labeling program to help U.S. consumers more easily choose smart devices that are safer and less vulnerable to cyber attacks.

This is called the U.S. Cyber Trust Mark program, and under it, consumers would see a newly created shield logo on products that meet established cybersecurity criteria from the National Institute of Standards and Technology. The goal of the program is to give consumers the tools to make informed decisions about the security of the products they choose for their homes or their companies, according to a White House press release. But cybersecurity experts say this is just one step toward building more cyber awareness, and that ultimately, getting ahead of cyber vulnerabilities is a shared responsibility between the public and private sectors.

“We don’t want to create a false sense of security, right?” said Sonu Shankar, chief strategy officer of Phosphorus, on this episode of The Insuring Cyber Podcast. “We don’t want to be defending at the one yard line. I think a big part of that, collectively for our economy and our society, is we are going to have to get to a point where there is more awareness around what happens after you get a labeled and trusted device. What are your responsibilities? What should you be doing every day?”

Phosphorus is an IoT cybersecurity company, and Shankar and his team have been closely following the development of this new program and testing IoT devices to find out how insecure they are. Phosphorus published a report in December 2022, titled "xIoT threat and trend report," which found that 68% of devices have high-risk to critical vulnerabilities. Shankar said shared responsibility is key, particularly as connected devices become more commonplace within households and companies.

“Even if, for example, a camera or a badge reader is coming with a cyber trust mark or a label, and we know that the device has been manufactured with these security requirements in mind, ultimately the management and monitoring of those devices is going to land on the enterprise, the operator,” he said. “We need more awareness in the industry and the market with operators, with users, that there is still the management and monitoring piece where they have to change passwords on a regular basis. They have to maintain firmware on a regular basis. They have to update configurations. They have to monitor them for changes in their state. They have to monitor them for potential malicious activity taking place directly on the device.”

This is particularly important within the context of the extended internet of things, or xIoT, which he says encompasses every connected device that can't send activity logs to a security monitoring tool or can't run an endpoint security agent. These include more traditional devices such as printers or HVAC controllers, he says, but the category also covers medical devices such as infusion pumps and health monitors. In the industrial and manufacturing sector, things like sensors and other operational technology devices are also part of the xIoT.

Shankar said one of the concerns with these devices is that they could be running with default passwords or outdated software, making them vulnerable to attacks.

“Most of these devices are running with default passwords in major enterprise environments. They’re running with firmware that is very old. They’re running with firmware that has known critical vulnerabilities. They’re running with configuration issues,” he said. “These devices are absolutely going to be repurposed for launching attacks. It could be a wide variety of attacks, especially with the nature of these devices. They can be repurposed to do essentially anything an attacker wants to do with them. And that’s what really makes them incredibly enticing targets for attack as well.”

With this in mind, operators of these devices – whether individuals or companies – will need to keep their passwords and software up to date to meet the latest cybersecurity standards. Shankar said the U.S. Cyber Trust Mark program could play a big role in that.
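As an added example (not code from the article or from Phosphorus), the daily operator checks Shankar describes can be run as a baseline comparison over a device inventory: flag default or stale passwords, firmware behind the approved version, configuration drift, and unexpected state changes. The device ids, versions, hashes and the 90-day rotation policy below are constructed assumptions.

```python
from datetime import date

# Constructed xIoT inventory (hypothetical devices, not from the article).
DEVICES = [
    {"id": "cam-01", "type": "camera", "default_password": True,
     "firmware": "2.1.0", "config_hash": "a1", "state": "online",
     "last_password_change": date(2022, 1, 10)},
    {"id": "badge-07", "type": "badge_reader", "default_password": False,
     "firmware": "4.3.2", "config_hash": "b2", "state": "online",
     "last_password_change": date(2023, 7, 1)},
    {"id": "printer-03", "type": "printer", "default_password": False,
     "firmware": "1.0.9", "config_hash": "c3zzz", "state": "rebooting",
     "last_password_change": date(2023, 6, 15)},
]

# Constructed operator baseline: approved firmware, config hash and expected state per device.
BASELINE = {
    "cam-01": {"firmware": "2.1.0", "config_hash": "a1", "state": "online"},
    "badge-07": {"firmware": "4.3.2", "config_hash": "b2", "state": "online"},
    "printer-03": {"firmware": "1.2.0", "config_hash": "c3", "state": "online"},
}

def version_tuple(v):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def assess(devices, baseline, today, max_password_age_days=90):
    """Return {device_id: [findings]} covering the duties the article lists."""
    report = {}
    for d in devices:
        findings = []
        base = baseline[d["id"]]
        if d["default_password"]:
            findings.append("default password still set")
        elif (today - d["last_password_change"]).days > max_password_age_days:
            findings.append("password older than rotation policy")
        if version_tuple(d["firmware"]) < version_tuple(base["firmware"]):
            findings.append(f"firmware {d['firmware']} behind approved {base['firmware']}")
        if d["config_hash"] != base["config_hash"]:
            findings.append("configuration drifted from baseline")
        if d["state"] != base["state"]:
            findings.append(f"state changed to {d['state']}")
        if findings:
            report[d["id"]] = findings
    return report

def run_example():
    """Assess the constructed inventory as of the article's date."""
    return assess(DEVICES, BASELINE, date(2023, 8, 16))

if __name__ == "__main__":
    for dev, issues in run_example().items():
        print(dev, "->", "; ".join(issues))
```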

“I think that it’s a great first step. It’s a baby step, but a huge baby step in the direction that we want to go,” he said. “The labeling is primarily to bring more awareness around the fact that, on the consumer side, we are now bringing so many more smart devices into our lives everyday. The subtle message there is the fact that all of our enterprise environments – where we go to work every day, where we innovate every day, where we think about what we’re going to build next every day – all of those environments also include a large set of connected devices. I think inevitably, there will be a point in time in the future where only devices that have met a certain level of security requirements will actually be allowed to get deployed in an enterprise environment.”

He said he believes the next evolution of the program will be to articulate what it means for an enterprise if it has a trusted device that is being installed into its environment. He also hopes to see more structure around what it takes to get the U.S. Cyber Trust Mark label.

“It’s really hard to make it a one-size-fits-all for this world, but I think starting with default passwords, configurations and firmware, and monitoring overall would be great,” he said, “and ultimately, guidance on how you should be doing that every day. I think that is going to be incredibly important for the future.”

The Federal Communications Commission is expected to seek public comment as the proposed voluntary cybersecurity labeling program is rolled out. The program is set to be up and running by 2024.

This is part one of a two-part conversation on the U.S. Cyber Trust Mark program. Be sure to check out the rest of the episode to see what else Shankar had to say, and check back for part two, publishing on Wednesday, August 30, along with the Insuring Cyber newsletter. Thanks for listening.
