Visible to the public SoS Musings #61 - Security and Privacy LabelingConflict Detection Enabled

SoS Musings #61 -

Security and Privacy Labeling

The growing number and sophistication of Internet of Things (IoT) devices call for stronger security. The number of connected IoT devices will continue to grow globally. According to Cisco, 500 billion devices are expected to be connected to the Internet by year 2030. Oftentimes, IoT products are designed to prioritize utility and cost over security, resulting in many products being sold with inadequate cybersecurity measures or no security features at all. As hackers often go for the easiest systems to attack that will yield the most damage and profits, this creates cybersecurity risks for consumers' data privacy and security. A security labeling scheme, similar to nutrition labels on packaged foods, could help enhance the quality of IoT devices while safeguarding consumers' data privacy and security. Labeling can make it easier for consumers to learn about and compare the privacy and security features of their IoT devices, similar to how people compare calories in different food products before making the decision to purchase. Manufacturers may be incentivized to resolve vulnerabilities and consider security and privacy in the design and development of IoT devices if such labels are implemented.

Researchers at Carnegie Mellon University's CyLab, which gathers experts from various disciplines to collaborate on cutting-edge research and educate the next generation of security and privacy professionals, have extensively explored the idea of security and privacy labels. A study conducted by a team of CyLab researchers looked into what should be included on an IoT privacy and security label by consulting with experts. The team developed a security and privacy "nutrition label" to allow consumers to check a new IoT device's security and privacy practices. The team consulted with a diverse group of security and privacy experts in the realms of industry, government, and academia in order to develop the label. CyLab's Pardis Emami-Naeini, the study's lead author, emphasized the importance of displaying information on such labels in a concise and understandable manner, similar to the way in which information is provided on nutrition labels on food products. CyLab highlighted the results of a survey conducted by the Economist Intelligence Unit in which 89 percent of participants expressed discomfort with their personal data being shared with third-parties without their consent. In addition, 93 percent of the participants said it is essential to inform consumers of the collection of personal data. Emami-Naeini pointed out that although consumers have these concerns, they cannot find information pertaining to the privacy and security practices of devices when they purchase them. Therefore, the team's label, intended to be placed on the exterior of a device's box, presents important information such as the types of data the device collects, purposes for the device's data collection, and with whom the data is shared. Consumers can access a secondary layer of the label online by scanning a QR code on the primary layer, thus offering additional information such as how long the device retains data and how often it is shared. Both layers present 47 pieces of information regarding a device's security and privacy practices when they are combined. They also developed an IoT label generator to facilitate the creation of device labels for manufacturers.

Further research by the CyLab research team sought to explore how actual consumers perceive risk when reading the attributes provided by the label and how that impacts their purchasing behavior. They found that, in general, people accurately perceived the risk associated with most of the tested attributes. Their perceptions also influenced their willingness to purchase IoT devices, thus helping to pave the way to an improved IoT privacy and security label that can lead to a safer and more secure IoT ecosystem. The research behind these findings involved presenting a randomly assigned scenario about the purchase of an IoT device to 1,371 participants. The participants were then asked to imagine purchasing an IoT device such as a smart speaker or a smart light bulb for themselves, a friend, or a family member. The device's packaging displayed the label explaining the privacy and security practices of the device, and participants were asked how the presented information would change their perception of risk, desire to purchase, and reasoning. It was found that the recipient of the device (i.e., participants themselves, their friend, or their family member) did not impact their risk perception. However, they were less willing to purchase the device for their friends and family than for themselves. Although most of the security and privacy attributes displayed on the label yielded accurate risk perceptions, there were some misconceptions. For example, when given the attribute "Average Time to Patch," which had values of one month, which is less risky, or six months, which is riskier, a considerable number of participants assessed both to be high risk and reduced their willingness to purchase. Some participants said that a device that requires patching must not be secure, as it would not require patching otherwise. Emami-Naeini says these findings suggest that manufacturers should provide justifications to consumers as to why patching may be necessary, why it takes them a certain amount of time to patch a security flaw, and why it may not be practical to patch vulnerabilities faster. Another element that did not change participants' risk perception or desire to purchase was the purpose of data collection. This was linked to the participants' lack of trust in device developers as one participant wrote "companies who collect data are incredibly untrustworthy," and another participant expressed "they do not have consumers' best interests in mind when they are utilizing the data they collect."

The National Institute of Standards and Technology (NIST) has made efforts towards establishing a consumer-focused security labeling program for software and connected devices. In September 2021, NIST held the "Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software." This workshop was a step in the creation of the consumer labeling program aimed at communicating the security capabilities of applications and connected devices, an effort mandated by the Biden administration's May 2021 Executive Order on Improving the Nation's Cybersecurity. According to Warren Merkel, leader of the standards services group in the Standards Coordination Office at NIST, the goal is to enhance product security by providing security information that consumers and small businesses need to consider when making purchasing decisions. The effort aims to create a label that effectively communicates a product's level of security regarding its design, development, and maintenance. The label will be voluntary, at least at first, with companies attesting to their security rankings. The Federal Trade Commission (FTC) will handle improper product rankings as violations of truth-in-advertising laws. Labels may start attesting only to basic security precautions. For example, IoT security labels may just mean that a security analysis of a device's design was completed, the device does not contain a hard-coded password, and it can easily be updated. NIST issued draft on Baseline Criteria for Consumer Software Cybersecurity Labeling and a discussion draft on Consumer Cybersecurity Labeling for IoT Products. NIST proposed that the software provider would need to meet all of the technical requirements to qualify for a label and to display it. These requirements are referred to as attestations or claims about the software's security, which are categorized as descriptive attestations, secure software development attestations, critical cybersecurity attributes and capability attestations, and data inventory and protection attestations. The labeling effort should educate consumers about what the labels mean and show where they can get more information about those cybersecurity attributes. The tentative broad general guidelines NIST has developed for IoT label criteria include product identification, product configuration, data protection, interface access control, software updating, cybersecurity state awareness, cybersecurity documentation, information dissemination, and more.

Similar efforts are being made in Singapore and Finland. For example, an agreement was made between Singapore and Finland to recognize each nation's respective cybersecurity labels for IoT devices. Both countries would mutually recognize cybersecurity labels issued by the Cyber Security Agency of Singapore (CSA) and Transport and Communications Agency of Finland (Traficom). The CSA launched the Cybersecurity Labeling Scheme (CLS) for consumer IoT devices in an effort to strengthen device security, raise cyber hygiene levels, and strengthen the security of Singapore's cyberspace. The CLS, which is the first of its kind in the Asia-Pacific region, rates smart devices according to their levels of cybersecurity provisions, thus enabling consumers to identify products with better cybersecurity provisions and make informed decisions prior to purchasing. Singapore's CLS also aims to encourage IoT device manufacturers to improve the security of their products. The CLS was first intended to cover Wi-Fi routers and smart home hubs. These devices were prioritized due to their widespread use and the potential impact on users if they were compromised. It has since been expanded to incorporate IP cameras, smart door locks, smart lights, and smart printers, among other consumer IoT devices. Finland became the first European country to certify safe IoT devices with its Cybersecurity Label. Traficom launched the Cybersecurity Label to let users know that labeled devices meet basic information security standards. It shows customers that a product's access control, software updates, data protection, data transfer and storage, and default settings have been implemented in a secure manner.

The security community is encouraged to continue exploring and improving security and privacy labeling, which could lead to a more secure IoT ecosystem.