acm-header
Sign In

Communications of the ACM

Security

Security by Labeling


refrigerator-freezer in a home appliance store

Credit: Alicia Kubista / Andrij Borys Associates

Empowering consumers to make risk-informed purchasing decisions when buying Internet-of-Things (IoT) devices or using digital services is a principal thrust to advance consumer cybersecurity. Simple yet effective labels convey relevant cybersecurity information to buyers at the point of sale and encourage IoT vendors to up their cybersecurity game as they now can recoup their security investments from risk-aware buyers. These dynamics benefit consumers and the industry alike, resulting in better, more resilient cybersecurity for all.

Consumers are insufficiently aware of risks emanating from IoT and are ill-equipped to manage them. For all the much-heralded benefits of consumer IoT to come true, the industry must ensure all the smart home appliances, connected thermostats, and digital services are secure and can be trusted. The industry has for long been criticized for not paying sufficient attention to the cybersecurity of its products. Concerns over security were pushed aside, yielding precedence to shorter time-to-market and higher corporate profits. Less time for testing translates into insecure products in residential homes.

The full cost of insecurity is on display when consumers, industry, and governments must respond to and clean up after cyber incidents. The toll of consumer cybercrime alone adds up to more than 100 billion USD per year globally.4 The industry, with support from government, must find ways to put IoT security front and center and make the necessary up-front investments that enhance consumer cyber-security and lower cost to everyone.

Back to Top

Lack of Information Drives Cyber Insecurity

Consumer cybersecurity is suffering from information asymmetry, the skewed appraisal of the quality of a property that Nobel Laureate economist George Akerlof described in his seminal writing "The Market for Lemons: Quality Uncertainty and the Market Mechanism."1 In the secondhand car market, Akerlof observed, buyers of used cars could not tell good cars from bad ones and thus differentiated the product on price alone, rather than including the quality of the preowned vehicles in their purchase decision-making. Sellers had no incentive to sell higher-quality cars since they could not find buyers willing to pay a higher price. Thus, the information asymmetry between the seller, who knows the quality of the car, and the buyer, who cannot assess the quality of the car, led to a market of lemons, a degraded market of subquality cars, which frequently break down and are in constant need of expensive repairs.


The challenges on the way to consumer IoT cybersecurity labeling are considerable but not insurmountable.


The consumer IoT marketplace faces a similar conundrum. Buyers cannot discern a secure Internet-connected camera from its insecure, cheaper alternative. With no market demand, IoT manufacturers have no incentive to invest in cybersecurity. All that is left is to compete on price, further incenting the reduction of security to save on cost and hindering the much-needed consumer adoption of secure Internet-connected devices and services. Adding transparency by means of a recognized, trusted cybersecurity label can break this vicious cycle, empower buyers to make risk-informed purchases, and allow vendors to reap the rewards of their cybersecurity investments by marketing to security-aware customers. In fact, research shows that a sizable portion of consumers is willing to pay a 30% markup for secure IoT products.5

Back to Top

Making Obscure Certifications Consumer Friendly

Traditionally, certifications in the ICT industry have been used to attest to the conformance of products or services with standards. The number of standards and certifications relevant to the protection of the digital consumer is growing. The U.K.'s Internet of Toys Assurance Scheme is a case in point. It certifies a cybersecurity and data protection baseline for interconnected toys to protect children from digital harm. Another consumer-centered example is The Digital Standard, an initiative spearheaded by a U.S. non-profit collective, that designed a framework for evaluating cybersecurity, privacy, governance, and product ownership of consumer IoT. Technical standards and security baselines, including ETSI EN 303 645 consumer cybersecurity IoT baseline requirements and its test specification ETSI TS 103 701, the NIST IoT device cybersecurity capability core baseline NISTIR 8259A and the foundational cybersecurity activities for IoT device manufacturers NISTIR 8259 as well as the C2 consensus on IoT device security baseline capabilities, under-gird consumer IoT certification.

While these are important contributions toward advancing consumer cybersecurity, certification remains a rather obscure matter to most end users and even less provides clarity on what it implies for cybersecurity. When consumers buy a new refrigerator or a dishwasher at a retailer, they hardly inquire about technical industry certification. But what has successfully emerged for many decades now are labels that translate selected technical facts into easy-to-understand information that consumers can use to compare products.

To account for distinct product types, informational needs, and contexts of use, conventional labels come in different forms and styles. Binary labels or seals of approval denote the existence of a property, such as the USDA Organic Seal. Graded labels use a scale to indicate levels of quality, such as New York City's restaurant sanitation letter grades A, B, or C. Finally, descriptive labels offer the most information and highlight key properties. The FDA Nutrition Facts label falls in this category. The purpose and objective of a cybersecurity label will determine which type is most applicable to inform the digital consumer in an effective way.

Back to Top

Early Movers Leading the Way

Singapore's efforts to create a cybersecurity label have garnered much attention and have been widely cited as an example to use market forces to even out the information asymmetry and thus strengthen cybersecurity. Under the purview of the Cyber Security Agency of Singapore (CSA), the Cybersecurity Labeling Scheme for consumer smart devices was launched in October 2020 and offered certification and labeling for Wi-Fi routers and smart home hubs. Labels of the voluntary scheme fall into four categories with distinct security requirements; Levels 1 and 2 rely on vendor self-certification, whereas Levels 3 and 4 require independent assessment by approved test labs. CSA-issued labels are valid for a period of up to three years, during which the manufacturer will provide security updates to consumers. Seven months into the launch, eight devices from five vendors received a label, all of them at Level 1. One year later, the number rose to 138 devices that attained a label on all but Level 3, with many more products from a diverse set of manufacturers waiting in the certification pipeline.

Finland's Transport and Communications Agency was the first to award its own consumer cybersecurity label, Tietoturvamerkki. It has issued labels to 14 products that met Finland's National Cyber Security Centre information security requirements based on ETSI EN 303 645. Finland and Singapore signed a mutual recognition agreement, which allows manufacturers to receive certification for both markets in a single certification process.

Through the Executive Order "Improving the Nation's Cybersecurity," U.S. President Biden directed in 2021 the National Institute of Standards and Technology (NIST) to study IoT labeling, which resulted in recommendations for cybersecurity criteria for consumer IoT products and software.6 In contrast to Singapore and Finland, NIST is not establishing a government labeling program, but its recommendations and standards aim at enabling private actors to fill the gap.


Buyers cannot discern a secure Internet-connected camera from its insecure, cheaper alternative.


IoT trust marks for consumer IoT devices were also discussed in the U.K. and Australia. Eventually, the U.K. favored a mandatory cybersecurity baseline for connected consumer devices instead. In Australia, a private provider piloted the IoT Security Trust mark in 2021. Certification providers with global reach play an important role in the adoption of labels by industry. Known for its safety and quality testing, the independent Underwriters Lab (UL) introduced a label-based IoT Security Rating. To that end, UL works with manufacturers and retailers to certify smart washers, HVAC systems, refrigerators, and other home appliances.

It should be noted these are not the first attempts for an IoT label. Starting in 2015, the Cyber Independent Testing Laboratory aimed at providing public product cybersecurity ratings but has since then pivoted to surveying firmware security at scale. The Trustable Tech mark, which closed down in 2020, was another effort in this category, that ran into difficulties to reach critical mass and find a sustainable business model. It is a cautionary note that the failure of a label can undermine trust and divert much-needed industry investments in consumer cybersecurity.

Back to Top

Interventions to Rejuvenate Cybersecurity Market Forces

One does not need to be an economist to determine there exists a market failure for cybersecurity. Simply put, market participants do not compete on security. This is a case for justifiable and, frankly, much-needed government intervention to strengthen cybersecurity. Regulators can set the conditions for labels to successfully leverage market mechanisms to overcome information asymmetry and prevent a market of cybersecurity lemons. Defraying manufacturers' expenses for labeling through government cost reimbursement is one way to accelerate label adoption. A recent British regulatory cost estimate for physical label implementation ranged from 3,000 GBP per company on the lower end to 500,000 GBP for the largest manufacturers.2 But this is not where it stops. A series of root causes of cybersecurity externalities need to be addressed, think of it as security essentials.


Consumer cybersecurity can no longer be ignored.


To that end, governments have made important contributions to overcome information asymmetries and reduce externalities, in some cases through regulatory means. For instance, NIST developed an IoT device cybersecurity capability core baseline that helps boost consumer cybersecurity. Per California IoT Law (SB-327 Information privacy: connected devices), manufacturers are required to equip each connected device with a unique password and other reasonable security features when selling to consumers in the Golden State. Building on the Code of Practice for Consumer IoT Security, the U.K.'s pending Product Security and Telecommunications Infrastructure bill would tighten the industry's responsibility for consumer cybersecurity. Non-compliance with relevant standards—such as the globally applicable ETSI standard EN 303 645: Cyber Security for Consumer Internet of Things: Baseline Requirements—would be punishable to the greater of 10 GBP million or 4% of the manufacturer's annual global revenue.

Back to Top

Multistakeholder Collaboration to Overcome Challenges

The challenges on the way to consumer IoT cybersecurity labeling are considerable but not insurmountable. Building upon existing IoT cybersecurity standards, the relevant labeling infrastructure, processes, and governance mechanisms need to be established. Governments should focus on setting the conditions upon which the private sector can jumpstart labels and move quickly to practical solutions that small and large IoT manufacturers can implement. The market must come with sustainable business models for labels. Leveraging sector-specific knowledge in trade associations and harnessing certification expertise and capacity in the private sector are key ingredients to scale IoT consumer labels successfully. The adoption and diffusion of labels by industry and consumers is another, perhaps the most critical, step in advancing consumer cybersecurity. Securing the cooperation of large national retailers in this step can help reach critical masses for IoT cybersecurity labeling in industry and among consumers, as they have the power to decide what secure IoT they put on their physical and digital shelves.

The nascent labeling regime also must address a range of policy design decisions. For instance, a label's static character poses a challenge to the ever-changing nature of cybersecurity. Should a label include an expiration date or be subject to reoccurring assessments? Should a competent authority be able to revoke a label or even stop the sale of a consumer IoT device that upon testing shows severe security vulnerabilities? Should expert consumers get access to testing and certification results to make security decisions in line with their risk profile? Experiences from other domains, such as food, energy, and health sanitation should help inform these design decisions, but they also provide hints on how labeling systems may evolve.3

Consumer cybersecurity can no longer be ignored. It is time for governments, manufacturers, trade associations, and consumer advocacy groups to take immediate steps to establish guidelines and identify best practices but also consider financial incentives for setting up IoT labeling systems, driving industry adoption, and ensuring consumer label recognition and education with the ultimate goal to advance consumer cybersecurity. Close multistakeholder collaboration among consumers, industry, and government is a must to secure IoT devices and for consumers to justifiably trust in the digital future.

Back to Top

References

1. Akerlof, G.A. The market for "lemons": Quality uncertainty and the market mechanism. The Quarterly Journal of Economics 84, 3 (1970), 488–500; https://bit.ly/3O5NMlA

2. Evidencing the cost of the U.K. government's proposed regulatory interventions for consumer IoT Department for Digital, Culture, Media and Sport (2020); https://bit.ly/3O5Njjk

3. Garg, V. and Kuehn, A. Squeezing the Cybersecurity Lemons—A Labeling Regime for IoT Products. ;login:. (2021); https://bit.ly/3yvhQB6

4. 2016 Norton Cyber Security Insights Report: Understanding cybercrime and the consequences of constant connectivity. Symantec Corporation (2016); https://bit.ly/3O0Se4V

5. Product security: IoT and other Internet-enabled devices. Centre for International Governance Innovation, CIGI-Ipsos Global Survey on Internet Security and Trust (2019); https://bit.ly/3IAK7Lm

6. Report for the Assistant to the President for National Security Affairs (APNSA) on Cybersecurity Labeling for Consumers: Internet of Things (IoT) Devices and Software. National Institute of Standards and Technology (2022); https://bit.ly/3uJRrOS

Back to Top

Author

Andreas Kuehn ([email protected]) is Senior Fellow at the Observer Research Foundation America, Washington, D.C., USA.


Copyright held by author.
Request permission to (re)publish from the owner/author

The Digital Library is published by the Association for Computing Machinery. Copyright © 2022 ACM, Inc.


 

No entries found