Squeezing the Cybersecurity Lemons – A Labeling Regime for IoT Products

December 9, 2021

Research

Authors:

Article shepherded by:

Rik Farrow

Some public policy experts have suggested that a cybersecurity label can help buyers make informed purchasing decisions of new IoT devices. One proposal uses New York City’s health sanitation labels as an analogy [1]. Restaurateurs are required to display a letter grade – A, B, or C – based on the inspector’s score. The score changes after an infraction, resulting in a lower letter grade from which restaurant goers can infer that an establishment’s hygiene is amiss. Policy makers have argued that a similar label that assigns grades based on the cybersecurity posture of the IoT product may help buyers make purchasing decisions commensurate with their cyber-risk tolerance. We discuss some of the issues involved with the establishment of IoT labeling in this article.

The underlying concern is that non-expert buyers may be unable to differentiate IoT products on cybersecurity. This information asymmetry may lead to under provisioning of cybersecurity by the vendors, as consumers will differentiate products on features instead. This potentially results in a lemons market for cybersecurity in some IoT [2]. The resulting costs are made apparent when industry and government respond to incidents, clean-up compromised networks and devices, recover business operations, as well as contain the damages from data breaches. Labels may mitigate information asymmetry and thereby incentivize upfront cybersecurity investments, and move cybersecurity to the left, that is, earlier in the product development lifecycle.

Furthermore, these labels may allow vendors to generate additional revenue. Research shows that buyers are willing to pay a 30% premium for cybersecurity for consumer IoT products [3]. Labeling may enable vendors to differentiate their products from less secure alternatives and thereby target customers who are willing to pay for secure and safe IoT products.

Death by a Thousand Certifications

Unsurprisingly, third party certification providers have jumped into the fray recognizing that the testing and certification of a growing number of Internet-connected devices will become a viable revenue stream. The U.S. wireless industry’s trade group, CTIA, has come up with a cybersecurity certification program that allows vendors to have an independent third-party attest to the security of their offerings [4]. Another example is the Network Equipment Security Assurance Scheme (NESAS) which grew out of a joint effort by 3GPP, a consortium of standards organizations for mobile telecommunications, and GSMA, a global industry organization for mobile network operators, which defines security requirements and an assessment framework for secure product development and lifecycle processes and provides test cases for the security evaluation of network equipment [5]. Finally, the Digital Standard from Consumer Reports has taken a more holistic perspective, encompassing not just security and privacy but also other consumer concerns such as the right to repair [6].

The public sector is also invested in solving the security information asymmetry to ensure the broader resilience of the national cyber infrastructure. To that end, the U.S. National Institute of Standards and Technology (NIST) has issued an IoT device cybersecurity capability core baseline for use as “a starting point” in identifying device cybersecurity capabilities [7]. The European Union’s Cybersecurity Agency has released baseline security recommendations for IoT as well as good practices for IoT and a smart infrastructures tool [8]. The EU is also developing a cybersecurity framework for tailored risk-based certification [9]. These efforts are seconded by legal and regulatory requirements designed to bolster the security of devices used by government agencies, such as the U.S. IoT Cybersecurity Improvement Act. This Act directs NIST to develop guidelines and standards for federal agencies and contractors. It also instructs the Office of Management and Budget (OMB) to review information security policies and principles for compliance with NIST’s recommendations [10]. The California IoT Law (SB-327 Information privacy: connected devices) requires manufacturers to equip certain IoT devices sold in the State of California with reasonable security features, including a preset or generated password unique to each device [11].

These technical certifications and associated security assurance may not suffice to inform the average consumer or even a professional buyer. A mechanism to make the connected product’s cybersecurity obvious at the point of purchase may further facilitate IoT purchases commensurate with the buyer’s cyber risk tolerance. One solution is to translate the certification results, from testing an IoT product against a security specification, into a cybersecurity label [12]. In the recent Executive Order on Improving the Nation’s Cybersecurity, President Biden initiated a cybersecurity labeling pilot [13]. The U.S. Cyberspace Solarium Commission has also proposed the creation of a National Cybersecurity Certification and Labeling Authority, which would establish an Energy Star style cybersecurity labeling regime for IoT [14]. Such an entity, the Commission’s recommendation goes on, could also cooperate with other U.S. government departments and agencies to develop security certifications for emerging technologies, cloud computing in particular.

Measuring Security is Difficult

The technical, organizational, and economic challenges in creating an effective cybersecurity label and the supporting infrastructure for a comprehensive labeling regime are numerous, especially when considering labels for the broader cybersecurity ecosystem that go beyond consumer IoT [15]. First, cybersecurity is difficult to measure. For example, EnergyGuide or EU energy labels convey energy efficiency, which is measured in kWh per annum. There is no analogue for cybersecurity. Furthermore, cyber risk of an IoT device is contingent on the context of deployment. The same device deployed behind a firewall is exposed to lower risk than if connected directly to the Internet. Neither are two firewalls created equal and even the same firewall will offer different flavors of security based on its configuration. Furthermore, the context of application matters for managing cybersecurity and mitigating risk. The operational needs of a connected device in a medical environment, possibly affecting sensitive or critical health data processing, differ from its cousin in a residential smart home setting.

Second, security is a dynamic, not a static property [16]. An IoT device is subject to a changing software and threat environment. What was assessed and deemed secure yesterday, may not be secure today. A newly discovered software vulnerability or new type of exploit technique might render an IoT device previously considered secure as vulnerable. The dynamism of the threat environment highlights the limits and deficiencies of any labelling regime established via prescriptive rules. The agility and flexibility required to adapt such rules to a continually evolving threat landscape is incompatible with the rigidity and delays inherent in the regulatory process. Given the adversarial nature of cybersecurity any measure of cybersecurity will be limited by the evolution of threat actor capabilities. As time passes on, it can be assumed that the security of a device diminishes as a result of general technological progress and end-of-life support.

Some proposals for cybersecurity labels recognize the limitations of static labels, as they portray the state of a device’s security–including versions of firmware and software–at the point of time it was tested. To overcome these shortcomings, a label could indicate a security expiration date [17]. The UK’s Code of Practice for Consumer IoT Security suggests that manufacturers should provide a timeline beyond which they may not offer security updates [18]. Academic researchers and ioXt, an industry alliance for IoT security standards and certification, have proposed the use of QR code based smart labels that can provide the most current security status of a device [19, 20].

One Label Cannot Rule them All

Beyond these technical concerns, there is the challenge of determining the appropriate testing and assessment labs as well as the labeling accreditation authority. The NYC health department creates an institutional structure for determining the grade for a restaurant. In cybersecurity this would be analogous to certifying, as well as labeling, the software development lifecycle of an IoT vendor. However, current proposals focus on labeling products. For example, the U.S. Cyberspace Solarium Commission has proposed the creation of a non-profit National Cybersecurity Certification and Labeling Agency [14]. The proposed entity could either certify devices itself, authorize third party entities to certify against a specification, or certify existing certifications.

A centralized, prescriptive approach may struggle with scalability, device diversity, and deployment complexity. An Internet connected car is demonstrably different from a smart rain sensor. A vendor for the latter should not have to meet the same security requirements as the car’s manufacturer. Previous centralized approaches to security certification were criticized for having security requirements that were too difficult to understand, too expensive to implement, and too narrow to provide adequate security protection [21]. This suggests that voluntary processes, driven by industry sector and sub-sector best practices, certification procedures, as well as metrics, would offer the most promising approach for IoT security labels.

Yet, it is important to avoid too many labels for similar product types and sectors with comparable deployment environments. This is to reduce the likelihood for confusion among consumers as they have to determine which label is relevant for their needs [22]. If unsuccessful labels become defunct vendors have to bear the cost of labeling, which is estimated to range from 4,000 US dollar on the lower end up to 700,000 US dollar per company for the largest manufacturers according to a recent regulatory study [23], without being able to leverage the additional revenue. Concurrently, a defunct label can cause consumers to lose confidence in cybersecurity labeling overall. Thus, it is important to address the sustainability of a label as well as the labeling regime over time.

These challenges can be addressed by leveraging sector-specific labeling by trade associations, as is the case with CTIA’s certification. These groups can leverage the knowledge of experts across the sector and ensure the label’s sustainability. Furthermore, these groups would be privy to the target customers and users and therefore possess important insights into the respective deployment environments, operational constraints, and business needs. This still leaves the critical task of choosing and designing an effective label itself.

Designing Cybersecurity Labels

Label designs fall in three distinct categories [12,15]:

Binary labels, such as the USDA organic label, are the most usable and simple as they indicate the presence of a property or quality.
Graded labels, including the EnergyGuide label, offer greater shades of distinctions between products. However, research shows that products with lower grades may be penalized by customers and be given the boot in favor of unlabeled alternatives.
Descriptive labels, such as the FDA nutrition facts label, offer the most amount of information to the consumer, but are more complex thus less usable. These labels may also be less effective at informing consumer behavior for products that are perceived as less risky.

It is likely that different labeling styles are needed for distinct IoT devices and deployment environments. Unfortunately, few studies have investigated the comparative effectiveness of different labeling styles in cybersecurity [12]. Each label requires additional design decisions that should be informed by empirical evidence. For binary labels, for example, a designer may choose an icon, such as a lock, keys or a shield, that leverages an effective, yet appropriate security mental model. Alternatively, the choice may be to employ a preexisting trustmark that indicates broader product quality [15]. Security can then be incorporated into the overall product quality certification and emphasized with additional text or visual clues to the existing label.

Enhanced labels, such as graded and descriptive labels, increase the number of design decisions. In the case of graded labels, designers must choose the grades’ framing. UL (Underwriters Laboratories), a global safety certification company, grades IoT security along five levels: 1) bronze, 2) silver, 3) gold, 4) platinum, and 5) diamond [24]. For descriptive labels designers must begin by choosing the specific information to include in the label [19]. Given the lack of empirical results on these design decisions, it is important to prioritize research in advance of policy interventions.

When making these design decisions, it is important to keep in mind how consumers interpret the cybersecurity label. The consumer’s technical literacy, their behavioral incentives driving the purchase, as well as their mental models of security must be accounted for to avoid conveying a false sense of security and safety that could spur unsafe user actions. Absent design research for non-expert users, one option may be to leverage more mature customers. For example, one proposal in the UK pushes the responsibility of verifying security labels to retailers, who can only sell IoT devices that meet certain security requirements [23].

Sustainable Cybersecurity Labels

The discussion as well as the adoption and uptake of cybersecurity labels is in an early stage. Yet it is helpful to learn from other risk domains [25], such as the food industry [1], to get clues to how the labeling regime may develop in the future. Yet these lessons must be appropriately contextualized to address the adversarial nature of cybersecurity as well as the breadth of IoT categories and products, corresponding deployment environments, and diversity of customers. Consider, for example, that the NYC health department certifies restaurants rather than individual dishes. Cybersecurity labels will, however, be certifying devices not vendors. Thus, it is important to focus on the outcome of labeling, which is to inform the determination of acceptable risk. The NYC health sanitation rating frames this in three essential outcomes:

The grades determine how often a food establishment gets inspected. A lower grade results in more frequent inspections with the objective to provide guidance and improve the sanitary condition. Graded with a C, a restaurant will receive an inspector’s visit three to four times a year, whereas an A restaurant will be inspected once a year. Contextualizing this for cybersecurity, a lower rated device may be expected to have shorter security lifespan.
If found to be in severe violation of food safety and creating a public health hazard that cannot be corrected, an inspector can close a restaurant immediately. In the cybersecurity context, if a vulnerability is reported, the labeling entity may require the vendor to fix the security flaw. Absent that the label may be withdrawn or, alternatively, retailers may no longer carry the product.
The NYC health department ensures a consistent and repeatable baseline for all restaurants to demonstrate food safety to their customers. However, in food safety there is not an ongoing effort to poison the food in all restaurants that is dynamic and constantly changing. Cybersecurity, by contrast, is an adversarial domain and IoT products are significantly more diverse with distinct threat exposures. Thus, cybersecurity labels may require a decentralized approach perhaps driven by sector specific-stakeholders, rather than a top-down, agency-driven prescriptive approach.

Voluntary labeling may be an effective intervention to address information asymmetry in the cybersecurity market. However, any effective policy intervention must describe practical solutions, supported by institutional infrastructure, and a governance model that allows for stakeholder engagement. Given the diversity of IoT devices, innovative, customized solutions commensurate with the many domains of application are needed. These must emphasize and secure the sustainability of a labeling regime in the long term. The alternative is the creation of a lemons market for cybersecurity labels that undermines what it intends to enhance.

Appendix

References:

[1] D. Volz, President Biden signs cybersecurity Executive Order to boost federal defense against hacks. The Wall Street Journal, (2021).

[2] M. W. Smith, Information asymmetry meets data security: the lemons market for smartphone apps. Policy Perspectives 26, 85-96 (2019).

[3] “Product security: IoT and other Internet enabled devices”, Centre for International Governance Innovation, CIGI-IPSOS Global Survey (2019). [no author]

[4] Cybersecurity certification program for IoT devices v.1.4”, CTIA (2021). [no author]

[5] “Network Equipment Security Assurance Scheme v.2.0”, GSMA and 3GPP (2021). [no author]

[6] “The Digital Standard”, Consumer Reports, Disconnect, Cyber Independent Testing Lab, and Ranking Digital Rights Project (2020). [no author]

[7] M. Fagan, K. N. Megas, K. Scarfone, M. Smith, “IoT device cybersecurity capability core base- line” (National Institute of Standards & Technology, 2020).

[8] V. Sklyar, V. Kharchenko, ENISA documents in cybersecurity assurance for industry 4.0: IIoT threats and attacks scenarios. Proceedings of 10th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology & Applications 2, 1046-1049 (2019).

[9] D. Markopoulou, V. Papakonstantinou, P. de Hert, The new EU cybersecurity framework: the NIS Directive, ENISA's role and the General Data Protection Regulation. Computer Law & Security Review 35(6), 105336-105341 (2019).

[10] B. Schneier, IoT security: what’s plan B?. IEEE Annals of the History of Computing 15(05), 96-96 (2017).

[11] J. R. Martin, K. Kessler, California Sets the Standard with a New IoT Law. The Journal of Robotics, Artificial Intelligence & Law 2(3), 183-188 (2019).

[12] S. D. Johnson, J. M. Blythe, M. Manning, G. T. W. Wong, The impact of IoT security labelling on consumer product choice and willingness to pay. PLOS ONE 15(1), 1–21 (2020).

[13] J. R. Biden, “Executive Order on Improving the Nation’s Cybersecurity” (The White House, 2021).

[14] A. King, R. M. Gallagher, “Cyberspace solarium report” (Cyberspace Solarium Commission, 2020).

[15] V. Garg, A Lemon by Any Other Label. Proceedings of the 7th International Conference on Information Systems Security & Privacy, 558-565 (2021).

[16] I. Brass, L. Tanczer, M. Carr, M. Elsden, J. Blackstock, Standardising a moving target: The development and evolution of IoT security standards. Proceedings of Living in the Internet of Things, 24-9 (2018).

[17] P. Morgner, C. Mai, N. Koschate-Fischer, F. Freiling, Z. Benenson, Security update labels: Establishing economic incentives for security patching of IoT consumer products. In proceedings of the 2020 IEEE Symposium on Security & Privacy, 429-446 (2020).

[18] S. Datta Burton, L. M. Tanczer, S. Vasudevan, S. Hailes, M. Carr, “The UK Code of Practice for Consumer IoT Cybersecurity: where we are and what next” (DCMS, 2021).

[19] P. Emami-Naeini, Y. Agarwal, L. F. Cranor, H. Hibshi, Ask the Experts: What Should Be on an IoT Privacy and Security Label?. In proceedings of the 2020 IEEE Symposium on Security & Privacy, 447-464 (2020).

[20] D. Kleidermacher, Building an Internet of Secure Things. Computer 53(8), 100-104 (2020).

[21] S. J. Murdoch, M. Bond, R. Anderson, How certification systems fail: Lessons from the Ware report. IEEE Security & Privacy 10(6), 40-44 (2012).

[22] J. L. Hernandez-Ramos, S. N. Matheu, A. Skarmeta, The challenges of software cybersecurity certification. IEEE Security & Privacy 19(1), 99-102 (2021).

[23] DCMS, “Evidencing the cost of the UK government’s proposed regulatory interventions for consumer IoT” (Tech. Rep., 2020).

[24] Underwriters Laboratory, “IoT security rating level” (2020; https://ims.ul.com/ iot-security-rating-levels).

[25] E. Leverett, R. Clayton, R. Anderson, Standardisation and certification of the ‘Internet of Things’. In proceedings of workshop on the economics of information security, (2017).

Article Categories:

Security

Last updated February 8, 2023

Authors:

Vaibhav Garg is the Sr. Director of Cybersecurity Research & Public Policy at Comcast Cable. He has a PhD in Security Informatics from Indiana University and a M.S. in Information Security from Purdue University. His research investigates the intersection of cybersecurity, economics, and public policy. He has co-authored over thirty peer reviewed publications and received the best paper award at the 2011 eCrime Researcher's Summit for his work on the economics of cybercrime. He previously served as the Editor in Chief of ACM Computers & Society, where he received the ACM SIGCAS Outstanding Service Award.

vaibhav_garg@comcast.com

Dr. Andreas Kuehn is a Senior Fellow at Observer Research Foundation America where he leads research on international cybersecurity cooperation within ORF America’s Cyberspace Cooperation Initiative. His work focuses on the new risks and challenges in international security at the intersection of critical and emerging technologies, cybersecurity, and technology governance. Prior to joining ORF America, Dr. Kuehn was a Senior Program Associate at the EastWest Institute, where he led the development of EWI’s breakthrough group efforts and worked on U.S.-Russia and U.S.-China cybersecurity issues. Before that, he was a Cybersecurity Fellow at Stanford University and an adjunct researcher at RAND Corporation. He received his M.Sc. in Information Systems from the University of Zurich and holds a Ph.D. in Information Science and Technology from Syracuse University.

akuehn@orfamerica.org