![Home security cameras are among the first devices to be considered for a security](https://oponame.com/wp-content/uploads/2022/10/Everything-we-know-about-the-White-House-IoT-security-labeling.jpg)
Getty Images
The White House released a statement today that basically says it had a big meeting on Wednesday, with some big names, and some sort of smart device security label will come out of that in the spring of 2023. Here’s a lot more about what happened, and what’s likely to come out of it.
One of the high-level recommendations of the US Cyberspace Solarium Commission, named after the Eisenhower administration’s desire to rethink Cold War strategy, in its March 2020 report was to “create a national certification authority and cybersecurity labelling. A “non-profit, non-governmental organization” will become a labeling authority for at least five years, labeling products based on the consensus of the Departments of Commerce and Homeland Security, and “experts from the federal government, universities , non-governmental organizations and the private sector.
And that’s pretty much who showed up, according to the White House. Amazon, Comcast, Google, Intel, LG, Samsung, Sony and other private entities showed up. So did the Connectivity Standards Alliance, the consortium behind Matter, as well as the American National Standards Institute (ANSI), Consumer Reports and lobby groups Consumer Technology Association, CTIA and the National Retail Federation. Add just about every safety-related government agency and you have the Solarium Commission recommended panel.
Details on the label itself, as it stands so far, and what it would rate or measure, weren’t available, but there were hints. CyberScoop quoted a White House official as saying device ratings could be based on “fixing vulnerabilities, amount of consumer information collected, whether data is encrypted, and interoperability with other products” .
As for what the label might look like, there is at least one template. Researchers from Carnegie Mellon University, one of the parties invited to the summit, had already created a safety “nutrition label”. The label, based on contributions from more than 22 groups, has worked well with users, the university says. It provides multiple levels of disclosure, based on common IoT issues: default passwords, security updates, offline features, and more.
You can even make your own voluntary safety label, or just smash the tires, like I did.
![I don't know why we created this smart doorbell, but we are committed to updating it for at least three years.](https://oponame.com/wp-content/uploads/2022/10/Everything-we-know-about-the-White-House-IoT-security-labeling.png)
I don’t know why we created this smart doorbell, but we are committed to updating it for at least three years.
Kevin Purdy/Carnegie Mellon
The White House told reporters Thursday it was aiming to “keep it simple,” with a code that can be scanned by phones to display security and privacy information.
Which products will obtain the labels? The White House told reporters on Wednesday it would begin with voluntary labeling in the spring of 2023, focusing on “particularly vulnerable Internet-connected devices such as routers” and home cameras.
The White House press release says it wants the effort to “generate a globally recognized label.” CyberScoop reported earlier this month that the task force was working with the European Union to “align with the standards”. It should therefore be noted that Anne Neuberger, Deputy National Security Advisor for Cybersecurity and Emerging Technologies, participated in International Cybersecurity Week in Singapore, where she described the United States envisioning Singapore as a “leader IoT world,” as reported by The Register.
Singapore’s Cybersecurity Labeling System rates almost all internet-connected consumer devices in that country on a four-star scale. The system is recognized by Finland and, to date, by Germany. Announced at the conference this week is that the system could soon make its way to medical devices. It’s a safe bet that whatever system the United States designs will seek to achieve some degree of reciprocity with Singapore’s system, even at one level.
![Singapore's cybersecurity labeling system, where consumer devices are given one of four scores based on security practices.](https://oponame.com/wp-content/uploads/2022/10/1666331129_811_Everything-we-know-about-the-White-House-IoT-security-labeling.png)
Singapore’s cybersecurity labeling system, where consumer devices are given one of four scores based on security practices.
Is there a Matter aspect in this labeling? Almost certainly, given the presence of the CSA at the top of the White House. Matter certification already requires devices to use AES encryption when communicating over networks, be able to receive updates over the air, be code-signed, and have a secure enclave to store keys and certificates. to be verified against a blockchain ledger. Some or all of these aspects (minus the blockchain bit) are likely to be considered on security labels.
While the first version of this security label will almost certainly be a compromised and politically acceptable effort, anything is likely to be better than the system we have now: researching smart home brand names and manufacturers individually in line with the end phrases “violation” and “vulnerability.”
#White #House #IoT #security #labeling #effort