NIST’s Criteria for Cybersecurity Labels Are Good. Who Will Implement Them?

On Friday, the National Institute of Standards and Technology (NIST) released new Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products. The addition of standardized labels, which would allow users to compare and contrast IoT products, could play a vital role in addressing a history of bad digital security that looms over the Internet of Things. NIST opted not to establish its own labeling program, instead releasing these guidelines and leaving it to non-governmental "label providers" to implement. While the new guidelines could be an important step in creating a more secure IoT, with no announced label providers, and no testing mandate, the goals of these recommendations can only be met if the idea gains popularity.

The new guidelines were spurred by an Executive Order that President Biden issued in May 2021. Entitled "Improving the Nation’s Cybersecurity," the order tasks several federal agencies with making a number of "bold changes and significant investments" in the interest of securing the nation's computer systems. Among the many pieces of the order was a requirement for NIST to "identify IoT cybersecurity criteria for a consumer labeling program" that reflects comprehensive testing and assessment while focusing on "ease of use for consumers."

As the Executive Order notes, there are a wide range of "malicious cyber campaigns" that affect all levels of the tech ecosystem, and the requirement for IoT labeling guidelines shows that this is especially true in IoT. From hacked baby monitors and home cameras, to leaked user information, examples of cybersecurity incidents are not hard to find. IoT products face some unique circumstances that don't affect the rest of tech. There are many reasons for this, but one example is the computer chips used in these devices. IoT devices are generally built with chips that are orders of magnitude less powerful than an average smart phone, meaning equipping them with lots of computationally complicated security features can be a challenge. Additionally, as highlighted by recent chip shortages, the nature of IoT production means that manufacturers often use whatever chip is available at the time of a production run. This means that different production runs of what look like identical devices may have entirely different chips, which in turn may have entirely different security vulnerabilities that put them at risk of cyber attack.

Not every IoT company is creating insecure products, but as a consumer, there's no way to know if a company is doing all it can to protect customers. This is where labeling comes in.

OTI has long supported better consumer labeling, as well as an increase in testing of IoT devices. Consumer-facing labels like the Nutrition Facts Label on food packaging, the Energy Star label on electronics, the LEED certifications for buildings, or the coming label for broadband internet, all provide specific and comparable information about the product in consistent ways. This information is based on using a shared set of metrics, which make possible apples-to-apples comparisons between products. Wide adoption of a good label can also shift market incentives, encouraging manufacturers to work towards meeting the labeling criteria so as to have a higher rating.

OTI has been deeply involved in IoT product testing using the Digital Standard, an open-source framework for evaluating the privacy and security of consumer products. Although the Standard is not a “label,” that experience has provided some lessons learned about the importance of consumer-facing product evaluation.

NIST’s recommended testing guidelines have a lot of strengths. To begin with, NIST centers its guidelines on "product-focused outcomes," which avoids requiring particular technological solutions to achieve those outcomes. This is important because tech best practices are constantly changing, and tying a label to specific tech protocols will give the guidelines a shelf life. For example, the recommended encryption protocols used to secure data moving over the internet ten years ago have been replaced by newer protocols or found to be insecure. Focusing on outcomes will allow evaluators to grade against current best practice.

The NIST guidelines also adopt a broad definition of what constitutes an IoT product. This includes not only the device itself, but also "any additional product components that are necessary to use the IoT device beyond basic operational features." That means everything from the device itself, to the app that makes it work, to the cloud servers the manufacturer uses to provide added functionality. By expanding the coverage beyond "operational features," products that can be used in some way without an app—like a smart vacuum that may clean but doesn't map your house unless connected to the internet—can't remove the app testing portion from their labeling requirements. In addition to the technical requirements themselves, NIST accompanies every section of the requirements with an explanation of the "Cybersecurity Utility" that each requirement represents.

The labeling recommendations do not go into specifics like which fonts or icons to use, instead they ask label providers—or "scheme owners" as NIST also calls them—to take certain things into consideration as they implement a labeling program. Labels themselves should simply show that a product has met the recommended technical criteria, but in a way that makes sense to people without "specialized cybersecurity knowledge." Instead of focusing on label design, the recommendations focus on the kinds of information that should be available to consumers, including "what the label means and does not mean," along with what kinds of products the label covers, what they are testing for, and why.

While NIST's new IoT labeling recommendations provide a good technical basis to use for testing and thoughtful requirements for clear and helpful labeling, NIST's decision to leave testing and labeling to third parties and not to establish its own program is worrying. In the conclusion to a whitepaper preceding the recommendations, NIST stated its hope that the guidelines "will be used by one or more organizations to deploy a consumer IoT cybersecurity labeling program or ‘scheme’ in the United States." A standards-setting body, like NIST, can define a technical standard, but unless it is widely adopted by the tech industry, it may never become truly standard. Even when an organization does eventually step forward to run a labeling scheme, absent any sort of broad mandate or other incentives, participation by manufacturers will be voluntary and may not seem worth the effort. Unfortunately, without organizations ready to heed NIST's call, and manufacturers willing to work with them, the bold changes envisioned in the executive order may never be realized.

If the recommendations are to achieve their goals, one or more groups need to be ready to stand up labeling schemes. Through good relationships, their ability to directly affect consumer demand, or both, whoever is conducting testing and labeling will need to figure out a way to get manufacturer participation. Once such labeling efforts have started, spreading their popularity needs to include broader education of the public. As NIST acknowledges, public education will need to be “a shared responsibility among multiple IoT product security stakeholders.” Other ways to speed up adoption of such labels could include bulk purchasers of IoT devices requiring that their IoT products carry a specific label. Even without the example a limited NIST-run labeling program might have set, or a strong labeling requirement, NIST's recommendations do provide something solid to build on—and hopefully, IoT’s many stakeholders will start building.