As attacks on connected devices grow exponentially, hacks and data breaches remain top of mind for security professionals, manufacturers and top tech companies globally. Of late, these attacks have become more frequent and more sophisticated, and with critical infrastructure as the target, they have had a larger impact on the daily lives of citizens and on corporations, costing them time, money and consumer trust. With an increase in attacks comes an increase in cybersecurity spending: according to PurpleSec, the 5-year spending plan (through 2025) for cybersecurity will reach over $1 trillion.
As a direct result of the SolarWinds and JBS meat factory hacks, and the general increase in attacks on connected systems across the US, President Biden signed an executive order so that the United States federal government could officially take the proper precautions to protect state- and nation-controlled operations from further attacks. The order, signed on May 12, 2021, mandates that regulations, such as cybersecurity labeling, be put into place to prevent future attacks that could lead to massive infrastructure fallout and the hefty repercussions that come with it. Though this is a positive sign for better securing the nation, it’s important to consider whether it is the job of the federal government to protect the United States’ connected security at all.
Details of the executive order
To address the critical challenges of securing connected devices, the order covers a few key areas, which include the following:
Zero-trust policy for federal devices: Computers and other similar devices can’t interact with each other. This policy will help combat widespread hacks: if a breach does happen, it will be cut off immediately, since the affected computer is unable to communicate with others within the government, stopping the breach in its tracks.
Software bill of materials (SBOM): an SBOM is now strongly recommended so that the software the government uses, and the software that companies use, can be consistently monitored and maintained with appropriate updates, preventing vulnerabilities that stem from outdated programs. SBOMs should be required from the onset of device manufacturing instead of being a suggestion, and to be most effective, the requirement should be enforced by leading industry organizations that bring together leading tech companies, manufacturers, and stakeholders.
Software labeling program: the purpose of the program is to create a clear mark on device packaging that indicates to users and consumers that the product has been thoroughly tested for security against the guidelines in place. For this concept to be most effective, the labels must be more specific than a general level rating system, to ensure transparency to end users about the products they are purchasing and using.
With levels like bronze, silver, and gold, buyers wrongly infer that one level is superior to the others. Under such a scheme, a lower-tech device like a lightbulb might receive a bronze label while a more sophisticated device like a security camera receives gold. This is not because the lightbulb is less secure, but because it carries lower risk than a security camera; in the eyes of a buyer, however, the bronze label could suggest that it is less secure. To avoid this confusion, security labels should be based on specific product profiles, applying the necessary security requirements according to the level of risk. With guidance from leaders in the industry, manufacturers would be required to give each product a single label instead of one of three tiers, to demonstrate that the device is secure for use and to ensure transparency for all stakeholders.
The importance of valid security testing
Validation of devices through credible security testing labs or third-party certifications is necessary to apply correct labels successfully. However, since there is a large number of devices to be tested, another option would be to have manufacturers self-certify devices and have the results validated by a third-party organization. By having industry standards organizations as trusted partners, manufacturers will be held accountable, and it will deter bad actors who might wrongly self-certify. This will allow researchers to verify the quality of the self-certification, checking for any vulnerabilities and openings that could be left exposed to hackers. A checks-and-balances process for self-certification allows devices to be tested, secured and given a label with confidence, while preserving convenience and third-party verification.
With cybersecurity threats at the forefront of concerns for the administration, this particular order has the potential to change the way the United States approaches device and security management. While this is a step in the right direction and sets a standard for the country, it’s important that government agencies, like the FTC, use their authority to help enforce the process of security labeling and to make sure manufacturers uphold their part. Leading industry standards organizations should also be heavily involved in applying standards and regulations, to make sure innovation is not hindered. These organizations should also work to make sure all connected devices have a proper level of security, to create a secure ecosystem and prevent further infrastructure attacks.