The Hill is reporting on new legislation – called the Cyber Shield Act of 2017 – where manufacturers can have their products evaluated and certified for meeting data security standards.
Do you think this legislation will make a difference? Where do you see the government’s place in enforcing security in commercial products?
This is an interesting article. Thanks for linking it.
The article is quick to point out that the program would be voluntary. That would seem to indicate that this would operate similarly to an ISO standard. Interesting.
The article also indicates the products will need to be certified. While I agree, in theory, that this kind of program is needed, in practice I'm not sure how well it would work. If we are certifying products, what happens when a vulnerability is discovered in a product that was previously certified? Does it fall out of certification, or are there provisions for the manufacturer to support the updates for a given lifecycle? If the manufacturer will support the updates, depending on the kind of device it is, vulnerability patches could be automated... but there would be many devices that would require manual updating. I'm not sure that the average home consumer would be savvy enough to keep up with updating all of their IoT devices to make sure they maintain the certification that was there when they bought the product. I can also imagine a class of IoT products that would create liability if the manufacturer were to auto-update.
I'm sure that there are solutions to the problems I thought of. I would be really interested to follow this topic thread for other people's views.
I think that this is a multi-edged sword, and having the Government be the enforcement arm for secure manufacturing processes is like the pot calling the kettle black. Or, if you'd prefer, like the fox guarding the hen house. Admittedly, there needs to be greater oversight, from a security standpoint, throughout a manufacturing process from the supply chain / vendor management, through design and development, to manufacturing / implementation, to product delivery. Each step has its own very unique set of vulnerabilities and mitigating controls.
This will be an interesting piece of legislation.
Device and product standards tend to be "snapshot" certifications. This seems to be no different. Meet certain criteria and be certified until renewal. I'd like to see a certification that includes (and enforces) an update process throughout the year.
I haven't checked for decertification stats for industry-run certifications like PCI-DSS.
I think a certification process is generally better than nothing at all, but there has to be some impetus to enforce maintenance. Cybersecurity moves too fast for a momentary certification/renewal process.
According to the letter of the suggested legislation:
"establish and maintain cybersecurity and data security benchmarks, by convening and consulting interested parties and other Federal agencies, for products with the Cyber Shield label to ensure that those products perform better than their less secure counterparts;"
That means the "certified" product only has to be better than its peers. It's not a "proof" of security, but just a benchmark of performance relative to some zero-security.
The benchmarks are going to be publicly debated:
"engage in an open public review and comment process;"
"Not later than 2 years after the date of enactment of this Act, the Secretary shall establish cybersecurity and data security benchmarks for covered products under subsection"
So this is going to be very far into the future. The public comment and review will take quite a bit of time.
"shall promote technologies that are compliant with the cybersecurity and data security benchmarks established by the Secretary as the preferred technologies in the marketplace for"
The US Government "promoting" any private product is a fuzzy line that will likely be tested in court. The FBI can't endorse any tools, but this new Cyber authority can? That seems like a big lawsuit waiting to happen, also given that the language of the bill seems to be in favor of companies not complying with security (no liability for not participating or exiting participation).
"The Secretary, in consultation with the Advisory Committee, may enter into a contract with a third party to administer the Cyber Shield program if—"
This will create yet another administrative private entity to adjudicate and enforce the program. This also looks to be domiciled in the DoC (Dept of Commerce). The bill seems to be very vague and in need of some further refinement. The "benchmarks" are like colo "policies," just phantom rules that change without your permission but still bind you. I didn't see anything about how a product falls out of compliance or for how long the product certification lives. Does it become decertified when a firmware fix is deployed? Is the testing/certification entity going to certify the firmware side of the product too?
Seems like a good idea, but it should be handled by organizations like NAICS or UL rather than the federal government.
Do you think this might be a precursor to requiring certain cybersecurity measures? Similar to Federal Motor Vehicle Safety Standards?
That same question (re federal statute on cyber security) came up at the last ISC2 chapter meeting in San Diego with Tim Hamon (FBI). The consensus there was - only when people start dying as a result of bad cyber will there be statutory regulation. Until the first death, though, it's really a consumer trust problem.
Maybe this legislation is thought to be the precursor for statutory regulations? I doubt it. Then again, the FCC regulates spectrum overlap and interference to protect consumers from harmful radiation. The cyber argument (for statutory regulation thereof) is similar insofar as the device should not be able to be used to interfere with other devices. If I can use a device to attack another device, such as a public transit control system, then the FCC should require controls to mitigate such an attack.
In my opinion, cyber is an FCC statutory domain. FCC is only radio, right? But then again, NSA was only radio too until ...