White House officials convened industry leaders, policy experts and government leaders on Wednesday to discuss plans for security and privacy standards on connected devices.
The meeting — billed as a workshop for a nascent White House Internet of Things labeling initiative — included top White House cyber official Anne Neuberger, Federal Communications Commission Chairwoman Jessica Rosenworcel, National Cyber Director Chris Inglis and Senator Angus King, I-Maine, alongside consumer tech associations, industry executives and the nonprofit consumer advocacy organization Consumer Reports.
Industry leaders from Google, AT&T, Comcast, Amazon, Cisco, Intel, Samsung and Sony attended the meeting, as did officials from the American National Standards Institute and the National Retail Federation, according to the White House.
The meeting focused on the implementation of the program, including issues such as how to ensure labels match international standards, how to design a barcode to ensure consumers can find timely information about a product online and how to raise overall consumer awareness of IoT vulnerabilities.
CyberScoop first revealed White House plans for the meeting last week.
The labeling program is still in its early stages, but the White House expects to roll out a first set of standards in Spring 2023 and plans to launch the voluntary program with standards in place for particularly vulnerable internet-connected devices such as internet routers.
A White House official told reporters the program will likely rate devices based on standards that include vulnerability remediation, amount of information collected on consumers, whether data is encrypted and interoperability with other products.
“It would be a more sophisticated way to approach cybersecurity than merely saying, ‘Oh, if it’s manufactured in one country, it’s safe; if it’s manufactured in another, it’s not,’” a senior administration official said.
Brandon Pugh, senior fellow and policy counsel at the R Street Institute think tank, said he left the meeting with the impression that more extensive privacy standards around data collection and sharing could also be considered as part of the rating system down the road.
Pugh said the lack of cybersecurity in Internet-connected devices merits immediate attention.
“As a consumer, you’re really just kind of taking a chance and hoping for the best,” Pugh said. A labeling program is “not perfect in every sense,” Pugh added, “but at least it would give consumers some level of knowledge that what they’re buying is secure.”
A senior White House official told reporters Wednesday that the label will include a barcode for consumers to scan so they can see a given manufacturer’s security practices in real time, ensuring that the “label remains fresh.”
“Given the way cybersecurity continuously evolves infinitely, vulnerabilities continuously evolve,” the official said.
A senior leader from the Federal Trade Commission attended the workshop to highlight compliance and enforcement tactics, the official added.
“They talked about their ability to enforce based on the labels and is the security in device meeting the standard within the label,” the official said, comparing the “model of market enforcement” to nutrition labels.
A Carnegie Mellon University CyLab Security and Privacy Institute researcher, who has spent more than four years working on a separate rating effort known as “privacy nutrition label for IoT devices,” demonstrated that approach at the meeting, noting that his prototype has been consumer-tested and could immediately be implemented across the IoT industry.
The researcher, Yuvraj Agarwal, said he has done several consumer studies to determine if people will spend more for products with heightened security and privacy standards.
“Consumers are willing to pay significantly more of a premium over the base price of the device for a secure product,” Agarwal told CyberScoop. “Consumers really do want to pay for devices that are better in terms of their security and privacy.”
A Google official who participated in the workshop published a blog post Wednesday hailing the effort.
“We’re now putting more of our lives and trust in the hands of digital technology,” Dave Kleidermacher, head of security for Android and Google Play, wrote. “Yet, the IoT industry still lacks a global harmonized way for measuring the security quality of connected products, which means consumers may not have the visibility they need into whether their IoT devices protect their data.”
Kleidermacher said Google’s leadership is “encouraged” by the White House effort to accelerate IoT security standardization so that people have “more transparency in the security of the IoT products they use every day.”