Will NIST’s cybersecurity labeling for consumer software and IoT products help us achieve better security? Our experts weigh in.
If one of the goals of President Biden’s May 2021 “Executive Order on Improving the Nation’s Cybersecurity” is fulfilled, you’ll be able to look for a quality and security assurance label on any software product you consider buying. To which anyone who cares about such things—and everybody should—might say “it’s about time.”
Indeed, consumer labeling has long been mainstream when it comes to just about everything else. We take for granted that what we plan to eat or drink has a list of ingredients on the packaging or container. The U.S. Department of Agriculture has a label that food vendors can use if their product is certified organic. Most of us are familiar with the Good Housekeeping Seal and UL certification, which offer some assurance that a vast range of products meet a minimum quality standard. “Look for the union label” has been a slogan for almost 50 years.
But details or seals of approval on the quality of software ingredients? Not so much. Pretty much not at all.
While Americans rely on software for just about everything in modern life—communication (email, text, phone), social media, online purchases, games, research, home security, transportation, and much, much more—most remain only dimly aware of what it is, how it works, and the level of its quality and security.
As the National Institute of Standards and Technology (NIST) recently put it, “most consumers take for granted and are unaware of the software upon which many products and services rely, [and] the very notion of what constitutes software may even be unclear.” That is, in large measure, because consumers aren’t told much of anything about it. They generally see only what it does, not what it is, who made it, how it works, or how it could put them at risk.
The Biden executive order (EO) is obviously aimed at closing that gap in consumer awareness. It calls for NIST, the Federal Trade Commission, and other agencies to “initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet of Things (IoT) devices and software development practices, and [to] consider ways to incentivize manufacturers and developers to participate in these programs.”
The EO uses similar language to call for labeling of consumer software.
At one level, an order like that shouldn’t be a tough sell. If an organization can’t trust its software, the business is at risk. That’s true of consumers as well. If you can’t trust the software powering your app or your device, your personal and financial information is at risk.
But is a label an effective way to achieve better security awareness? Debrup Ghosh, senior product manager with the Synopsys Software Integrity Group, isn’t so sure. “The jury is still out on whether labeling is an effective method of consumer awareness,” he said. “For example, data on whether federal food safety laws increased GMO awareness is inconclusive. Several studies reported conflicting results.”
For consumer IoT devices, the two biggest hypotheses that need to be tested are similar to the GMO question. First, do consumers understand what these labels mean? Second, do they care?
That, as is usually the case, remains to be seen. But according to a 2021 study done in the U.K. and published in the PLOS Medicine journal, color-coded labels on foods did have some effect. They were “instrumental in ‘nudging’ consumers toward choosing more healthful products and could be the underlying psychological mechanism toward cementing this behavioral change,” according to the study.
When will we know if software labeling will be as influential? Realistically, it’s going to take a while—a long while. For starters, earlier this month, in response to the Biden EO, NIST issued two white papers recommending criteria for cybersecurity labeling of consumer software and consumer IoT products.
They open with a few caveats.
The agency does offer some guidance. It said labeling will require context that takes the use or level of risk of a software product into account. We all know that the equipment needed to provide reasonable protection to a racecar driver is much more extensive than that for a standard passenger vehicle, although some of those components might be the same.
Similarly, “the risk associated with software is tightly bound to that software’s intended use (both in function and operating environment),” NIST said. “The cybersecurity considerations appropriate for a mobile game will differ from those applied to an online banking app or to run the media station on an automobile.”
The white papers propose a structure for labeling but leave a lot of the details for later. For example, launching the initiative will require “labeling schemes and scheme owners,” which can be public or private organizations.
NIST does require, though, that any proposed scheme answer the following questions:
But with neither scheme owners nor schemes in place yet, it will be some time before those questions get answered, especially since, as NIST put it, “there is no one-size-fits-all definition for cybersecurity that can be applied to all types of consumer software.”
Again, NIST does offer detailed guidance about what should be behind the labeling, including scope, the minimum duration of security update support, update method, and the identity of the entity making those claims.
The label must also include secure software development claims that align with NIST’s Secure Software Development Framework, which it updated in response to Biden’s EO.
But is all of this going to fit on a label? No way. The overall goal is to keep it relatively simple—to give average consumers some confidence in the quality and security of the software running the products they are considering buying, without confusing them with technical jargon. NIST calls for it to be written at an eighth-grade reading level.
That kind of clarity is key according to Michael White, applications engineer, principal, with the Synopsys Software Integrity Group. He pointed to a U.K. survey showing that when a date was quoted as the lifetime to receive updates, 13% of those surveyed thought this implied an expiration date for the device itself. “So extensive consideration must be given to the clarity and style in which information is communicated,” he said.
NIST appears to agree, also saying the label should be “usable by a diverse range of consumers without requiring them to have specialized cybersecurity knowledge.” To accomplish that, it recommends a binary label—a single label indicating that a product has met a baseline cybersecurity standard.
Indeed, the agency devotes an entire section of the framework—“Additional Context for Labeling Criteria”—to recommending that the scheme owner conduct focus groups from all demographics to find the best ways for labels to encourage buyers to choose better software.
Ghosh agrees with a robust education campaign but foresees a potential budget problem. “NIST doesn’t specify how it will be funded,” he said. “It will be crucial to get buy-in from manufacturers and industry groups before this scheme is implemented to ensure appropriate funding.”
Finally, for those who want more detail and technical information, the label should provide a link to a website with additional information that should include, at a minimum
All of which sounds comprehensive and useful, but Jamie Boote, senior consultant with the Synopsys Software Integrity Group, notes that it will not just be average consumers using the label. It will be procurement employees in government agencies as well.
“These are labels for contracting officials to read in order to accept or reject software bids,” he said. “These are actionable as long as one is following the manual government procurement process. But until these are encoded in machine-readable format that automated decision makers can accept, reject, or apply mitigations to automatically, they will only provide nominal good and be just another sticker for people to stick on their boxes.”
When are labels likely to start showing up? The EO calls for pilot programs to begin nine months after the order was issued, which would make that deadline more than a month ago, in early February. But it left considerable wiggle room about when an official program would begin.
It said that a year after the order, the Commerce Secretary (NIST is within the Commerce Department) “shall provide to the President […] a report that reviews the progress made under this section and outlines additional steps needed to secure the software supply chain.”
No deadline on how much time those added steps might take.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.