
I got several press releases this week about the newest US Federal government program for cybersecurity labeling. The program is designed to help consumers understand how secure IoT devices are, and to address the challenge of keeping a home network secure given the large number of smart devices being installed today. Consumer Reports has been pushing for something like this for a while and lauded the move with some caution. I'm going to take it a little further. We need to be very careful that this doesn't become as worthless as the nutrition labels mandated by the government.
Absolute Units
Having labels is certainly better than not having them. Knowing how much sugar a sports drink has is way more helpful than when I was growing up and we had to guess. Knowing where to find that info on a package means I'm not having to go find it somewhere on the Internet[1]. However, all is not sunshine and roses. That's because of the way that companies choose to fudge their numbers.
Food companies spent years working the numbers on those nutrition labels. The most common way to do it is to adjust the serving size listed on the box. For example, a 20-ounce soda bottle isn't listed as a single serving of liquid. It's 2.5 servings at 8 ounces each. To find the true nutritional value of the whole bottle you need to read closely enough to do the math, and then you find out it's more sugar and calories than you were expecting. The whole game was so bad the FDA forced companies to change labeling in 2022.
The other way that labeling guidelines have allowed companies to get away with misinformation is through clever interpretation. Did you know that Tic Tacs are sugar free? If you look at the nutritional label they contain zero sugar despite being made of nothing but sugar. How can they accurately say that? Because the serving size is so small that the sugar content rounds down to zero. You're probably groaning now, but this is what happens for years until some group steps in to fix the issue.
The Fine Print
Now let's look at how this could go horribly wrong with IoT devices. One simple way I could see it becoming an issue is with something like a baby monitor. These devices are usually low-cost and don't have much security built in. If you know the address of the device you can often connect to it and watch the video feed. Adding more software controls on top of the hardware is going to increase the price significantly. So are the manufacturers going to add pricey software to meet labeling guidelines? Or are they going to pull a Tic Tac? Say, for example, labeling the device as secure against remote access, with an asterisk saying it's only secure if you turn off the Wi-Fi and only view it from the same room?
The label is going to be a valuable thing to add to the box to differentiate the product from competitors. Given the choice between a box without a label and one with a label, which one would you pick, Tommy boy? Given that, how far do you think someone would go to put the label on the box? The program is voluntary, but it still has requirements that need to be met. Someone could potentially construct specific scenarios under which they meet the guidelines and include the label despite not having the most secure device.
If the government wants to ensure that users aren't getting attacked and having their data stolen, it needs to put explicit guidelines in place that specify how the labels must be created. No creative interpretation. No asterisks or fine print. It needs to be a table with simple answers. If you don't meet the guidelines you don't get the check mark. Don't let the manufacturers interpret your rules in their favor. It's a bit more of a pain for those administering the program, but a little sweat equity up front is going to be more comforting than the news articles after the fact.
Tom’s Take
I want this program to work. I really do. I also know how capitalism works. Companies are going to work this label as much as possible in their favor, including some creative interpretations of the requirements. I'd rather have some fussing now that leads to proper implementation in the future than lots of bad press about how the labels are worthless. If the industry is going to take steps to make things better for consumers, let's make sure it's really better and not some sugar-free version.
[1] Provided the packaging is big enough for it to be printed, that is.
