Syed: I think that this is a place where consumers are confused today, or perhaps they're not as well-educated about the cybersecurity issues that can crop up with IoT devices today. So, having a label which allows them to at least get a reassurance of some base capabilities, as Benson and Sri have also mentioned, is important.
I think it lends credibility to the suppliers who in fact go and make the effort to make sure that those baseline security efforts have been put in place, because some of the IoT attacks that have taken place in the past have been incredibly simple to have managed up-front, and people didn't do it. That's the kind of stuff that I think consumers will set an expectation for, that the devices they are willing to purchase and acquire have met those basic minimum standards, so that things that have been an issue in the past don't happen again.
Now, going forward, obviously, there will need to be evolution of the product, and things like expiry of product labels, etc. It's going to be a necessary part of the whole process. That's going to take some time to make it all happen.
Josh: I tend to agree. And I think it's good for the industry that we're starting to see more of these types of frameworks. It's definitely a sign that, globally speaking, we're taking security more seriously, especially from the consumer perspective.
I think we have to also consider how we are going to educate the consumer to understand what this branding actually means. Because I feel like there's a lot of misunderstanding when somebody purchases something. And so we need to be more transparent, as the vendor, like, "What does this mean, a default?" And, "Are there other hardening suggestions thereafter?"
We don't want to build this idea that, "Oh, it has the Cyber Trust Mark. I can just load it into my LAN and we're good to go." So, I think it offers an opportunity to kind of bridge that gap with the consumer, from a marketing perspective, and ensure that we're really educating the user base on what the difference is.
But from the vendor perspective, again, it's very difficult, if you have to create multiple SKUs for different firmware. Then you have to ask yourself, "Is this just the default that we should have from vendor to consumer?" Instead of some of them, at default, might not have these security attributes.
But sometimes, that strips away innovation capabilities or other features on a product. So, I think there's a compare and contrast, and some smart devices or embedded devices require different types of frameworks, and that's why perhaps homologation would never happen across all connected devices. I could list off a litany of different certificates that speak to some of this stuff, but a lot of those attack vectors are different.
Some of the industrial sectors already have their own type of frameworks. I look at this type of branding as something that could expand into other markets. I see even the cellular routers as something that should have a baseline like this for consumers that buy them too. But overall, I think it's a good thing. I just think the scope isn't broad enough for what's connected there out on the Internet, and I just feel like we're not looking at it to have enough governance, and without regulation, we might get people that don't think that they need to volunteer, and then it just becomes more about, "My competitors are marketing this thing. Now we have to do that." Then it will actually put the burden on a vendor, and it might not actually serve the purpose that the consumer thinks it's getting, because they're just going to do the bare minimum.
But one of the things, I mentioned — I thought the fact that they also wanted the companies to have a risk management framework as part of this. Because, ultimately, the ecosystem is going to win by having that in place. So I'm wondering, and maybe Benson you can speak to this; is this going to be, like, a NIST-grade risk management framework? Like, some of the different FIPS publication, kind of tied to that, or could you elaborate on where you think that part of it would expand?
Benson: So, great question, Josh. So, the criteria are based on NIST criteria for cybersecurity labeling. So, I think that's some work that was done by NIST a few years back. And so, they're applying some of those. So, now, today, the criteria start, or at least this program starts, for consumer products. Now, we had a speaker that spoke to the IoT Advisory Board a few months back. He was on top of this particular program. And they're going to extend this to industrial products, to healthcare products, but they have a different set of criteria.
Josh: Oh, that's great. So, we've already done some pilots for some of these types of smart devices? Or is this just, we're conceptualizing what it could be? Because I always question the efficacy. Like, a smart TV, is it going to be able to minimally do these things that are in this list?
Benson: I think it's a minimum standard at this point, because when you talk about consumer, or you talk about industrial, it covers a wide span of products. And so, they're just looking for the minimum set that is applicable to all. Otherwise, it gets segmented and segmented, and it becomes harder and harder to manage. You know, Sri, as you know, as the registries go into great detail, the specific information that's being stored is very different, very unique. But at the minimum, they're trying to have this minimum baseline that's somewhat easy to comply with, for now.
Josh: Yeah, it does seem like a very minimal baseline. Like, it can make the audience understand that what's in this Trust Mark isn't something that we shouldn't already be doing as a vendor. It should already be assumed, and that's why things like, "It's a voluntary program," kind of exacerbates the issue a little bit. We need to kind of force the issue that our consumers aren't looking at this stuff. If they're, by default, exposed to the Internet, like a lot of IoT techs in the past, I would tell them that, "Like, okay, have we moved on from using protocols that don't have encryption or authentication? Because I have."
Syed: I think that we need to take into account that different kinds of IoT applications are going to have a different set of requirements, and if the baseline accommodates all of that, great, but your comment, Josh, about a smart TV is a good point. The risk associated with a breach of a smart TV, as opposed to a Fitbit — you know, a health monitoring device that a user is wearing, or a home automation system that is controlling the HVAC — the requirements for these are going to be somewhat different, and the baseline needs to be carefully managed so that what is secure for one device may not necessarily be an issue for another. But as long as the baseline tries to accommodate all of the consumer IoT devices that are out there, so that consumers can make the effort to say, "Aha. This device has a label, and this device does not," so that the active comparing becomes meaningful, I think is going to be a big deal.
Sridhar: I do want to add a point to that. So, I know this particular FCC NPRM is focused on consumer. But in our minds, the consumer security requirements bleed into the enterprise and industrial requirements. I'll just talk about one particular thing. This is post-pandemic, right? The biggest concern among CIOs in 2023 is something called shadow IT. So, with shadow IT — with a good chunk of the workforce being remote — what happens is your home consumer IoT devices essentially are part of the attack surface for enterprises.
So, what happens to security within the enterprise? We have to extend it beyond not just your laptop, but now everything else around us, right? So that is becoming a big concern, and the way this is translating into dollars and cents is the cyber insurance market, that is, what enterprises pay in case they ever have a cyber breach. That market is going up, growing at a rate of 25%, compound annual growth rate. That is incredible, right? So, which means there's increased threats, whether it's shadow IT or not, but the thing is, shadow IT is definitely expanding the overall attack surface, and so we gotta think of not just consumer as siloed, but consumer bleeding into enterprise, and actually look at it in a much more holistic way.
William: Very good point.
Josh: Yes, those are great points. I mean, shadow IT in an organization could be your deathbed. If you don't have the right monitoring... And in some cases, some of these IoT devices don't have the interoperability with some of these tools to actually do monitoring. So, I think that's a gap in the IoT industry. And even in your own house, you might not realize all of these TCP or UDP streams going on. Because it's shadow IT in your own house that you forgot you set up. But from the enterprise perspective, and Sri, a lot of these vendor questionnaires that I field are asking for all of that. There's more transparency that consumers who are purchasing large swaths of products are expecting. They don't want to just see, at the device level, are we secure? Is there risk in the supply chain by adding you as a preferred vendor? All of that stuff is important, and that's why it's extremely hard to really grab this market and say, "You know what? From end to end, we can do everything security." So, companies are having a hard time... "How do we fund that?" And "How do we also build features on top of that?" And then, you know, expensing out enough teams, or having third-party security to be able to monitor that?
Group: Yes, exactly.