Can labelling programmes make smart devices cybersecure?

Around 672 million households are expected to use smart home devices by 2027. With increased connectivity comes greater risks, including cyberattacks, invasion of privacy, harassment, ransom requests and more. Reports of smart devices being hacked are no longer rare; it happens daily.

Devices that are meant to provide convenience become a source of threat and stress. In 2020 in Singapore, around 50,000 home security cameras were compromised with footage being sold to illicit websites. Imagine the devices you installed to protect your home compromising your privacy instead.

In the face of such threats the World Economic Forum’s Global Action and Progress Report 2022 suggests that decent progress has been made by the international community on connected technology governance. The public-private sector, for instance, is conversing and establishing best practices and standards to combat cybercrime. However, these steps will only be effective if common best practices are built globally and reduce the often fragmented nature of approaches to preventing cybercrime.

Labelling for smart devices

In an ideal world, internet-connected devices would be secure by design across their lifecycle, but smart devices are mostly designed to optimize functionality and have multiple vulnerabilities making them less resilient to cyber-attacks.

To better protect themselves from the risk of attacks, consumers are expected to inform themselves about device security. Yet a device’s cybersecurity information may not be easily available, or may be difficult to understand. Too often smart device users learn the hard way.

According to Beau Woods, cyber safety advocate with grassroots digital safety I Am The Cavalry: ‘It is untenable to deny buyers information to factor security into buying decisions, while also placing full liability on them for any harm that comes from no fault of their own. Especially as most of them expect products on the market have a baseline level of security and safety.’

What if there was a cybersecurity rating label for smart devices? Manufacturers would have to prove that their smart devices had gone through robust cybersecurity assessments and fulfilled standards. Customers could make more informed decisions.

Product labelling dates back to the late 1800s, when it was first implemented to protect consumers from hazardous or inaccurately labelled products. Governments are increasingly interested in applying labelling to smart devices for cybersecurity. Nations like Singapore, Finland and Germany have established cybersecurity labelling programmes for consumer smart devices, providing insights into device security.

These programmes can also help manufacturers maintain competitiveness and incentivize them to include the prevention of cyberattacks in the design of devices from the pre-design phase.

In Singapore, smart devices are star-rated based on their built-in cybersecurity provision so a person can compare devices before buying. More stars signify a device has met more stringent requirements and gone through more rigorous security testing.

Germany has introduced a voluntary labelling scheme for IoT devices. By scanning the QR code or following the short link on a label, package or webpage, a consumer can check that a device has met these requirements before making a purchase. After being granted the German IT security label, which is valid for two years, devices are subject to market surveillance which may test devices on a random or occasion-related basis.

The Biden Administration announced a labelling programme of cybersecurity criteria published by the National Institute of Technology and Standards (NIST).

Opportunities for progress

The disruptive nature of smart devices and cybersecurity can present challenges to the labelling process:

Static labels provide information that is only valid for a period and then requires updating, rather than presenting information in real time. To overcome this, labels should include a dynamic component so that security information can be tracked.

Labelling programmes might not be benchmarked at the appropriate level. Those benchmarked to a lower than adequate baseline could create the wrong incentives for manufacturers: depending on the type of labelling programme, companies may choose the easiest or cheapest option and limit further action to reach higher levels of device security.

On the other hand, overly stringent requirements might create a barrier to entry. Labelling programmes should ensure requirements are achievable, sustainable and adequate to mitigate against cyberattacks, while having a mechanism to incentivize manufacturers to continuously strive towards higher device security and cost-effective innovation.

If new devices with enhanced security enter the marketplace but have not gone through a process to obtain a label, they may not get the same attention from consumers as a labelled device with a lower level of security.

For labelling to work, these barriers must be addressed collectively. National-level programmes can be supported by incentive schemes for manufacturers, raising awareness of smart device risks and benefits for consumers, and improving cybersecurity education.

The future of device labelling

Nations such as Singapore and Finland are collaborating to reduce barriers through mutual agreements. The NIST and the US Department of Commerce have made the case for supporting mutual recognition of labelling schemes between national economies and the need to communicate effectively about IoT device security.

In a world where security by design is limited, labelling to inform consumers is a starting point but more research, consultations and pilots are needed to understand what difference labels can make for individuals and businesses. A holistic, systems-led approach to truly enable smart devices to benefit society is needed. Critical actions include:

1. Securing connected devices by design where security is embedded across the entire device lifecycle.

2. Reducing fragmentation of labelling programmes by governments, associations, and businesses internationally.

3. Giving consumers access to up-to-date, easy-to-read and accurate information to make informed purchasing decisions.

4. Mitigating environmental risks by adopting circular economy models and re-evaluating how we extract and use finite natural resources to create connected devices.

Understanding the real impact of device labelling on consumer behaviour and incentivizing manufacturers can provide the driving force to make smart devices secure by design and increase transparency of security.

Source: World Economic Forum