Plans from the Biden administration to release product security rating system could raise the bar for security overall, say experts, but won’t likely prevent the next SolarWinds or Microsoft hacks.
In a briefing to reporters Friday, senior official compared the forthcoming rating system to the health and safety letter grades at restaurants. And it is a concept that the cybersecurity community has batted around for some time: place a label on the box that says a product is or is not secure, and let consumers create a market around security.
But experts say the simplicity of that concept is both its strength and its weakness: it’s a concept that is easy to understand and could drive compliance with a set of standards, but it won’t prevent more sophisticated attacks and could create a false sense of complacency.
“Labeling won’t solve nation-state problems, no matter how good the label is, even if it’s perfectly enforced and sets a really high bar,” said Beau Woods, cyber safety innovation fellow at the Atlantic Council and a volunteer with the internet-of-things security advocacy group I Am The Cavalry.
Several governments, both individual nations and the European Union, have pursued cybersecurity standards in recent years, particularly around IoT devices. At the briefing, the administration specifically mentioned Singapore’s labeling law. Labels create a voluntary basic cybersecurity standard.
The problem is that basic standards do a good job addressing the vast majority of hackers, but they do not address hackers with extraordinary capabilities. No standards can create perfectly secure products, because they simply don’t exist.
Brad Rees, chief technology officer of the ioXt Alliance, an industry group developing labeling standards for IoT, noted that the issues behind the SolarWinds hack likely would not have shown up on a product rating.
“It’s unfortunate that the White House chose to throw out or tease an IoT labeling scheme in the middle of talking about a Chinese-state hacker with Microsoft Exchange,” he said. “Labeling schemes are here to prevent baseline security issues. They’re not…