The Cyber Shield Act – Modernizing Security Standards for IoT

The Cyber Shield Act, introduced by Senator Ed Markey, proposes a voluntary program that would establish uniform cybersecurity and data-security benchmarks for consumer devices. The goal of the bill is to improve consumer decision making at the point of purchase through a standardized, industry-wide rating that manufacturers maintain for their products, similar to the EPA energy rating on appliances or the NHTSA safety rating on automobiles.

DLT supports the Cyber Shield Act and lauds its recognition of the growing importance of IoT and the security risks that come with it. Gartner reports that by 2020 there will be 20.4 billion connected devices, 63% of which will be used by consumers, raising many security concerns. Consumers cannot be expected to research every product, its supply chain, its current technology, and its risk profile to determine whether it is safe to buy. A rating system would enable buyers to make informed purchases without extensive homework.

The Cyber Shield Act would make security a key factor in consumers' purchasing decisions. Consumers would be aware of the need for cyber and data security before a device is even in their hands, and the act rightly incentivizes manufacturers to build secure products in order to succeed in the marketplace.

For this act to make a real difference, the cyber standards must be objective. Rather than allowing manufacturers to self-certify their own products in their own interest, there must be third-party verification, with ratings tied to security-by-design requirements such as those specified in NIST SP 800-160, "Systems Security Engineering".

It is also essential for the security ratings to be dynamic. A static rating cannot reflect a device's resilience in the face of a fluid threat landscape and the pace of IT innovation: a device that earns a high rating at the time of sale may be exposed by vulnerabilities discovered months later, so the rating should account for the manufacturer's commitment to security updates and support over the device's lifetime, not just its initial design. Building a viable system that keeps security ratings current is a technical challenge, but it is central to the success of this bill.

Accompanied by a large-scale effort to educate consumers on cybersecurity issues, especially IoT, the Cyber Shield Act can lead a necessary cultural shift toward a proactive approach to data protection and security. Under this proposal the burden of security falls on the manufacturer, and the customer gets more information up front about internet-enabled devices. Keep in mind, of course, that a rating is not a guarantee: a car with a better safety rating than another is still not invincible.

We encourage you to read the Institute for Critical Infrastructure Technology's (ICIT) analysis of this bill and to call your senators to voice your support for it.