Recommendations for Cybersecurity Labelling

Article by: Taylor Armerding, Software Security Advocate, Synopsys Software Integrity Group.

If one of the goals of President Biden’s May 2021 “Executive Order on Improving the Nation’s Cybersecurity” is fulfilled, you’ll be able to look for a quality and security assurance label on any software product you consider buying. To which anyone who cares about such things — and everybody should — might say “it’s about time.”

Indeed, consumer labelling has long been mainstream when it comes to just about everything else. We take for granted that what we plan to eat or drink has a list of ingredients on the packaging or container. The U.S. Department of Agriculture has a label that food vendors can use if their product is certified organic. Most of us are familiar with the Good Housekeeping Seal and UL certification, which offers some assurance that a vast range of products meets a minimum quality standard. “Look for the union label” has been a slogan for almost 50 years.

But details or seals of approval on the quality of software ingredients? Not so much. Pretty much not at all.

CURRENT STATE OF CONSUMER CYBERSECURITY AWARENESS

While Americans rely on software for just about everything in modern life — communication (email, text, phone), social media, online purchases, games, research, home security, transportation, and much, much more — most remain only dimly aware of what it is, how it works, and the level of its quality and security.

As the National Institute of Standards and Technology (NIST) recently put it, “most consumers take for granted and are unaware of the software upon which many products and services rely, [and] the very notion of what constitutes software may even be unclear.” That is, in large measure, because consumers aren’t told much of anything about it. They generally see only what it does, not what it is, who made it, how it works, or how it could put them at risk.

The Biden executive order (EO) is obviously aimed at closing that gap in consumer awareness. It calls for NIST, the Federal Trade Commission, and other agencies to “initiate pilot programs informed by existing consumer product labelling programs to educate the public on the security capabilities of Internet of Things (IoT) devices and software development practices, and [to] consider ways to incentivise manufacturers and developers to participate in these programs.”

The EO uses similar language to call for the labelling of consumer software.

At one level, an order like that shouldn’t be a tough sell. If an organisation can’t trust its software, the business is at risk. That’s true of consumers as well. If you can’t trust the software powering your app or your device, your personal and financial information are at risk.

But is a label an effective way to achieve better security awareness? Debrup Ghosh, Senior Product Manager with the Synopsys Software Integrity Group, isn’t so sure. “The jury is still out on whether labelling is an effective method of consumer awareness,” he said. “For example, data on whether federal food safety laws increased GMO awareness is inconclusive. Several studies reported conflicting results.”

For consumer IoT devices, the two biggest hypotheses that need to be tested are similar to the GMO question. First, do consumers understand what these labels mean? Second, do they care?

That, as is usually the case, remains to be seen. But according to a 2021 study done in the U.K. and published in the PLOS Medicine journal, color-coded labels on foods did have some effect. They were “instrumental in ‘nudging’ consumers toward choosing more healthful products and could be the underlying psychological mechanism toward cementing this behavioural change,” according to the study.

CYBERSECURITY LABELLING CRITERIA

When will we know if software labelling will be as influential? Realistically, it’s going to take a while — a long while. For starters, earlier this month, in response to the Biden EO, NIST issued two white papers recommending criteria for cybersecurity labelling of consumer software and consumer IoT products.

They open with a few caveats.

  • NIST recommendations are “minimum requirements and desirable attributes.”
  • Those recommendations are not intended to describe how a cybersecurity label should be explicitly represented, nor to detail how a labelling program should be owned or operated.
  • NIST is not designing a specific label, nor is it establishing its own labelling scheme for consumer software or IoT products. Instead, it is seeking input from all interested parties on labelling programs — the deadline is March 15 — and notes that “there may currently be labelling programs that meet the NIST recommended criteria in full or in part.”

The agency does offer some guidance. It said labelling will require context that takes the use or level of risk of a software product into account. We all know that the equipment needed to provide reasonable protection to a race car driver is much more extensive than that for a standard passenger vehicle, although some of those components might be the same.

Similarly, “the risk associated with software is tightly bound to that software’s intended use (both in function and operating environment),” NIST said. “The cybersecurity considerations appropriate for a mobile game will differ from those applied to an online banking app or to run the media station on an automobile.”

The white papers propose a structure for labelling but leave a lot of the details for later. For example, launching the initiative will require “labelling schemes and scheme owners,” which can be public or private organisations.

NIST does require, though, that any proposed scheme answer the following questions:

  • What are the requirements for getting a label?
  • What does the label look like and what information should it contain?
  • What is the process for obtaining and displaying a label on software?

But with neither scheme owners nor schemes in place yet, it will be some time before those questions get answered, especially since, as NIST put it, “there is no one-size-fits-all definition for cybersecurity that can be applied to all types of consumer software.”

Again, NIST does offer detailed guidance about what should be behind the labelling, including scope, the minimum duration of security update support, update method, and the identity of the entity making those claims.

KEEP IT SIMPLE

The label must also include secure software development claims that align with NIST’s Secure Software Development Framework, which it updated in response to Biden’s EO.

But is all of this going to fit on a label? No way. The overall goal is to keep it relatively simple — to give average consumers some confidence in the quality and security of the software running the products they are considering buying, without confusing them with technical jargon. NIST calls for it to be written at an eighth-grade reading level.

That kind of clarity is key according to Michael White, Applications Engineer, Principal, with the Synopsys Software Integrity Group. He pointed to a U.K. survey showing that when a date was quoted as the lifetime to receive updates, 13% of those surveyed thought this implied an expiration date for the device itself. “So extensive consideration must be given to the clarity and style in which information is communicated,” he said.

NIST appears to agree, also saying the label should be “usable by a diverse range of consumers without requiring them to have specialised cybersecurity knowledge.” To accomplish that, it recommends a binary label — a single label indicating that a product has met a baseline cybersecurity standard.

Indeed, the agency devotes an entire section of the framework — “Additional Context for Labelling Criteria” — to recommending that the scheme owner conduct focus groups from all demographics to find the best ways for labels to encourage buyers to choose better software.

Ghosh agrees with a robust education campaign but foresees a potential budget problem. “NIST doesn’t specify how it will be funded,” he said. “It will be crucial to get buy-in from manufacturers and industry groups before this scheme is implemented to ensure appropriate funding.”

CYBERSECURITY LABELLING DETAILS WE CAN EXPECT

Finally, for those who want more detail and technical information, the label should provide a link to a website with additional information that should include, at a minimum:

  • Intent and scope: What the label means and doesn’t mean, including addressing potential misinterpretations like an assumption that a label makes a product more secure than one without a label, or that the label implies a product endorsement
  • Product criteria: What cybersecurity properties are included in the baseline and why and how these were selected
  • A Glossary: Definitions of the applicable technical terms, written in plain language
  • Declaration of conformity: General information about conformity assessment to the baseline criteria, including the date the label was last awarded
  • User data guidelines: What sensitive data is handled by the software and how it’s protected
  • Changing applicability: The current state of product labelling as new cybersecurity threats and vulnerabilities emerge
  • Expectations for consumers: A clear explanation of the consumers’ share of responsibility in securing software
  • Contact information for the labelling program: This should include how consumers can issue a complaint against a vendor regarding a label

All of which sounds comprehensive and useful, but Jamie Boote, senior consultant with the Synopsys Software Integrity Group, notes that it will not just be average consumers using the label. It will be procurement employees in government agencies as well.

“These are labels for contracting officials to read in order to accept or reject software bids,” he said. “These are actionable if one is following the manual government procurement process. But until these are encoded in a machine-readable format that automated decision-makers can accept, reject, or apply mitigations to automatically, they will only provide nominal good and be just another sticker for people to stick on their boxes.”

LOOKING FORWARD

When are labels likely to start showing up? The EO calls for pilot programs to begin nine months after the order was issued, which would make that deadline more than a month ago, in early February. But it left considerable wiggle room about when an official program would begin.

It said a year after the order, the Commerce Secretary (NIST is within the Commerce Department), “shall provide to the President […] a report that reviews the progress made under this section and outlines additional steps needed to secure the software supply chain.”

No deadline on how much time those added steps might take.