Can labelling programmes make smart devices cybersecure?

Around 672 million households are expected to use smart home devices by 2027. With increased connectivity comes greater risks, including cyberattacks, invasion of privacy, harassment, ransom requests and more. Reports of smart devices being hacked are no longer rare; it happens daily.

Devices that are meant to provide convenience become a source of threat and stress. In 2020 in Singapore, around 50,000 home security cameras were compromised with footage being sold to illicit websites. Imagine the devices you installed to protect your home compromising your privacy instead.

In the face of such threats the World Economic Forum’s Global Action and Progress Report 2022 suggests that decent progress has been made by the international community on connected technology governance. The public-private sector, for instance, is conversing and establishing best practices and standards to combat cybercrime. However, these steps will only be effective if common best practices are built globally and reduce the often fragmented nature of approaches to preventing cybercrime.

In an ideal world, internet-connected devices would be secure by design across their lifecycle, but smart devices are mostly designed to optimize functionality and have multiple vulnerabilities making them less resilient to cyber-attacks.

To better protect themselves from the risk of attacks, consumers are expected to inform themselves about device security. Yet a device’s cybersecurity information may not be easily available or difficult to understand. Too often smart device users learn the hard way.

According to Beau Woods, cyber safety advocate with grassroots digital safety I Am The Cavalry: “It is untenable to deny buyers information to factor security into buying decisions, while also placing full liability on them for any harm that comes from no fault of their own. Especially as most of them expect products on the market have a baseline level of security and safety.”

What if there was a cybersecurity rating label for smart devices? Manufacturers would have to prove that their smart devices had gone through robust cybersecurity assessments and fulfilled standards. Customers could make more informed decisions.

Product labelling dates back to the late 1800s, when it was first implemented to protect consumers from hazardous or inaccurately labelled products. Increasingly, there is growing interest by governments in applying smart device labelling for cybersecurity. Nations like Singapore, Finland and Germany have established cybersecurity labelling programmes for consumer smart devices, providing insights into device security.

These programmes can also help manufacturers maintain competitiveness and incentivize them to include the prevention of cyberattacks in the design of devices from the pre-design phase.

In Singapore, smart devices are star-rated based on their built-in cybersecurity provision so a person can compare devices before buying. More stars signify a device has met more stringent requirements and gone through more rigorous security testing.

Germany has introduced a voluntary labelling scheme for IoT devices. By scanning the QR code or following the short link on a label, package or webpage, a consumer can check that a device has met these requirements before making a purchase. After being granted the German IT security label, which is valid for two years, devices are subject to market surveillance which may test devices on a random or occasion-related basis.

The Biden Administration announced a labelling programme of cybersecurity criteria published by the National Institute of Technology and Standards (NIST).

The disruptive nature of smart devices and cybersecurity can present challenges to the labelling process:

For labelling to work, these barriers must be addressed collectively. National-level programmes can be supported by incentive schemes for manufacturers, raising awareness of smart device risks and benefits for consumers, and improving cybersecurity education.

Nations such as Singapore and Finland are collaborating to reduce barriers through mutual agreements. The NIST and the US Department of Commerce have made the case for supporting mutual recognition of labelling schemes between national economies and the need to communicate effectively about IoT device security.

In a world where security by design is limited, labelling to inform consumers is a starting point but more research, consultations and pilots are needed to understand what difference labels can make for individuals and businesses. A holistic, systems-led approach to truly enable smart devices to benefit society is needed. Critical actions include:

1. Securing connected devices by design where security is embedded across the entire device lifecycle.

2. Reducing fragmentation of labelling programmes by governments, associations, and businesses internationally.

3. Giving consumers access to up-to-date, easy-to-read and accurate information to make informed purchasing decisions.

4. Mitigating environmental risks by adopting circular economy models and re-evaluating how we extract and use finite natural resources to create connected devices.

Understanding the real impact of device labelling on consumer behaviour and incentivizing manufacturers can provide the driving force to make smart devices secure by design and increase transparency of security.