Will the Biden Administration adopt a Cybersecurity Labelling Scheme (CLS)?
An unprecedented year of targeted malware and ransomware threats kicked off with the SolarWinds attack back in January, a data breach affecting several government institutions and exposing the sensitive data of more than 425 of the US Fortune 500 companies. When nearly 30,000 macOS devices across 153 countries were infected by the malware known as Silver Sparrow a month later, the public turned its eyes to the White House for updates regarding national cybersecurity policy.
We discussed the possibility of the Biden Administration adopting a cybersecurity rating system from Singapore in our last cybersecurity roundup. As the IoT market continues to grow, the government will likely receive more pressure to implement preventative security measures. One proposed solution introduces a Cybersecurity Labelling Scheme (CLS): a ranking solution with the potential to establish new IoT security standards and protocols across the market.
What is a Cybersecurity Labelling Scheme (CLS) and how does it work?
The first of its kind to appear in the Asia-Pacific region, Singapore’s Cybersecurity Labelling Scheme (CLS) categorizes and ranks smart devices according to their cybersecurity capabilities on the following scale:
- Tier 1: Meets basic security requirements.
- Tier 2: Adheres to security-by-design principles.
- Tier 3: Defends against common software vulnerabilities.
- Tier 4: Equipped to protect against cyber-attacks.
A declaration of compliance, and often supporting evidence, is required of all companies seeking tier-1 and/or tier-2 certification, while an assessment report from a CSA-approved laboratory is needed to reach tier-3 or tier-4 standards. This voluntary system is intended to hold manufacturers of smart devices more accountable for the security measures taken at the production level.
Part of a larger SG$1 billion initiative to transform Singapore’s cyber and data security systems nationwide, the CLS was specifically designed to:
- Empower consumers with better device transparency, enabling them to factor the safety of their home network into a purchase.
- Incentivize manufacturers to enhance products' security protocols, ultimately improving Singapore's national cybersecurity standards.
While this new system may extend the go-to-market lifecycle for products, especially those enhanced with additional security features, it ultimately aims to reduce the number of vulnerable products falling into the hands of unsuspecting users. Flashy new IoT products are still appearing on Singapore’s market, but the country’s manufacturers are beginning to realize that consumers care more about security protocols than previously assumed.
The Cybersecurity Agency of Singapore (CSA) is still monitoring participation to determine whether the Cybersecurity Labelling Scheme will become mandatory for all consumer IoT devices. Although still considered more of a trial than a permanent policy, there is already potential for adoption of similar systems outside of Singapore, including in the United States.
Will the US adopt a Cybersecurity Labelling Scheme (CLS)?
There is currently no standardized cybersecurity labelling system for consumer devices in the United States, but that is subject to change between 2021 and 2024. Previous attempts by the Trump administration to expand the nation's cybersecurity budget were predicted to continue under Biden, with the new President announcing plans to launch the “most ambitious effort ever” to bolster national cybersecurity standards.
While this doesn’t necessarily point to a national data privacy law implementation, it does highlight that the government is turning its focus towards increasing product visibility, modernizing IT infrastructure, and mitigating the cost of major data breaches caused by vulnerable devices.
Those who oppose the implementation of a standardized rating system point to the difficulties of streamlining cybersecurity regulations, including:
- A wide range of risks to assess, which vary greatly from system to system.
- Highly unpredictable implementation costs.
- Wide variation in the technical and financial ability of firms to support security measures.
Well aware of these hesitations, the Biden administration would likely offer manufacturers incentives to support a new Cybersecurity Labelling Scheme, similar to what was done in 2013 with the implementation of the National Cybersecurity Framework. Businesses participating in upholding the framework were offered:
- Special consideration for federal critical infrastructure grants.
- Priority in receiving certain government assistance.
- Public recognition for framework adoption.
While the Biden Administration has hinted at its interest in exploring Singapore’s Cybersecurity Labelling Scheme as a potential solution for the US, consumers will have to wait to see whether any upcoming policy changes are enacted. For a more detailed look at the tensions between cybersecurity and other public policy concerns, The National Academies Press offers a great resource, At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues (Chapter 5).
Will more countries adopt a cybersecurity labelling scheme?
Finland became the first European country to certify networking devices via cybersecurity labelling in November 2019, which likely inspired the new national Internet of Things (IoT) security requirements established in the UK in 2020.
While Singapore is currently the only other country with its own national labelling system, 11 European cybersecurity organizations have applied for the shared ‘Cybersecurity Made in Europe’ label that the European Cyber Security Organisation (ECSO) released this year. Designed solely for European manufacturers, this label is intended to differentiate the cybersecurity standards of European companies, primarily SMBs and start-ups, from the global competition.
Moving forward, countries interested in establishing a national standard for cybersecurity will most likely look to the five pillars of the ITU Global Cybersecurity Agenda for inspiration:
- Legal Measures
- Technical & Procedural Measures
- Organizational Structures
- Capacity Building
- International Cooperation
The methods through which these pillars are upheld will differ by country and region, but it is clear that elevating technological standards, regulating consumer expectations, and protecting the people accessing cyberspace will be a global priority in 2021 and beyond.