Can labelling programmes make smart devices cybersecure?
Cybersecurity labelling programmes for smart devices would allow customers to make more informed purchases Image: Getty Images/iStockphoto
- Around 672 million households are expected to use smart home devices by 2027, but the cybersecurity of these devices can vary.
- The onus is placed on consumers to inform themselves about device security. Yet a device’s cybersecurity information may not be easily available or may be difficult to understand.
- A cybersecurity labelling programme for smart devices would incentivize manufacturers to prove that their devices had passed robust cybersecurity assessments and allow customers to make more informed decisions.
Around 672 million households are expected to use smart home devices by 2027. With increased connectivity comes greater risks, including cyberattacks, invasion of privacy, harassment, ransom requests and more. Reports of smart devices being hacked are no longer rare; it happens daily.
Devices that are meant to provide convenience become a source of threat and stress. In 2020 in Singapore, around 50,000 home security cameras were compromised with footage being sold to illicit websites. Imagine the devices you installed to protect your home compromising your privacy instead.
In the face of such threats, the World Economic Forum’s Global Action and Progress Report 2022 suggests that decent progress has been made by the international community on connected technology governance. The public and private sectors, for instance, are conversing and establishing best practices and standards to combat cybercrime. However, these steps will only be effective if common best practices are built globally and reduce the often fragmented nature of approaches to preventing cybercrime.
Labelling for smart devices
In an ideal world, internet-connected devices would be secure by design across their lifecycle, but smart devices are mostly designed to optimize functionality and have multiple vulnerabilities, making them less resilient to cyberattacks.
To better protect themselves from the risk of attacks, consumers are expected to inform themselves about device security. Yet a device’s cybersecurity information may not be easily available or may be difficult to understand. Too often smart device users learn the hard way.
According to Beau Woods, cyber safety advocate with grassroots digital safety I Am The Cavalry: “It is untenable to deny buyers information to factor security into buying decisions, while also placing full liability on them for any harm that comes from no fault of their own. Especially as most of them expect products on the market have a baseline level of security and safety.”
What if there was a cybersecurity rating label for smart devices? Manufacturers would have to prove that their smart devices had gone through robust cybersecurity assessments and fulfilled standards. Customers could make more informed decisions.
Product labelling dates back to the late 1800s, when it was first implemented to protect consumers from hazardous or inaccurately labelled products. Governments are increasingly interested in applying smart device labelling for cybersecurity. Nations like Singapore, Finland and Germany have established cybersecurity labelling programmes for consumer smart devices, providing insights into device security.
These programmes can also help manufacturers maintain competitiveness and incentivize them to include the prevention of cyberattacks in the design of devices from the pre-design phase.
In Singapore, smart devices are star-rated based on their built-in cybersecurity provision so a person can compare devices before buying. More stars signify a device has met more stringent requirements and gone through more rigorous security testing.
Germany has introduced a voluntary labelling scheme for IoT devices. By scanning the QR code or following the short link on a label, package or webpage, a consumer can check that a device has met these requirements before making a purchase. After being granted the German IT security label, which is valid for two years, devices are subject to market surveillance which may test devices on a random or occasion-related basis.
The Biden Administration announced a labelling programme based on cybersecurity criteria published by the National Institute of Standards and Technology (NIST).
Opportunities for progress
The disruptive nature of smart devices and cybersecurity can present challenges to the labelling process:
- Static labels provide information that is valid only for a period and requires updating, rather than presenting information in real time. To overcome this, labels should include a dynamic component that makes it possible to track security information.
- Labelling programmes might not be benchmarked at the appropriate level. Those benchmarked to a lower than adequate baseline could create the wrong incentives for manufacturers: depending on the type of labelling programme, companies may choose the easiest or cheapest option and limit further action to reach higher levels of device security. On the other hand, overly stringent requirements might create a barrier to entry. Labelling programmes should ensure requirements are achievable, sustainable and adequate to mitigate against cyberattacks, while having a mechanism to incentivize manufacturers to continuously strive towards higher device security and cost-effective innovation.
- If new devices with enhanced security enter the marketplace but have not gone through a process to obtain a label, they may not get the same attention by consumers as a labelled device with a lower level of security.
For labelling to work, these barriers must be addressed collectively. National-level programmes can be supported by incentive schemes for manufacturers, raising awareness of smart device risks and benefits for consumers, and improving cybersecurity education.
The future of device labelling
Nations such as Singapore and Finland are collaborating to reduce barriers through mutual agreements. The NIST and the US Department of Commerce have made the case for supporting mutual recognition of labelling schemes between national economies and the need to communicate effectively about IoT device security.
In a world where security by design is limited, labelling to inform consumers is a starting point but more research, consultations and pilots are needed to understand what difference labels can make for individuals and businesses. A holistic, systems-led approach to truly enable smart devices to benefit society is needed. Critical actions include:
1. Securing connected devices by design where security is embedded across the entire device lifecycle.
2. Reducing fragmentation of labelling programmes by governments, associations, and businesses internationally.
3. Giving consumers access to up-to-date, easy-to-read and accurate information to make informed purchasing decisions.
4. Mitigating environmental risks by adopting circular economy models and re-evaluating how we extract and use finite natural resources to create connected devices.
Understanding the real impact of device labelling on consumer behaviour and incentivizing manufacturers can provide the driving force to make smart devices secure by design and increase transparency of security.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.