Last month, the U.S. Commission on Enhancing National Cybersecurity released a new report titled Securing and Growing the Digital Economy, which offered non-partisan recommendations and a strategic roadmap for addressing the growing cybersecurity challenges that face the United States and its ability to secure an ever-growing connected infrastructure and society. As BlackBerry’s Chief Security Officer, I was honored to provide input to the report focusing on the crisis of confidence in cybersecurity that pervades practically all digital systems, devices, components, and software.
While this crisis of confidence is often blamed on insufficient security technology and inadequate adoption of best practices, BlackBerry believes that the most underserved and critical aspect of solving the crisis is developing methods and programs for evaluating security, so that all relevant stakeholders can first understand the security posture of their critical systems and then make better decisions about which security improvements are needed to fill the gaps. Our response provides considerably more background on this problem and on how to solve it using an efficient methodology backed by a strong public-private partnership.
I’m very pleased to see that the Commission took our advice to heart and made cybersecurity assurance programs an important part of its recommendations. In several places within the report, the Commission stresses the need for a public-private partnership to develop efficient, effective standards to ensure devices and systems are “secure to market”, and that all stakeholders, including non-technical consumers, are “able to readily assess whether the devices they purchase comply” with such standards. The Commission endorses the use of rating systems and/or security labels to fulfill this requirement: “To improve consumers’ purchasing decisions, an independent organization should develop the equivalent of a cybersecurity ‘nutritional label’ for technology products and services—ideally linked to a rating system of understandable, impartial, third-party assessment that consumers will intuitively trust and understand.” BlackBerry fully agrees that an independent non-profit organization, backed by all relevant stakeholders – in industry, academia, and government – rather than a government-owned and operated program, is the right approach.
Of course, the devil is in the details, as creating effective assurance programs is difficult indeed. BlackBerry continues to lead the way in this arena, not only by certifying its own products to the most stringent security standards available, but also by helping to create, where they are lacking, the kinds of standards endorsed by the Commission – for example in medical devices and automotive systems – and by supporting good standards as an authorized auditor. After all, we can’t raise the cybersecurity bar if we don’t know how to measure its height.