White House Says A ‘Nutrition Label’ for Cybersecurity is Key to Reassuring Consumers and Enterprises. BlackBerry Agrees.


Making sure it's organic.

Last month, the U.S. Commission on Enhancing National Cybersecurity released a new report titled Securing and Growing the Digital Economy, which offered non-partisan recommendations and a strategic roadmap for addressing the growing cybersecurity challenges that face the United States and its ability to secure an ever-growing connected infrastructure and society. As BlackBerry’s Chief Security Officer, I was honored to provide input to the report focusing on the crisis of confidence in cybersecurity that pervades practically all digital systems, devices, components, and software.

While this crisis of confidence is often blamed on insufficient security technology and best practices adoption, BlackBerry believes that the most underserved and critical aspect of solving the crisis is developing methods and programs for evaluating security, so that all relevant stakeholders can first understand the security posture of their critical systems and then make better decisions on what kinds of security improvements are needed to fill the gaps. Our response provides a lot more background about this problem and how to solve it using an efficient methodology backed by strong private-public partnership.

I’m very pleased to see that the Commission took our advice to heart and made cybersecurity assurance programs an important part of its recommendations. In several places within the report, the Commission exhorts the need for a public-private partnership to develop efficient, effective standards to ensure devices and systems are “secure to market”, and that all stakeholders, including non-technical consumers, are “able to readily assess whether the devices they purchase comply” with such standards. The Commission espouses the use of rating systems and/or security labels that can fulfill this requirement: “To improve consumers’ purchasing decisions, an independent organization should develop the equivalent of a cybersecurity ‘nutritional label’ for technology products and services—ideally linked to a rating system of understandable, impartial, third-party assessment that consumers will intuitively trust and understand.” BlackBerry fully agrees that an independent non-profit organization, backed by all relevant stakeholders – in industry, academia, and government – rather than a government-owned and operated program, is the right approach.

Of course, the devil is in the details, as creating effective assurance programs is difficult indeed. BlackBerry continues to lead the way in this arena, not only by certifying its own products to the most stringent security standards available, but also by helping to create, where they are lacking, the kinds of standards espoused by the Commission – for example in medical devices and automotive systems – and by supporting good standards as an authorized auditor. After all, we can’t raise the cybersecurity bar if we don’t know how to measure its height.

About David Kleidermacher

I am dedicated to the vision of a trustworthy, scalable Internet of Things, including mobile devices, connected embedded systems, and cloud infrastructure. I oversee product security strategy as BlackBerry's Chief Security Officer. I am a leading authority in systems software and security, including secure operating systems, virtualization technology, and the application of high robustness security engineering principles to solve computing infrastructure problems. I earned my bachelor of science in computer science from Cornell University and am a frequent speaker and writer in the area of computer security, including delivering the 2014 Embedded World Conference keynote, "Securing the Internet of Things", and I am the author of the book "Embedded Systems Security" (Elsevier, 2012).
