On March 22, 2017 at the Senate Committee on Commerce, Science, and Transportation, a hearing was held on The Promise and Perils of Emerging Technologies for Cybersecurity. I was honored to be able to testify.
During the two-hour committee, a variety of comments and questions arose from the Senators. One discussion, in particular, stuck with me from Senator Markey.
The Cyber Shield Act that Senator Markey proposed seeks to give the consumers of Internet-connected products (IoT) clear and accurate information on security. Think of it as a sort of technical Consumer Reports.
This should, in turn, allow consumers to make more informed purchasing decisions; similar to the Environmental Protection Agency and the Department of Energy’s Energy Star Ratings for appliances, or the National Highway Transportation Safety Administrations five-star safety ratings for automobiles.
With more accurate information informing decisions, consumers will then be able to make smarter purchasing decisions. One of the major goals of the Act would be to drive manufacturers and vendors to compete on the basis of providing better security, not just on marketing and sales, which should lead to building and maintaining better security across their products and services.
The Cyber Shield Act: Promoting Best Practices
The Act is meant to identify and promote Internet-connected products that meet industry-leading security and data security standards. One of the first things that the suppliers of technology will need to do to meet best practices, will be to have an established and well-run security-by-design or security development lifecycle to guide the creation of technology and minimize potential vulnerabilities.
Essentially, they will be strongly encouraged to think about building security into their products from day one – right alongside thinking about product design, usability, and marketing.
In addition, manufacturers and vendors will need to apply a measurement criteria for a cybersecurity score to their Internet-connected products. The goal is to measure each vendor, manufacturer, and product on the same metrics and best practices in order to level the playing field.
The effort to establish the Cyber Shield Act and rating system to set those best practices in motion will be very difficult, but it is something that we strongly believe should be pursued. In my view, the measurement criteria for the score will be the most daunting task.
That said, once it has been finalized, these criteria have the added benefit of being used as a general scoring mechanism for every new, emerging piece of Internet-connected technology.
Those new companies, many crowdfunded and founded by entrepreneurs with little to no security backgrounds, will finally have guidelines to follow when they do seek out security contractors and experts. In short, they’ll have a place to start.
An Integrated Approach To Cybersecurity
I am pleased that Senator Markey has indicated this will be a voluntary program. I believe market forces should be used to drive improvements in security and that this sort of effort is needed to prime the pump of those forces to do what they are not doing on their own today.
I would like to see the Cyber Shield Act take an open approach to establishing standards and best practices. This could be accomplished with a wide range of stakeholders set up into working groups made up of experts. Using an open public review and comment process similar to that used to establish the NIST Cyber Security Framework would also make sure we have strong public and private perspectives addressed.
There will be some naysayers along the path to getting the Act passed and the shield established, including of course, many who will point out that even the highest rating will not guarantee security. But we already know that to be true, just as a crash rating doesn’t necessarily guarantee safety in a car accident. That does not, however, diminish the value of the rating.
The Cyber Shield Act would, at the very least, give consumers more confidence that they will be better inherently protected, rather than making them throw up their hands in frustration and making buying decisions based on features only, or not buying Internet-connected gadgets at all due to fear.
Others will say new attack vectors will emerge that were not necessarily considered in the original rating. Of course, this is also true, but that is also why a part of the measurement criteria should be post purchase security through not only built-in mechanisms, but also add-on capabilities that secure devices by preventing malicious code pre-execution.
New Legislation For New Threats
In cybersecurity, we know that we are always facing a changing landscape of threats and attacks and that to do nothing is, of course, not the answer.
Others will note that IT components may be manufactured outside of U.S. jurisdiction. This argument is a bit trickier, but in general, I consider it a red-herring distraction, because the final supplier of the Internet-connected device should still be able to evaluate the security-by-design processes used by a subcontractor to design a component, and the final product can still be tested against the Act's measurement criteria.
Again, we could point to the automotive industry here. The proposed Cyber Shield Act is an ambitious undertaking and some will doubt it can be effective.
Nevertheless, I remain positive that the Cyber Shield Act could be a catalyst to change the path of unmitigated risk we are currently heading down. As a country and as a society, we need incentives to encourage vendors and manufacturers to improve the security posture of their products. This, in turn, improves overall security in the creation cycle of technology.
We need to encourage the modernization of security capabilities that can prevent malicious code, pre-execution, with high efficacy and without degrading the user experience. That is not a pipe dream. It is a must as we look to the future of securing the public from attacks.
If done right, the Act and the shield it proposes will create a broad-based consumer-driven continuous improvement cycle for cybersecurity which does not exist today, but is sorely needed.
Malcolm Harkins
Cylance Chief Security & Trust Officer
Address to the Senate Committee on Commerce, Science, and Transportation.
