Afero Chief Security Strategist Bret Jordan participated in a discussion today with other security experts about the Cyber Trust Mark and how it will positively impact security and privacy for the Internet of Things.
The U.S. Cyber Trust Mark is a labeling program for IoT devices being led by the White House and is designed to help consumers make informed purchasing decisions and create incentives for manufacturers to meet higher cybersecurity standards.
“This program is in direct alignment with Afero’s uncompromising view of security and privacy for all devices,” Jordan said during the discussion. “We believe the products that consumers buy and use should be secure by design.”
In addition to Jordan, the discussion featured Tatyana Bolton, Security Policy Manager at Google; Kevin Kraus, VP of Technology Alliances and IoT Business Development for Yale and August's Residential Electronic Lock Business; Scott Register, Lead of the Security Solutions Team at Keysight Technologies; and Mike Hodge, Solutions Lead for the Emulator Portfolio at Keysight Technologies, who served as host and moderator.
The U.S. Cyber Trust Mark program was first announced last year and Afero has supported it from Day 1. The Cyber Trust labels are expected to be on consumer products at some point in 2024.
Google’s Tatyana Bolton said during the discussion that Cyber Trust Mark’s best feature is that it increases transparency: “That is key to making sure that consumers can actually buy items that are more secure. We think that transparency increases the baseline of security for consumer purchasing decisions.”
Yale US’ Kevin Kraus agreed and compared the mark’s impact to that of the Energy Star label on appliances or a nutritional label on the food we buy. The label is a forcing function for improved disclosures to enhance the consumer experience.
“Just like any standard,” Kraus said, “establishing minimum requirements for cybersecurity means manufacturers are going to have to adopt best practices in secure design — unique, non-guessable default passwords, secure authentication mechanisms, and testing devices in the lab against real-world cyberattacks and trusted third parties.”
Keysight’s Scott Register said that testing products against a standard is a good initial step but that manufacturers should still do more over the lifetime of devices: “When we’re thinking about these IoT devices, a lot of them may have very long operational lifespans. You put in a webcam, a video doorbell, or a garage door opener and it may be there for a decade, so it’s really important to keep testing that device so that, over that timeframe, you’ve maintained security for your customers.”
Afero concurs that security is not a one-time feature integration. Security should be woven into a device’s entire lifecycle, an approach that Afero has taken as the platform powering millions of devices across 130+ product categories from 35+ manufacturers and large retailers like The Home Depot and Kingfisher in the U.K.
“Security really starts before any line of code is written,” Jordan said. “And we are committed to laying that groundwork from supply chain to end user, from device to cloud, and from cloud to mobile app. But the real key is to not have this bolt-on, after-the-fact security.”