The Atlantic Council of the US is calling for technology distributors to enforce IoT security standards for all products they source from overseas manufacturers.
The proposal from the council — which bills itself as “a nonpartisan organisation that promotes constructive US leadership and engagement in international affairs” — is contained in a new report, The Reverse Cascade: Enforcing Security On The Global IoT Supply Chain, produced in conjunction with the Scowcroft Center for Strategy and Security and the Cyber Statecraft Initiative, and co-authored by the internationally renowned security technologist Bruce Schneier.
It summarises the well-known problem that many IoT devices are low-cost, offer minimal security and are manufactured outside the US, so the US has limited means of enforcing any standards on them. Instead, the report proposes applying regulatory pressure to domestic technology distributors to drive adoption of security standards throughout their supply chains.
According to the report, addressing foreign enforcement of security standards is an essential hurdle that governments must clear in order to ensure that digital transformation continues to provide benefits without compromising consumer product safety or national security.
‘Reverse cascade’ to enforce standards
It argues: “This reverse cascade enforces standards back to foreign manufacturers by preventing domestic sale or distribution of products that don’t adhere to the standard. The reverse cascade’s effectiveness is amplified where these supply chains are unusually concentrated in a single or small handful of firms. This approach addresses US regulators’ limited influence in foreign jurisdictions and relinquishes the need to monitor hundreds, if not thousands, of overseas manufacturers directly.”
It says the linchpin of this reverse cascade for IoT would be “an international, or at the least broadly recognised, set of standards for the secure design and manufacturing of IoT devices … [that] encompass a variety of different product types and manufacturing stages.”
The report also proposes a label signifying conformance to this standards ‘baseline’, noting: “A recent survey by a cybersecurity firm found that nearly three quarters of consumers expected their IoT devices to be secured by the manufacturers, with 87 percent believing that it is the manufacturers’ responsibility to do so.”
It suggests a proposed National Cybersecurity Certification and Labeling Authority (NCCLA) or an existing agency like NIST could create a simple labelling scheme for the selected international standard, creating a second source of pressure on distributors and, thereby, manufacturers.
In Australia, the IoTAA has proposed a similar scheme, as has the UK Government.