Google’s five principles for IoT security labelling

  • November 8, 2022
  • Steve Rogerson

Following the announcement by the US government that it plans to launch an IoT labelling service, Google has laid out five principles for implementation.

In a blog post by its security team, Google said it believed security and transparency were paramount pillars for electronic products connected to the internet. But it said the details of IoT product labelling, the definition of labelling, what labelling needed to convey in terms of security and privacy, where the label should reside, and how to achieve consumer acceptance, were still open for debate.

It defines a label as printed and/or digital representation of a digital product’s security and/or privacy status intended to inform consumers and/or other stakeholders. A labelling scheme is a programme that defines, manages and monitors the use of labels, including user experience, adherence to standards or security profiles, and lifecycle management of the label. An evaluation scheme is a programme that publishes, manages and monitors the security claims of digital products against security requirements and related standards.

“We believe in five core principles for IoT labelling schemes,” said the blog. “These principles will help increase transparency against the full baseline of security criteria for IoT. These principles will also increase competition in security and push manufacturers to offer products with effective security protections, increase transparency and help generate higher levels of assurance of protection over time.”

The five principles are:

  1. A printed label must not imply trust. Unlike food labels, digital security labels must be live labels, where security and privacy status is conveyed on a central maintained web site, which ideally would be the same site hosting the evaluation scheme. A physical label, either printed on a box or visible in an app, can be used if and only if it encourages users to visit the web site such as by scanning a QR code or clicking a link to obtain the real-time status.
  2. Labels must reference strong international evaluation schemes. The challenge of using a labelling scheme is not the physical manifestation of the label but rather ensuring the label references a security and privacy status or posture that is maintained by a trustworthy security and privacy evaluation scheme, such as the ones being developed by the Connectivity Standards Alliance (CSA) and the GSMA. Both these organisations are actively developing IoT security and privacy evaluation schemes that reference well-regarded standards, including recent IoT baseline security guidance from Nist, Etsi, ISO and OWASP.
  3. A minimum security baseline must be coupled with security transparency. A minimum security baseline must be coupled with security transparency to accelerate ecosystem improvements. Security labelling is nascent, and most schemes are focused on common sense baseline requirement standards. These standards will set an important minimum bar for digital security, reducing the likelihood that consumers will be exposed to truly poor security practices. However, security is not a binary state. Applying a minimum set of best practices will not magically make a product free of vulnerabilities, but it will discourage the most common security foibles. Furthermore, it is folly to expect that baseline security standards will protect against advanced persistent threat actors. Rather, they’ll hopefully provide broad protection against common opportunistic attackers.
  4. Broad-based transparency is just as important as the minimum bar. While it is desirable that labelling schemes provide consumers with simple guidance on safety, the desire for such a simple bar forces it to be the lowest common denominator for security capability so as not to preclude large portions of the market. It is equally important that labelling schemes increase transparency in security. So much of the discussion around labelling schemes has focused on selecting the best possible minimum bar rather than promoting transparency of security capability, regardless of what minimum bar a product may meet. This is short-sighted and fails to learn from many other consumer rating schemes such as consumer reports that have successfully provided transparency around a much wider range of product capabilities over time.
  5. Labelling schemes are useless without adoption incentive. Transparency is the core concept that can raise demand and improve supply of better security across the IoT. However, what will cause products to be evaluated so that security capability data will be published and made easily consumable? After thirty years of the world wide web and connected digital technology, it is clear that simply expecting product developers to do the right thing for security is insufficient.

National labelling schemes should focus on a few of the biggest market movers, in order of decreasing impact, the blog said.

Some national governments are moving towards legislation or executive orders that will require common baseline security requirements to be met, with corresponding labelling to differentiate compliant products from those not covered by the mandate. National mandates can drive improved behaviour at scale. However, mandating a poor labelling scheme can do more harm than good.

For example, if every nation creates a bespoke evaluation scheme, small and medium size developers would be priced out of the market due to the need to recertify and label their products across all these schemes. Not only will non-harmonised approaches harm industry financially, they will also inhibit innovation as developers create less inclusive products to avoid nations with painful labelling regimes.

Retailers of digital products could have a huge impact by preferencing baseline standards compliance for digital products. In its most impactful form, the retailer would mandate compliance for all products listed for sale. The larger the retailer, the more impact is possible. Less broad, but still extremely impactful, would be providing visual labelling and/or search and discovery preferences for products that meet the requirements specified in high-quality security evaluation schemes.

Many digital products exist as part of platforms, such as devices built on the Android Open Source Project (AOSP) platform or apps published in the Google Play app store. In addition, interoperability standards such as Matter and Bluetooth act as platforms, certifying products that meet those interoperability standards. All these platform developers may use security compliance within larger certification, compliance and business incentive programmes that can drive adoption at scale. The impact depends on the size and scale of the platform and whether the carrots provided by platform providers are sufficiently attractive.

“Our goal is to increase transparency against the full baseline of security criteria for the IoT over time,” said the blog. “This will help drive competition in security and push manufacturers to offer products with more robust security protections. But we don’t want to stop at just increasing transparency. We will also strive to build realistic higher levels of assurance. As labelling efforts gain steam, we are hopeful that public sector and industry can work together to drive global harmonisation to prevent fragmentation, and we hope to provide our expertise and act as a valued partner to governments as they develop policies to help their countries stay ahead of the latest threats in IoT.”