Milestones in IoT security – the first anniversary of the “Executive Order on Improving the Nation’s Cybersecurity”

This is the first in a series of blog posts spotlighting “milestones” in consumer IoT security policy from around the world. This series will showcase the real and potential impact of significant and ambitious regulatory actions from around the world, as well as a growing global consensus to improve consumer IoT security.

Today marks one year since the White House released the “Executive Order (EO) on Improving the Nation’s Cybersecurity,” a landmark directive from the President of the United States to mitigate increasing national cyber risk. As the EO states, “the United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” The same is true for technology users across the globe. Cyber criminals relentlessly search for new ways to extract data and information, and otherwise compromise computing devices, for malicious purposes and/or financial gain. While much of the EO is focused on improving the cybersecurity of government systems (an important goal), one section focuses specifically on protections for consumers in the area of IoT security – a high priority for the Cybersecurity Tech Accord and its signatories.

Consumer IoT device security is an area where the Cybersecurity Tech Accord has devoted much of its efforts in recent years, both on its own and in collaboration with partners across stakeholder groups. Earlier this year, working with the World Economic Forum, I Am The Cavalry, and Consumers International, we released a joint statement to set priorities and build consensus across the industry, consumer advocate, and security researcher communities. The statement specifically called on manufacturers and vendors to support five minimum capabilities in consumer IoT devices:

(1) No universal default passwords;

(2) Implement a vulnerability disclosure policy;

(3) Keep software updated;

(4) Secure personal data; and

(5) Secure communications.

The necessity of these capabilities as a foundation to building more secure devices is widely recognized, and the statement is now endorsed by over 100 organizations from across stakeholder groups around the world, including a number of government cybersecurity agencies.

The Executive Order has, in the past year, helped further prioritize these security capabilities. In the directive, President Biden tasked the U.S. National Institute of Standards and Technology (NIST) with developing a security label for consumer IoT devices. This ambitious effort builds on NIST’s extensive track record on cybersecurity, and specifically IoT security, and on its experience coordinating input from across the multistakeholder community. In February of this year, NIST released recommended criteria for the proposed label, which we were glad to see cover each of the security capabilities highlighted above. Similarly, other governments, including Singapore and India, are taking action to improve IoT security by recommending these core capabilities, among others.

We are pleased to see this increased attention and growing consensus around a starting point for building more secure IoT devices. The EO and the work elsewhere across the globe, coupled with commitments from responsible technology companies to increase IoT security, will drive tangible progress in protecting online and connected users and devices. We hope this momentum not only continues but increases in the coming years, and the Cybersecurity Tech Accord looks forward to partnering further with all stakeholders to ensure it does, leading by example and highlighting best practices to better protect consumers everywhere.