White House considers cybersecurity ratings to boost visibility
By enhancing cybersecurity visibility and creating a market for it, the Biden administration wants to encourage the use of products and services that have security built in at the outset.
The White House may soon roll out a cybersecurity ratings system that would provide greater visibility into the security of hardware and software products and encourage the market to develop more secure systems.
In a March 12 background press call on the Biden administration’s response to the Microsoft Exchange Server and SolarWinds intrusions, an unnamed senior administration official stressed the importance of increasing product and network visibility, modernizing and IT infrastructure across the federal government and sharing information with the private sector.
Starting with the nine federal agencies compromised by the SolarWinds attack, the official said the administration would be “rolling out technology to address the specific gaps we identified.” The technology will then be deployed more broadly to the rest of the federal government “to ensure we have the visibility we need to have trust in our networks, that we can protect the important work the federal government does on behalf of the American people,” the senior official said.
To mitigate the cost of incident response and cleanup resulting from insecure technologies, the White House wants to encourage the use of products and services that have security built in at the outset by enhancing cybersecurity visibility and creating a market for it.
Years ago, when New York City Mayor Michael Bloomberg wanted to improve restaurant sanitation, the administration official said, “he required restaurants to put a simple rating -- A, B, C, D — in their front window to make a market -- to make a market around health and sanitation.”
The official also pointed to Singapore, which has introduced a program that rates and labels consumer internet-of-things devices against cybersecurity standards. The currently voluntary program launched in October 2020, but only Wi-Fi routers and smart home hubs were evaluated. Now the Cybersecurity Labelling Scheme (SLC) covers all categories of consumer devices, such as IP cameras, smart door locks, smart lights and smart printers in an effort to improve overall cybersecurity hygiene and better secure the nation.
SLC identifies four tiers of cybersecurity provisions, starting with products that feature basic password protection and regular updates to those that have undergone third-party penetration testing. It gives consumers “a basic level of security assurance … by implementing basic safeguards and eradicating common mistakes and vulnerabilities,” according to the SLC website.
“We don’t have that in the U.S. today,” the official said. “We don’t have that transparency so that people can make a market for cybersecurity.”
The administration is “looking to do a very similar thing with cyber and the cybersecurity of software companies we buy software from,” the official said, with more details becoming available in the next few weeks.
“[We’re] thinking through rebooting the approach to software security, rebooting the approach to software security standards, and trying to get to a goal we have: that the level of trust we have in our systems is directly proportional to the visibility we have to their cybersecurity,” the official said. “The level of that visibility needs to match the consequences if those systems fail.”
NEXT STORY: Unpatched Exchange Servers hit with ransomware