Want to Rank Devices’ Cybersecurity? Here’s How to Do it.

Want to tell consumers how cybersecure their internet-connected cars, cameras and toasters are? That might be harder than it looks, a cybersecurity think tank said Thursday.

Creating such a rating system is an “excellent idea,” the Institute for Critical Infrastructure Technology said in Thursday’s analysis. It will be far more difficult to implement, however, than rating cars for fuel efficiency or buildings for energy conservation, ICIT Senior Fellow James Scott said.

Why? First, there are the companies that offer digital products, which will want to water down ratings criteria. Then, there are consumers unwilling to wade through the fine printing of ratings too complex. Finally, there’s the threat landscape itself, which is constantly evolving, Scott said.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The analysis was prompted by Cyber Shield, a legislative proposal floated by Sen. Edward Markey, D-Mass., during a March Commerce Committee hearing. Markey described the program as a voluntary one-star to five-star rating that would vet connected devices on a number of cybersecurity metrics including how easily they can be updated to defend against new threats.

Markey’s proposal got a mixed reception from industry panelists at the hearing who worried the ratings would quickly fall out of date or that consumers would become overconfident in a device’s security because of a high rating and not take basic precautions.

Venky Ganesan, who chairs the National Venture Capital Association, expressed concern government-backed ratings would inhibit innovation and that government should leave the job to market incentives.

Markey shot back that “markets had years to do something,” but devices are no more secure.

There are three main criteria to ensure a Cyber Shield program works, ICIT’s Scott said.

First, officials must ensure industry leaders are involved in developing the ratings but not leading the team. If industry leaders play too large a role, they could water down the rankings to the point they serve little value or large companies could “weaponized” the rankings so only the biggest companies can afford to earn five stars, Scott said.

Second, the program should include a substantial public education component aimed at making consumers care enough about cybersecurity that the rankings actually change their buying decisions.

“This is a daunting effort; however, it is a cultural shift that needed to happen years ago but lacked the right fulcrum,” Scott said. “An education provision of Cyber Shield will also provide a significant secondary victory, even if industry does not widely adopt the certification or if implementation proves difficult.”

Finally, the rankings themselves should go beyond a mere one-star to five-star ranking to incorporate more dynamic data, Scott said, perhaps through a QR code that calculates real-time scores based on the threat landscape.

“An artificial intelligence system could even be trained to weigh the data and calculate accurate scores,” Scott said. “Instead of a star system (i.e. 4/5, etc.), Cyber Shield might be more meaningful and effective with a confidence score (i.e. there is a 92 percent chance that this device collects, processes and transmits data securely).”

Even if ratings are static, those ratings should be calculated when devices are close to market, after as much of their supply chains are completed as possible, Scott said, especially overseas portions.

Rankings should also be done by trusted third parties, not by companies themselves, he said.