Incentivising default cyber hygiene
The Register reports that Singapore wants to provide consumers with cyber-secure environments in the same way it now provides fresh water and sewerage services to its citizens.
How will Singapore go about doing this, you may ask?
The answer is a voluntary cybersecurity labelling scheme that will rate the cyber security level of consumer broadband gateways, among other connected devices.
This was announced by the Brigadier General of the Cyber Security Agency, Gaurav Keerthi, during BlackHat Asia in early October.
Keerthi was reported as saying, “…with everyday life increasingly dependent on online services, he said Singapore has decided it is time to provide the infosec equivalent of clean tap water to all.”
Enter the Cybersecurity Labelling Scheme, or CLS, which CSA says is the first of its kind in Asia Pacific. Since March 2020, CSA has promoted CLS as a way to indicate the level of cybersecurity a smart device provides, reflecting its security features.
This is a two-pronged approach: it helps consumers make more informed buying decisions and understand their cyber risk exposure, and it incentivises manufacturers to develop more secure products. The perception right now is that cybersecurity measures and features are being overlooked because manufacturers tend to favour profits and quicker time-to-market.
The CLS hopes to address this shortcoming.
In April, Bird & Bird, an international law firm, outlined that the CLS will initially focus on Wi-Fi routers and smart home hubs. The CLS would assess and test these categories of devices on:
i) Meeting basic security requirements such as ensuring unique default passwords;
ii) Adherence to the principles of Security-by-Design;
iii) Absence of common software vulnerabilities; and
iv) Resistance to basic penetration testing.
Bird & Bird also drew parallels to the EU certification framework for digital products and services under the EU Cybersecurity Act, which is designed to be a comprehensive, EU-wide scheme applying to specified products and services. A certificate issued under it is required to specify the assurance level and to take into account the intended use of the product or service, in terms of both the probability and the potential impact of an incident.
European examples and challenges
It is also worth noting the Finnish equivalent of Singapore’s CLS, launched in November 2019 by its Transport and Communications Agency, Traficom, which is based upon the draft European Standard EN 303 645 ‘Cyber Security for Consumer Internet of Things’ (“Draft EU Standard”).
Traficom has awarded its label to a smart home device, a smart heating system, and a fitness smartwatch. With the number of applications increasing, the agency indicated it needs more resources in order to examine the applications and the adequacy of the applying companies.
The Draft EU Standard is built upon 13 outcome-focused principles:
i) No universal default passwords;
ii) Implement a means to manage reports of vulnerabilities;
iii) Keep software updated;
iv) Securely store sensitive security parameters;
v) Communicate securely;
vi) Minimise exposed attack surfaces;
vii) Ensure software integrity;
viii) Ensure that personal data is protected;
ix) Make systems resilient to outages;
x) Examine system telemetry data;
xi) Make it easy for consumers to delete personal data;
xii) Make installation and maintenance of devices easy;
xiii) Validate input data.
Details of how devices will be rated by Singapore’s CLS will be revealed during Singapore International Cyber Week 2020, which started this week on October 5th.