We previously discussed a labeling system that would mark network assets as safe to use from a cybersecurity standpoint, as one way to help curb internet cyber pollution. This is an important topic because there is a tremendous amount of insecure software in the wild: millions of servers and desktops, and billions of IoT devices. At Arctic Security, we see how they affect thousands of organizations every day when those weaknesses turn out to be exploitable.
We also discussed finding ways to determine whether an organization is being negligent in its approach to helping stop cyber pollution. But knowledge is not enough; we also need to persuade organizations to do better.
Now the idea of the labeling approach is indeed a good one. Regulators could create an environment where devices must be deemed safe for use in the networked world before deployment. In the USA, Underwriter Laboratories (UL) undertook such a task with the creation of UL 2900, which was meant to be a security certification for devices built upon the longstanding reputation UL has garnered by certifying the safety of devices. It is applied to devices such as electrical appliances and tools to prevent failures that can lead to injury, death, or massive fires.
This initiative arose from the massive fire that destroyed part of Chicago in the early 20th century. Eventually, the availability of the certification led to insurance underwriter organizations requiring a UL seal to insure companies that made, sold, and used such devices. This is an example of an approach that creates a barrier to entry rather than directly penalizing organizations for not complying. Persuasion by creating a tangible incentive to do things better.
Now, this is not always 100% effective. You can still buy products in the US that do not carry a UL certification or a competing equivalent certification (such as TUV in Europe) and take your chances. In the EU, most electrical products must be certified and labeled with the CE mark. This has led to improved manufacturing practices that have become so commonplace that even non-certified devices today are much safer than those of 100 years ago. Something to strive for in cyberspace.
There are also instances where direct penalization for negligence may be appropriate. One example would be organizations that outright misrepresent a system's cybersecurity “hygiene” and safety. Again, this would have to be determined by comparing the claims against well-established criteria, which we still lack. Another would be organizations that, having been given ample opportunity to correct such issues, still avoid making corrections, or perhaps rectify only some of the known problems and not all of them.
Ultimately, however, the consumer plays an important role. If the consumer of networked products and systems allows devices polluting the internet to continue operating, they will continue to operate. So maybe we need to talk about the consumer…