Sixty years ago, Paul Baran and Sharla Boehm at The RAND Corporation released a seminal paper that would fundamentally reshape the cyber world forever more. Their paper, simply known as Memorandum RM-1303, described how specialized computers could be used to route digital communications among a distributed universe of other computers. It set the stage for a flood of endless developments that resulted in the interconnected world of everything, everywhere, all the time.
A few days later, Paul Baran published a second, less-known seminal paper that would also fundamentally reshape the cyber world. That paper, known as Memorandum RM-3765 and directed at the U.S. national security community, described a bold new world of cybersecurity—articulating all the threats and mitigations. It also set the stage for a different kind of flood—a cybersecurity Zero Trust universe of ever-expanding vulnerabilities and mitigations.
Three years later, in the spring of 1967, following extensive collaboration between the National Security Agency’s (NSA) Bernard Peters and RAND’s Willis Ware, a public cybersecurity conference was orchestrated at Atlantic City where they announced their insights to the world. Their companion papers described in prescient detail what was feasible for a modicum of cybersecurity and what was not. The key findings were that “security cannot be attained in the absolute sense,” and that it was essential to implement critical security controls “to attain a probability of loss which is commensurate with the value returned by the operation being secured.”
Last year, the Federal Communications Commission (FCC) released another paper that would demonstrate how political institutions are capable of collective cyber madness, and added to the expanding “IoT Cyber Seal Fog.” The FCC published a Notice of Proposed Rulemaking in Docket 23-239, in a kind of explosion of frustration, and embarked on a Cyber Trust Label Gambit of compliance testing proffered to significantly expand its own bureaucracy, pursue the discredited chimera of absolute cyber security, and potentially harm the nation’s cybersecurity.
A few days ago, the FCC in an Order unleashed this cyber mishegoss as a new set of rules—weirdly under the all-caps oxymoronic title “Part 8—INTERNET FREEDOM.” The Order pursues most of the cyber risk actions eschewed sixty years ago as largely unfulfilling and has a striking resemblance to the onerous European Union Cyber Resilience Act (CRA) mandatory regulations.
At the outset, it should be noted that what ensues here is political theatre. The U.S. Congress and White House demanded doing something, so their compliant Federal agency obliged with “something.” You know they have accomplished their task because the FCC Commissioners self-congratulate at the end of their promulgating document saying, “because the future of smart devices is big and the opportunity for the United States to lead the world with a global signal of trust is even greater.” Or, better yet, “I’m thrilled that we are enacting this order today.” Bear in mind that this is from an agency that has essentially zero cybersecurity expertise and a long history of eschewing participation in any cybersecurity activity except for its own industry advisory cybersecurity subgroup, which long ago recommended alternative approaches.
Similarly, the Order is bereft of input or citations from any of the many communities that actually deal with IoT vulnerabilities, Internet engineering, and cyberthreats—such as FIRST, MITRE, GSMA, 3GPP, or the IETF. It simply ignored all the comments in the proceeding that did not comport with the proposed certification scheme. The FCC states in the Order that it relied instead on “being informed” by entities—all having a well-established institutional or financial interest in certification testing. Never mind that sixty years ago, in a much simpler world, it was recognized that such schemes are ineffective for software products that constantly evolve and have no steady state: the certification is obsolete the moment the product is powered up and connected to a network, and its security depends on myriad local variables.
Whether the harm to cybersecurity done by the FCC rules is somehow compensated by any real benefits is dubious. The one saving grace of the FCC Order is that it proposes a “voluntary” scheme that few, if any, IoT vendors are likely to embrace or consumers seek. However, the FCC’s attempt in its Order to make their scheme “effectively mandatory” by potentially linking it to the decidedly mandatory and onerous European Union Cyber Resilience Act (CRA) provides sufficient concern to add to a basis for judicial appeal and broad industry opposition.
The FCC dubiously asserts in its new rules that the “Order…elevate[s] the nation’s cybersecurity posture and provide consumers with assurances regarding their baseline cybersecurity.” However, the only things the rules actually accomplish are to create a huge new, multi-tiered bureaucratic ecosystem, internal and external to the FCC, that is funded forever by those applying for the cyber trust seals, who also subject themselves to FCC cybersecurity certification jurisdiction, authority, testing, and reporting. Inquiring minds would ask what rational product vendor CEO would do this to obtain an FCC cyber label and a listing in its sponsored registry.
An initial starting point in an analysis of the rules is the FCC’s definition of the subject matter—Consumer IoT Products. Such products are those “intended primarily for consumer use,” and exclude medical devices and motor vehicle equipment. Products are defined both as “an IoT device and any additional product components (e.g., backend, gateway, mobile app) that are necessary to use the IoT device” and under the manufacturer’s control. An “IoT Device” is “an Internet-connected device capable of intentionally emitting radiofrequency energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world.”
This abstruse word salad of vague terminology has little to do with technology, but is mainly crafted to further the FCC’s rubric for entering the cybersecurity business under its existing legislative authority. In today’s Software Defined Network (SDN) ecosystem, the definition is also an enormous assertion of global jurisdiction over almost everything digital—here also resembling the EU’s CRA definition of digital elements and processes.
Assuming there is actually some entity that would be interested in a label, who can apply? This is where it gets interesting, and the FCC’s manifestation of xenophobia is on full display—introducing almost insurmountable complexities. No product or component produced by the scores of constantly changing prohibited entities listed by the FCC, the Commerce Department, the Department of Defense, or the GSA can get a label. The analysis necessary to vet all product components against those lists is almost incomprehensible.
Lastly, there are the application requirement details. This is where the bureaucracy really begins. For every product and product change, applicants must submit 22 sets of information and declarations “in a form and format prescribed by the Commission,” with a penalty of perjury for anything that is not “true and correct.” In addition to the prohibited entity requirements, the applicant must declare it “has taken every reasonable measure to create a securable product,” notwithstanding the reality that absolutely securable products are fundamentally not possible to create.
The FCC scheme also completely ignores the challenge of open-source software. The one exception is a proposal in the Further Notice of Proposed Rulemaking that the declaration under penalty of perjury concerning software from “high-risk countries” would not apply to open-source software.
Applicants must also “diligently identify critical vulnerabilities in our [sic] products and promptly issue software updates correcting them” for the stated support lifetime of the product. The IoT label applicant must also agree to being subject to investigations for non-compliance, auditing, and must retain relevant records.
A huge new tiered bureaucratic ecosystem is created under the new FCC scheme. The ecosystem includes Cyber Label Administrators (CLAs), CyberLABs, CLA-Run Labs, In-House Testing Labs, and IoT Registries. Each has its own rules, accreditation programs, processes, and delegated powers. The IoT Registry provisions also include the ability to expand reporting requirements. However, the Rules themselves cannot actually be known, because the Commission incorporates by reference three ISO/IEC standards costing 453 Swiss Francs—pointing only to the standards body’s sales office rather than facilitating transparent availability. It is a disdained practice that the Commission’s own Federal appellate court addressed last year.
All of the activity is subject to ever-expanding FCC notice and comment proceedings, and to expansive new rules requiring applicants to provide any “additional data elements that the Bureau deems necessary.”
Of special note is the Commission’s focus on performing “post-market surveillance activities.” The Order asserts that “this requires vigorous review and enforcement to ensure that products bearing the Cyber Trust Mark are in compliance with the program standards.” However, given the Commission’s all-encompassing definition of IoT as basically everything digital, combined with the ubiquity of internet access, how exactly is surveillance of a digital device, software or process with an FCC trust label possible? The Order delegates the surveillance and auditing authority to CLAs to implement.
The FCC Order’s expansive “voluntary” regulatory scheme bears a striking resemblance in substance and bureaucracy to the European Commission’s even more excessive mandatory regulatory scheme known as the Cyber Resilience Act (CRA). The FCC Order provides notice that it will “coordinate and engage with international bodies maintaining their own labeling programs” and consider mutual recognition of labels.
Authority is delegated to Commission staff “to develop international recognition of the Commission’s IoT label and mutual recognition of international labels.” Reference is also made to a troubling “EU-US Joint CyberSafe Products Action Plan” “to work together on achieving mutual recognition for government-backed cybersecurity labeling programs and regulations for IoT devices.” All of these provisions set the stage for potential FCC regulatory creep into de facto mandatory certification.
The Commission ignored the concerns widely expressed that these kinds of IoT regulatory certification schemes themselves constitute cyber threats. As was recognized 60 years ago, it is fundamentally not possible to produce networked computer devices that are free from threats. The threats arise from all manner of vulnerabilities that cannot be tested—in part because their manifestation depends on innumerable implementation and deployment variables unknown to the vendor. Those vulnerability classes that can be tested currently number in the several hundreds and are constantly evolving. The testing resources and expertise needed are enormous.
The vulnerability ecosystem is constantly discovering new vulnerabilities. Suggesting to consumers that a simple label or information in an FCC registry provides them significant cybersecurity is simply disinformation. Consumers should instead be encouraged to adopt an appropriate Zero Trust Model and implement Critical Security Controls that include necessary security configurations.
The onerous FCC and EU certification schemes, which require disclosure of discovered vulnerabilities and recertification with every change, are certain to make FCC-certified vendors reticent to do the necessary frequent patch development and deployment. Consumers will bear the consequences with less secure products.
A Further Notice of Proposed Rulemaking (FNPRM) is also included with the FCC Order and will create a continuum of submitted comments, orders, and rules. The Commission proposes even more onerous and far-reaching, if not impossible, requirements dealing with software components, transit and storage of information, and “cellular interface modules” [sic], and would require the product provider to submit and update this information on a label registry page.
Given the expansive and extreme regulatory actions of the FCC, it seems highly likely that multiple interested parties will appeal the Commission’s order to the Federal Court of Appeals for the DC Circuit shortly after the Rules come into force in April. A number of bases could constitute a cause of action, such as lack of authority, unreasonableness, or anticompetitive effect.
If the FCC IoT label regulations manage to survive judicial review, the significant size of the regulatory bureaucracy, processes, and collaboration, along with like-minded regulatory brethren abroad, will expand and struggle to implement the provisions. It is a phenomenon referred to by cybersecurity professionals as entering the Common Criteria Tunnel of Doom—where increasing resources are expended endlessly with diminishing returns.
It is difficult to imagine why any IoT vendor would buy into the FCC’s cybertrust label scheme with all of its adverse consequences and potential criminal perjury liability. There are better private-sector IoT labels in the marketplace. Knowledgeable consumers could well regard the FCC label as an indicator of diminished cybersecurity capacity. So, it is possible that the scheme will simply collapse as a misbegotten regulatory dud among the fog of other IoT schemes. Meanwhile, cybersecurity vulnerabilities and incidents will continue to increase—exacerbated by misdirected resources that should have been focussed on implementing Zero-Trust and Critical Security Control models that demonstrably reduce risk.
The FCC label certification scheme seems like an embarrassing, misguided political display of its own lack of knowledge rather than the global cyber trust leadership it is seeking.
The good news is that a number of significant private sector companies and groups have undertaken independent cooperative efforts with the vulnerability discovery community to engage in effective analysis and “approval” of IoT products entering the marketplace without the government bureaucracy.
I have been both a fan and a critic of Common Criteria for much the same reasons. It is an expensive path to follow and has some justification for some elements. It is, however, notoriously difficult to apply in large distributed systems that are mutable by design, and in which the operational deployment is uncertain. In fact, it is so difficult to apply in such systems that trying to certify the system is probably unattainable. It is trying to say a building is perfect because one brick in the entire edifice is perfect. It doesn’t work that way. The tunnel of doom is that unless all the combinations are tested, and all the processes in support of those combinations are tested, the process is always going to be best effort. If regulations require going down this path, I’d suggest it is going to cause stagnation of the innovation and market growth that we need, as all resources will be required to do the evaluation, and we’ll reach a point where we have nothing left to feed the programme with. It is its own existential crisis in that it will eventually eat itself.