It's a big challenge because most consumers only have a foggy understanding about which products are most secure against hacking. Even if they understood better, experts fear security would still rank far lower in buying decisions than factors like price and features.
The big plan from Commerce’s National Institute of Standards and Technology (NIST) is a certificate program that verifies Internet-connected devices meet a set of basic cyber standards such as accepting software patches and allowing users to control what information the devices collect and share about them.
NIST isn’t creating the labels itself but put together a lengthy set of recommendations for what they should look like and is hoping an industry association or standards-setting body will take up the challenge.
The ultimate goal: a virtuous cycle in which consumers prize the certificates, so companies try to earn them, stores and e-commerce sites prefer to stock certified products, and insurers use the certificates to assess product companies' liability.
The effort, which sprang from President Biden’s big cybersecurity executive order in May, marks one of the rare instances in which the government is trying to move beyond hiking cyber defenses in critical industries to actually changing how the broader nation thinks about cybersecurity.
NIST is also pushing a public education campaign that gets consumers to look for and value the certificates in the same way they value certifications that say a product is energy efficient or produced in the United States.
“Making security relatable to someone's daily life and how it can impact them is really critical for the success of this,” Julie Haney, a NIST computer scientist who’s working on the project, told me.
The effort comes as cyber and privacy risks to the average consumer are proliferating. Homes are increasingly stocked with Internet-connected devices such as smart speakers, thermostats and baby monitors — many of them built without security in mind. Hackers frequently compromise those devices to scoop up sensitive information or even harass their users. The computing power from those devices has also been stolen by hackers and harnessed for large-scale cyberattacks.
“People are bringing these things into their homes, into these very personal spaces, and they don't understand the potential security and privacy consequences and risks of that,” Haney said. “The bar really needs to be raised or a lot of people are going to suffer.”
Carbs, fat and protein
The project sprang from a longstanding idea to create cybersecurity labels for tech products similar to nutrition labels on food.
As NIST studied the idea, however, it became clear they needed something simpler. While most Americans can decode nutrition data like calories and sodium levels, their eyes would go bleary when confronted with their cyber equivalents.
They settled on a certificate, which products either earn or don’t. But the certificates will be accompanied by a QR code that can lead consumers to far more detailed information if they want it.
Other recommendations include:
- To the extent possible, the certificates should be managed by one organization and should look the same for all products
- Managers should regularly assess how effective the certificates are in guiding consumers’ buying decisions and change them accordingly
- Certificates should be easy to find for both in-store and online products, and easy to locate and consult even after a purchase is made
NIST will release its final set of recommendations on the program next month, then conduct a survey by May of existing efforts with similar goals that might take on the certificate effort.
While the program itself could get off the ground soon after that, officials cautioned that changing how Americans think about cybersecurity when they buy tech products will likely take much longer.
“Other consumer labeling programs that were successful, it's not a nine month or one year kind of a timeline,” Warren Merkel, NIST’s chief of standards services, told me. “It's a much longer time to get the consumer education right and to get the awareness right. So, hopefully, we'll be successful in providing a jumping in point for somebody to get on that multiyear path.”
The White House is hosting industry leaders today to discuss cyber vulnerabilities in open-source software
Representatives from Amazon, Apple, Facebook and Google are among the companies and organizations that will be attending the meeting, a senior official said. It comes in the wake of a vulnerability in the log4j software library that the U.S. government said was among the most serious in history and could take years to remediate. Nearly a dozen federal agencies and departments will send representatives to the summit, the official said.
The log4j bug has prompted a rush to shore up open-source software, which is vital to large portions of the Internet but typically maintained by volunteers. Other participants at the meeting include IBM, Oracle and the Apache Software Foundation. It will be hosted by Deputy National Security Adviser Anne Neuberger.
At least 35 people in El Salvador were targeted with NSO Group’s Pegasus spyware
The victims included at least 22 journalists from the independent El Faro news site, Mary Beth Sheridan and Craig Timberg report. Some of the journalists’ devices were infected a dozen or more times, which Citizen Lab senior researcher John Scott-Railton called “jaw-droppingly aggressive and persistent.”
The news is already prompting a big response: In an open letter, researchers and nongovernmental organizations have demanded that El Salvador’s attorney general, Rodolfo Delgado, open an investigation into the use of Pegasus in the country. The signatories of the letter — which include Access Now, Amnesty International, and the Committee to Protect Journalists — called for the United Nations to condemn human rights violations of NSO clients and “offer robust support for impartial and transparent inquiries into the abuse.”
A person familiar with the company's operations who spoke on the condition of anonymity to discuss sensitive matters said El Salvador doesn't have an “active system” from the NSO Group, and the company will investigate the allegations. NSO said it considers targeting journalists to be a misuse of Pegasus and it has zero tolerance for such misuse.
In other Pegasus news:
Polish lawmakers approved a committee to investigate Pegasus hacks in the country. Three Polish opposition figures say they were targeted by the spyware, leading a top opposition lawmaker to call the situation in the country a crisis of democracy. The committee was narrowly approved by Poland’s senate, where the opposition party has a small majority. However, the committee can’t require witnesses to testify and lawmakers from the ruling Law and Justice party are refusing to join the committee, the Associated Press’s Vanessa Gera reports.
Pressure is building for the European Union to investigate Pegasus. Renew Europe, the European Parliament’s third largest bloc, called for a committee to investigate spyware accusations, Gera reports. Sophie in ’t Veld, a Dutch member of the European Parliament, called for the European Commission to follow the U.S. government’s lead and “quickly blacklist” NSO.
Check out the Post's full Pegasus Project investigation here.
Election administration races are seeing a fundraising surge after Trump’s phony claims
This year’s races for top state election officials could see record fundraising as the baseless claim that the 2020 election was stolen becomes a centerpiece of the races, the Brennan Center for Justice’s Ian Vandewalker and Lawrence Norden write.
- In the Georgia secretary of state contest, four candidates have raised more than the 2018 winner had at this point. The top fundraiser is Rep. Jody Hice (R-Ga.) who has falsely claimed the 2020 election was rigged.
- Michigan Secretary of State Jocelyn Benson (D) has raised $1.2 million, six times what the previous incumbent in the position raised. A Republican challenger, Kristina Karamo, who has promoted the idea that voting machines could have flipped votes to Biden, has raised more than $160,000.
“Increasingly, election denial is a highly visible issue in races for election administration positions,” Vandewalker and Norden write. “Indeed, as far as we are aware, this is the first time in the modern era that questions about the legitimacy of elections have played such a prominent role in contests for election officials.”
An encrypted phone company secretly run by the FBI shipped more phones to the United States than previously known
More than 100 Anom phones were shipped to the United States in 2020, raising questions about whether more of the phones were used in U.S. law enforcement investigations than previously known, Motherboard’s Joseph Cox reports. It had previously seemed that just about 15 of the phones were used in the United States.
The operation, which lasted three years, ensnared hundreds of alleged criminals who thought they were using phones custom-made for criminal activity but that were actually controlled by the FBI. Australian law enforcement monitored U.S. phones during the operation for legal reasons, Cox reports.
The Senate passed cybersecurity legislation to bolster state and local governments
Lawmakers unanimously approved the legislation, which now goes to the House. It will give state and local governments access to upgraded cyber tools, the Record’s Martin Matishak writes.
Securing the ballot
National security watch
- Rep. Yvette D. Clarke (D-N.Y.), Rep. John Katko (R-N.Y.), the Department of Homeland Security’s Undersecretary for Policy Robert Silvers, and FBI Assistant Director Bryan Vorndran discuss 2022’s cybersecurity priorities at a Silverado Policy Accelerator event today at 9 a.m.
- Silverado Policy Accelerator chairman and co-founder Dmitri Alperovitch, U.S. Secret Service Assistant Director Jeremy Sheridan and FBI Deputy Assistant Director Tonya Ugoretz discuss cybersecurity threats at a Washington Post Live event today at 11 a.m.
Secure log off
“I ain’t seen the sunshine since I don’t know when.” Thanks for reading. See you tomorrow.