
With all due respect, I think the market should address this. Like UL Approval from Underwriters Laboratories, players in the market can submit their products to an organization that vets their security and sets standards about updates, product lifetimes, security incident response time commitments etc to obtain their seal of approval. Perhaps the seal has grade levels to indicate the vendor's commitment to security. The highest grades indicate regular audits of vendor practices. And a website where approval status (and possible revocation) can be looked up.

This simultaneously enables innovation by small players while providing a pathway for bigger players to put a meaningful trust signal on their packaging and advertising.



The UL example is one where it would be hard for improved security to happen by itself. UL was founded to solve for fire risk when insuring buildings. It received funding from underwriters that would benefit from the label.

I don't see any particular entity benefiting from security labels - it's a problem of the "commons" where you generally need government intervention of some sort.


I think the way to make this proposal work is to pass legislation to actually have meaningful financial liability for data breaches.

IFF companies have financial liability, then the market can be expected to find a cost-effective solution.

Without any selection pressure though, there is no reason to think the market will spend resources to solve this. Users empirically don't understand security, don't price it appropriately in advance, and aren't able to evaluate the security qualities even if they do want to pay more for a "secure" product.


You can't see the consumer benefitting from a certification label? Interesting. Also, the vendor benefits by gaining more sales.


Yes, the consumer would benefit. But consumers are not a concrete interest group like "property insurers". They lack the concentration of economic power needed to cover the costs.


I'm not sure you are following them. The UL was funded by the Insurance companies. Their point was that there was some organized, rich entity to pay for the costs of operation as they had a financial stake.


I like this approach, it doesn't necessarily need to be just the "market" performing the audits however. The FDA handles audits of medical software companies just fine. Focusing on the Quality Management System and their Risk Assessment/Security practices seems like a solid approach, and of course centralize this data and make it easily searchable as much as possible, and provide API access to it in case vendors like Amazon want to integrate it and display certifications/grades for products/manufacturers automatically.

All that being said, I have no idea how much manpower or money it would take to do audits at that scale, or even what the scale of IoT Devices vs. Medical Devices is.


FDA: $450K per product. And they aren't doing very much more than asking the vendor to describe their protocols, then ensure the vendor complies with their protocols and any agency guidance. Source: I work at an FDA-regulated company.


It depends... I just worked my part of certifying a product (security) and it was only ~$40k.

Agreed on the current state of the FDA filings - there's a lot of paperwork and process auditing - but guidance is lacking and I'd like to have more clarity rather than just "industry best-practices." That said - things are much better and it seems like the trajectory is improving.


Did not know it was $450k per product, my second responsibility outside of software engineering was being the risk manager at my previous company as well which is FDA-regulated.

Still, many IoT companies that sell products don't even have protocols or a QMS at all, and need some kind of heat applied to them.


I might be a bit cynical, but if you divide the world of IoT into companies that do things well (but charge more) and companies that do things badly (but charge less), then I think the following might happen if you mandate QMS and audits.

The companies that do well already just add to their costs (and prices) as they need to employ people to maintain these systems, and companies that do badly will also have to hire those people, and increase their prices, but they will be creating a paper shield around the products, rather than a genuine product improvement.


It's not just covered by hiring compliance people. You need to have an actual quality management system, e.g. a Jira (or whatever) instance that links from bug reports to documentation to code commit to feature deployment. Instead of just having an email address and sometimes letting the engineers know, and the engineers sometimes make a code commit with a message that makes any kind of sense, and engineers sometimes reviewing code, and engineers sometimes forgetting a region to deploy the update to.

You might think these kinds of things are table stakes, and I would agree.


Agree; I make software as a medical device. My point is you often don't have to do that. You just have to fling a lot of paper at an auditor, which can be generated well (as you describe, and as I would do, and the good companies in my example would already do) or badly (which the bad companies in my example would do) where it's basically generated post hoc in a hurry.


This would make for a fine comment on the record. It would be great to have suggestions about pros and cons of government, court, third-party and other audit means.


I'll work on it some more based on feedback I'm receiving and submit it. Thank you.


I can see it being useful for audiences who know what they're looking for. As an average retail consumer, if I saw such a label I would either have no idea what it means or have to do my own research about what UL is - not to mention the impossibility of them enforcing anything. I guess they could remove the label but how would I know a product I'm using has violated their commitment - routinely check a UL website?


If Amazon etc. was partially responsible for checking the database for you and ensuring listings are properly updated in a reasonable timeframe then it would be more accessible for the average consumer. Even if a consumer doesn't know what UL certification means, if product A has it and product B doesn't and they are similar enough in price, the consumer may opt for product A.

Edit: Reasonable timeframe should probably be dependent on the size/scale/competency of the marketplace platform. In other words, Amazon should be held to a higher standard than a low traffic web store.


It would be up to the certification organization to market their seal of approval to increase awareness.


Not a bad idea at all. However, if they are not doing this already voluntarily, they'll need to be persuaded. Perhaps a role for the FCC.

