Combating Botnets through Consumer IoT Cybersecurity Labeling

Written by: Yongjia Chen, Dathan Duplichen, Andrew Shu, Anna Nguyen Yip

Although the ransomware threat currently gets the most attention, botnets remain a significant problem in the digital ecosystem. As part of our capstone project in the Master’s in International Policy degree program at Stanford’s Freeman Spogli Institute for International Studies, our team reviewed the botnet threat and developed a set of policy recommendations to reduce one facet of the problem: compromised consumer Internet of Things devices. Multiple cybersecurity labeling schemes have been developed, but with little coordination, which hinders their effectiveness. This blog post outlines several key considerations for the NIST-coordinated working group to take into account in its mission to integrate the existing schemes into one national label and achieve international interoperability and mutual recognition with other nations.

Link Between Botnets and Consumer IoT Labeling
In the fourth quarter of 2020, a full 99.8% of botnets utilized a Linux operating system. Given that 71.8% of IoT devices also utilize a Linux OS, it is no wonder that Nokia’s 2019 Threat Intelligence Report white paper indicated that 78% of detected events were attributable to Internet of Things (IoT) bot activity. A specific challenge to this realization is that IoT device users rarely observe the impact of a botnet infection on their devices. This negative externality creates a unique challenge to addressing the problem. Researchers, in addressing this growing threat, were forced to ask, “How do you motivate consumers and manufacturers to take action against a threat that individual users are largely unaffected by?”

Lee’s sliding scale of cybersecurity, as well as a look internationally, lend answers to this question. Lee’s sliding scale postulates that by attending to basic security standards (configurations, patching, transmission security) a device can be secured against a large array of threats with minimal financial investment. As the assurance of security increases, the cost of closing the remaining gap also increases, with diminishing returns. This demonstrates that with minimal investment a manufacturer can secure a device against a large portion of the threats that exist. For subsequent gains in security, increasingly cost-prohibitive steps must be taken. Therefore, an intervention need not require large capital investments to have a significant effect. Product manufacturers can achieve an “80% solution” with minimal burden.

The Singapore Cybersecurity Agency instituted the Cybersecurity Labeling Strategy (CLS) in March 2020 and faced a conundrum similar to the one discussed here, namely consumer incentive. Their work determined that when the focus was placed on consumer privacy through personally relatable stories, consumers linked privacy to security. This encouraged adoption of higher-security devices. Research by Johnson et al. confirmed a willingness to pay additional premiums for more secure devices. The important element is that consumers must understand the value they are receiving for that increased premium. Influencing consumer purchasing habits at the point of sale for IoT devices appears to be the most significant way that botnets can be addressed. A labeling strategy that informs consumers and is easily adoptable by manufacturers could achieve this result.

Consumer IoT Labeling Strategies
Two formally implemented national labeling strategies garner significant attention: the Singapore CLS and the Finnish Cybersecurity Label (CL). These two labels take different approaches to the consumer experience. While CLS informs consumers through a graduated ranking system of four stars, Finland’s CL uses a binary pass/fail standard. Interviews indicate that the likely outcome of a binary system is a perverse incentive to do the minimum needed to meet the standard and to hold back investment in increased security. Additionally, social science research indicates that a graduated ranking of stars creates a false impression among consumers that each level is equidistant in security/privacy advantages.

In the United States, there are several initiatives spearheaded by academia and the private sector, notably the Carnegie Mellon IoT Security & Privacy Label and the Underwriter’s Laboratory (UL) IoT Security Rating Label. Both add to the perception of what a potential unified label may look like. The Carnegie Mellon University (CMU) model provides transparency and depth of information that would be useful to a security practitioner or knowledgeable consumer, but is overly complex for the lay consumer. Additionally, it would require significant space on the product packaging. The UL model is well-formed and is a benchmark for the non-linear tiers previously mentioned. The requirement for validation testing underwrites the entire labeling scheme, providing confidence in its conclusions. However, the proprietary nature of the UL label poses a challenge for formal international adoption.

Labelling Lessons Learned
Regarding the design of the label, a close examination and comparative analysis of the existing initiatives yields the following key elements. The label should feature a non-linear tiered system in which the additional investment needed to achieve each subsequent tier is not constant. This would ensure easy comprehension for consumers and facilitate informed purchase decisions. The initial tiers should be self-reported and easy for manufacturers to comply with, while higher tiers should include external validation. Detailed data and privacy information should be made available to consumers, not on the label itself but through a link or QR code on the label. The label should reflect the Out of Box (OOB) settings of the device, while including a link to the manufacturer’s user guide on elevating security from the default settings. The scheme should require manufacturers to renew the label certification to ensure regular updates.

Looking Forward
On May 12th, 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity, instructing the National Institute for Standards and Technology (NIST) to establish a national working group to build national synergy across strategies. This working group will bring together relevant stakeholders to find a single labeling strategy. This plan benefits business owners significantly by sparing them the business risk of guessing which strategy will prevail in the eyes of consumers and is therefore worth the investment to adopt. The strategy should also include synchronization across international standards. This will be critical to buy-in from manufacturers. As various governments adopt standards, manufacturers will not want to be required to submit for approval in each individual market. It would be useful for adoption if the national standard were mapped to internationally accepted guides such as the U.S.’ NIST 8259A, the EU’s ETSI EN 303 645, Singapore’s IMDA IoT Cyber Security Guide, and the UK’s Technology Code of Practice. Ongoing discussions at various international forums, including the World Economic Forum, create strong momentum for nations to work towards internationally recognized cybersecurity standards and mutual recognition agreements.

The most challenging stakeholders to address will be small and medium-sized manufacturers that lack the capital to make significant product modifications. Addressing their concerns will be critical for market adoption. Two strategies can be implemented to gain support. First, the labeling strategy should be voluntary. No requirement should be made for manufacturers to participate. Second, the entry level of the labeling system should be self-reported. This will allow manufacturers acting in good faith to gain recognition with minimal financial investment. A potential tertiary strategy is a certification fee holiday for a period of two years. This allows manufacturers to gain the certification at no cost in order to determine its business feasibility after the renewal term.

Nokia reported significant increases in botnet activity since 2016. Botnets, unfortunately, are a nuisance that is not likely to go away. Attempting to stop all botnets is a “whack a mole” effort that is unlikely to succeed. Adhering to Lee’s Sliding Scale, we can foresee that with minimum investment in consumer IoT devices we can achieve an “80% solution.” In order to do this, consumers must feel the value they are getting by purchasing more secure devices. A national labeling strategy that is easily understood by consumers, partnered with a messaging strategy focused on privacy advantages, can achieve this goal. Manufacturers will need to perceive benefits from their investment in redesign and repackaging. The primary means to achieve this is through international reciprocity agreements and fiscal incentives.

About the authors:
Dathan Duplichen holds a master’s degree from the Stanford FSI’s Ford Dorsey Master’s in International Policy program concentrating on Cyber Policy and Security. He is a career technology specialist for the United States Department of Defense who focuses on international cooperation in cyberspace.

Anna Nguyen Yip (Nguyễn Thuý An) specializes in cyber policies in the Asia Pacific region as well as frontier technologies and digital transformation strategies. She earned the Ford Dorsey Master’s degree in International Policy at the Stanford Freeman Spogli Institute for International Studies and a Bachelor’s in Business Administration (First Class Honours) at the National University of Singapore.

Andrew Shu is a U.S. Navy Cryptologic Warfare officer. He holds a master’s degree in International Policy at Stanford University.

Yongjia Chen holds a master’s degree in International Policy concentrating on Cyber Policy and Security at Stanford University.

The views and opinions expressed in this blog post are entirely those of the authors and not of the aforementioned organizations.

Author: Michael Daniel