A Cybersecurity Nutrition Label Could Fix Market Failure

Consumers care about security and privacy. The U.S. should embrace a cybersecurity nutrition label to inform customers, unlock their latent preference for security, and fix the cybersecurity market failure

 

The resilience of the United States to cyberattacks is dangerously low. Cyberattacks continue to plague and disrupt the stable and continuous operation of everything from government entities to private industry, putting the national security and economic competitiveness of the United States at risk. In recognition of these critical threats, the Obama Administration’s exit memos recommended that the incoming Trump Administration prioritize cybersecurity. A key challenge for cybersecurity is a market failure fueled by consumers who have not been sufficiently informed to value security and privacy. Objectively assessed and uniformly presented security information can jumpstart latent consumer preferences for security. The United States should start by embracing a cybersecurity nutrition label or Monroney sticker.

Consumers don’t yet price security or privacy into decisions about hardware or software. Against the backdrop of public uproar over perceived violations of privacy by government and corporations, this may seem like a misguided observation. However, even a cursory examination reveals that outside a narrow band of issues related to government overstep or perceived corporate injustice, most consumers don’t seriously consider security or privacy when making decisions about digital services and technologies.

In 2016, a series of distributed denial of service attacks disabled Dyn, a large domain name service provider that serves some of the most popular websites in the world. The attack brought the everyday Internet to a sudden halt. Researchers revealed that cheap, poorly secured networked devices (also known as Internet of Things devices) contributed significantly to the attacks. This simple case study highlights a key challenge within the current marketplace for digital services and technology. For consumers, the utility of cheap but adequate devices ostensibly outweighs security and privacy considerations.

News regarding devices’ insecurity also does not seem to affect most consumers’ purchasing habits. In 2015, it was reported that Lenovo shipped devices preloaded with Superfish adware that left consumers vulnerable to man-in-the-middle attacks. Despite these reports, Lenovo’s PC sales continued to grow, capturing greater market share in the aftermath. The unabated surge in growth begs a critical question: Why do consumers care about actions by governments and corporations but largely ignore the security of their personal services and devices?

While consumers may genuinely care about their privacy or the security of their hardware and software, they may lack adequate information to make security-conscious purchases. Consumers are incensed by perceived government or corporate overstep because these incidents receive widespread coverage. In contrast, there simply isn’t a consistent and mainstream source of information regarding the security of consumer electronics and digital services. Often consumers are at the mercy of sales and branding jargon that grows increasingly hyperbolic and vacuous as companies compete for consumer attention. Furthermore, claims made by companies often cannot be independently verified at the time of purchase. Security researchers may uncover vulnerabilities as devices proliferate, but these findings are technical and directed toward engineers and developers. Moreover, the tech reviews conducted by popular Internet personalities and tech journalists often fail to critically assess device security; they too are constrained by a lack of information on new devices.

These misaligned incentives also drive companies to deceive consumers. When Lenovo’s Superfish scandal broke, Dell attempted to capitalize on Lenovo’s security misstep. Dell boasted in marketing materials that they shipped laptops preloaded with only secure and essential software. Unfortunately, Dell’s most popular laptops also harbored a similar security vulnerability to that of the Lenovo laptops. Despite deceiving consumers and exposing them to serious risks, Dell XPS 13 and 15 machines, both affected by the security lapses, remained among the best-selling portable computers on the market. So, how can the United States both jumpstart latent consumer preferences for security and ensure that consumers are presented with relevant, accessible and objective cybersecurity information?

The nonpartisan Commission on Enhancing National Cybersecurity recently proposed cybersecurity nutrition labels. The commissioners argue that consumers need basic information about a product’s security features to be weighed during purchasing decisions. I firmly agree. A nutrition label or certification program would set basic standards to ensure a baseline of security and offer consumers objective information about product safety and security. There are countless examples of successful public and private labelling and certification schemes. The automobile industry is exemplary. Every new car features a Monroney label or window sticker. It offers information on pricing, the equipment included with the car, safety, fuel economy, parts content, and final assembly point. Each piece of information—essential to car consumers—is objectively gathered and uniformly presented.

For the average consumer, vehicle safety, like product security, is difficult to assess without specialized tools, resources, and knowledge. Therefore, the National Highway Traffic Safety Administration (NHTSA), a federal agency, was established to set minimum crashworthy standards. Today, the NHTSA uses a five-star scale to present crash test results, making it easy for consumers to purchase cars that meet their risk tolerance. For more critical, safety-conscious consumers, the Insurance Institute for Highway Safety (IIHS), a private nonprofit organization, assesses cars through a more stringent series of tests. These results are often presented alongside the Monroney safety information and in advertising and marketing materials. Together, the consistent evaluation of vehicle safety and the consistent presentation of that information for all brands and models unlocks the power of the market and enables consumers to make informed choices about the cars they buy.

The foundations for independent cybersecurity oversight already exits. In the cybersecurity world, the National Institute of Standards and Technology (NIST) already sets uncontroversial industry standards. Working closely with industry and academics, NIST develops voluntary industry standards and best practices designed to strengthen both public and private cybersecurity resiliency. Any future government or private certification institution can draw from the guidelines established by NIST, while NIST continues to serve as an independent, non-regulatory research body. Together, NIST’s research and the assessment work of the new institution can raise the cybersecurity baseline and improve consumer awareness and appreciation of cybersecurity.

The security of consumer electronics and digital services should be assured and presented in a similar manner. Hardware and software must be measured against a product-standard baseline and the results presented on a uniform cybersecurity nutrition or Monroney label. A minimum standard would ensure consumers are not exposed to obvious vulnerabilities, and the cyber Monroney label would empower consumers to assess and value product security. Together, objectively assessed and uniformly presented security information can unlock consumers’ security and privacy preferences and put market pressure on companies to improve the security of their products.