13 Oct 2022

Suzanne Spaulding, Senior Advisor at CSIS and Advisor at Nozomi Networks, former DHS Under Secretary for Cyber and Infrastructure, where she led the NPPD (now called CISA): “This is consistent with the recommendation from the Cyberspace Solarium Commission.

“This is not regulation. Instead, it's designed to make the market more effective by providing consumers, including business consumers, information they need to better compare security and risks in Internet of Things (IoT) devices. Not only will there be better labelling, this information should drive tech analysts to include a ‘security’ element in their reviews.

Fixing security flaws

“This helps consumers understand that security is a feature they should look for in considering purchases, which in turn should encourage the producers of IoT to see security as a potential market differentiator. We won't see an improvement in security until we take steps like this one to mitigate the ‘first to market’ imperative that shortchanges investment, and time, in designing more secure and resilient devices.”

Roya Gordon, Security Research Evangelist at Nozomi Networks: “I think this is a great effort! Providing end users with information that aids them in selecting secure technology products while incentivising vendors to prioritise fixing security flaws sounds like a win-win. Now, there are other parts of this policy that would need to be worked through, e.g., analysing manufacturers who provide frequent patching and using that to rank their security posture.

New technological innovation


“If this ranking process influences the purchase (or non-purchase) of technological goods, then this could be perceived as the government having direct control of the market by way of this new policy. The patching process (from discovery, CVE curation, patch development, reporting, and implementation) is laborious within itself and may need policy incentives to help fast-track the process.

“Maybe instead of ranking vulnerable products as low and possibly blackballing them from the market, the government can provide additional assistance to help these products combat the constant tactics threat actors are using to exploit these devices. A vendor can check all the boxes, as far as secure tech development, and still be exploited, and they should not be penalised for that.

“Additionally, all of these policies may make it more difficult for new technology vendors to break into the market, which could create a bottleneck for new technological innovation. Overall, this is a great effort to increase cybersecurity, but there are a few more areas that need to be defined for this policy to be cohesive, and not a constraint, to the cybersecurity/technology industry.”