
Requirements for an international IoT device Trust Label

[UPDATE July 23, 2023] I'm happy to announce the successful completion of the IETF SCITT Hackathon demonstration, showing how a SCITT Trust Registry can be used to exchange trustworthy software supply chain information such as SBOMs, Vulnerability Disclosure Reports (VDRs) and links to Cyber Security Trust Labels needed for a C-SCRM risk assessment. A SCITT Trust Registry works like a "Registry of Deeds": only trusted information is allowed into it, and software consumers can download that information.

We all face the same dilemma: how do I know whether an app in an app store or an IoT device is trustworthy before buying and installing it, and throughout its lifecycle? It is a big problem that we all face today. Software runs IoT devices, and like all software its "trustworthiness" can change over time as new vulnerabilities and exploits appear. Trust in software and IoT devices is ephemeral; it can change from one second to the next.

The "Cyber Trust Mark Label" recently announced by the US Government aims to provide some transparency into the trustworthiness of an IoT device and its components, including the software and apps that run on and interact with the device. Because IoT trust is ephemeral, it is imperative that the labeling solution chosen by the US Government provide the "current trust level" of a device at any point in time. A static labeling solution like the Energy Star or UL labels is inappropriate for the "Cyber Trust Mark Label" precisely because it is static; IoT trustworthiness is not. Trust in an IoT device can change, and the labeling solution must accommodate that dynamic nature. Anne Neuberger recognized this reality when she talked about a restaurant cleanliness score analogy. Just as a restaurant's cleanliness score can change from one day to the next, trust in an IoT device and the software used in the device can also change. A dynamic scoring approach is needed to give consumers the best information available at the time they are considering a purchase, whether an IoT device or a meal. A static label such as Energy Star may provide a false sense of security as the trust profile of an IoT device changes over time. A dynamic label is the more appropriate paradigm for IoT devices and software apps because of their potential for rapid change, much as a person's FICO credit score can change from one day to the next.

Requirement One: The Cyber Trust Mark Label must accommodate the changing trust status of IoT devices and software in order to provide consumers with accurate levels of trustworthiness each day.

The second requirement for the Cyber Trust Mark Label is the recognition that trust in IoT devices and software apps is a global requirement, requiring international cooperation and support. Many IoT devices are produced internationally, and their consumers are spread across the globe. An internationally recognized Cyber Trust Mark Label is required by the very nature of the Internet, the "I" in "IoT": an IoT device can communicate globally because of its Internet presence.

Requirement Two: The Cyber Trust Mark Label must accommodate an international solution recognizing the “Internet” presence of these devices and their international market.

It is imperative that the "Cyber Trust Mark Label" itself be trustworthy. Anyone could fake a "Cyber Trust Mark Label", the same way that currencies are forged, so we need a way to verify, at an international level, that the labels we rely on are genuine. Here again real life offers a model. Land records represent the "truth" about land ownership: any party can check the trusted land record for a property by viewing the deed in a "Registry of Deeds". The information kept in a Registry of Deeds is considered trustworthy because of the strict process and criteria applied before a land record is placed into it. An equally rigorous process and criteria will be needed to ensure that Cyber Trust Mark Labels are legitimate and trustworthy. The Internet Engineering Task Force (IETF) is working on a "Trust Registry" design within the "Supply Chain Integrity, Transparency and Trust" (SCITT) working group. A SCITT Trust Registry follows the protocols and processes defined by the SCITT working group so that only statements meeting its admission criteria are allowed into the registry. People can then query a SCITT Trust Registry to view the contents of a legitimate, trusted Cyber Trust Mark Label containing an up-to-date and accurate trust level for an IoT device, one that reflects the changing nature of trust in IoT devices and the apps used with them. The IETF Hackathon scheduled for July 22-23 will include a working example of an IETF SCITT Trust Registry in which software supply chain data, i.e., SBOMs, Vulnerability Disclosure Reports (VDRs) and even "Cybersecurity Label Data", will be demonstrated for use by consumers. An international Trust Registry based on the SCITT protocols would provide a way to share trusted software supply chain artifacts internationally, just as a Registry of Deeds is used today to retrieve trusted land records.
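The registry pattern just described, reduced to a small model in Go. This is an added example written for this page; it is neither the article's own material nor the IETF SCITT specification or any reference implementation, and it simplifies deliberately: a JSON payload with a detached Ed25519 signature stands in for SCITT's COSE_Sign1 signed statements, a plain hash chain stands in for the Merkle-tree log and receipts, and the issuer name "LabelAuthority", the device identifier "thermostat-1234" and the A-to-F grades are all constructed for the walk-through. What it shows is the three properties the article asks for: a statement gets in only if a registered issuer signed it, the consumer reads the newest statement rather than the first, and an after-the-fact edit to the stored record is detectable.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Statement is one issuer's claim about one device at one point in time. ASSUMPTION: JSON plus a
// detached Ed25519 signature stands in for the COSE_Sign1 envelope that real SCITT statements use.
type Statement struct {
	Issuer   string `json:"issuer"`
	DeviceID string `json:"device_id"`
	Grade    string `json:"grade"`     // A..F, restaurant-score style
	IssuedAt int64  `json:"issued_at"` // later statements supersede earlier ones
}

type SignedStatement struct{ Payload, Signature []byte }

// Registry is the "Registry of Deeds": an admission policy in front of an append-only, hash-chained log.
type Registry struct {
	issuers map[string]ed25519.PublicKey // out-of-band decision about who may issue labels
	log     []SignedStatement             // append-only; position in the log is the supersession order
	tip     []byte                        // head of the hash chain; a consumer pins this like a checkpoint
}

func NewRegistry() *Registry {
	return &Registry{issuers: map[string]ed25519.PublicKey{}, tip: make([]byte, sha256.Size)}
}
func (r *Registry) RegisterIssuer(name string, pub ed25519.PublicKey) { r.issuers[name] = pub }

// Sign serializes a statement and signs it with the issuer's private key.
func Sign(priv ed25519.PrivateKey, s Statement) SignedStatement {
	payload, _ := json.Marshal(s) // only string and int fields, so Marshal cannot fail
	return SignedStatement{payload, ed25519.Sign(priv, payload)}
}

func entryHash(prev []byte, ss SignedStatement) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{prev, ss.Payload, ss.Signature}, nil))
	return sum[:]
}

// Admit enforces the admission policy: a registered issuer and a valid signature, or the statement is refused.
func (r *Registry) Admit(ss SignedStatement) error {
	var s Statement
	if err := json.Unmarshal(ss.Payload, &s); err != nil {
		return fmt.Errorf("malformed statement: %w", err)
	}
	pub, known := r.issuers[s.Issuer]
	if !known || !ed25519.Verify(pub, ss.Payload, ss.Signature) {
		return fmt.Errorf("refused: no valid signature from registered issuer %q", s.Issuer)
	}
	r.tip = entryHash(r.tip, ss)
	r.log = append(r.log, ss)
	return nil
}

// Latest returns the newest admitted statement for a device: the current trust level, not the original.
func (r *Registry) Latest(deviceID string) (Statement, bool) {
	for i := len(r.log) - 1; i >= 0; i-- {
		var s Statement
		if json.Unmarshal(r.log[i].Payload, &s) == nil && s.DeviceID == deviceID {
			return s, true
		}
	}
	return Statement{}, false
}

// VerifyChain replays the log from the all-zero origin; any edited or dropped record changes the head.
func (r *Registry) VerifyChain(pinnedTip []byte) bool {
	h := make([]byte, sha256.Size)
	for _, ss := range r.log {
		h = entryHash(h, ss)
	}
	return bytes.Equal(h, pinnedTip)
}

// Scenario (constructed data): label issued, forgery refused, label downgraded after a disclosure, record edit caught.
func Scenario() (grade string, forgeryRefused, chainOK, tamperCaught bool) {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, forgerPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := NewRegistry()
	reg.RegisterIssuer("LabelAuthority", authPub)
	reg.Admit(Sign(authPriv, Statement{"LabelAuthority", "thermostat-1234", "A", 1}))                     // day 1: clean bill of health
	forgeryRefused = reg.Admit(Sign(forgerPriv, Statement{"LabelAuthority", "thermostat-1234", "A", 2})) != nil // claims the authority's name, wrong key
	reg.Admit(Sign(authPriv, Statement{"LabelAuthority", "thermostat-1234", "D", 3}))                     // day 30: downgraded after a disclosure
	latest, _ := reg.Latest("thermostat-1234")
	pinned := reg.tip // what a consumer would have recorded when they last checked
	chainOK = reg.VerifyChain(pinned)
	// Someone with write access to the store edits the current record back to an "A"; the pinned tip no longer matches.
	reg.log[1].Payload = bytes.Replace(reg.log[1].Payload, []byte(`"D"`), []byte(`"A"`), 1)
	return latest.Grade, forgeryRefused, chainOK, !reg.VerifyChain(pinned)
}

func main() { fmt.Println(Scenario()) }
```

Run with `go run` and it prints the current grade ("D") followed by the three outcomes. Two caveats carry over from the model to the real thing: the admission check establishes who made a statement and that it arrived intact, not that the issuer's assessment is correct, so a label is only as trustworthy as the issuers on the allowlist; and a bare hash chain catches tampering only for a consumer who pinned an earlier head, which is the gap that receipts fill in the SCITT architecture.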

Requirement Three: An international “Trust Registry” will be needed to store legitimate, trusted artifacts used in the software supply chain, including “Cyber Trust Mark Labels”, giving consumers access to legitimate, trusted materials that can be used to make risk-based buying decisions.

The Cyber Trust Mark Label must itself be easy to understand and useful to consumers. Here again we have models that communicate trustworthiness effectively using easy-to-understand methods, such as restaurant cleanliness scores and FICO credit scores. Consumers need to be able to assess the trustworthiness of an IoT device and the app software used with the device on an equally simple scale. Would you eat at a restaurant with a cleanliness score of "F"? Would a car dealership lend money to a person with a FICO credit score of 320? The Cyber Trust Mark Label must satisfy its intended purpose simply and easily: to communicate a level of trustworthiness in an IoT device such that a consumer can make a risk-based buying decision using current, up-to-date trust assessments.

Requirement Four: The “Cyber Trust Mark Label” must give consumers a simple and easy to use method to ascertain the trustworthiness of an IoT device similar to how a restaurant cleanliness score or a FICO credit score is used today, using internationally adopted principles.

The US Government is planning to update the Federal Acquisition Regulation (FAR) for IoT labeling by September 30, 2023. I hope the people working on these FAR updates and on the operational implementation of the IoT "Cyber Trust Mark Label" will consider the requirements presented in this article as they seek to provide "radical transparency" to consumers for IoT device trustworthiness, internationally.

NOTE: The IETF SCITT Hackathon taking place on July 22 at 10:30 PST, where this SCITT Trust Registry functionality will be demonstrated, is listed on the IETF Hackathon website.