In-brief: The Obama Whitehouse has tapped famed hacker Peiter Zatko (aka “Mudge”) to head up a new project aimed at developing an “underwriters’ lab” for cyber security.
Zatko announced the new initiative on Monday via Twitter. “The White House asked if I would kindly create a #CyberUL, so here goes,” he wrote. The new organization would function as an independent, non-profit entity designed to assess the security strengths and weaknesses of products and to publish the results of its tests.
Zatko is a famed hacker and security luminary who cut his teeth with the Boston-based hacker collective The L0pht in the 1990s before moving on to work in private industry and then becoming a program manager at DARPA in 2010. Though he is known for keeping a low profile, his scruffy visage (circa 1998) graced the pages of the Washington Post last week in a piece that looked at testimony Mudge and other L0pht members gave to Congress about the dangers posed by insecure software.
Since leaving DARPA, Zatko has served as Deputy Director of Google’s Advanced Technology and Projects division. He did not respond to requests for comment prior to publication.
Underwriters Lab – or “UL” – was founded in 1894 as a private firm dedicated to developing testing and safety standards for everything from fire extinguishers to lithium batteries to heating and cooling equipment and trash cans. UL has also developed safety and performance standards for evaluating the quality of information technology equipment, but it does not make a practice of testing software security or quality.
The idea of an “Underwriters Laboratory” for software has long been bandied about in policy circles and among security experts. In fact, a 1999 paper penned by John Tan (aka “Tan”), a L0pht compatriot of Zatko’s, may have been the first to coin the term “CyberUL” and to draw a connection between the problems created by the adoption of insecure or shoddy software and the dangers presented by the adoption of electrification in the late 19th and early 20th centuries.
“Software and systems with a software component are one of the last products that has no transparency to what the customer is getting,” said Chris Wysopal, the Chief Technology Officer at Veracode* and a founder of L0pht, in an e-mail.
Wysopal’s company has a platform for evaluating the security of third-party software, and Wysopal notes that third-party testing for software is gaining traction – at least for software developed by smaller firms. “I think all vendors need to go through testing but the big guys have the pseudo-monopolies to be able to say ‘no,’” Wysopal wrote.
Other security experts have considered similar ideas. At the Black Hat Briefings in April, security researcher Billy Rios said that a “Consumer Reports” style rating system would make it easier for consumers to make simple decisions about the quality of the security and privacy protections in a connected home product.
“Consumers don’t want to have to learn about firmware updates. For them, it’s all about the decision ‘to buy or not to buy,’” he said. Color-coded ratings for issues like data security, passwords and privacy would make it easier for consumers to choose products that offer better protections, thereby driving competitors to set a higher bar.
The U.S. Federal Trade Commission (FTC) has also urged U.S. businesses to take steps to protect consumers’ privacy and security as Internet-connected devices that are part of the “Internet of Things” gain mainstream adoption.
The Internet of Things is “already impacting the daily lives of millions of Americans,” the FTC said in a recent report. IoT technology like health and fitness monitors or home security cameras “offer the potential for improved health-monitoring, safer highways, and more efficient home energy use.” But they also raise privacy and security concerns that could undermine consumer confidence, the report concluded.
Non-profit groups like IAmTheCavalry are also banging the drum for industry to focus on the safety and health issues surrounding technologies like connected vehicles, smart infrastructure and connected health products. Companies designing connected products need to give thought and attention to “future proofing” those technologies: equipping them to function safely and securely over long periods and with little oversight.
Experts agree that market forces may have a bigger impact than government mandates. Specifically, the growing role of cyber insurance in setting benchmarks and standards of safety across industries could be a powerful motivator for software vendors to clean up their act.
“I would love there to be standards and stronger market forces like we have with the insurance industry and liability precedents of the modern UL,” Wysopal wrote.
(*)Veracode is a sponsor of The Security Ledger.