The Council to Secure the Digital Economy, an alliance of tech and telecom groups, today is releasing reports on “baseline capabilities” for Internet of Things device security and on stakeholder coordination in cybersecurity crisis situations.
CSDE was formed in early 2018 in recognition of the cross-sector nature of botnet and other threats that could sabotage the emerging Internet of Things. The group last November issued a well-received guide on fighting botnets that described “baseline practices” and “advanced capabilities” tailored for various stakeholders. Leaders of the group will also discuss their efforts at the Cybersecurity and Infrastructure Security Agency's cyber summit this week at National Harbor, MD.
“The C2 Consensus on IoT Device Security Baseline Capabilities” is intended to provide “clear expert guidance to industry and government on securing new IoT devices in order to raise the market’s expectations for security and to advance global policy harmonization. It is our expectation that this global approach will prove more effective than disparate local initiatives that would fragment security requirements and cause inefficiencies in the market that result in weaker security,” according to Gary Shapiro, president and CEO of the Consumer Technology Association, and Jonathan Spalter, president and CEO of USTelecom.
The “C2” effort refers to a “convening of the conveners,” which “has brought together trade associations, standards development organizations, industry alliances and coalitions to develop the C2 Consensus Baseline, the broadest and most technically deep industry consensus on IoT security worldwide,” according to the baseline capabilities report. The report goes through baselines for “secure device capabilities” and “product lifecycle management capabilities."
The report stresses, “This is a technical document. Beyond the general technical security principle that the best path to IoT security is for technical experts to develop and advance technical security specifications, any questions of law, regulation, and policy pertaining to data security and privacy are out of scope for this document.”
Further, it says, “It is important to note that 'consensus' is not a synonym for 'unanimity.' Where there was not perfect agreement among C2 participants, the key pros and cons of certain recommendations are captured here."
The second document, “Cyber Crisis: Foundations of Multi-Stakeholder Coordination,” is a voluntary guide in which “we lay the foundations for multi-stakeholder coordination during cybersecurity crises that can undermine the security of the digital economy. This guide draws on the diverse international perspectives of CSDE members, as well as their leading practices and real-world actions, to increase incident response readiness, capabilities, and cooperation during catastrophic, crisis-level incidents that call for mobilization of the Information and Communications Technology sector."
The report says, “In the midst of a cybersecurity crisis, government and industry must be prepared to mobilize rapidly and collaborate with relevant responders. This response should be framed in the context of voluntary frameworks where industry leads decisively by leveraging the mature assets and capabilities of Information and Communications Technology (ICT) companies.”
It provides an overview of resources available and the type of threats that may be encountered. It also examines issues such as coordinated vulnerability disclosure, international coordination and more. -- Charlie Mitchell (firstname.lastname@example.org)