U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cybersecurity Insights

a NIST blog

The Importance of Transparency – Fueling Trust and Security Through Communication

By: Katerina Megas, Angela Smith, Dr. Elaine Newton, Dr. Amit Elazari and Barbara Cuthill

Share

Image depicting clear bubbles in a row
Credit: Shutterstock

Who needs to know ‘What,’ ‘When,’ and ‘How’ to tell them

The Challenge

There are many challenges to providing and maintaining cybersecurity in today’s connected world. While product developers increasingly consider security as they design and build products, they may not always communicate critical cybersecurity information about their connected products. Information gaps present a challenge to stakeholders—especially customers—who have limited insight into the security processes, functions and features that protect connected products, components, and services. Effective communication is the next step towards a more secure connected ecosystem.  

Many of our conversations about connected products focus on connectivity in the technical sense (protocols, algorithms, etc.). Promoting trust among participants in the ecosystem and reducing the cybersecurity risks associated with using these products relies on a different type of communication: open dialogue and sharing information. This helps increase knowledge and improve peoples’ understanding about the cybersecurity of a connected product and is a shared responsibility; from hardware and software component suppliers to product developers, system integrators, security researchers and end users… each member of the ecosystem has a role to play. Ideally, ecosystem members should work in alignment to truly mitigate risk—but they all need information to play their part.  

Communicating effectively about security also helps mitigate risk and is important to establishing and maintaining trust. For example, a lack of information about a product’s security capabilities may constrain a customer’s ability to take advantage of them. In some cases, a question is simply not asked (and therefore, the lack of capability goes unrealized until it’s potentially too late). The phrase “knowledge is power” applies; knowing what’s available is the first step to maximizing the value of it, and communication is about what each audience needs to know. To consider next steps, a framework that aligns lexicon and expectations among parties could provide a shared vision of common best practices.

All audiences could benefit from a consistent framework to identify what needs to be communicated, how to organize the information, and the processes that underlie it. Interactions could include developers, manufacturers, service providers, system integrators, security researchers, conformance assessors, regulators, end users, and … (the list can get very long) – each audience may merit a different approach. Additionally, in our interconnected world, this communication often has a global dimension, which brings in cultural and legal variations that must be considered.

For all of these reasons, we are exploring the idea of an approach to creating a Cybersecurity Transparency Framework for Connected Products. Our goal would be to describe a structured approach to achieving necessary and appropriate communication of relevant cybersecurity information among participants involved in the creation, consumption, and use of connected products.

Such a framework would be a tool for sharing information and expectations across the supply chain. For example, it could be used to organize information and identify key topics that need to be covered for various communications use cases, such as:

  • Product creators to customers;
  • Creators communicating with regulators, conformance assessment bodies, and other third parties who need to understand a product; and
  • Supply chain participants communicating with creators that use their components.

The scope would encompass structure, format, terminology, process, and content as well as communication means. Creating a framework can help establish a shared lexicon and terminology for communicating about features and means to drive outcomes (reducing risk, driving security outcomes). Related to process, the framework could help each ecosystem participant define interested parties, the purpose of the interaction, the mode of communication, how communications can be supported by technical means, and the options to implement the interaction with considerations for things such as risk, relevancy, and applicability.

The framework approach could also provide a structure for establishing best practices in sharing content, such as the types of information appropriate for communications at different levels of supply chain participants, support, and use in the connected product ecosystem. This would be both broad and high level to facilitate improving the exchange of cybersecurity-related information throughout the product ecosystem (while allowing for customization, as not every connected product and every customer will need to receive the same information in the same way).

NIST SP 800-213A and NIST IR 8259B, which describe non-technical supporting capabilities for IoT devices, provide a potential starting point for these kinds of discussions, as do efforts, both domestic and international ranging from the global work on consumer IoT cybersecurity labeling schemes to voluntary standards such as ETSI 303 645 and ISO/IEC 27402 (DIS). We look forward to future discussions with stakeholders in this very important topic that we feel is foundational to enabling a more secure connected product ecosystem.  

Questions or Ideas?

If you’d like to weigh on in this concept, please email us at iotsecurity [at] nist.gov (iotsecurity[at]nist[dot]gov). We’d love to hear from you! 
 

About the author

Headshot image

Angela Smith

Angela Smith serves as the technical lead for NIST’s Cybersecurity Supply Chain Risk Management program in the Computer Security Division of the National Institute of Standards and Technology.  She also represents NIST on the Federal Acquisition Security Council’s Working Group and Task Force, co-leads the public-private Software and Supply Chain Assurance Forum as well as the Federal C-SCRM Forum.  Prior to joining NIST, Ms. Smith was a Senior with GSA where she provided leadership in the development and implementation of GSA’s SCRM program and supported various interagency and Whitehouse-led initiatives and workstreams focused on improving cybersecurity and resilience.   Angela is a Certified Information Systems Security Professional, holds a Masters in Public Administration with a concentration in Information Technology policy from George Mason University, and is a veteran of the US Air Force

Headshot image

Dr. Elaine Newton

Elaine Newton is a Senior Director at Oracle for Global Standards Policy and Compliance, focused on cybersecurity and AI/ML developments. The views expressed in this blog are my own and do not necessarily reflect the views of Oracle. Elaine is also the lead editor of ISO/IEC 27402, baseline security and privacy requirements for IoT devices.  Previously, Elaine worked for more than 11 years at NIST in the Information Technology Laboratory, serving as the Standards Lead for Applied Cybersecurity before joining Oracle. 

Headshot Image

Dr. Amit Elazari

Dr. Amit Elazari is Head of Cybersecurity Policy at Intel, Lecturer at the UC Berkeley Master in Cybersecurity and Reichman University, Israel, and an External Advisor for the Center for Long Term Cybersecurity at UC Berkeley School of Information. The views expressed in this blog are my own and do not necessarily reflect the views of IntelAt Intel, she is responsible for executing Intel’s global security policy. Elazari participates in international standardization, currently serving as co-editor of ISO/IEC 27402, baseline security and privacy requirements for IoT devices. She also chairs the Cybersecurity Policy Committees for the Information Technology Industry Council (ITI) and Open Source Security Foundation (OSSF). She holds a Doctoral Degree in the Law (J.S.D.) from Berkeley Law, and graduated summa cum laude three prior degrees in law and business. Her research appeared in leading academic journals, key conferences such as RSAC, Black Hat, DEFCON, and USENIX, and featured at the WSJ and NYT. She co-founded Disclose.io, a non-profit that foster adoptions of legal protections for good-faith security research. She has an extensive background in technical, policy and legal roles, and practiced High-Tech Law in Israel leading law firm, GKH Law.

Image of Barbara Cuthill

Barbara Cuthill

Barbara Cuthill received her PhD in Computer Science from the University of Connecticut. Her career at the National Institute of Standards and Technology has spanned the Advanced Technology Program, the Technology Innovation Program and the National Strategy for Trusted Identities in Cyberspace National Program Office. She is currently the Deputy Program Manager for the NIST Cybersecurity for IoT Program.

Comments

Add new comment

CAPTCHA
Image CAPTCHA
Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.