Opinion: An Underwriters Laboratories for cybersecurity is long overdue

Noted security researcher Mudge left Google to launch what appears to be the cybersecurity equivalent of electronics testing outfit Underwriters Laboratories – an idea first proposed 16 years ago. 

Photo (AP): Plant inspectors, civilian employees of the US Army Ordnance, Chicago district, tour the Underwriters Laboratories to study the latest methods of combating fire, accident, and sabotage. A rotary sprinkler system is demonstrated to the group in Chicago, Jan. 14, 1942.

The security community on Twitter had as many accolades as questions after well-known researcher Peiter Zatko, aka Mudge, announced he was leaving Google to launch a project with some support – at least in spirit – from the White House.

But, no, it doesn't look like he's actually forming a government agency.

Mudge didn't reply to an e-mail to clarify what the new endeavor is all about. Even so, the notion that a so-called CyberUL – the cybersecurity version of the Underwriters Laboratories, or UL – is in the works should be news that everyone in the security community and, well, anyone who cares about safeguarding digital wares should celebrate. 

Originally, the UL aimed to help prevent fires started by electrical circuits, reducing the cost of such fires to insurance companies. It has since become an internationally recognized authority on safety and technology, and its mark provides an earned level of trust between customers and manufacturers. As a result, billions of products have made it to market and benefited society in immeasurable ways. That success is why the encircled "UL" has become a ubiquitous mark on consumer products.

To have a similar organization test the cybersecurity of hardware and software products – especially with the rise of the Internet of Things – would go a long way toward a more secure world. The actual UL has also begun developing security testing for software, an effort that is expected to expand.

A CyberUL obviously won't prevent all security breaches. The UL hasn't prevented all electrical fires, either. But if executed properly, a CyberUL should raise the cybersecurity bar considerably. At the very least, it should give businesses and consumers a way to evaluate their risk when shopping for hardware and software.

While this is a relevant and needed idea, it isn't new. Karl Kasper, aka Tan, wrote a paper in 1999 about how he envisioned a similar effort modeled after the UL. 

Both Tan and Mudge were members of the storied hacker think tank L0pht Heavy Industries, where Mudge, along with other L0pht members (including myself), pioneered work on finding vulnerabilities and deconstructing Microsoft Windows security problems.

Mudge went on to take charge of the Cyber Fast Track initiative at the Defense Advanced Research Projects Agency (DARPA), which funded numerous cybersecurity projects. After DARPA, he joined Google, where he helped launch the company's Project Vault, an effort to put a secure environment for communications and storage onto a microSD memory card.

Mudge’s tweet on Monday announcing his Google departure didn’t offer much detail. There was no accompanying press release and Mudge hasn’t elaborated on the tweet publicly – yet.

Still, a CyberUL approach to cybersecurity already seems to have the backing of the Obama administration. White House cybersecurity coordinator Michael Daniel told Dark Reading last April "a nonprofit consortium that would rate products" was "very intriguing."

But starting a new organization to accomplish this goal – especially inside the government – won't be easy. The complexity and reach of security are gargantuan, and trying to shoehorn all of that into a single standards organization will take considerable effort. Still, nothing yet has brought the UL model to cybersecurity in a fully inclusive way. With his experience at DARPA and Google, as well as his credibility with the security research community, Mudge might just be the right person to pull it off.

C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter @SpaceRog.

https://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0701/Opinion-An-Underwriters-Laboratories-for-cybersecurity-is-long-overdue