Opinion: An Underwriters Laboratories for cybersecurity is long overdue
Noted security researcher Mudge left Google to launch what appears to be the cybersecurity equivalent of electronics testing outfit Underwriters Laboratories – an idea first proposed 16 years ago.
The security community on Twitter had as many accolades as questions after well-known researcher Peiter Zatko, aka Mudge, announced he was leaving Google to launch a project with some support — at least in spirit – from the White House.
But, no, it doesn't look like he's actually forming a government agency.
Mudge didn't reply to an e-mail to clarify what the new endeavor is all about. Even so, the notion that a so-called CyberUL – the cybersecurity version of the Underwriters Laboratories, or UL – is in the works should be news that everyone in the security community and, well, anyone who cares about safeguarding digital wares should celebrate.
Originally, the UL aimed to help prevent fires started by electrical circuits, reducing the cost to insurance companies. It has since become an internationally recognized authority on safety and technology and provides an earned level of trust between customers and manufacturers. As a result, billions of products have made it to market and benefited society in immeasurable ways. Its success is why an encircled "UL" has become a ubiquitous symbol on most consumer products.
To have a similar organization test the cybersecurity of hardware and software devices – especially with the rise of the Internet of Things – would go a long way toward a more secure world. The actual UL has also begun efforts to develop security testing for software in an effort that is expected to expand.
A CyberUL obviously won’t prevent all security breaches, though. The UL hasn’t prevented all electrical fires, either. But if executed properly, a CyberUL should raise the cybersecurity bar considerably. At the very least, it should allow businesses and consumers to evaluate their risk when shopping for hardware and software devices.
While this is a relevant and needed idea, it isn't new. Karl Kasper, aka Tan, wrote a paper in 1999 about how he envisioned a similar effort modeled after the UL.
Both Tan and Mudge were members of the storied hacker think tank L0pht Heavy Industries where he, along with other L0pht members (including myself), pioneered work on vulnerabilities and deconstructing Microsoft Windows security problems.
Mudge went on to take charge of the Cyber FastTrack initiative at the Defense Advanced Research Projects Agency (DARPA) that helped fund numerous cybersecurity projects. After DARPA, he joined Google where he helped launch the company's Project Vault, which helps enable secure communications and storage on Secure Digital memory cards.
Mudge’s tweet on Monday announcing his Google departure didn’t offer much detail. There was no accompanying press release and Mudge hasn’t elaborated on the tweet publicly – yet.
Still, a CyberUL approach to cybersecurity already seems to have the backing of the Obama administration. White House cybersecurity coordinator Michael Daniel told Dark Reading last April "a nonprofit consortium that would rate products" was "very intriguing."
But beginning a new organization to accomplish this goal – especially inside the government – won't be easy. The complexity and reach of security is gargantuan, and trying to shoehorn that into a single standards organization will take considerable effort. Still, nothing yet has brought the UL model to cybersecurity in a fully inclusive way. With his experience at DARPA and Google, as well as credibility with the security research community, Mudge might just be the right person to pull it off.
C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter @SpaceRog.