【英文】大西洋理事会报告：制定跨国战略保护物联网生态系统（50页）

英文研究报告 2022年10月18日 08:36 管理员

While the program’s terminology slightly differs, the CLS embraces the same principles as ETSI EN 303 645, doing so in a manner that “groups the clauses and spreads them out across four ranked levels.”41 And while the program’s higher-tier labels incentivize the adoption of stronger security measures, the Singapore Standards Council concedes that the frst-tier labeling requirements “will sufce in staving of [sic] large percentage of attacks encountered on the internet today.”42 Finally, Singapore’s CLS shows how a voluntary labeling scheme can work to gradually dial up requirements for products as the market matures. For example, while the CLS is voluntary for most products, new internet routers sold in Singapore must meet the security requirements for the Level 1 label. This “voluntary-mandatory” split can keep evolving over time, both for diferent product categories as well as specifc security measures.Oregon joined California with its House Bill (HB) 2395, which has much of the same text (e.g., the same defnition of “reasonable security feature” the same enforcement mechanisms) but limits its scope to only consumer IoT products (“used primarily for personal, family or household purposes”).

While the two laws may compel companies to adopt better security in all states, it appears that no cases have been brought forward under the law, even though insecure products are doubtlessly still sold in these states. The United States passed the IoT Cybersecurity Improvement Act into law in December 2020.46 It requires NIST to develop cybersecurity standards and guidelines for federally owned IoT products, consistent with NIST’s understanding of “examples of possible security vulnerabilities” and management of those vulnerabilities.47, 48 Thus, the law seeks to strengthen the security of IoT products procured by the government and intends to infuence the private sector’s IoT cybersecurity practices through the federal government’s procurement power.49 The 2020 act also shifts the burden of compliance from product vendors to federal agencies,50 prohibiting them “[from] procuring or obtain[ing] IoT devices” that an agency’s chief information ofcer deems out of compliance with NIST’s standards.51 Finally, the act requires NIST to review and revise its standards at least every fve years to ensure that recommendations are current, allowing for technical fexibility.