Product Security and Telecommunications Infrastructure Bill

Written evidence submitted by David Kleidermacher, on behalf of Google (PSTIB09)

Executive summary:

Google supports legislation to set minimum standards of care for the security and privacy components comprising Internet of Things products. The three Code of Practice requirements referenced in the bill (default password, disclosure program, support policy) as well as the timeline to enforcement and scope of product coverage are all sensible starting points for product security legislation.

Google’s leadership role in developing baseline security requirements, making public commitments regarding its products’ conformance to baseline security requirements, and track record of demonstrating compliance through publicly documented third party security assessments can help inform secondary legislation relating to conformance assessment and monitoring.

In secondary legislation, Google recommends a stronger focus on transparency across a broader range of the Code of Practice / ETSI EN 303 645 requirements, as well as industry- or vertical-specific extended requirements.

Google strongly cautions against static printed labels that confer compliance and instead urges "live" labels that enable a consumer to view the real-time security status of a product.

In secondary legislation, Google strongly recommends that conformance assessment and enforcement regimes address the fragmentation and duplication of national assessment and monitoring regimes that may result in undue economic burden to developers, stifle innovation, and run at cross-purposes to the goal of increased security quality and reduced risk to consumers. Google recommends leveraging international, non-profit security expert NGOs to facilitate normalisation and cross-recognition of conformance claims and assessments rather than developing bespoke national testing programs.

______________________________________________________________________________

1. My name is Dave Kleidermacher, and I serve as Google’s Vice President of Engineering, responsible for Security and Privacy for Android-based products, Google Play apps, and Made-by-Google products, which include Nest and Fitbit devices, apps, and services. As part of my role, I drive product security assessment and certification strategy and Google’s public commitments to security and privacy best practices, including independent security assessments for Google’s first party products and the platforms Google builds for third party manufacturers and developers. Across my three decades in product security, I have authored, chaired, and served on boards and committees of numerous IoT security standards and conformance assessment efforts, including ISO’s IoT security working group, the GSMA device security group, the Connectivity Standards Alliance, the Internet of Secure Things Alliance, and IEEE 2621. Since early 2019, I have worked directly with DCMS and NCSC, providing advice on their Code of Practice and legislative proposal consultations and requests for views. Based on my area of expertise, this testimony covers only the product security portion of this bill.

2. I want to thank DCMS, NCSC, and Parliament for taking a leadership role in fostering public/private partnership in product security standards and leading the way for other nations, which are generally moving more slowly, towards legislation that will drive improved product security at scale.

3. Today the IoT affects consumers in profound ways. Not only are we constantly connected, we’re putting more and more of our lives in the hands of digital technology. Yet we lack global standards for measuring the security quality of connected products, and so consumers have no idea what they’re getting. History has amply demonstrated they’re getting a lot of products with dangerously poor security. And just like we have a right to transparency about ingredients in the foods we purchase, we deserve similar transparency in the security ingredients in the digital products upon which we depend. IoT security today is like food and drug safety in the 19th century, when the lack of standards and labeling led directly to consumer risk and harm. If we can achieve security transparency at scale, it will be the tide that raises all boats because it will enable differentiation that consumers value, and that value will drive demand for healthier choices.

4. Google has long been a leader in not only meeting baseline security requirements for its connected products but also in making public commitments about security support lifetime and other requirements, leveraging independent security labs to validate claims, and fostering similar transparency in its platforms used by third party manufacturers and developers. For example, Google has published up-front security lifetime commitments for its smartphones for nearly a decade and began public attestation of its privacy and security commitments, including commitments to independent security lab assessments, for Nest smart home connected products in 2019. In 2021, Google was the first manufacturer to certify smart home connected products to the highest security level (4) in Singapore’s IoT security scheme, based on ETSI EN 303 645. In addition, since IoT products often comprise mobile apps and services that must also be protected, Google has worked with industry partners to establish public security conformance programs, assessing requirements of the international, broadly adopted OWASP Foundation security standards, for mobile and cloud apps. Google has been using these standards as the basis for certification of apps in sensitive categories, such as VPNs, and will be leveraging this program to provide independent validation of the security and privacy labels in the Google Play app store. Google also works hard to help third party developers adopt security best practices, for example by publishing guidance on how to build an effective vulnerability disclosure program.

5. While the current legislation’s focus on three best practices is a sensible start and will improve security, Google also supports the broader set of best practices defined by the Code of Practice and ETSI EN 303 645. In particular, Google favors steps that increase transparency of these practices. Food labels provide a useful analogy. While there are important minimum safety requirements in foods, the nutrition label provides transparency about ingredients that go much further in helping consumers make healthier choices. Rather than specifying a maximum number of calories or grams of carbohydrate, labels enable consumers to compare these measurements across food choices. Similarly, consumers purchasing a webcam should be able to easily compare the relative strength of security between products, including length of security support lifetime and availability of multi-factor authentication. Security labeling schemes must also provide the flexibility for manufacturers to differentiate beyond baseline requirements. For example, Google-certified Android devices already meet baseline security requirements, so in its partner programs, Google extends the baseline to include additional opportunities for differentiation and transparency, including the security strength of the biometric and efficacy (not just lifetime) of security updates.

6. Static labels attesting to conformance are a poor mechanism for security transparency and consumer choice. In contrast to food labels, a digital product certified and labeled today may become unsafe for use tomorrow if a critical vulnerability is discovered and cannot be mitigated. A live label, such as a QR code, can be used by a consumer to obtain real-time security status, such as the current certification web page published for the product under an NGO conformance scheme. The scheme must allow third parties (e.g. independent security researchers) to submit reports of unmitigated risk so that conformance claims can be pressure-tested rather than relying solely on a point-in-time evaluation. The QR code may be documented by the manufacturer on websites and product packaging, but ideally it should also be provided, where applicable, in a product’s user experience, such as within a mobile app used to manage the product.

7. Government-managed conformance assessment programs have in the past proven exceedingly costly relative to the level of confidence they generate and have been unable to keep pace with the speed of technological advancement in consumer electronics. Over the past several years, Google has worked with other tech organisations (such as Amazon, Meta, Resideo, Legrand, and the CSA/ZigBee Alliance), regulators, and independent security experts to develop conformance assessment programs that scale to the IoT. Google recommends leveraging well-established standards bodies, with membership that includes a broad range of leading IoT manufacturers, to deliver scaled conformance programs in which governments help to define standards and provide oversight but do not directly manage conformance evaluation and testing. In addition to the pragmatic monitoring and assessment challenges, non-profit NGO assessment schemes will be instrumental in clarifying key aspects that are impractical to define in legislative policy; for example, when a security vulnerability cannot be mitigated, who shall determine whether the risk is sufficiently high to warrant enforcement action? These issues are very complex, but over the past couple of years we’ve made great progress in demonstrating that technical security experts from a broad stakeholder community brought together within an NGO standards body are indeed able to build measurement, monitoring, and certification regimes that find the right balance and can scale to the IoT.

8. We must build assessment schemes that are normalised and cross-recognised between nations. As a cautionary tale, in the case of Nest smart home products, Google had the entire range independently assessed and certified under one NGO scheme. Subsequently, two different nations imposed distinct certification processes on the exact same products, requiring redundant and expensive documentary and operational efforts. None of these extra certifications made the product better; they only served to add unnecessary cost and time to market. Imagine this happening across all IoT products and across many nations and what that kind of fragmentation and duplication will do to small businesses. Rather than developing national certification schemes, Google recommends first working up front to ensure mutual recognition with well-known NGO standards bodies in a hub/spoke model. Google stands ready to help the UK and other nations chart a practical course for international conformance assessment and monitoring against common sense international IoT security requirements standards, including ETSI EN 303 645 and OWASP ASVS/MASVS.

March 2022


Prepared 16th March 2022