Opinion: An Underwriters Laboratories for cybersecurity is long overdue

Photo (AP): Plant inspectors, civilian employees of the US Army Ordnance, Chicago district, tour the Underwriters Laboratories to study the latest methods of combating fire, accident, and sabotage. A rotary sprinkler system is demonstrated to the group in Chicago, Jan. 14, 1942.

The security community on Twitter had as many accolades as questions after well-known researcher Peiter Zatko, aka Mudge, announced he was leaving Google to launch a project with some support – at least in spirit – from the White House.

But, no, it doesn't look like he's actually forming a government agency.

Mudge didn't reply to an e-mail to clarify what the new endeavor is all about. Even so, the notion that a so-called CyberUL – the cybersecurity version of the Underwriters Laboratories, or UL – is in the works should be news that everyone in the security community and, well, anyone who cares about safeguarding digital wares should celebrate.

Originally, the UL aimed to help prevent fires started by electrical circuits, reducing the cost to insurance companies. It has since become an internationally recognized authority on safety and technology and provides an earned level of trust between customers and manufacturers. As a result, billions of products have made it to market and benefited society in immeasurable ways. Its success is why an encircled "UL" has become a ubiquitous symbol on most consumer products.

To have a similar organization test the cybersecurity of hardware and software devices – especially with the rise of the Internet of Things – would go a long way toward a more secure world. The actual UL has also begun efforts to develop security testing for software, an effort that is expected to expand.

A CyberUL obviously won’t prevent all security breaches, though. The UL hasn’t prevented all electrical fires, either. But if executed properly, a CyberUL should raise the cybersecurity bar considerably. At the very least, it should allow businesses and consumers to evaluate their risk when shopping for hardware and software devices.

While this is a relevant and needed idea, it isn't new. Karl Kasper, aka Tan, wrote a paper in 1999 about how he envisioned a similar effort modeled after the UL.

Both Tan and Mudge were members of the storied hacker think tank L0pht Heavy Industries, where they, along with other L0pht members (including myself), pioneered work on vulnerabilities and deconstructing Microsoft Windows security problems.

Mudge went on to take charge of the Cyber FastTrack initiative at the Defense Advanced Research Projects Agency (DARPA) that helped fund numerous cybersecurity projects. After DARPA, he joined Google where he helped launch the company's Project Vault, which helps enable secure communications and storage on Secure Digital memory cards.

Mudge’s tweet on Monday announcing his Google departure didn’t offer much detail. There was no accompanying press release and Mudge hasn’t elaborated on the tweet publicly – yet.

Still, a CyberUL approach to cybersecurity already seems to have the backing of the Obama administration. White House cybersecurity coordinator Michael Daniel told Dark Reading last April "a nonprofit consortium that would rate products" was "very intriguing."

But building a new organization to accomplish this goal – especially inside the government – won't be easy. The complexity and reach of security is gargantuan, and trying to shoehorn that into a single standards organization will take considerable effort. Still, nothing yet has brought the UL model to cybersecurity in a fully inclusive way. With his experience at DARPA and Google, as well as credibility with the security research community, Mudge might just be the right person to pull it off.

C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter @SpaceRog.
