Page 15 - FCW, Jan/Feb 2018

Commentary | By Trevor H. Rudolph
TREVOR H. RUDOLPH, former chief of OMB’s Cyber and National Security Division, is a fellow at New America and a senior adviser at SecureInsights.
Consumer Product Safety Commission for cyber?
Rather than blaming the victims for enabling cyber breaches, one agency should take the lead on security standards for technology products
Repeated cyber breaches have lulled the American public into a state somewhere between complacency and helplessness. As a nation, we have tried to address our cybersecurity challenges through workforce development programs, cyber insurance, information sharing and regulatory compliance mandates — just to name a few.
As we continue to pursue those remedies with debatable success, the conventional wisdom is that technology consumers, both individuals and corporations, are responsible for cybersecurity blunders. We’ve all heard the common refrains: “You should have patched your systems.” “You should not have clicked that link.” “You should have updated your password.”
Are we really failing because of irresponsible consumers? Or is the technology we use failing consumers?
Consider a few examples. Johnson & Johnson warned that insulin pumps were vulnerable to hackers due to security design issues. The Food and Drug Administration similarly warned that hackers could interfere with St. Jude Medical’s implantable cardiac devices. A recent Veracode report suggests that 61 percent of all internally developed applications failed basic compliance tests when measured against the Open Web Application Security Project’s Top 10 list. Commercially developed software rated even less secure, failing compliance checks 75 percent of the time.
In our haste to innovate, we have exacerbated a crisis of quality. The technology on which we rely is being rushed to market without the security protocols needed to protect our information. Most companies — with finite resources to build, secure and test products — make trade-offs to produce the most marketable products as quickly as possible. Worries about security and quality upgrades come only after there is sufficient revenue.
That approach will not change without intervention by outside forces.
We need a governance system that includes enforcement, incentives and penalties to ensure effective implementation of stronger security design practices.
The Consumer Product Safety Commission oversees a similar governance system. CPSC is responsible for protecting consumers and their families from products that pose a fire, electrical, chemical or mechanical hazard. It executes that mission through legislatively mandated safety regulations and an accreditation and certification process that uses outside laboratories to test products for compliance with standards.
I propose that a new or existing federal agency be charged with governing, incentivizing and enforcing security design standards for technology products. Existing agencies that could perform such a function include CPSC, the National Institute of Standards and Technology and the Federal Trade Commission. However, expanding the authority of an existing agency can be difficult, so a new organization would be preferable.
Regardless, the proposed organization — call it the Consumer Technology Security Commission — would be responsible for coordinating the development of security design standards and partnering with Congress to mandate relevant standards, building an accreditation and certification program, and enforcing quality through regular testing by third-party assessors and conducting recalls when appropriate.
It is important to note that this proposal is not simply about creating more regulation; it could be a boon for industry. The accreditation and certification program could scale the review and testing of technology products and ensure that only security-aware technology makes it to consumers, thereby reducing the chance of cyberattacks in the first place. It could also encourage small and midsize businesses to meet the certification demand, thereby increasing market capacity.
In our fractious political system, this is an opportunity to come together around a common-sense solution that could truly address our cybersecurity woes.