Crossroads Blog | Institute National Security and Counterterrorism


UL Refuses to Share new IoT Cybersecurity Standard

Underwriters Labs (“UL”) refuses to share new IoT Cybersecurity Standard (ArsTechnica): According to this article, UL’s refusal to allow researchers to examine the full text of this new UL standard for cybersecurity is raising a lot of eyebrows and in many respects is the very antithesis of the typical process by which standards are developed with respect to the internet. Ars was told that it could view a copy of the new UL 2900 certification, but in order to do so it would have to pay the full retail price and essentially become a UL customer, according to the article. The article cites several sources that indicate a high level of concern with this model and with the lack of transparency and outside validation for this internally developed standard. Ken Modeste, the head of UL’s cybersecurity technical services, stated that UL has been around since 1894 and that it exists to help the public and industry choose safe products, according to ArsTechnica. The article also quotes another critic, Peiter “Mudge” Zatko (formerly head of cybersecurity research at DARPA), who indicated that UL’s for-profit incentives create a “perverse incentive structure. Empowering the consumer is not where they derive their value/profit…”


Opinion

The concept of standards with respect to the Internet has largely been that of a collaborative effort between various stakeholders. The UL model turns this on its head and is more of a unitary, dictatorial approach, which may in many ways fail to bring in the diversity of opinions and backgrounds typical of the many internet standards developed with a more open and feedback-driven approach. Mudge also hits on a key point: if the standard is being developed and marketed by an entity with an explicit profit motive, then is its goal really to empower the consumer or to extract profits? The lack of transparency and the circumvention of industry buy-in is troubling and diminishes rather than enhances the credibility of this new UL standard. Of course, it is difficult to say for sure, since I did not pay the requisite $600 in order to actually view the UL 2900 documentation. The question then becomes: is this a model for enhanced cybersecurity or merely a model for enhanced revenue for UL?
