MINNEAPOLIS — Would mandatory security ratings on smartphones and other consumer devices help people make wiser cybersecurity decisions?
Or is the issue so complex that such labels — which advocates compare to nutritional labels on cereal boxes — would only confuse consumers and send misleading signals into the marketplace?
How about intentionally dumbing down products so they can't be repurposed for terrorist or criminal activities?
"Maybe products should be locked down and not updated," suggested Steven Chabinsky, general counsel and chief risk officer at the cybersecurity firm CrowdStrike.
"Maybe the product does what it does and can't be used for other things," said Chabinsky, a member of a presidentially appointed cybersecurity commission. "The coming [cybersecurity] tsunami is happening because we put so much functionality in these products. ... We keep adding and adding and adding."
The result, he suggested, is common consumer devices that can be used to wreak cybersecurity havoc.
These are the kinds of issues the cyberpanel is mulling.
The Commission on Enhancing National Cybersecurity met here on Aug. 23 to hear from consumer advocates, technologists, the Federal Trade Commission and other witnesses as it works on producing a report by Dec. 1 that is intended to help the next president identify top cyberpriorities and map out a national strategy.
This was the commission's fifth public meeting, with a final public session planned for September in Washington, D.C.
The commission is busy "scoping the recommendations, creating the narrative" for the final report, Executive Director Kiersten Todt told InsideCybersecurity.com.
Todt said the report will include a "manageable number of recommendations" that will be "actionable" and "accessible."
The witnesses offered a lengthy list of recommendations on Tuesday, touching on regulatory issues, companies' responsibilities toward consumers and other problems.
Susan Grant of the Consumer Federation of America called for a regulatory environment in which "privacy" is the "default" setting on consumer devices, while calling for a "central government entity" to set security standards.
She also strongly backed proposed Federal Communications Commission privacy rules that the telecom industry vigorously opposes as counterproductive regulatory overreach.
Sarah Zatko of the Cyber Independent Testing Laboratory floated the idea of labeling requirements that would give consumers usable information, but the subsequent discussion of her recommendation revealed how complicated that seemingly straightforward idea might prove to be in practice.
Commissioner Joseph Sullivan, the chief security officer at Uber, questioned whether meaningful security information could be boiled down into a usable format that would appear on a product label.
Another commissioner, Ajay Banga of MasterCard, said "it seems hard to get there" if the goal is "contextualized data" that would appear on the packaging of a consumer device.
On other issues, witness Gary Toretti of Sabre Corporation called for a renewed government commitment to collaboration and cyberinformation-sharing.
He stressed the need for a "single, comprehensive framework" that defines how the government approaches cybersecurity and allows agencies to streamline and harmonize regulations.
For industry, Toretti said a key focus should be on developing "self-protecting consumer systems" that include a mechanism for automatically patching and updating. This, he said, is critical for securing the fast-evolving "Internet of Things," which involves interconnected devices ranging from electricity meters to automobiles and traffic systems to toasters and refrigerators.
Brian McCarson of Intel Corp. called on Congress to "establish a national IoT strategy" that would encourage partnerships on connected vehicles, "Smart Cities" and other areas.
The Minneapolis session wraps up the roadshow and fact-gathering portion of the commission's work. At the next session in Washington, commissioners will discuss initial findings and embark on the final push to complete the report by December.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," published by Rowman and Littlefield.