Why Connected Gadgets Need Security ‘Nutrition Labels’

Last fall, the eastern seaboard of the United States suffered a digital attack that resulted in a major Internet blackout. A swarm of Internet-connected webcams and other devices blocked millions of people’s access to popular websites such as Twitter, Amazon, and Netflix.

What went wrong? According to Hugh Thompson, chief technology officer at cybersecurity firm Symantec, the problem happened long before someone used a “botnet”—a collection of hijacked computers—to blast Internet infrastructure with bogus traffic. Rather, it started as soon as the unsecured devices that became that botnet rolled off the assembly line.

Many of these webcams and devices had default passwords and usernames that easily allowed a hacker to compromise them. It should become standard practice, in Thompson’s view, that manufacturers disclose some basic level of security-related information about their products, such as whether they have easily hackable credentials.

Whenever we talk about a “breach or attack or incident,” Thompson said on a call with Fortune, exclusively previewing his keynote address set for Wednesday at the RSA security conference in San Francisco, “we’re really talking retrospectively.” In the future, he said, “the potential for something bad to happen, that itself will be an incident.”

“Think of it as a pre-crime,” added Thompson, who is also a program chair for the conference. As the world connects more gadgets to the Internet, their potential to do harm increases. All these gizmos are essentially electronic spies and zombies lying in wait.

Thompson pointed to all the electronic toys that his kids received during the holidays. “I really have no idea which of those things is able to capture sound,” he said. “That’s a scary thing for me personally.”

Imagine, for instance, that it’s near the close of Symantec’s earnings period and Thompson is at home on the phone with the company’s finance chief, discussing sensitive information. If playthings in the room have the ability to snoop, that could lead to big trouble for him and the company.

One possible solution might involve requiring gadget-makers to divulge the capabilities, and potential faults, of their creations, Thompson said. “Just like you see a nutritional label on every box of cereal or crackers that you buy.”

The difference being that these connected gadget labels would reveal the sensory powers of the devices in question, rather than caloric and sodium content. Can the gadget record audio? Can it capture video? Can it sense light, motion, heat, moisture?

Whatever the device, it “should have a set of security certifications,” Thompson said.

Anything else is just plain unhealthy.