U.S. Launches Effort to Help Consumers Gauge IoT Device Cybersecurity
Internet of Things (IoT) devices are everywhere. Fitness trackers, routers, baby monitors, smart refrigerators, and home security cameras all connect to the Internet, but they don’t all have robust cybersecurity. Many of them ship to consumers with weak, easy-to-guess default passwords and don’t provide regular security updates or patches, putting consumers at risk of cyberattack.
To help keep consumers informed about cybersecurity when making IoT device purchases, the White House announced a new cybersecurity certification and labeling program yesterday—the U.S. Cyber Trust Mark program.
Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel proposed the program, which will need approval from the full FCC and is designed to set a higher standard for cybersecurity across smart consumer devices.
The voluntary labeling program would work similarly to the Energy Star program, which rates appliances’ energy efficiency. It would use cybersecurity criteria published by the National Institute of Standards and Technology (NIST) to measure cybersecurity functions for each device—including requiring unique and strong default passwords, data protection, software updates, and incident detection capabilities. A shield-shaped logo would be used to mark products that meet these standards, and a standardized QR code on the label would give shoppers more details about a product’s cybersecurity measures—including when the device was last cybersecurity certified.
“Smart devices make our lives easier and more efficient—from allowing us to check who is at the front door when we’re away to helping us keep tabs on our health, remotely adjust the thermostat to save energy, work from home more efficiently, and much more,” said Rosenworcel in an FCC statement. “But increased interconnection also brings increased security and privacy risks. Today I am proposing that the FCC establish a new cybersecurity labeling program so that consumers will know when devices meet widely accepted security standards. This voluntary program, which would build on work by the National Institute of Standards and Technology, industry, and researchers, would raise awareness of cybersecurity by helping consumers make smart choices about the devices they bring into their homes, just like the Energy Star program did when it was created to bring attention to energy-efficient appliances and encourage more companies to produce them in the marketplace.”
The current draft proposal outlines the labeling program, and if the proposal is adopted by the FCC, it will be issued for public comment and could be active by late 2024, the Commission noted. The proposal is currently seeking input on issues, including the scope of devices that should be eligible for inclusion, how to develop cybersecurity standards for different types of devices, how to demonstrate compliance, and how to educate consumers about the program.
Chairwoman @JRosenworcelFCC today proposed a new cybersecurity labeling program to protect consumers: pic.twitter.com/2guceWL4Cu
— The FCC (@FCC) July 18, 2023
Higher-risk consumer-grade devices like Wi-Fi routers are likely to be the first devices evaluated under the U.S. Cyber Trust Mark program. These are riskier because they are central to home Internet use and, if compromised, can be used to observe network activity or launch additional attacks, PC Mag reported.
The White House’s announcement cited support from many big names in the consumer electronics industry, including Amazon, Best Buy, Cisco, Google, LG, Logitech, Qualcomm, and Samsung. The Consumer Technology Association—which puts on the massive annual Consumer Electronics Show (CES)—released a statement supporting the IoT labeling program.
“While walking CES this year, I saw IoT products that improve healthcare, transportation, and energy efficiency. While IoT makes our world better, it also tempts bad actors to exploit consumers’ connected devices,” said CTA president and CEO Gary Shapiro in the press release. “Research shows consumers want more information on the safety and security of their connected devices, and we agree.”
Technology and cybersecurity vendors seemed broadly supportive of the news, but not without a few caveats.
In a statement emailed to Security Management, David Mitchell, chief technical officer for cybersecurity solutions provider HYAS, said the program is a “big step forward to deal with the ever-expanding market of sub-par IoT devices proliferating into our homes and businesses. It will be interesting to see how the vendors react and when and to what extent the EU and other allies participate. While there is no current language around retroactively certifying the millions of later model devices already in service, it is a key piece that needs to be understood.
“Due to the additional workload required by the vendors to meet these criteria, it would not be surprising if there were cost increases for these devices—and hopefully not such a significant cost that consumers will decide to choose the non-certified devices,” he continued.