Security industry reacts to FCC's proposed IoT ‘Cyber Trust Mark’ program

July 19, 2023
The Security Industry Association said it’s monitoring the proposed program but indicated current support for it, as the trade organization has advocated for prioritizing cybersecurity and data privacy.

The Federal Communications Commission has proposed a cybersecurity certification and labeling program that the agency said will help consumers more easily choose smart devices that are safer and less vulnerable to cyberattacks.

FCC Chairwoman Jessica Rosenworcel said the “U.S. Cyber Trust Mark” program would raise the bar for cybersecurity across common devices, such as smart refrigerators, microwaves, televisions and fitness trackers, but also other IoT devices such as smart climate control systems or routers. 

Participants in the announcement Tuesday included Yale and August U.S., Cisco Systems, Connectivity Standards Alliance (CSA), Consumer Technology Association, Google, the Information Technology Industry Council and several prominent electronics manufacturers. 

“We support the U.S. Cyber Trust Mark program’s key goals of improving data transparency and cybersecurity hygiene,” said SIA Executive Director Don Erickson. “While the program is still nascent and focused on addressing high-risk consumer products such as routers at this phase, SIA’s Cybersecurity Advisory Board and Data Privacy Board, along with other interested SIA stakeholders, will continue to monitor the program’s development and evaluate the impact on security IoT products offered in the commercial and residential/home automation spaces.”

Erickson added the SIA intends to file public comments to the FCC that reflect member input. “We’re proud to champion strong cybersecurity practices and help educate our industry about the importance of protecting personally identifiable information and look forward to continuing to engage government agencies on these issues,” Erickson said. 

CTA President and CEO Gary Shapiro said that while walking the CES show floor this year he saw IoT products that improve healthcare, transportation and energy efficiency, and that while IoT “makes our world better, it also tempts bad actors to exploit consumers’ connected devices. Research shows consumers want more information on the safety and security of their connected devices, and we agree.”

CTA’s Vice President of Technology and Standards, Michael Bergman, said a key consideration of any program like the U.S. Cyber Trust Mark is whether the effort expended will lessen security risk. 

He noted the program requirements were established by NIST with input from industry subject matter experts, including “extensive participation” from CTA and member companies. 

“The U.S. mark will not only recognize the companies that are already incorporating secure-by-design principles into their process, it will move more companies in that direction,” Bergman said.

Under the proposed new program, consumers would see a newly created “U.S. Cyber Trust Mark” in the form of a distinct shield logo applied to products meeting established cybersecurity criteria.

The program would certify and label products based on specific cybersecurity criteria published by the National Institute of Standards and Technology (NIST). Those criteria require, for example, unique and strong default passwords, data protection, software updates and incident detection capabilities.

The federal government — including the Cybersecurity and Infrastructure Security Agency — would support the FCC in educating consumers “to look for the new label when making purchasing decisions and encouraging major U.S. retailers to prioritize labeled products when placing them on the shelf and online.” 

The FCC will seek public comment on rolling out the proposed voluntary cybersecurity labeling program, which is expected to be up and running in 2024. 

It’s not clear how the program would affect commercial or consumer integrators, installers or distributors of security-related equipment once some of the products they handle carry the mark and others do not. The Electronic Security Association did not immediately respond to a request for comment.

Manufacturers and retailers announcing support and commitments to further the program include Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung Electronics.

To “further enhance transparency and competition,” the FCC said it plans to use a QR code linking to a national registry of certified devices to provide consumers with specific and comparable security information about the smart products.

Working with other regulators and the U.S. Department of Justice, the FCC said it plans to establish oversight and enforcement safeguards, “to maintain trust and confidence in the program.”

NIST is expected to define cybersecurity requirements for consumer-grade routers — a high-risk product that, if compromised, can be used to eavesdrop on traffic, steal passwords and attack other devices and high-value networks. NIST said it would complete this work by the end of 2023.

The U.S. Department of Energy also said it would collaborate with the national laboratories and industry partners to research and develop cybersecurity labeling requirements for smart meters and power inverters, both essential components of the “clean, smart grid” of the future.

Brandon Pugh, director of the R Street Institute’s Cybersecurity and Emerging Threats team, said consumers stand to benefit by being able to evaluate products for security and by making purchases accordingly. “However,” he added, “consumer awareness will be a challenge because the label has limited utility if consumers do not understand, value or use it.

“As the label is implemented, efforts should harmonize label standards both nationally and internationally, ensure labels remain current as threats change, monitor the degree to which data privacy standards are incorporated, and look at incentives for quicker adoption and methods to stop fraudulent actors.”

John Dobberstein is managing editor of SecurityInfoWatch.com and oversees all content creation for the website. Dobberstein continues a 34-year decorated journalism career that has included stops at a variety of newspapers and B2B magazines.