Proposed Cybersecurity-Labeling Program to Certify Consumer IoT Devices
The Biden administration on Tuesday initiated a nationwide cybersecurity certification and product labeling program aimed at helping consumers choose smart devices that offer enhanced protection against hacking risks.
The new U.S. Cyber Trust Mark program, proposed by Federal Communications Commission Chairwoman Jessica Rosenworcel, will help consumers make informed purchasing decisions and identify products in the marketplace with higher cybersecurity standards, the White House said.
The administration said several major electronics, appliance and consumer product manufacturers, retailers and trade associations have made voluntary commitments to increase cybersecurity for the products they sell. Participants include Amazon, Best Buy, Google, LG Electronics USA, Logitech and Samsung Electronics.
The proposed law enables companies to apply the shield logo after meeting established cybersecurity criteria. “The goal of the program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes,” the administration said.
The Biden administration announced in late 2022 plans to discuss a voluntary program with internet of things manufacturers to help ensure products meet minimum security standards (see: Biden Administration Ramps Up Cybersecurity Requirements).
Cybersecurity challenges related to IoT systems and operational technologies surfaced from the start of the Biden administration when consumers faced a gasoline shortage in May 2021 caused by a ransomware attack on Colonial Pipeline.
President Joe Biden initiated efforts to boost industrial control system cybersecurity in the private sector, either through regulation or through voluntary measures (see: Inside President Biden’s ‘Relentless’ Cybersecurity Focus). Rosenworcel said consumer devices are also vulnerable.
“Increased interconnection also brings increased security and privacy risks,” she said.
The FCC, which regulates wireless communication devices, will seek public comment on the labeling program and hopes to have it running by 2024.
Certification will be based on criteria published by the National Institute of Standards and Technology, including unique and strong default passwords, data protection, software updates and incident detection capabilities.
The administration said the FCC is applying to register a national trademark with the U.S. Patent and Trademark Office that would be applied to products that meet the established criteria.
“The proposal seeks input on issues including the scope of devices for sale in the U.S. that should be eligible for inclusion in the labeling program, who should oversee and manage the program, how to develop the security standards that could apply to different types of devices, how to demonstrate compliance with those security standards, how to safeguard the cybersecurity label against unauthorized use, and how to educate consumers about the program,” the FCC notice says.
Under the proposal, products must include a QR code that consumers can scan for information, pending a certification mark approval by the U.S. Patent and Trademark Office.
“This is momentous,” said Tom Kellermann, who leads cyber strategy at Contrast Security and previously served on the White House Commission on Cyber Security.
“For too long, consumers have been playing Russian roulette when deploying connected devices,” Kellermann told Information Security Media Group.