In a joint effort, the Biden administration and major consumer technology players have unveiled a nationwide cybersecurity certification and labeling program aimed at assisting consumers in selecting smart devices that are less susceptible to hacking. Dubbed the U.S. Cyber Trust Mark initiative, the program will be overseen by the Federal Communications Commission (FCC), with industry participation being voluntary.
The initiative, likened to the Energy Star program for rating appliance energy efficiency, aims to provide Americans with a reliable means of identifying cybersecure internet- and Bluetooth-connected devices. Deputy national security adviser Anne Neuberger highlighted the significance of the program, stating that it would instill confidence in consumers.
Industry giants such as Amazon, Best Buy, Google, LG Electronics USA, Logitech, and Samsung are among the participants, with plans to introduce the "Cyber Trust" label—a shield logo—on devices that meet the government's cybersecurity requirements as early as next year. FCC Chairwoman Jessica Rosenworcel emphasized that the mark would offer peace of mind to consumers and benefit manufacturers who adhere to the National Institute of Standards and Technology's criteria.
The FCC has initiated a rule-making process to establish the program's standards and is seeking public feedback. Additionally, certified devices will feature QR codes that users can scan to access updated security information.
The Consumer Technology Association expects to showcase certification-ready products at CES 2024, the industry's annual January event, once the FCC finalizes the rules. A senior Biden administration official noted that products qualifying for the label would require annual re-certification.
While the White House's proposal has garnered support from industry experts, Justin Brookman, the director of technology policy at Consumer Reports, cautioned that effective adoption would require further efforts. He expressed hope that the labeling initiative would foster healthy competition among manufacturers, compelling them to prioritize consumer security and privacy while committing to long-term support for their connected devices.
The Cyber Trust initiative, which was initially announced in October after a meeting between White House officials and tech industry representatives, comes in response to the surge in cybercrime, where a single vulnerable device can serve as a gateway for cyberintruders to gain access to an entire home network.
Cyber experts reacted to the effort to provide more transparency to users about the security of their IoT products:
Christine Gadsby, VP of Product Security, BlackBerry
"Smart thermostats, wireless security cameras, and digital doorbells come with promises of greater savings, safety, or convenience. But they can also serve as back doors for hackers looking to get into your home network. While these next-generation devices promise to make our homes “smarter”, they’re not necessarily more cyber secure. Our homes are our havens, and our smart devices are supposed to bring us peace of mind. Without understanding the level of cybersecurity baked into these products, we may unintentionally allow strangers to shatter our sense of security and violate the sanctity of our homes. So it’s no surprise four in five consumers surveyed by BlackBerry believe the rollout of a cybersecurity labeling system would make them feel safer and more informed when using Internet-connected devices, and two-thirds would be prepared to pay more for products with higher rankings. At the end of the day, we need to protect what matters the most: our families. This starts with realizing that security should be a requirement and shouldn’t be an optional add-on -- or worse, not thought of at all when it comes to the devices we buy. It’s a right."
Ilona Cohen, Chief Legal and Policy Officer, HackerOne
“HackerOne applauds the White House’s recent IoT labeling initiative, U.S. Cyber Trust Mark, to enhance digital safeguards on internet-connected devices. This initiative reflects the Administration’s continued commitment to putting cybersecurity first, helping consumers find safer products, and improving IoT security transparency.
As cybersecurity complexity increases and vulnerabilities continuously evolve, we believe the certification requirements underpinning the labeling scheme should also include Vulnerability Disclosure Programs (VDPs) to help manufacturers identify cybersecurity flaws in their systems and apply patches before exploitation. We look forward to seeing how this develops and hope to be a resource to the Administration as they work to roll this program out.”
Thomas Pace, CEO and Co-Founder, NetRise (previously responsible for ICS security at the DOE)
"The US Cyber Trust Mark is undeniably a positive step in the right direction. It follows a similar path as Energy Star and ingredients lists, analogies that have been drawn for some time. However, for this to be meaningful and make an actual impact, it must have one more characteristic in common with Energy Star or ingredients lists: it NEEDS to be mandatory. No one looks to the government to give them more work voluntarily; we all have enough work to do. If real change and secure devices are the end goal, then make it mandatory. We don't need more compliance frameworks that sit on a shelf and are totally ignored."
Javed Hasan, CEO and co-founder, Lineaje
“The U.S. Cyber Trust Mark was created to reassure consumers that the smart devices they purchase include strong cybersecurity protections. Currently, the criteria set forth by the National Institute of Standards and Technology (NIST) include strong passwords and incident detection capabilities, as well as regular updates for the device. While these standards are great, they are missing a key component of the overall security puzzle.
IoT devices are powered by software. To prevent consumers from falling victim to the hands of an adversary, it is critical that the companies behind these products are doing their due diligence in building better software, and a more robust software supply chain. Vulnerability scanners can, and often will, miss critical flaws in software components. And software that is not built securely cannot run securely. Organizations creating and running IoT devices need to focus on building and buying better software and assessing any previous software to ensure its integrity.
Instead of a seal on a particular product, I would also recommend to NIST that it be a QR code instead. The QR code could take you to a central repository showcasing some of the security requirements, as well as the software bill of materials (SBOM), to add a level of transparency.
The Biden-Harris administration has already set forth several campaigns that indicate its commitment to securing the software supply chain, including U.S. Executive Order 14028. It is my hope that the administration and NIST include best software supply chain security practices in its guidelines for the U.S. Cyber Trust Mark seal of approval.”