The White House unveiled its plan for a U.S. Cyber Trust Mark that will certify that the IoT device marked with the label has met a set of security criteria developed to protect consumers’ networks and device data. The U.S. Cyber Trust Mark will be a voluntary program administered by the Federal Communications Commission, and the label should start appearing on devices in 2024.
As part of the announcement, the White House also said that the Department of Energy will work with the FCC to create cybersecurity standards and a subsequent label for smart meters and power inverters. The White House also hopes to work with the National Institute of Standards and Technology (NIST) to create an additional set of cybersecurity standards developed specifically for routers that would be out before the end of this year.
This is great news, but there’s a lot of sausage to grind before we get from the label announced today to one that actually acts as an indication of cybersecurity on a device. Let’s get into it.
The White House announced that it would create a cybersecurity label for IoT devices back in October at an event that included folks from the Connectivity Standards Alliance, the CTA, privacy experts from Carnegie Mellon University, and others. Many of the same organizations and people will be at the Tuesday label unveiling event, as will representatives from Amazon, Google, Samsung, Logitech, Best Buy, and more.
The label aims to help consumers judge whether or not a product meets certain cybersecurity standards when choosing between products at a store or online. While no connected device can ever be completely secure, the label would indicate that the product meets a set of standards developed as part of the U.S. Cyber Trust Mark program. This is great because today, companies that invest in security may have higher costs, and without any information, consumers tend to buy the cheapest product. Thus, manufacturers aren’t incentivized to spend a lot on security.
This is clearly a label that the industry folks are excited about. But we’re a ways off before it gets slapped on boxes. Today’s announcement is the beginning of the journey. The goal is to create a set of criteria for third-party administrators to use to certify a device with the Cyber Trust Mark.
As the agency in charge of the process, the FCC plans to open a Notice of Proposed Rule Making (NPRM), which is the process by which the agency seeks public opinion before making new rules or programs. Once the NPRM opens up, there will be a comment period when companies, consumers, activists, organizations, etc., can share their thoughts on the criteria and how the program should work. After the comments come in, the FCC will read them, possibly adjust its thinking, and then issue the actual criteria that will determine whether a device is secure. Then the commissioners will vote on the rules.
The White House is leaning on a document published in 2022 by NIST as the primary criteria for gaining the mark. The primary focus is on cybersecurity, but there’s also the opportunity to add some privacy protection. The White House is envisioning a Cyber Trust Mark for the product box and then a secondary layer of information, such as a QR code, to provide even more information about the cybersecurity and perhaps relevant privacy information.
But let’s focus for now on the NIST criteria that are already developed and will form the basis of the NPRM. NIST has documented six basic security ideas and does a good job laying out the big challenges of securing connected devices. The first challenge is that an IoT product is the sum of many parts, such as an app, a cloud, the device itself, and the various services and software used to build any of these things. And security needs to take into account all of these elements. Since consumers tend to buy a physical product, NIST thinks the best place for a cybersecurity label is on the product box. I agree. But that label on the product also means the cloud and app associated with that product should also be secure.
Another challenge NIST recognized is that IoT devices are dynamic, with feature updates, potentially new vulnerabilities, and updated software occurring over the life of the product. So any label has to be issued and then reviewed over time to ensure that the device stays secure. A senior FCC administration official says that the agency is envisioning an annual certification process, but that the time frame and mechanism for re-certifying a device would be discussed in the NPRM.
The final challenge worth covering is that NIST realizes that the security bar should be higher for a device such as a camera or a connected oven than for a motion sensor or a light bulb. Hiding behind the trust mark will be different rules for different devices based on their potential for harm and perceived risk. But consumers just need to look for the mark and not worry about whether the criteria that work for a sensor are the same as those for a baby monitor.
Anne Neuberger, the
likened it to the Energy Star label, which goes on devices as different as a washing machine or a PC. She may not know exactly what makes an energy-efficient washer, but she trusts the mark is applied appropriately.

I honestly love everything about this plan, even if I have some concerns about the process. I will spend time in my newsletter this week discussing some of the concerns I have about the FCC being the agency in charge of the program, and my hope that we will see more of a focus on privacy in addition to the security criteria. The NIST document actually does provide opportunities to work some privacy best practices into the labeling program, and I’ll talk about what that could look like.
I also want to note that many of the elements of this program mesh well with the security practices built into the Matter smart home interoperability standard (although these could go further). The U.S. Cyber Trust Mark is by no means a done deal, but it’s closer. We could even see retroactive certifications of existing devices if manufacturers want to make the effort and have the ability to make necessary updates to meet the program criteria.
I doubt that will happen, but given how important securing these devices is and how challenging it can be to assess a device’s security, I can’t wait to see this label in the wild. It will make reviewing connected products easier and make our entire internet safer.
This article was originally published in my weekly IoT newsletter on Friday August 18, 2023.…