Analysis

The White House details its IoT cybersecurity plan

The White House unveiled its plan for a U.S. Cyber Trust Mark that will certify that the IoT device marked with the label has met a set of security criteria developed to protect consumers’ networks and device data. The U.S. Cyber Trust Mark will be a voluntary program administered by the Federal Communications Commission, and the label should start appearing on devices in 2024.

As part of the announcement, the White House also said that the Department of Energy will work with the FCC to create cybersecurity standards and a subsequent label for smart meters and power inverters. The White House also hopes to work with the National Institute of Standards and Technology (NIST) to create an additional set of cybersecurity standards developed specifically for routers that would be out before the end of this year.

This is great news, but there’s a lot of sausage to grind before we get from the label in today’s announcement to one that actually acts as an indication of cybersecurity on a device. Let’s get into it.

My array of smart home security devices includes a Firewalla Purple, an Everything Set box, and sometimes a monthly subscription to the Eero Secure service. Image courtesy of S. Higginbotham.

Why do we need this label?

The White House announced that it would create a cybersecurity label for IoT devices back in October at an event that included folks from the Connectivity Standards Alliance, the CTA, privacy experts from Carnegie Mellon University, and others. Many of the same organizations and people will be at the Tuesday label unveiling event, as will representatives from Amazon, Google, Samsung, Logitech, Best Buy, and more.

The label aims to help consumers judge whether or not a product meets certain cybersecurity standards when choosing between products at a store or online. While no connected device can ever be completely secure, the label would indicate that the product meets a set of standards developed as part of the U.S. Cyber Trust Mark program. This is great because today, companies that invest in security may have higher costs, and without any information, consumers tend to buy the cheapest product. Thus, manufacturers aren’t incentivized to spend a lot on security.

This is clearly a label that the industry folks are excited about. But we’re a ways off before it gets slapped on boxes. Today’s announcement is the beginning of the journey. The goal is to create a set of criteria for third-party administrators to use to certify a device with the Cyber Trust Mark.

Image courtesy of Federal Communications Commission

As the agency in charge of the process, the FCC plans to open a Notice of Proposed Rule Making (NPRM), which is the process by which the agency seeks public opinion before making new rules or programs. Once the NPRM opens up, there will be a comment period when companies, consumers, activists, organizations, etc., can share their thoughts on the criteria and on how the program should work. After the comments come in, the FCC will read them, possibly adjust its thinking, and then issue the actual criteria that will determine whether a device is secure. Then the commissioners will vote on the rules.

What will this label require?

The White House is leaning on a document published in 2022 by NIST as the primary criteria for gaining the mark. The primary focus is on cybersecurity, but there’s also the opportunity to add some privacy protection. The White House is envisioning a Cyber Trust Mark for the product box and then a secondary layer of information, such as a QR code, to provide even more information about the cybersecurity and perhaps relevant privacy information.

But let’s focus for now on the NIST criteria that are already developed and will form the basis of the NPRM. NIST has documented six basic security ideas and does a good job laying out the big challenges of securing connected devices. The first challenge is that an IoT product is the sum of many parts, such as an app, a cloud, the device itself, and the various services and software used to build any of these things. And security needs to take into account all of these elements. Since consumers tend to buy a physical product, NIST thinks the best place for a cybersecurity label is on the product box. I agree. But that label on the product also means the cloud and app associated with that product should also be secure.

Another challenge NIST recognized is that IoT devices are dynamic, with feature updates, potentially new vulnerabilities, and updated software occurring over the life of the product. So any label has to be issued and then reviewed over time to ensure that the device stays secure. A senior FCC administration official says that the agency is envisioning an annual certification process, but that the time frame and the mechanism for re-certifying a device would be discussed in the NPRM.

The final challenge worth covering is that NIST realizes that the security bar should be higher for a device such as a camera or a connected oven than for a motion sensor or a light bulb. Hiding behind the trust mark will be different rules for different devices based on their potential for harm and perceived risk. But consumers just need to look for the mark and not worry about whether the criteria that work for a sensor are the same ones applied to a baby monitor.

Anne Neuberger likened it to the Energy Star label, which goes on devices as different as a washing machine and a PC. She may not know exactly what makes an energy-efficient washer, but she trusts that the mark is applied appropriately.

How does NIST define a secure device?

NIST has identified criteria for a secure consumer IoT device in its NIST IR 8425. Image courtesy of NIST.

To address these challenges and a few others, NIST has outlined six criteria that secure devices should have:
  • Asset Identification — A company needs to have a way to identify its devices and the product components. This helps consumers know what’s on their networks, and manufacturers identify devices in the field for service, updates, etc.
  • Product Configuration — IoT devices need to be changeable, so consumers or manufacturers can update them, change default passwords, and hardware reset them to their original configuration. The NIST document also has a line about consumers being able to change the features on the product based on their level of comfort with risk. This might look something like me being able to turn off a microphone or cover a camera, but I’d like to see it go even further.
  • Data Protection — NIST doesn’t call this encryption, but that’s what this section is all about. It calls for IoT products to protect the data the product stores via “secure means”, and also to protect data sent between the components of the IoT product or sent outside the product. This criterion also calls for the product to be able to delete or render inaccessible stored data collected from or about the customer. That last bit is interesting because it could mean that companies that have terrible records at securing data in the cloud, or that don’t protect camera data from their own employees, might not get a mark.
  • Interface Access Control — This is an in-depth one, and we’ll see some compromises here. The idea is that IoT products need to have access control policies in place so only authorized folks (the customer, specific manufacturer employees, repair staff, etc.) have access to the device and its data. This section is where the government might require multi-factor authentication for high-risk devices such as cameras or security systems. It also notes that unauthorized people shouldn’t be able to use physical elements like an off switch or a reset button on the device itself.
  • Software Updates — This is an easy one. Secure IoT devices are those that can be updated, so any IoT product must be able to receive over-the-air updates and the manufacturer should have an established and disclosed way of implementing those updates. Personally, for security updates, I think they should happen automatically.
  • Cybersecurity State Awareness — This is an interesting one because I don’t know how widespread it is today. NIST believes that IoT devices need to have some form of logging function for both consumers and manufacturers so they can tell when the device is behaving strangely. While I know some manufacturers keep an eye on device behavior in the field, not all do. And as a consumer, I don’t get logs or information of this nature outside of my purchase of a special device to monitor my home Internet traffic. But I’m all for it. Let there be logs!
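The state-awareness criterion says a device needs logging so that someone can tell when it is behaving strangely, but it does not say what such a check looks like. As an added illustration that is not code from the post, from NIST IR 8425 or from any vendor, here is a small Python check over device connection logs: it learns a device's normal outbound endpoints and byte volumes from a learning window, then flags a connection to a never-seen destination and an outbound volume spike. The log format, device name and host names are all constructed for the example.

```python
"""Added example: a minimal "cybersecurity state awareness" check over
device connection logs. Log format, device names and hosts are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Conn:
    ts: int         # seconds since epoch (constructed values)
    device: str     # device identifier, cf. the Asset Identification criterion
    dest: str       # destination host
    port: int
    out_bytes: int  # bytes sent by the device in this connection


def parse_line(line: str) -> Conn:
    """Parse one constructed log line: '<ts> <device> <host>:<port> out=<bytes>'."""
    ts, device, endpoint, out = line.split()
    host, port = endpoint.rsplit(":", 1)
    if not out.startswith("out="):
        raise ValueError(f"malformed log line: {line!r}")
    return Conn(int(ts), device, host, int(port), int(out[4:]))


def build_baseline(conns):
    """Per (device, host, port): mean and population std-dev of bytes sent."""
    sizes = defaultdict(list)
    for c in conns:
        sizes[(c.device, c.dest, c.port)].append(c.out_bytes)
    return {k: (mean(v), pstdev(v)) for k, v in sizes.items()}


def check(conns, baseline, z_threshold=3.0):
    """Return (ts, device, kind, detail) findings for connections that deviate
    from the baseline: an endpoint never seen during learning, or a byte count
    more than z_threshold standard deviations above the endpoint's mean."""
    findings = []
    for c in conns:
        key = (c.device, c.dest, c.port)
        if key not in baseline:
            findings.append((c.ts, c.device, "new-destination", f"{c.dest}:{c.port}"))
            continue
        mu, sigma = baseline[key]
        if sigma > 0:
            z = (c.out_bytes - mu) / sigma
        else:
            # Constant-size endpoint (e.g. NTP): any increase counts as anomalous.
            z = float("inf") if c.out_bytes > mu else 0.0
        if z > z_threshold:
            findings.append((c.ts, c.device, "volume-spike", str(c.out_bytes)))
    return findings


# Constructed learning window: a doorbell talking to its vendor cloud and an NTP host.
LEARNING_LINES = [
    "1700000000 doorbell-01 cloud.vendor.invalid:443 out=1200",
    "1700000060 doorbell-01 ntp.vendor.invalid:123 out=48",
    "1700000120 doorbell-01 cloud.vendor.invalid:443 out=1300",
    "1700000180 doorbell-01 cloud.vendor.invalid:443 out=1100",
    "1700000240 doorbell-01 cloud.vendor.invalid:443 out=1250",
    "1700000300 doorbell-01 cloud.vendor.invalid:443 out=1150",
]

# Constructed monitoring window: two normal lines, a new destination, a volume spike.
MONITOR_LINES = [
    "1700003600 doorbell-01 cloud.vendor.invalid:443 out=1200",
    "1700003660 doorbell-01 ntp.vendor.invalid:123 out=48",
    "1700003720 doorbell-01 paste.unknown.invalid:8080 out=1200",
    "1700003780 doorbell-01 cloud.vendor.invalid:443 out=900000",
]


def run_example():
    """Build the baseline from the learning window and check the monitoring window."""
    baseline = build_baseline(parse_line(line) for line in LEARNING_LINES)
    return check([parse_line(line) for line in MONITOR_LINES], baseline)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

The baseline is keyed per endpoint rather than per device so that a chatty cloud session does not mask a small host like NTP; a real deployment would also age the baseline as firmware updates legitimately change a device's traffic, which is exactly the re-certification problem the post raises.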

What’s good, and what could be better

I honestly love everything about this plan, even if I have some concerns about the process. I will spend time in my newsletter this week discussing some of the concerns I have about the FCC being the agency in charge of the program, and my hope that we will see more of a focus on privacy in addition to the security criteria. The NIST document actually does provide opportunities to work some privacy best practices into the labeling program, and I’ll talk about what that could look like.

I also want to note that many of the elements of this program mesh well with the security practices built into the Matter smart home interoperability standard (although these could go further). The U.S. Cyber Trust Mark is by no means a done deal, but it’s closer. We could even see retroactive certifications of existing devices if manufacturers want to make the effort and have the ability to make necessary updates to meet the program criteria.

I doubt that will happen, but given how important securing these devices is and how challenging it can be to assess a device’s security, I can’t wait to see this label in the wild. It will make reviewing connected products easier and make our entire internet safer.

Stacey Higginbotham
