The Biden Administration is unveiling a new cybersecurity label for smart devices today. In a press briefing, Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel said the new label, called the US Cyber Trust Mark, will signify that devices bearing it meet security standards based on those established in a report by the National Institute of Standards and Technology (NIST). The voluntary program is expected to be in place in 2024, with the labels hitting devices “soon after.”
The program is meant to cover connected devices commonly found in the home like smart refrigerators, smart microwaves, smart televisions, and smart climate control systems. But the announcement also lists “smart fitness trackers” as a device that would be covered by the certification and labeling program suggesting ambitions beyond the smart home. It has the voluntary support of several electronics, appliance, and consumer product manufacturers, retailers, and trade associations including Google, Samsung, Logitech, Amazon, Best Buy, and the Connectivity Standards Alliance (home of the Matter smart home standard).
The FCC is “acting under its authorities to regulate wireless communication devices” to propose the certification and labeling program, which it says would require “strong default passwords, data protection, software updates, and incident detection capabilities,” according to a press release. Rosenworcel likened it to Energy Star, which denotes products such as computers or appliances that meet certain energy efficiency standards.
The Cyber Trust label is comprised of two parts: a logo stamped on the box of a product, and a QR code that buyers can scan later to verify that the device is still certified as cybersecurity threats evolve and patches are needed. I wondered in an interview with Deputy National Security Advisor Anne Neuberger if the QR code would be used to give people more detailed security information about a product, such as whether a product requires a constant internet connection to be operable. Neuberger reiterated that the QR code will help keep customers up to date, encouraging ideas like this via public comment when the time comes.
A senior FCC official said during the Q&A session after the briefing that the Commission is considering annual recertifications, but the intervals haven’t yet been decided. As for who will handle certification, Neuberger said that would fall to third-party labs like the Connectivity Standards Alliance or the Consumer Technology Association.
Neuberger said the label is necessary to “drive the market to build more secure products by design,” saying that companies being able to differentiate themselves with such a label could make them more comfortable with the higher costs of better security.
She also said the program will help drive accountability, as smart home products will have to continue issuing security patches as needed to retain their Cyber Trust label. Neuberger said in an interview with The Verge that there’s always going to be “a new zero day,” calling it “troublesome” that, at times, when the intelligence community discloses an IoT vulnerability to companies, they say they’re done with those products and won’t issue a patch.
During the interview, Neuberger pointed to the NIST report when asked what the FCC will consider an “IoT product” under the Cyber Trust labeling program. Essentially, according to the NIST any network-connected device with a “sensor or actuator” can be considered an “IoT device,” while the whole of that device — the associated app, the cloud backend, and required bespoke hubs — is considered the “IoT product.”
Separate networking devices like Zigbee and Z-Wave hubs that aren’t associated with any one device, though, are instead lumped in with Wi-Fi routers, which weren’t examined as part of the report. The NIST is defining the cybersecurity requirements of consumer-grade routers as a priority given the risks they present to eavesdropping, password theft, and other nefarious activities in targeted homes. It expect to complete this work by the end of 2023 so that the Commission can consider the cybersecurity requirements of routers for inclusion in the labeling program.
The Biden administration is expected to reveal the new Cyber Trust logo later today with a livestream from The White House from 9:30AM to 11AM ET, unveiling more detail about the program and which companies have already committed to it.
So far, the administration lists the following “participants” in support of today’s announcement:
Amazon, Best Buy, Carnegie Mellow University, CyLab, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, Consumer Technology Association, Google, Infineon, the Information Technology Industry Council, IoXT, KeySight, LG Electronics U.S.A., Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung, UL Solutions, Yale and August U.S.