FCC adopts voluntary 'Cyber Trust Mark' labeling rule for IoT devices

The Federal Communications Commission approved a voluntary cybersecurity labeling program for wireless consumer Internet of Things (IoT) products.

The program allows manufacturers to put a new “U.S Cyber Trust Mark” on devices that comply with cybersecurity standards developed by the National Institute of Standards and Technology (NIST), including what the White House described last year as “unique and strong default passwords, data protection, software updates, and incident detection capabilities.”

Commissioners voted unanimously to approve the program at their open meeting on Wednesday.

“The device that I think of most when I think about this new world of the Internet of Things—and maybe it is because I am a Mom—is a baby monitor. My goodness, you want that to be safe,” said FCC Chairwoman Jessica Rosenworcel in prepared remarks.

“You want to know when you bring that monitor into your house to watch your newborn, that connection is secure and not going to invite any malware or malicious activity into your home.  I think parents everywhere feel this way.”

Officials compare it to the  “Energy Star” logo on devices showing which are energy efficient. The logo will have a QR code that buyers can scan to get more information on the cybersecurity of the product, including how long support for it lasts, whether it gets software patches and whether security updates are automatic. 

The FCC will oversee the program and “approved third-party label administrators” will evaluate each product’s applications, authorize the labels and more. Accredited labs will be tasked with testing a product’s compliance.

The FCC said it foresees the label applying to products like home security cameras, internet connected appliances, fitness trackers, garage door openers, baby monitors and voice-activated devices. 

The vote caps a yearlong effort by the White House and FCC to push the U.S Cyber Trust Mark idea forward. The U.S. government has gotten several major retailers — including Amazon, Best Buy, Google, Logitech, and Samsung — to back the concept. 

The Cybersecurity and Infrastructure Security Agency (CISA) and regulators at the Department of Justice will designate oversight and enforcement standards.

The FCC noted that it is still seeking public comment on additional requirements, including whether companies should disclose if their product is “developed or deployed by a company located in a country that presents national security concerns and whether customer data collected by the product will be sent to servers located in such a country.”

IoT devices have become frequent targets for hackers, particularly nation states and criminals seeking to build powerful botnets that allow them to launch larger attacks. 

The FCC cited third-party estimates showing more than 1.5 billion attacks against IoT devices in the first six months of 2021 alone.  

“From the start, we are building national security into the program. No entity or communications equipment from what is known as the ‘Covered List’ is eligible for a label,” Rosenworcel said, referring to a designation that applies mostly to specific companies in China. 

“This has the power to become the worldwide standard for secure Internet of Things devices, she said  

Experts are mixed on the label concept, with many saying time will tell whether manufacturers take the time to invest in the effort.

Jasson Casey, a former defense contractor and CEO of cybersecurity firm Beyond Identity, said it is unclear if the general consumer will care about or understand the Cyber Security Trust mark. 

“However, by having companies clearly label the software bill of materials that would follow something like NISTs Common Platform Enumeration (CPE), it then becomes possible for 3rd parties to assess the cybersecurity vulnerabilities and apparent risk of these products in a scalable way,” Casey said.  

“This could be useful in informing policy makers on the actions of companies in terms of their awareness and responsiveness to major cybersecurity vulnerabilities in their supply chain and bill of materials. This is likely a great first step in establishing accountability in the construction of software based products.”