FCC approves cybersecurity label for consumer devices

The Federal Communications Commission voted Thursday to approve the U.S. Cyber Trust Mark, a voluntary label that denotes that consumer Internet of Things devices like “smart” home appliances meet baseline security standards.

The FCC approval is the culmination of a White House initiative and is somewhat modeled after the energy efficiency labeling program Energy Star. The program would create an easy-to-recognize label that confirms for consumers that a product meets cybersecurity standards developed by the National Institute of Standards and Technology. 

The hope is that consumers can vote with their wallet and move the consumer market to address the litany of vulnerabilities found in smart devices. A rush of internet-connected consumer devices that often ship with little or poor security have created huge privacy risks for the consumers that rely on them and have given malicious hackers access to huge networks of devices that they can use to carry out and orchestrate attacks. 

Biden administration officials have described the trust mark as a way to address both consumer safety and national-security concerns, as IoT devices are often exploited by state-backed hackers to provide the infrastructure for their campaigns. The U.S. Cyber Trust Mark framework is initially focused on consumer IoT devices but may be broadened in the future.

“If your car explodes following a minor accident or if a table saw comes loose and maims you or your lightbulb overheats and causes a fire, you can take the negligent manufacturer to court and recover your damages,” Commissioner Nathan Simington said during the meeting. “But if an attacker hacks your smart home devices, let’s say your Alexa, listens in on your private conversations, you have little to no recourse against the manufacturer.”

In order to select which product will get the mark, the FCC will choose a lead administrator to build out the program and third-party accredited labs for compliance testing.

Additionally, the mark would include a QR code linking to a “consumer-friendly” landing page for each product that details the current state of the device’s security.

The FCC order requires companies that wish to use the label to list information such as the date of the authorization, the name of the accredited lab, and instructions on how to change the default password (only if the password can be changed, the FCC notes). Other requirements include information on additional security-focused configuration instructions, expected software updates, disclosure of the minimum support period (even if there is none), disclosure of whether a software bill of materials is included and any additional information that the administrator can add.

Amit Elazari, co-founder and CEO of the tech advocacy company OpenPolicy and a participant in a White House meeting on the mark, said she was happy to see that the initiative considers not just the device but also includes the software ecosystem around it, such as apps or cloud infrastructure. 

“We really want to make sure you’re not creating a false sense of security, and the way to do it is to consider all of the components that can introduce a vulnerability,” Elazari said.

Steve Kelly, chief trust officer at the Institute for Security and Technology, said that other countries are either implementing or considering their own IoT security labeling program, so it was “essential that the United States firmly step into the conversation with its own approach, given global supply chains and the global market for these products.”

While the mark is a voluntary effort, Kelly — a former special assistant to the president and senior director for cybersecurity and emerging technology at the National Security Council — said that “from my conversations with many of these companies, they are keenly interested in differentiating their products in the global marketplace.”

The order requires the FCC’s Public Safety and Homeland Security Bureau to work with the Department of Justice’s Office of International Affairs and other agencies to develop international recognition of the label and to also recognize other label programs, such as those in the European Union and Singapore.

The White House’s July announcement of the initiative noted that multiple major manufacturers and retailers were committed to increasing security, including Best Buy, Amazon and Samsung, among others. Some in attendance, like Samsung and LG Electronics, disagreed that the order should cover the broader software and component ecosystem that on which devices rely.

Companies on the FCC’s covered list, such as Huawei Technologies Company and ZTE Technologies, would not be eligible for the mark.

Organizations like the Consumer Technology Association and the consumer advocacy and investigative nonprofit Consumer Reports have praised the initiative, but experts argue that the FCC mark is just a first step. Consumer Reports noted that the final ruling does not include requirements around encryption, vulnerability reporting or privacy disclosure.

“While we’re excited about today’s vote, more work remains. In the future, we’d like to see the FCC include privacy as another element of this label, and more robust security elements are needed,” Justin Brookman, director of technology policy for Consumer Reports, said in a statement.

Thomas Pace, CEO and co-founder of the firmware security firm NetRise Inc., said that the vote “is a good first step in giving consumers better visibility into the security posture of the connected devices they own or are purchasing. In addition to these security labels, the FCC should consider evolving the cyber trust mark to have more prescriptive trust criteria.”