The White House introduced a new label for Internet-connected devices this week after a public notice and input period that spanned eight months. The U.S. Cyber Trust Mark, which was authorized by the Federal Communications Commission (FCC) in a bipartisan and unanimous vote, will be employed on so-called “smart products” sold in the United States by 11 companies.

The label will begin to appear later this year to help American consumers determine whether smart devices are safe for use at home. It will cover a range of devices, including home security cameras, TVs, fitness trackers, baby monitors, and climate control systems – all of which have Internet connections. The U.S. Cyber Trust Mark will indicate that the products include security features approved by the National Institute of Standards and Technology (NIST).

Major electronics, appliance, and consumer product manufacturers, as well as retailers and trade associations, have been working to increase cybersecurity for the products they sell.

The White House said in a statement that it “launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devices, much as EnergyStar labels did for energy efficiency.”

It added that it had received input from major electronics, appliance, and consumer product manufacturers, as well as retailers and trade associations.

“We see great potential in the U.S. Cyber Trust Mark Program,” said Michael Dolan, senior director and head of Enterprise Privacy & Data Protection at retail giant Best Buy. “It is a positive step forward for consumers and we are excited about the opportunity to highlight this program for our customers.”

Too Much Faith In Labels?

Though the purpose of the U.S. Cyber Trust Mark is to help consumers make informed decisions, it could come with some consequences – namely that Americans may believe products to be more secure than they are. Cybersecurity experts have long warned the weakest link in any network is the humans using it, and that isn’t going to change.

It could get worse as consumers may expect they’re receiving added protection and could inadvertently let their guard down.

“It seems generically like a good idea,” explained Dr. Jim Purtilo, associate professor of computer science at the University of Maryland. “But I wonder whether companies will use this as an excuse to charge more.”

The label could help consumers make better purchases, but it will still come down to how they use the product once it is out of the box, Purtilo told ClearanceJobs.

“The real question will be whether the criteria they use will strongly correlate with protection,” he warned. “If labeled devices are commonly hacked then people will put much value in the designation.”

Fighting Problematic Products

On the flip side, there remains the fact that a lot of bad products are on the market – and can be all too easily found online. That includes cheap products from China, and the U.S. government is now looking to ban a Chinese-made router out of fear that the products could gather information that is sent to Beijing.

In 2019, Congress passed the Secure and Trusted Communications Networks Act of 2019, which directed the FCC to determine how to best remove and replace Chinese-made equipment in U.S. telecom networks. The U.S. Cyber Trust Mark could help educate consumers that the products at least aren’t spying for China.

Moreover, the label may not be directed at consumers, but more likely at the hardware vendors.

“The mark is more to motivate IoT (Internet-of-Things) vendors to do the right thing than as something of value to most consumers,” said Roger Grimes, data-driven defense evangelist at KnowBe4.

“Most consumers, even if they notice the mark, aren’t going to know what it means, aren’t going to research it, and follow any needed procedures, if needed,” Grimes told ClearanceJobs. “Most consumers will ignore it or assume it means ‘safety,’ like the other FCC marks on electrical cords and appliances. But there is a chance the program motivates more IoT vendors to follow its intent and they all work to have better cybersecurity and actually make their products better. If that’s the case, it would become like the other marks and tell the average consumer that it means better ‘safety.’ Time will tell.”

Grimes added that it may also be too easy to point fingers and cast aspersions on any large-scale government program, including this one.

“But I also really appreciate what they are trying to accomplish,” he further acknowledged. “I just wish it wasn’t a half measure and had real teeth to improve cybersecurity from the start. But name the government legislation that wasn’t the half measure. That’s the way laws get passed at governmental scale, half measures where people on different sides of the problem came together to pass something that had half of what each side wanted, so they could at least pass something that each side could accept.”

In other words, the label should be seen as a good start, even if it’s not the end for IoT devices and cybersecurity.

“The way I read the bill and the comments is you get the sense that if the program works as it is currently designed and most IoT vendors cooperate in the spirit of the agreement and try to really improve their cybersecurity, that the program will be updated to have more requirements and less half-measures,” Grimes told ClearanceJobs. “That’s my hope.”

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.