Still no start date for federal cybersecurity “trust mark” program

Taylor Armerding, published in Nerd For Tech, Jun 24, 2024

An informed consumer is generally a more efficient, healthier, and safer consumer. Which is why product labeling, done right, is a good thing. It lets us know, among other things, how much sugar and how many calories are in that container on the grocery shelf, how energy efficient an appliance is, or whether a consumer advocacy group thinks the quality of a product qualifies for its seal of approval.

And now a new label category is in the works — cybersecurity. A federal initiative on cybersecurity labeling launched last year is now nearing implementation, according to the White House and the Federal Communications Commission (FCC), which proposed and will be running the program. The U.S. Cyber Trust Mark Initiative will allow manufacturers to put that logo on products that meet federal cybersecurity standards that haven’t yet been finalized — more on those below.

It’s voluntary, but according to the White House announcement last month, nearly two dozen major tech players including Amazon, Best Buy, Cisco Systems, Consumer Reports, Consumer Technology Association, Google, LG Electronics U.S.A., Logitech, Qualcomm, Samsung Electronics, and UL Solutions have already signed on to participate.

The program, aimed at making connected devices more resistant to malicious hackers, covers numerous “smart” internet-connected devices — among them refrigerators, microwaves, TVs, speakers, GPS trackers, light bulbs, robot vacuums, climate control systems, fitness trackers, baby monitors, home security cameras, and more.

It excludes smartphones, personal computers, routers, cars, and some internet-connected medical devices including smart thermometers and CPAP machines, which are governed by Federal Drug Administration regulations.

The labels will include QR codes that consumers can scan to display a national registry of certified devices with specific, comparable security information about smart products.

“Just like the Energy Star logo helps consumers know what devices are energy-efficient, the Cyber Trust Mark will help consumers make more informed purchasing decisions about device privacy and security,” said FCC Chairwoman Jessica Rosenworcel.

According to Nicholas Leiserson, assistant national cyber director for cyber policy and programs at the FCC, who participated in a recent cybersecurity panel at Auburn University’s McCrary Institute in Washington, those labels will start to appear on products in months — by this year’s holiday season.

The need is obvious

There is no debate over the need for better cybersecurity in Internet of Things (IoT) devices, and for consumers to be better informed about it. According to an FCC fact sheet, there were 1.5 billion attacks against IoT devices in the first six months of 2021, and there are expected to be at least 25 billion connected devices in use by 2030 — about three times the population of the world.

But how the program is done will have a lot to do with how effective it will be. According to the White House, “working with other regulators and the U.S. Department of Justice, the [FCC] plans to establish oversight and enforcement safeguards to maintain trust and confidence in the program.”

According to an FCC press release from Aug. 10, 2023, the Notice of Proposed Rulemaking is aimed at addressing these issues:

  • The scope of devices or products for sale in the U.S. that should be eligible for inclusion in the labeling program
  • Who should oversee and manage the program
  • How to develop the security standards that could apply to different types of devices or products
  • How to demonstrate compliance with those security standards
  • How to safeguard the cybersecurity label against unauthorized use
  • How to educate consumers about the program.

While, as noted, there is general information about the types of devices that will, or won’t, be covered by the program, there aren’t specifics yet on the rest of those issues.

Boris Cipot, senior security engineer with the Synopsys Software Integrity Group, said the program will maintain trust and confidence “only if the testing of devices is done meticulously, rules are followed by the manufacturers and sellers, buyers are educated on what this program means and what the benefits are, and most important, constant checking if the rules and tests done initially are still valid six months later or more.”

“It is not an easy thing to manage,” he added, noting that products like food have expiration dates while IoT devices don’t. “What happens if a certain technology used on a device is vulnerable after some time? Do you take it from the shelves? Return it to the manufacturer so that they can make it align with the rules again? Does the seller upgrade the firmware to make it compliant again?”

Cipot also wondered about how the program will be funded. “Will government do it out of taxpayer money? Will manufacturers sponsor it? Or will it be added to the price of the device? This last option would obviously make the secure devices more expensive, which might mean that they will not be selected in comparison with a cheaper device that is not in the program.”

That’s why, Cipot said, he thinks connected devices that don’t meet basic security standards should be banned. If not, it would be like allowing “lamps for sale that don’t meet electrical safety standards and could put buyers at risk of their house burning down,” he said, adding that “security should be an integral part of every device and the user should not be the one who pays more for that.”

Inevitable lobbying

There is also the reality that governmental rulemaking processes can be influenced by industry lobbying — witness the rather elastic definition of what now qualifies as organic food.

Jamie Boote, senior consultant with the Synopsys Software Integrity Group, said he doesn’t think the definition of cybersecurity will be as nebulous as “organic.”

“The back-and-forth between the USDA, Congress, and industry in the ’90s meant that there was ample wiggle room for defining what ‘organic’ meant and unfortunately the regulations were wide open enough to be exploited and not enforced at the level required to prevent fraud,” he said.

However the details are sorted out for the trust mark program, the obvious need means the sooner the program is launched, the better. So how is the rollout actually going?

So far, things are a bit vague. It’s difficult to get much information about what retailers will have to do beyond abiding by cybersecurity basics to qualify for the trust mark. According to the White House and the FCC, the requirements will be “based on specific cybersecurity criteria published by the National Institute of Standards and Technology (NIST) that, for example, require unique and strong default passwords, data protection, software updates, and incident detection capabilities.”

But most experts now agree that passwords — even strong, unique ones — are outdated as an effective security measure. Multifactor authentication, which offers better protection, isn’t on the list in that press release.

NIST, which operates within the Federal Trade Commission, has a guide to its “cybersecurity framework” on its website that covers five pillars: identify, protect, detect, respond, and recover. But that is for organizations, not devices. There isn’t anything specific yet from NIST on required cybersecurity measures that must be built into connected products to qualify for the trust mark.

Boote agrees that the trust mark now in the works is likely to be “more like the Energy Star logo that helps you understand how much energy is pulled out of the wall and turned into heat.” “With security, it’s possible to assess, roughly, what checks are in place to measure how bad a breach would be and set labeling requirements around thresholds for each product category,” he said.

Technology over purpose

Cipot said he thinks the requirements should be based not on the purpose of a device but the technology it uses. “If you look at what connection protocol it uses, what authentication and authorization it uses, what it connects to, what does the backend use for communication etc., you can make rules based on the technology rather than the device that uses it,” he said.

It is also not clear that the program will launch this fall. A CNBC post earlier this month predicted that “consumers shouldn’t expect to see products bearing the symbol until early next year, at the soonest.” In a response to an email asking about the timeline for the launch, “an FCC spokesperson did not provide any specific dates.”

According to the post, the spokesperson said, “We are now in the process of standing up this comprehensive program as quickly as possible. It is currently undergoing the standard intergovernmental review process that is required for new rules of this sort. Once that process is complete, we will communicate publicly about next steps.”

That communication has yet to appear. The FCC did not respond to several requests for comment this past week on specifics about the rollout of the program.

Nor have there been any announcements on the declaration in a July 18, 2023 White House press release that “NIST will also immediately undertake an effort to define cybersecurity requirements for consumer-grade routers — a higher-risk type of product that, if compromised, can be used to eavesdrop, steal passwords, and attack other devices and high-value networks.”

According to the release, “NIST will complete this work by the end of 2023, to permit the Commission to consider use of these requirements to expand the labeling program to cover consumer grade routers.”

That’s an excellent goal that ought to be a priority, since routers are the first line of defense in a home’s internet network. If your router gets hacked, it’s likely your devices will too.

Bottom line: While the labeling initiative is under way, its status remains vague. So the only realistic answer to whether it will be effective is that classic cliché “time will tell.”

“Will the public care? We’ll see,” Boote said. “That depends on the thresholds and checks that are negotiated by everyone involved. At its worst, it could be like California’s Prop 65, [which requires warning notices on any product that includes a substance that could cause cancer or birth defects] that became so ubiquitous as to be meaningless. At its best, it could drive continuous security improvement over time.”

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.