U.S. Cyber Trust Mark labeling program raises the bar for smart devices’ cybersecurity

The Biden-Harris Administration has announced a cybersecurity certification and labeling program to help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks. The new “U.S. Cyber Trust Mark” program proposed by FCC Chairwoman Jessica Rosenworcel would raise the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.

Several major electronics, appliance, and consumer product manufacturers, retailers, and trade associations have made voluntary commitments to increase cybersecurity for the products they sell. Manufacturers and retailers announcing support and commitments today to further the program include Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung Electronics.

Under the proposed new program, consumers would see a newly created “U.S. Cyber Trust Mark” as a distinct shield logo applied to products meeting established cybersecurity criteria. The program’s goal is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes.

Acting under its authorities to regulate wireless communication devices, the FCC is expected to seek public comment on rolling out the proposed voluntary cybersecurity labeling program, which is expected to be up and running in 2024. As proposed, the program would leverage stakeholder-led efforts to certify and label products, based on specific cybersecurity criteria published by the National Institute of Standards and Technology (NIST) that, for example, requires unique and strong default passwords, data protection, software updates, and incident detection capabilities.

The FCC is applying to register a national trademark with the U.S. Patent and Trademark Office that would be applied to products meeting the established cybersecurity criteria. The Administration—including the Cybersecurity and Infrastructure Security Agency—would support the FCC in educating consumers to look for the new label when making purchasing decisions, and encouraging major U.S. retailers to prioritize labeled products when placing them on the shelf and online.

To further enhance transparency and competition:

• The FCC intends the use a QR code linking to a national registry of certified devices to provide consumers with specific and comparable security information about these smart products. Working with other regulators and the U.S. Department of Justice, the Commission plans to establish oversight and enforcement safeguards to maintain trust and confidence in the program.
• NIST will also immediately undertake an effort to define cybersecurity requirements for consumer-grade routers—a higher-risk type of product that, if compromised, can be used to eavesdrop, steal passwords, and attack other devices and high value networks. NIST will complete this work by the end of 2023, to permit the Commission to consider use of these requirements to expand the labeling program to cover consumer grade routers.
• The U.S. Department of Energy today also announced a collaborative initiative with National Labs and industry partners to research and develop cybersecurity labeling requirements for smart meters and power inverters, both essential components of the clean, smart grid of the future.
• Internationally, the U.S. Department of State is committed to supporting the FCC to engage allies and partners toward harmonizing standards and pursuing mutual recognition of similar labeling efforts.

This new labeling program would help provide Americans with greater assurances about the cybersecurity of the products they use and rely on in their everyday lives. It would also be beneficial for businesses, as it would help differentiate trustworthy products in the marketplace.

As part of the development of the program, the Biden-Harris Administration and FCC will continue to engage stakeholders, regulators, and Congress to fully implement this program and work together to keep Americans safe.

“This is a great initiative from the US that it will significantly help consumers to recognise devices which are deemed safe by the government. However, one caveat to the scheme is the prevalence of zero-day vulnerabilities that can be discovered in devices long after they are marketed to consumers. As a result, for any vendors participating in the scheme, they must ensure they constantly run proactive pen-testing and vulnerability assessments on their devices and ensure patches and updates can easily be applied when issues are discovered. After all, as the world has seen time and time again recently, what may be deemed safe today, is not a guarantee it will be safe tomorrow,” William Wright, CEO of Closed Door Security, told Help Net Security.

Participants in this announcement include: Amazon, Best Buy, Carnegie Mellon University, CyLab, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, Consumer Technology Association, Google, Infineon, the Information Technology Industry Council, IoXT, KeySight, LG Electronics U.S.A., Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung Electronics, UL Solutions, Yale and August U.S.