White House, FCC advance efforts to add security labels to connected devices
The White House and the Federal Communications Commission on Tuesday announced a cybersecurity certification and labeling program designed to make it easier for Americans to evaluate the security of connected home devices.
The U.S. Cyber Trust Mark program will be applied to “smart” internet-connected devices ranging from baby monitors to fitness trackers that have become popular targets for hackers due to lax industry security standards, something that the Biden program is hoping to turn around.
“We see the risks adversaries pose, and we really understand the critical need to protect the devices we rely on,” said Anne Neuberger, deputy national security adviser for cyber and emerging technology.
Devices that meet the voluntary cybersecurity guidelines will be labeled with the program’s shield logo which will include a QR code linking to a registry of certified devices and security information about the programs.
The program will draw from the National Institute of Standards and Technology cybersecurity recommendations, including the requirement of unique and strong default passwords, data protection, software updates and incident detection capabilities. Officials noted that the program is similar to the Energy Star labeling program the Environmental Protection Agency and the Department of Energy operate to promote energy efficiency.
“The goal is to make this something that consumers look for in the marketplace and that product manufacturers want to use,” said FCC Chairwoman Jessica Rosenworcel.
As part of the program, NIST will also define specific cybersecurity requirements for consumer-grade routers, another frequent hacker target. The requirements are expected to be reported to the FCC by the end of the year. The Department of Energy will research and develop a cybersecurity labeling requirement for smart meters and power inverters.
The initiative was previewed in a workshop with industry leaders and government officials last fall, as first reported by CyberScoop. The White House initially said it expected to roll out its first set of standards for the program in spring 2023.
The FCC will seek public comment on the program, which is expected to launch in 2024. The rulemaking will explore what liability there might be for manufacturers participating in the program that fails to comply with the standards, a senior FCC official told reporters.
Manufacturers and retailers that have announced support of the program include Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech and Samsung.