The U.S. government has embarked upon an initiative to label as "cyber secure" common smart devices, such as refrigerators, microwaves, TVs and fitness trackers, the White House said.
The new program, as proposed by Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel, would affix a newly created “U.S. Cyber Trust” mark for devices that meet certain established criteria.
Some of those standards could include unique and strong default passwords, data protection, software updates and incident detection capabilities. The program is expected to be up and running sometime next year.
The Consumer Technology Association (CTA) said it has aligned itself with agencies and organizations, including the FCC, the National Security Council (NSC) and the National Institute of Standards and Technology (NIST) for the launch of the program.
Helping Consumers and Business Make Informed Decisions
The goal of the program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes and connect to the internet. It would also be beneficial for businesses, as it would help differentiate trustworthy products in the marketplace, federal officials said.
Several major electronics, appliance, and consumer product manufacturers, retailers, and trade associations have committed to increase cybersecurity for the products they sell. Manufacturers and retailers supporting the project include Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung Electronics.
Commenting on the labeling program, CTA CEO Gary Shapiro said:
"While walking this year, I saw products that improve healthcare, transportation and energy efficiency. While IoT makes our world better, it also tempts bad actors to exploit consumers' connected devices. Research shows consumers want more information on the safety and security of their connected devices, and we agree."
How the Labeling Program Works
Here are some more details of the plan of action:
- The FCC intends the use a QR code linking to a national registry of certified devices to provide consumers with specific and comparable security information about these smart products.
- Working with other regulators and the U.S. Department of Justice, the FCC plans to establish oversight and enforcement safeguards to maintain trust and confidence in the program.
- NIST will also immediately undertake an effort to define cybersecurity requirements for consumer-grade routers, a higher-risk type of product that, if compromised, can be used to eavesdrop, steal passwords and attack other devices and high value networks. NIST will complete this work by the end of 2023, to permit the Commission to consider use of these requirements to expand the labeling program to cover consumer grade routers.
- The U.S. Department of Energy announced a collaborative initiative with National Labs and industry partners to research and develop cybersecurity labeling requirements for smart meters and power inverters, both essential components of the clean, smart grid of the future.
- Internationally, the U.S. Department of State is committed to supporting the FCC to engage allies and partners toward harmonizing standards and pursuing mutual recognition of similar labeling efforts.
Public Comment Sought
The FCC is expected to seek public comment on rolling out the proposed voluntary cybersecurity labeling program. As proposed, the program would leverage stakeholder-led efforts to certify and label products, based on specific cybersecurity criteria published by the NIST.
Tthe FCC is applying to register a national trademark with the U.S. Patent and Trademark Office that would be applied to products meeting the established cybersecurity criteria.
The Cybersecurity and Infrastructure Security Agency (CISA) said it will support the FCC in educating consumers to look for the new label when making purchasing decisions. CISA encourages major U.S. retailers to prioritize labeled products when placing them on the shelf and online.
