The Biden administration has launched the U.S. Cyber Trust Mark initiative in an effort to put a nationwide cybersecurity certification and labeling program in place to help consumers choose smart devices that are less vulnerable to hacking.
In a press briefing Tuesday, officials likened the new U.S. Cyber Trust Mark to the Energy Star program, which rates appliances’ energy efficiency. The initiative will be overseen by the Federal Communications Commission (FCC), with industry participation voluntary.
Devices including home security cameras, baby monitors, fitness trackers, TVs, refrigerators and smart climate control systems that meet the U.S. government’s cybersecurity requirements will bear the “Cyber Trust” label, a shield logo, as early as next year.
FCC Chairwoman Jessica Rosenworcel said the mark will give consumers “peace of mind” and benefit manufacturers, whose products would need to adhere to criteria set by the National Institute of Standards and Technology (NIST) to qualify.
“It will allow Americans to confidently identify which internet- and Bluetooth-connected devices are cybersecure,” deputy national security adviser Anne Neuberger told reporters in a pre-announcement briefing.
The Biden administration — including the Cybersecurity and Infrastructure Security Agency (CISA) — would support the FCC in educating consumers to look for the new label when making purchasing decisions, and encouraging major U.S. retailers to prioritize labeled products when placing them on the shelf and online, according to a White House statement.
Among efforts to enhance transparency and competition:
- The FCC intends to use a QR code linking to a national registry of certified devices to provide consumers with specific and comparable security information about these smart products. Working with other regulators and the U.S. Department of Justice, the FCC plans to establish oversight and enforcement safeguards to maintain trust and confidence in the program.
- NIST will immediately undertake an effort to define cybersecurity requirements for consumer-grade routers — a higher-risk type of product that, if compromised, can be used to eavesdrop, steal passwords, and attack other devices and high-value networks. NIST will complete this work by the end of 2023, to permit the FCC to consider use of these requirements to expand the labeling program to cover consumer-grade routers.
- The U.S. Department of Energy announced a collaborative initiative with National Labs and industry partners to research and develop cybersecurity labeling requirements for smart meters and power inverters, both essential components of the clean, smart grid of the future.
In a statement, Consumer Technology Association (CTA) President and CEO Gary Shapiro said consumers could expect to see certification-ready products at CES 2024 in January, once the FCC adopts final rules.
“While walking CES this year, I saw IoT applications improving healthcare, transportation and energy efficiency. While IoT makes our world better, it also tempts bad actors to exploit consumers’ connected devices,” Shapiro said. “Tech makers take this threat seriously and are building and enhancing tools to improve product security and protect consumers. Working with the U.S. government, they’re poised to do even more to combat cybercrime.”
The Cyber Trust initiative was first announced in October following a meeting between White House and tech industry representatives.
The director of technology policy at Consumer Reports, Justin Brookman, welcomed the White House proposal but cautioned in a statement that “a long road remains” to its effective adoption.
“Our hope is that this label will ignite a healthy sense of competition in the marketplace, compelling manufacturers to safeguard both the security and privacy of consumers who use connected devices and to commit to supporting those devices for the lifetime of those products,” Brookman said.
Participants in Tuesday’s announcement included: Amazon, Best Buy, Carnegie Mellon University, CyLab, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, CTA, Google, Infineon, the Information Technology Industry Council, IoXT, KeySight, LG Electronics U.S.A., Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung Electronics, UL Solutions, Yale and August U.S.