
Experts optimistic on FCC's Cyber Trust Mark for IoT devices

The launch of the FCC's U.S. Cyber Trust Mark label for IoT devices will include internet-connected home security cameras, smart home appliances, baby monitors and more.

Cybersecurity market experts are optimistic about the FCC's new U.S. Cyber Trust Mark, announced Tuesday to raise the security baseline of IoT products that consumers buy.

The Biden-Harris administration announced the labeling program in July 2023 to help consumers choose smart devices and IoT products that, by the government's standards, are more secure. In its final form, the U.S. Cyber Trust Mark is a voluntary product label administered by the FCC that reflects a set of baseline security standards a given product follows. The criteria for labeling are based on the National Institute of Standards and Technology's (NIST) standards for IoT products.

Following 18 months of public comment and a decision to adopt final rules last year, the White House and Federal Communications Commission (FCC) launched the program this week. As part of this, 11 labeling and certification companies have been conditionally approved for labeling, with one of them, UL Solutions, conditionally selected as lead label administrator.

Though the label was not directly connected to the Biden White House's National Cyber Strategy as unveiled in early 2023, the U.S. Cyber Trust Mark program reflects the strategy's primary tenet of shifting cybersecurity responsibility away from the consumer and toward the vendors that release products.

The program exists to help consumers make more secure buying decisions on select IoT and smart devices included in the program. According to an FCC page dedicated to the program, IoT products are vulnerable to a range of security issues.

"Consumers rely increasingly on the convenience of wireless interconnected smart products, also known as the Internet of Things or IoT. You can link your garage door opener, your front door lock, your house alarm, and your lights so everything opens, unlocks, and turns on when you get home. Once inside, you can keep an eye on your baby from the living room, where you can shop using a voice-activated device -- to name just a few examples," the program page read. "But with this convenience comes risk."

The logo of the U.S. Cyber Trust Mark

In an FAQ included on the FCC's page, the commission said examples of devices covered by the program include "internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors."

Products not covered by the label include wired devices, devices regulated by other administrations such as the Food and Drug Administration and the National Highway Traffic Safety Administration, products used primarily for manufacturing or industrial control, personal computers, smartphones and routers. The FCC said NIST is working to establish cybersecurity requirements for consumer-grade routers.

Tom Guarente, vice president of external and government affairs at OT and IoT security vendor Armis, told Informa TechTarget's SearchSecurity in an email that the vendor is "proud to have worked with the current administration over these last few months to inform the program's framework."

"Equipping consumers with knowledge of which internet-connected products follow a consistent set of security controls allows them to have a level of trust that may not currently exist in introducing new devices into an environment," he said. "This will drive the market toward better long-term outcomes, encouraging vendors to implement secure-by-design principles from the start. On a broader scale, this mindset can further benefit consumers as security practices at home will transfer to physical workplaces across industries, especially when new assets are brought online and/or old assets are disconnected from business networks."

Melinda Marks, practice director of cybersecurity at Informa TechTarget's Enterprise Strategy Group, said the label was a good move, as well as "good timing before an administration that is looking at decreasing federal regulations."

"Our reliance on digital devices makes us vulnerable to attack, and that is a national security issue," she said. "However, this new U.S. Cyber Trust Mark is voluntary, so participation will be key, but consumers and vendors should support this. This has to be a community effort, from government efforts setting standards and regulations, to company and vendor cooperation, to end users because we can all contribute to take proactive measures to help us safely utilize digital devices."

Hollie Hennessy, principal analyst for IoT cybersecurity at Informa TechTarget's Omdia, said she felt positive about the label because it will hopefully increase the security baseline of consumer devices and because companies like Amazon have publicly commented on it. Amazon vice president Steve Downer said the commerce giant "supports the U.S. Cyber Trust Mark's goal to strengthen consumer trust in connected devices" in the White House's news release for the program.

However, Hennessy called attention to the fact that the label is voluntary.

"There will of course be consideration around whether a voluntary label is the best way to do this. While we would hope to then see many large industry leaders attaining the mark, thus spurring on smaller vendors to do so, ultimately it is optional," she said. "That said, Singapore has a similar scheme, which had been quite successful, and there are a number of products that have been certified."

Hennessy also observed that labels are generally static.

"I think the current communication has tried to get the correct information across, but I think there is a risk of consumers seeing the mark and then immediately thinking that product is perfectly secure. But of course, security is always moving. It's hard to put a definitive label on something that could have a major vulnerability crop up a day later," she said. "What the label really is, in my opinion, is an indication that the manufacturer has done its best to ensure the security of the product and will commit to fixing issues that arise within a transparent support period. I think with the right communication, consumers will understand that."

Guarente said moving toward implementing a consistent set of security controls is "extremely important," and that the program's impact will depend on how it is implemented in the agency and enterprise arenas.

"There is much work to do to ensure that manufacturers and providers align to a consistent set of security controls, but we have to start somewhere, and this is a great start," he said.

Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.
