Biden Admin Eyes IoT Cybersecurity With Device Labeling Program
The White House is teaming up with top tech players like Amazon, Google and Samsung to tackle the thorny issue of security and the internet-of-things (IoT).
The Biden administration and White House and the Federal Communications Commission (FCC) this morning took the wraps off a plan for a cybersecurity certification and labeling program that will make it easier for enterprises and consumers to see which smart devices are more secure and less vulnerable to attacks.
The idea is to put a “U.S. Cyber Trust Mark” logo on a broad array of wirelessly connected devices–such as smart refrigerators, microwaves, televisions and fitness trackers–that meet specific criteria laid out by the National Institute of Standards and Technology (NIST). It’s similar to other government programs, such as Energy Star, which inform consumers about devices and machines that meet certain environmental standards laid out by the Environmental Protection Agency (EPA).
The U.S. government and the private sector have discussed the issue for months.
The voluntary labeling program, which the White House expects will begin running in 2024, will give buyers a way to compare the security of competing products and act accordingly.
“This new labeling program would help provide Americans with greater assurances about the cybersecurity of the products they use and rely on in their everyday lives,” the administration said in a press release. “It would also be beneficial for businesses, as it would help differentiate trustworthy products in the marketplace.”
IoT Security a Longtime Concern
Security has been a central issue in the rapidly expanding world of IoT and other connected smart devices, with the question involving both the security of the devices and the networks they run on. Are companies that make IoT products spending enough of their limited budgets on security rather than features? Do the Wi-Fi networks in the millions of homes around the country have the security features needed to protect them?
That becomes an even bigger issue for organizations at a time when more work is being done remotely, with many employees performing their jobs on their home networks.
The issue of cybersecurity also will play a crucial role in determining whether the IoT can reach its full potential, according to a report released last year by McKinsey and Co. The report noted that by 2030, the IoT supplier market will reach about $500 billion. However, greater trust in the security of the IoT could increase the spending by another 20% to 40%, with 5% to 10% more coming from new use cases, growing the total addressable market (TAM) to as much as $750 billion.
“It will take a significant shift in the philosophy of IoT solution design, along with a holistic convergence of IoT and cybersecurity functionalities, to build user confidence in the IoT, speed up its adoption and drive new value across its verticals–thus creating a fully interconnected IoT environment,” the report stated.
Trust Goes a Long Way
The Consumer Technology Association (CTA)–which runs the annual CES tech-fest and is working with the administration on the program–echoed the need for trust as a key part of the Biden Administration’s labeling plan.
“With more than 90% of American consumers worrying about online security threats affecting their household, the new program will offer peace of mind and strong protection for our connected devices,” CTO President and CEO Gary Shapiro said in a statement, adding that the transparency that comes with such a public-private approach that also includes Cisco, LG Electronics, Best Buy and Logitech “allows consumers to make wise buying choices and encourages device makers to meet set cybersecurity standards.”
Cybersecurity has been a key focus of the U.S. government since president Biden came into office, as seen in his Executive Order in May 2021 that pushed the need for greater measures. Securing IoT systems is part of that. The Department of Homeland Security last year issued a report outlining key principles for securing the IoT and NIST rolled out core security baselines for consumer IoT devices.
Next Steps
The FCC is registering a national trademark with the U.S. Patent and Trademark Office that would be used by products meeting the cybersecurity criteria and will work with the Cybersecurity and Infrastructure Agency (CISA) and other departments to educate consumers about the labels and encourage U.S. retailers to prioritize products that carry them.
The government also will use a QR code that links back to a national registry of devices that have been certified to give consumers and businesses more security information that can be used to compare products.
“QR codes, the modern-day version of a label, are easily accessible to consumers buying either in-store or online,” CTA’s Shapiro said. “Consumers can quickly understand which products are built with certain protections to defend against cybercriminals and intruders, and whether devices are equipped with up-to-date software.”
In addition, the FCC also will solicit public comments about the proposal before the program rolls out.
By the end of the year, NIST will create cybersecurity requirements for consumer-grade routers, which are crucial components in home wireless networks that are an avenue for cybercriminals who want to steal information, conduct espionage or move through the network to infect multiple devices.
The U.S. Energy Department is working with the national laboratories and private companies to develop cybersecurity requirements for the smart meters and power inverters that play a key role in smart grids and the State Department will investigate whether this program can be extended internationally.
