From chastity belts to baby monitors and everything in between, pretty much anything can be a connected device these days — but “smart” devices aren’t so clever when it comes to cybersecurity. Over the years, we have seen plenty of stories of how some parts of the Internet of Things are way too easily hacked, often due to their manufacturers not including even basic protections to prevent it. It’s hard, though, for the average person to know if the products they’re trusting (possibly very intimate) parts of their lives to are sufficiently protected from hackers. Next thing you know, your toaster has been conscripted into a botnet army or your casino has been hacked by a fish tank thermometer.
Cybersecurity experts have been raising the alarm about the Internet of Things (IoT) for years now, but those devices remain a significant attack vector. According to cybersecurity provider and researcher Check Point Software (which sells IoT security products), the number of cyberattacks through IoT devices has dramatically increased in the last two years alone. In May 2021, around the time the cyberattacks on the Colonial Pipeline and JBS Foods were disrupting the gas and meat industries, President Biden issued an executive order on “Improving the Nation’s Cybersecurity.” Buried within it was a call to identify criteria for a cybersecurity consumer labeling program for IoT devices.
On Tuesday, the White House announced that we’ll soon get those IoT labels: The US Cyber Trust Mark, which looks like a shield with a microchip on it, will be on products that have cybersecurity protections. It’s like Energy Star, but instead of telling you how energy efficient your new smart air conditioner is, it’ll tell you that your smart air conditioner is harder to hack.
“In 2024, the program will be up and running, and soon after, as you shop online and in stores, you’ll be able to look for the Cyber Trust Mark’s distinct shield, providing you the peace of mind that the devices you’re buying and bringing into your homes, classrooms, or workplace are safer and less vulnerable to cyberattacks,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, said in a phone call with reporters.
There’s a lot we still don’t know about the program, which will be overseen by the FCC. Many of the details are still being finalized, including the criteria that devices must meet and how they will be enforced. But you can expect to have things like secured data transmissions, access controls, the ability to update software as needed, and the ability for the consumer to set and change passwords and delete their data.
We also don’t yet know how many or which devices will carry the mark. It’s a voluntary program, so there’s no legal requirement to have the mark in order to be made or sold in the US. But a lot of big names have already signed onto the project, including Amazon, Best Buy, LG, Samsung, Qualcomm, Logitech, and Google. These companies could mandate that they only make or sell Cyber Trust Marked IoT devices, or just have messaging telling consumers that the Cyber Trust Mark exists and feature IoT products that have it. If the government and businesses can make the case to consumers that the presence of the Cyber Trust Mark should be an important factor in their buying decisions, you’ll probably see it on most IoT devices sold in the US soon enough. The market will decide.
“When a shopper goes to Target and they buy a lamp and they bring their lamp home, they don’t expect it to catch on fire. And the reason is because there’s a little certification on that box from Underwriters Laboratory,” Rep. Ted Lieu (D-CA) said in a presentation announcing the effort. “Target has learned over time that if they sell products that are certified by a certification agency, consumers tend not to be mad at them because their products don’t catch on fire, and the manufacturers know that if they meet this standard, Target is more likely to buy the product [to sell].”
Miri Ofir, who’s in charge of Check Point Software’s IoT Protect program, said that she’d prefer mandatory regulations for IoT products, but “as a first step, the labeling program is a good option to allow educated users, and especially enterprises, schools, and organizations in health care, to use IoT devices safely and to decide if they want to invest in purchasing secure devices.”
Kayne McGladrey, a senior member of IEEE, an electrical and electronics engineering trade group, also expressed reservations about the mark. His concern is that Cyber Trust Marked devices could be sold at a premium to account for the increased cost of cybersecurity measures, which could lead to most consumers simply choosing whatever’s cheaper, rendering the program ineffective. He also noted that it won’t address all the devices that pre-date the Cyber Trust Mark and are already in people’s homes.
“For example, LED light bulbs have lifespans of tens of thousands of hours, which means that insecure light bulbs will be a feature of the IoT landscape for the coming decade or longer,” McGladrey said in an email.
The mark will join an increasingly crowded field of symbols on electronic devices. If this makes you wonder what, exactly, they all are or mean — the CEs, FCCs, ULs, the trash cans with an X on them — here’s a little primer on CNET. The new Cyber Trust Mark will also have a QR code that consumers can scan to see a registry of certified devices and information that can be kept current.
“Products evolve, and we want to make sure that this mark, when it’s achieved by a product, is not frozen in time, and there’s a way for a consumer to get updated information,” a senior FCC official said on the call.
The Biden administration plans to roll the Cyber Trust Mark out next year. After that, “a long road remains,” Justin Brookman, director of technology policy at Consumer Reports, said in a statement.
“We must also ensure effective implementation of the labels, adoption of the program, and continue focusing on enhancing consumer education around digital security,” he added. “Our hope is that this label will ignite a healthy sense of competition in the marketplace, compelling manufacturers to safeguard both the security and privacy of consumers who use connected devices and to commit to supporting those devices for the lifetime of those products.”
As Rep. Doris Matsui (D-CA), who was at the announcement, said: “Our cyber defenses are only as strong as the weakest link in the chain.” If the Cyber Trust Mark isn’t effective, that weak link will still be the tens of billions of “smart” devices we stick in our offices, schools, hospitals, homes, and even more intimate locales.