The White House announced Wednesday that it was launching a program that will certify and label wireless smart products such as internet-connected home security systems, smart door locks, smart televisions and others when they meet certain cybersecurity standards.
The Federal Communications Commission will administer the voluntary U.S. Cyber Trust Mark, based on standards set by the National Institute of Standards and Technology. The White House likened the program to Energy Star; just as that program certifies the energy efficiency of appliances, products, homes and commercial buildings, the U.S. Cyber Trust Mark will certify the security of Internet of Things, or IoT, devices.
The labeling scheme will apply to consumer devices that ordinarily do not play a critical function in banks' IT supply chain. The program explicitly excludes personal computers, smartphones, routers and products primarily used for enterprise applications.
However, some consumer IoT devices are equipped with
On
In a statement last year when the FCC proposed the Cyber Trust Mark, Chairwoman Jessica Rosenworcel said the purpose was to help consumers make "more informed purchasing decisions about device privacy and security."
"So when you need a baby monitor or new home appliance, you will be able to look for the Cyber Trust Mark and shop with greater confidence," Rosenworcel said.
Consumer advocacy group Consumer Reports backed the announcement Wednesday. Justin Brookman, director of technology policy for the group, said the trust mark will inform consumers "whether or not a company plans to stand behind the product with software updates and for how long."
"While voluntary, Consumer Reports hopes that manufacturers will apply for this mark, and that consumers will look for it when it becomes available," Brookman said.
The NIST standards underpinning the trust mark program offer a template banks can use to assess the security of enterprise-grade IoT devices such as cameras or alarm systems. These standards assess security patching practices for the product, the ability to identify the product and its components, the device's data transmission and storage safety and the access controls that protect the device from being tampered with by unauthorized parties.
For example, one of the standards NIST created for IoT devices concerns interface access control. To meet this standard, a device should enable only authorized individuals, services and components to access the device's interface. This authorization must take place with, for example, multifactor authentication, per
The FCC
As with many consumer electronics in the U.S., some IoT devices are designed by Chinese companies and manufactured in China, raising concerns about the trustworthiness of the products. Hackers backed by the Chinese government have long posed a cybersecurity threat to U.S. critical infrastructure.
In late December, Chinese state-sponsored hackers
Companies listed on the Department of Defense's list of Chinese military companies are not eligible to get the trust mark on their products, nor are products of Chinese telecom companies including Huawei, as these products are deemed to pose an unacceptable risk to U.S. national security.
So long as a manufacturer does not appear on one of these national security blacklists, any company outside the U.S. can apply to receive the U.S. Cyber Trust Mark on its products.