The Federal Communications Commission has approved a voluntary cybersecurity labeling program for wireless consumer Internet of Things (IoT) products.
The program allows manufacturers to mark devices that comply with cybersecurity standards developed by the National Institute of Standards and Technology (NIST) with the new US Cyber Trust Mark. This includes what the White House described last year as “unique, strong default passwords, data protection, software updates, and incident detection capabilities.”
Commissioners voted unanimously to approve the program during Wednesday's public meeting.
“When I think about the new world of the Internet of Things, the device I think of most, perhaps because I'm a mother, is a baby monitor. Well, I want it to be safe,” said FCC Chair Jessica Rosenworcel in prepared remarks.
“When you bring that monitor into your home to watch your newborn, you want to know that its connection is secure and won't invite malware or malicious activity into your home. Parents everywhere feel the same way. I think that there.”
Officials compare this to the “Energy Star” logo that indicates which devices are more energy efficient. The logo includes a QR code, which buyers can scan to get detailed information about the product's cybersecurity, including how long it will be supported, whether there are software patches, and whether security updates are automatic.
The FCC will oversee the program, with “approved third-party label administrators” evaluating each product's use and approving labels, etc. Accredited laboratories are tasked with testing products for compliance.
The FCC said it expects the label to apply to products such as home security cameras, internet-connected appliances, fitness trackers, garage door openers, baby monitors and voice-activated devices.
The vote ends a year-long effort by the White House and FCC to advance the idea of a U.S. cyber trust mark. The U.S. government has the support of several major retailers for the concept, including Amazon, Best Buy, Google, Logitech, and Samsung.
Regulators from the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Justice will specify oversight and enforcement standards.
The FCC said it is seeking public comment on additional requirements, including whether companies should disclose whether their products are “developed or deployed by companies located in countries that present national security concerns and whether customer data collected by the products is transmitted to servers located in such countries.”
IoT devices are a frequent target of hackers, especially nation states and criminals looking to build powerful botnets capable of launching large-scale attacks.
The FCC cited third-party estimates that there were more than 1.5 billion attacks on IoT devices in the first six months of 2021 alone.
“We built national security into our program from the beginning. Entities and communications equipment included on the so-called 'target list' are not eligible for the label,” Rosenworcel said, adding that the designation mainly applies to certain Chinese companies.
“This has the power to become the global standard for secure Internet of Things devices,” she said.
Experts are divided on the concept of the label, with many saying only time will tell whether manufacturers take the time to invest in the initiative.
Jasson Casey, a former defense contractor and CEO of cybersecurity company Beyond Identity, said it's unclear whether ordinary consumers will be interested in and understand cybersecurity trustmarks.
“However, by ensuring that companies clearly label software bill of materials that follow something like NIST's Common Platform Enumeration (CPE), third parties can identify these products' cybersecurity vulnerabilities and obvious risks in a scalable way,” Casey said.
“This could help inform policymakers about corporate behavior in terms of corporate awareness and response to critical cybersecurity vulnerabilities in supply chains and bills of materials. This is a great first step towards establishing accountability in building products.”