The Federal Communications Commission (FCC) proposed a voluntary cybersecurity labeling program intended to provide consumers with easily understandable information about the security of Internet of Things (IoT) devices. Under this program, a range of IoT devices or products would be permitted to use a U.S. Cyber Trust Mark, indicating to consumers that these devices meet certain cybersecurity standards and enabling them to make informed decisions.

In comments to the FCC on the proposed program, the Cybersecurity Coalition raised concerns that the FCC envisioned a labeling system that was overly complex, costly, and untested. These risks may suppress the adoption and effectiveness of the label. Although the Coalition believes an IoT security labeling program can be beneficial and strengthen ecosystem resilience, we are skeptical that several proposed program features are needed for a basic labeling program or that they would provide value to consumers.

Scope of Devices and Products 

The FCC sought comments on the scope of products that are eligible for the program, including whether the labels should be for an entire IoT product or just the device itself. They also inquired as to whether the program should include consumer devices and products for enterprise and industrial use.

Our take is that the FCC should align with the NIST definition of an IoT product rather than with devices, which account only for individual components. Because IoT devices are part of a larger ecosystem whose other elements can have their own separate security issues, “IoT cybersecurity” must go beyond the individual device. Restricting the label solely to devices could lead to a disconnect and add complexity for consumers, who must decipher which product elements align and don’t align with the labeling standards. Additionally, the FCC should clarify the scope for services, so that cloud services are not inadvertently included.

When considering whether to include enterprise devices or products for industrial/business use, we advise that the FCC start with consumer IoT products. These products have specific security criteria compared to industrial or business products, which tend to have higher levels of security, and adding enterprise products would introduce complexities to the program. The FCC, however, should remain open to expanding the program to other products in the future after lessons learned from the consumer experience.

Testing and Standards

The FCC proposal envisions the creation of new standards to underpin the labeling program. The Coalition is skeptical that new IoT security standards must be developed for a consumer IoT labeling program. The NIST IoT Core Baseline was designed, per Executive Order and after much industry consultation, to establish minimum security controls in connection with a labeling program. Ultimately, a consumer labeling program must designate standards that qualify for the program, and we urge the FCC to leverage existing IoT baselines and standards that match the NIST Baseline, such as those from NIST, ETSI, ANSI, and ISO.

Regarding conformity with the standards, the Coalition believes the labeling program should recognize self-attestation and third-party testing. Product manufacturers that falsely self-attest to conformity with security standards should be held liable for fraudulent attestations. We recommend against requiring third-party testing for all products. This would be costly, create delays in approval, and undermine the objective of promoting wide adoption of the label.

Label Structure 

The FCC proposes a single binary label with layering that will utilize a QR code. Products or devices will either qualify or not qualify for the label, and a scannable QR code will direct consumers to more detailed information. The FCC asked several questions for feedback related to program administration and logistics of the label itself, including how to display the label (e.g., affixed to the device or packaging) and what information should be accessible via the QR code.

The Coalition supports the need for a clear, accessible, and informative labeling system to empower consumers and aid their purchasing decisions. We advocate for a straightforward approach: products either qualify for the label or they do not. We also agree that having a single binary label layered with information is the appropriate method for consumer IoT labeling. A recognizable symbol, accompanied by a QR code, serves as the gateway to more detailed security information, avoiding confusion and complexity for consumers. 

The trust mark should be standalone on the initial layer, rather than clutter product packaging. The second layer should include a QR code and link for consumers to learn more about the label and the IoT product’s security features, as well as a reminder that the label does not guarantee security. Finally, the last layer can link to detailed dynamic information such as the length of security support, a point of contact for vulnerability disclosure, and machine-readable data or information about cyber hygiene provided at the discretion of the manufacturer.

The emphasis should be on transparency and simplicity for the label. Too much up-front information will undermine the usefulness of the label. Consumers should be able to make quick purchasing decisions based on the presence or absence of the Trust Mark – the top layer – alone, while more sophisticated consumers have a pathway to access more granular security information.

Updates and IoT Registry

The FCC proposes establishing an IoT registry where the public can access a catalog of devices or products that have been approved. Additionally, the FCC proposes that consumers be made aware of “any vulnerabilities” or updated product information through the IoT registry.

While the Coalition supports a third label layer that provides more detailed security information, we are skeptical that an IoT registry, operating as a searchable catalog of labeled products, will be useful for consumers. It is highly unlikely that most consumers will review and compare products through a catalog before making a purchase. Instead of requiring a central registry, we recommend working with major retail platforms to enable consumers to easily filter search results for labeled products, as many major ecommerce sites presently do for electrical appliances that are ENERGY STAR compliant. 

With regard to vulnerability information, the FCC should not require organizations, as part of the labeling program, to publish vulnerability reports or security patches on a central registry. The Coalition opposes requiring manufacturers to notify IoT registry operators or the public when they become aware of an unpatched vulnerability, unless the vulnerability voids the product’s conformity in the labeling program. Requiring manufacturers to publicly report unpatched vulnerabilities leads to a higher likelihood of potential entry points for exploitation by malicious actors and may inadvertently jeopardize cybersecurity outcomes.

Keep It Simple for Consumers

Unfortunately, many aspects of the FCC’s proposed labeling program would go far afield from serving as a market differentiator for baseline IoT security. The FCC should not overly complicate the labeling program with an unnecessarily broad scope, new standards, multiple third-party administrators, a registry, and detailed security information. 

From the perspective of the Cybersecurity Coalition, the IoT labeling program should be driven by two overarching objectives: enabling a broad set of consumers to make informed purchasing decisions about consumer IoT security, and enabling reciprocity with other IoT security labeling programs. Gathering reliable data on how consumers use and understand the label in live environments will help determine the most effective approaches. 

The Coalition urges the FCC to view the program as a long-term effort that focuses on basic security for consumer IoT, adapts to market testing, and may be expanded over time as appropriate.

Harley Geiger & Tanvi Chopra
