New FCC effort seeks alignment with NIST principles on cybersecurity
The Biden administration and the Federal Communications Commission are working on a product labeling effort focused on standards for cybersecurity in consumer and IoT products. A new “U.S. Cyber Trust Mark” program has been proposed by FCC Chairwoman Jessica Rosenworcel and was spotlighted this week with an event at the White House, with support from companies including Qualcomm, Samsung, Keysight Technologies, Cisco, Amazon, Google, LG, Qorvo, Logitech and others.
Rosenworcel is proposing a voluntary cybersecurity labeling program which would indicate to consumers that a product meets widely accepted, basic cybsecurity standards, which she compared to the Energy Star labeling program. This is meant to “raise the bar” for security in commonly available consumer IoT devices like home appliances, televisions, climate control systems, fitness trackers and other wirelessly connected “smart” products. It could put in place certification requirements such as unique and strong default passwords, software updates and incident detection capabilities, for example.
“Increased interconnection also brings increased security and privacy risks,” Rosenworcel said. “This voluntary program, which would build on work by the National Institute of Standards and Technology, industry, and researchers, would raise awareness of cybersecurity by helping consumers make smart choices about the devices they bring into their homes, just like the Energy Star program did when it was created to bring attention to energy-efficient appliances and encourage more companies to produce them in the marketplace.”
If approved by the FCC, the agency will issue a notice of proposed rulemaking to take comments on such a program, and it could be up and running by 2024.
According to Check Point Research, the first two months of this year saw a 41% increase in the average number of weekly attacks per organization targeting IoT devices, compared to the same period in 2022. A Nokia cybersecurity report published last month found that dedicated denial of service (DDoS) attacks leveraging insecure IoT devices had jumped five-fold in the past year.
As part of the related efforts, NIST is also going to “immediately” start working on defining cybersecurity requirements for consumer-grade routers and aim to complete that work this year, according to the White House, because routers are a “higher-risk type of product” that can be used to “eavesdrop, steal passwords and attack other devices and high value networks.” Outlining router security requirements by the end of 2023 will enable the FCC to consider those requirements and expand the labeling program to cover consumer routers.
But the related cybersecurity effort extends beyond consumer devices. The Department of Energy will be working with the National Labs and industry partners to develop cybersecurity labeling requirements for smart meters and power inverters, and the White House said that U.S. Department of State will support the FCC in harmonizing standards and mutually recognizing similar labeling efforts in other countries.
The new labeling program “would help provide Americans with greater assurances about the cybersecurity of the products they use and rely on in their everyday lives,” according to a White House statement and it would also help businesses to “differentiate trustworthy products in the marketplace.”
In response, CTIA (which already has an IoT cybersecurity certification program) said that it supports “voluntary, flexible and harmonized efforts to enhance IoT security based on industry certification programs” and that it looks forward to working to ensure that the labeling program “is implemented based on the NIST Core Baseline using existing industry certifications, that the program provides a safe harbor for companies that participate, provides a consistent application of IoT security capabilities at the federal level, and enhances consumer understanding of the importance of IoT security.”
